Internet DRAFT - draft-bhargavan-tls-resumption-indication

draft-bhargavan-tls-resumption-indication







Network Working Group                                       K. Bhargavan
Internet-Draft                                        A. Delignat-Lavaud
Expires: October 20, 2014                                     A. Pironti
                                                Inria Paris-Rocquencourt
                                                              A. Langley
                                                             Google Inc.
                                                                  M. Ray
                                                         Microsoft Corp.
                                                          April 18, 2014


     Transport Layer Security (TLS) Resumption Indication Extension
              draft-bhargavan-tls-resumption-indication-00

Abstract

   When a TLS session is resumed via an abbreviated handshake, the
   knowledge of the master secret is used to implicitly mutually
   authenticate the two peers.  However, an attacker can synchronize two
   different TLS sessions, so that they share the same master secret,
   breaking the resumption authentication property.  This specification
   defines a TLS extension that cryptographically binds the resumption
   abbreviated handshake with its original session, thus preventing this
   attack.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 20, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.





Bhargavan, et al.       Expires October 20, 2014                [Page 1]

Internet-Draft          TLS Resumption Extension              April 2014


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Requirements Notation . . . . . . . . . . . . . . . . . . . .   4
   3.  The TLS Session Hash  . . . . . . . . . . . . . . . . . . . .   4
   4.  The secure_resumption Extension . . . . . . . . . . . . . . .   4
     4.1.  Overwiev  . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  Extension definition  . . . . . . . . . . . . . . . . . .   4
     4.3.  Client behavior: no resumption desired  . . . . . . . . .   4
     4.4.  Client behavior: resumption desired . . . . . . . . . . .   5
       4.4.1.  Server behavior: resumption rejected  . . . . . . . .   5
       4.4.2.  Server behavior: resumption accepted  . . . . . . . .   5
   5.  Backward compatibility  . . . . . . . . . . . . . . . . . . .   6
     5.1.  Client not supporting secure_resumption . . . . . . . . .   6
     5.2.  Server not supporting secure_resumption . . . . . . . . .   6
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   7.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     7.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     7.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   In TLS [RFC5246], a session is established by a full handshake, and
   it can be resumed via abbreviated handshakes.  Furthermore, several
   full or abbreviated hansdshakes can follow over the same connection.
   It is well known that, without the secure_renegotiation extension
   [RFC5746], handshakes performed over the same connection are not
   cryptographically bound: this means that an attacker can initiate a
   communication with a server, then ask for renegotiation and plug a
   connection originating from a victim client.  The server will treat
   this as a renegotiation, while the victim client will believe it is
   the first handshake over the connection.  The secure_renegotiation
   extension fixes this by cryptographically binding each handshake
   happening on a connection with the previous handshake that happened
   on the same connection.  Technically, according to [RFC5746], the
   Client and Server Hello messages contain the client and server
   verify_data generated by the previous handshake in the same



Bhargavan, et al.       Expires October 20, 2014                [Page 2]

Internet-Draft          TLS Resumption Extension              April 2014


   connection: if these data do not match at the client and server side,
   then a renegotiation attack is detected, and the connection is
   aborted.

   Complementary, an existing session can be resumed via an abbreviated
   handshake as the first handshake over a connection.  In this case,
   one needs to make sure that the peers resuming the session are indeed
   the same as the ones who originated such session.  In an abbreviated
   TLS handshake, this is achieved by proving the knowledge of the
   session master_secret, via the generation of the correct verify_data
   content (and its encryption within the Finished message).

   However, especially with the RSA key exchange method, an attacker can
   easily synchronize two TLS sessions, so that they share the same
   master_secret [TRIPLE-HS].  Suppose a client, C, is connecting to an
   attacker, A. The attacker wishes to synchronize the client and a
   victim server, S, so that both have a session cached with a master
   secret and session ID that are known to the attacker.

   1.  C sends its "ClientHello.random" value to A.

   2.  A connects to S, using C's "ClientHello.random" value.

   3.  S responds to A, sending its "ServerHello.random",
       "ServerHello.session_id" and certificate chain.

   4.  A responds to C with its own certificates, but using the server's
       "ServerHello.random" and "ServerHello.session_id" values.

   5.  C proceeds with the key exchange, sending to A the
       "pre_master_secret" value, encrypted with A's public key.

   6.  A decrypts the "pre_master_secret", re-encrypts it with the
       server's public key and sends it on to S.

   At this point, both sessions (between C and A, and between A and S)
   share the same "pre_master_secret", "ClientHello.random" and
   "ServerHello.random".  Hence, the "master_secret" value will be equal
   for the two sessions and it will be associated both at C and S with
   the same session ID.

   Note that the secure_renegotiation extension does not help in this
   case, because both client and server are resuming a session as their
   first handshake over the new connection, and hence the
   secure_renegotiation values (empty values in this case) will also
   match.  Indeed, this resumption attack is dual to the renegotiation
   one, and as such requires a dual extension to fix the problem.




Bhargavan, et al.       Expires October 20, 2014                [Page 3]

Internet-Draft          TLS Resumption Extension              April 2014


2.  Requirements Notation

   This document uses the same notation and terminology used in the TLS
   Protocol specification [RFC5246].

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  The TLS Session Hash

   When a full handshake takes place, and thus a new TLS session is
   generated, implementations complying with this document MUST compute
   the "session_hash", as defined in [session-hash].

   Additionally, the session_hash MUST be stored along with the other
   session data in the session database, or it MUST be included in the
   session ticket, where applicable.

4.  The secure_resumption Extension

4.1.  Overwiev

   This specification introduces a new TLS extension, called
   "secure_resumption", that prevents the resumption attack described
   above.  Basically, this extension cryptographically binds any
   abbreviated handshake with the original session the handshake is
   trying to resume.  Technically, this is achieved by adding to the
   Client and Server Hello messages a "session_hash" associated to the
   session being resumed.

4.2.  Extension definition

   The "secure_resumption" extension has type TBD.  The "extension data"
   field of this extension contains a "SecureResumption" structure:

     struct {
       opaque secure_resumption<0..255>;
     } SecureResumption;

   The content of this extension is explained below, together with the
   different use case scenarios.

4.3.  Client behavior: no resumption desired

   When a client sends a Client Hello with empty session_id (and no
   session ticket), it means it has no session to resume and is only
   willing to establish a new session with the server.  In this case,



Bhargavan, et al.       Expires October 20, 2014                [Page 4]

Internet-Draft          TLS Resumption Extension              April 2014


   the client MUST NOT send the secure_resumption extension in its
   Client Hello message.

   With such a Client Hello message, the server will start a new session
   and, not seeing any secure_resumption extension, will not include it
   in its Server Hello message.

   Servers receiving an invalid Client Hello message containing an empty
   ClientHello.session_id and a secure_resumption extension MUST NOT
   send the secure_resumption extension back in the Server Hello.
   Servers MAY abort the connection, or decide to continue ignoring the
   secure_resumption extension given by the client.

4.4.  Client behavior: resumption desired

   When a client wishes to resume a session, it fills the
   ClientHello.session_id (or sends a session ticket).  In this case, a
   client implementing this specification MUST also send a
   secure_resumption extension, with SecureResumption.secure_resumption
   filled with the session_hash value of the session being resumed.

4.4.1.  Server behavior: resumption rejected

   If the server rejects the client request to resume a session, it
   provides a new ServerHello.session_id and proceeds with a full
   handshake.  In this case, a server implementing this specification
   MUST NOT send a secure_resumption extension, and MUST ignore the
   value of the secure_resumption extension sent by the client.

   Clients receiving an invalid ServerHello containing a new
   ServerHello.session_id value together with a secure_resumption
   extension MUST ignore the content of the server provided
   secure_resumption extension.  Such clients MAY disconnect or continue
   with a full handshake.

4.4.2.  Server behavior: resumption accepted

   If the server accepts to resume the session it MUST check that the
   value contained in the ClientHello.secure_resumption extension
   matches the locally stored session_hash for the session being
   resumed.

   If the check fails, the server MUST NOT continue with session
   resumption; instead the server MAY abort the connection or start a
   full handshake to generate a new session.

   If the check succeeds, the server MAY continue with session
   resumption.  In this case, the server MUST include a



Bhargavan, et al.       Expires October 20, 2014                [Page 5]

Internet-Draft          TLS Resumption Extension              April 2014


   ServerHello.secure_resumption extension, filled with the session_hash
   for the session being resumed.

4.4.2.1.  Client behavior: resumption accepted

   When the server accepts resumption, the client MUST check that a
   ServerHello.secure_resumption is present, and it MUST check that its
   content matches the locally stored session_hash for the session being
   resumed.

   If the match fails, the client MUST abort the connection.  (At this
   stage of the handshake, the client cannot ask anymore for a full
   handshake, and the server already committed to an abbreviated one,
   hence the only solution is to abort and re-start.)

   If the match succeeds, the client continues with a normal abbreviated
   handshake.

5.  Backward compatibility

5.1.  Client not supporting secure_resumption

   It is easy for servers to identify clients not supporting the
   secure_resumption extension: the ClientHello.session_id will be
   filled, but no secure_resumption extension will be present.  In such
   cases, servers implementing this specification MUST refuse the
   resumption request and hence continue with a full handshake.  Note
   that in practice, this disables resumption for all un-patched
   clients.

5.2.  Server not supporting secure_resumption

   With the current definition of the extension, a client gets to know
   whether a server supports or not the secure_resumption extension only
   after the server has already committed to an abbreviated handshake.
   If a client detects an un-patched server wishing to resume, it MUST
   abort the session with a handshake_failure fatal alert, and re-start
   a new connection proposing a full handshake.

6.  Security Considerations

   Without this extension, authentication over a resumed session is
   based only on the uniqueness of the master_sercret.  However, an
   attacker can carefully craft two TLS sessions so that they share the
   same master_secret, breaking the authentication properties of TLS in
   case of resumed sessions.





Bhargavan, et al.       Expires October 20, 2014                [Page 6]

Internet-Draft          TLS Resumption Extension              April 2014


   This specification introduces a secure_resumption extension which
   cryptographically binds an abbreviated handshake to the session being
   resumed, by means of its session_hash.  The session_hash value is
   unique to each session, as it depends on all the data exchanged to
   generate the session, including client and server randomness, their
   identities, and the choices of the pre_master_secret.

   In principle, the Client and Server Finished.verify_data of the full
   handshake generating the session could be used instead of the
   session_hash, because both the verify_data and the session_hash
   depend on all the data that lead to the session context.  However,
   the verify_data is typically very short (12 bytes for all currently
   defined cipher suites), and so collisions among verify_data of
   different sessions are relatively easy to find.  In this document, by
   using the session_hash, the collision probability reduces to the
   collision resistance of the chosen hash algorithm (ciper suite-
   dependent for TLS 1.2, and concatenation of MD5 and SHA1 for all
   previous TLS versions and SSL 3.0).

7.  References

7.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
              "Transport Layer Security (TLS) Renegotiation Indication
              Extension", RFC 5746, February 2010.

7.2.  Informative References

   [TRIPLE-HS]
              Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti,
              A., and P. Strub, "Triple Handshakes and Cookie Cutters:
              Breaking and Fixing Authentication over TLS", IEEE
              Symposium on Security and Privacy, to appear , 2014.

   [session-hash]
              Bhargavan, K., Delignat-Lavaud, A., Langley, A., Pironti,
              A., and M. Ray, "Transport Layer Security (TLS) Session
              Hash and Extended Master Secret Extension", Internet Draft
              , 2014.





Bhargavan, et al.       Expires October 20, 2014                [Page 7]

Internet-Draft          TLS Resumption Extension              April 2014


Authors' Addresses

   Karthikeyan Bhargavan
   Inria Paris-Rocquencourt
   23, Avenue d'Italie
   Paris  75214 CEDEX 13
   France

   Email: karthikeyan.bhargavan@inria.fr


   Antoine Delignat-Lavaud
   Inria Paris-Rocquencourt
   23, Avenue d'Italie
   Paris  75214 CEDEX 13
   France

   Email: antoine.delignat-lavaud@inria.fr


   Alfredo Pironti
   Inria Paris-Rocquencourt
   23, Avenue d'Italie
   Paris  75214 CEDEX 13
   France

   Email: alfredo.pironti@inria.fr


   Adam Langley
   Google Inc.
   1600 Amphitheatre Parkway
   Mountain View, CA  94043
   USA

   Email: agl@google.com


   Marsh Ray
   Microsoft Corp.
   1 Microsoft Way
   Redmond, WA  98052
   USA

   Email: maray@microsoft.com






Bhargavan, et al.       Expires October 20, 2014                [Page 8]