Renegotiate Tls

Date Submitted: 11/06/2011 11:52 PM

Renegotiating TLS

Marsh Ray, Steve Dispensa
PhoneFactor, Inc.
v1.1, November 4, 2009

Summary

Transport Layer Security (TLS, RFC 5246 and previous, including SSL v3 and previous) is subject to a number of serious man-in-the-middle (MITM) attacks related to renegotiation. In general, these problems allow an MITM to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream, leading to a variety of abuse possibilities.

In particular, practical attacks against HTTPS client certificate authentication have been demonstrated against recent versions of both Microsoft IIS and Apache httpd on a variety of platforms and in conjunction with a variety of client applications. Cases not involving client certificates have been demonstrated as well. Although this research has focused on the implications specifically for HTTP as the application protocol, the research is ongoing and many of these attacks are expected to generalize well to other protocols layered on TLS.

There are three general attacks against HTTPS discussed here, each with slightly different characteristics, all of which yield the same result: the attacker is able to execute an HTTP transaction of his choice, authenticated by a legitimate user (the victim of the MITM attack). Some attacks result in the attacker-supplied request generating a response document which is then presented to the client without any certificate warning or other indication to the user. Other techniques allow the attacker to forward or re-purpose client certificate authentication credentials.

Technology Background

TLS is a widely used protocol, but there are a number of features (standardized and otherwise) that are inconsistently implemented and used. Following is a brief summary of TLS negotiation, and an explanation of two relevant features of the protocol.

Basic TLS begins negotiation with a Client Hello message sent by the client to the server, including the list of supported cipher suites. The...