[openssl-dev] Enhance Extended Master Secret to conform to new MUST requirements in spec

Bill Cox waywardgeek at google.com
Mon Apr 20 15:36:36 UTC 2015


Hi.  I'm looking into extended master secret (EMS) support in OpenSSL.  It
works on my machine correctly, except for session resumption.  From the
latest EMS spec:

"If a server receives a ClientHello for an abbreviated handshake
offering to resume a previous session, it behaves as follows.

   o  If the original session did not use an extended master secret but
      the new ClientHello does contain the "extended_master_secret"
      extension, the server MUST NOT perform the abbreviated handshake.
      Instead, it SHOULD continue with a full handshake to negotiate a
      new session."

The threat here is that in a Triple Handshake attack, the attacker A
downgrades both initial connections to client C and server S to not
support EMS.  In the second step, the session resumption step, he
re-enables EMS on both connections, causing the handshake logs to agree,
which allows the third connection (the renegotiation step) to complete with
EMS enabled for any client accepting a server cert change.  At this point C
accepts the connection to A as actually a connection to S, thwarting TLS
authentication.

Emilia suggested that I develop a patch for this by forking master on
github and submitting a pull request.  If I understand correctly, you guys
prefer an email like this before starting work on patches.  Is that right?

There is also a bit of related behavior that I would like to fix.  As
described in the spec:

"If a client receives a ServerHello that accepts an abbreviated
handshake, it behaves as follows.

   o  If the original session did not use an extended master secret but
      the new ServerHello does contain the "extended_master_secret"
      extension, the client MUST abort the handshake."

In this case, the client has detected a bug in the server's EMS
implementation, and if the client continues, it is subject to the full TH
downgrade attack as above.

Thanks,
Bill
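The resumption rules discussed above, written out as an added example (not code from the post or from OpenSSL). It encodes the full decision table of the EMS spec (RFC 7627, section 5.3) for both the server and the client, so it goes beyond the two cases quoted in the mail; the function and enum names are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Outcome of the resumption check, following the MUST/SHOULD wording of
 * RFC 7627 section 5.3. */
typedef enum {
    EMS_RESUME,          /* original session and new hello both use EMS */
    EMS_FULL_HANDSHAKE,  /* MUST NOT resume; negotiate a new session instead */
    EMS_ABORT,           /* MUST abort: mismatch means a downgrade or a bug */
    EMS_LEGACY_INSECURE  /* neither side uses EMS: SHOULD abort; resuming is
                            not protected against the triple handshake */
} ems_action;

/* Server side, on a ClientHello that offers to resume a session.
 * session_used_ems: did the original session negotiate EMS?
 * hello_has_ems: does the new ClientHello carry extended_master_secret? */
ems_action server_resumption_check(bool session_used_ems, bool hello_has_ems)
{
    if (session_used_ems && hello_has_ems)
        return EMS_RESUME;
    if (!session_used_ems && hello_has_ems)
        /* The case from the mail: the attacker downgraded the original
         * session and now re-enables EMS; do not let it resume. */
        return EMS_FULL_HANDSHAKE;
    if (session_used_ems && !hello_has_ems)
        return EMS_ABORT;   /* EMS dropped mid-session: downgrade attempt */
    return EMS_LEGACY_INSECURE;
}

/* Client side, on a ServerHello that accepted an abbreviated handshake.
 * There is no full-handshake fallback here: any EMS mismatch means the
 * server is buggy or the session was tampered with, so the client aborts. */
ems_action client_resumption_check(bool session_used_ems, bool server_hello_has_ems)
{
    if (session_used_ems && server_hello_has_ems)
        return EMS_RESUME;
    if (session_used_ems != server_hello_has_ems)
        return EMS_ABORT;
    return EMS_LEGACY_INSECURE;
}

/* Whether the abbreviated handshake may proceed; allow_legacy says whether
 * the deployment tolerates unprotected non-EMS resumption at all. */
bool resumption_allowed(ems_action a, bool allow_legacy)
{
    return a == EMS_RESUME || (a == EMS_LEGACY_INSECURE && allow_legacy);
}

int main(void)
{
    /* The triple handshake scenario: downgraded original session (no EMS),
     * then EMS re-enabled at resumption. Constructed inputs, not a capture. */
    ems_action s = server_resumption_check(false, true);
    printf("server: resume=%d (expect 0, full handshake instead)\n",
           resumption_allowed(s, false));
    return 0;
}
```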