TLS Renegotiation Vulnerability IETF-76 Joe Salowey Eric Rescorla

Slides:



Advertisements
Similar presentations
Transport Layer Security (TLS) IETF-76 Chairs Joe Salowey Eric Rescorla
Advertisements

Adding SASL to HTTP/1.1 draft-nystrom-http-sasl-07.txt Magnus Nyström, RSA Security Alexey Melnikov, Isode Limited
SIP issues with S/MIME and CMS Rohan Mahy SIP, SIPPING co-chair.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 8, 2013.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
IETF OAuth Proof-of-Possession
Privacy Terminology draft-hansen-privacy-terminology-03.txt Hannes Tschofenig.
CMSC 414 Computer (and Network) Security Lecture 26 Jonathan Katz.
An Introduction to Security Concepts and Public Key Infrastructure (PKI) Mary Thompson.
Intro to SSL/TLS Network Security Gene Itkis. 6/14/2015 Gene Itkis: CS558 Network Security 2 Origins Internet Engineering Task Force (IETF) –
Protected Extensible Authentication Protocol
Intro to SSL/TLS Network Security Gene Itkis. 6/23/2015 cs Network Security (Gene Itkis) 2 Origins Internet Engineering Task Force (IETF) –
CS682- Session 10 Prof. Katz. Well-Known Attacks By far the most common security vulnerabilities Attacks that Script-Kiddies are capable of performing.
NEA Working Group IETF meeting Nov 17, 2011 IETF 82 - NEA Meeting1.
Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.
11 Secure Sockets Layer (SSL) Protocol (SSL) Protocol Saturday, University of Palestine Applied and Urban Engineering College Information Security.
An XMPP (Extensible Message and Presence Protocol) based implementation for NHIN Direct 1.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Proposed Transport Layer Security (TLS) Evidence Extensions Russ Housley IETF 67 – TLS WG Session.
XMPP Concrete Implementation Updates: 1. Why XMPP 2 »XMPP protocol provides capabilities that allows realization of the NHIN Direct. Simple – Built on.
Tunneling and Securing TCP Services Nathan Green.
Giuseppe Bianchi TLS connection management & application support.
1 82 nd IETF meeting NETCONF over WebSocket ( ) Tomoyuki Iijima, (Hitachi) Hiroyasu Kimura,
PAWS: Security Considerations Yizhuang WU, Yang CUI PAWS WG
SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.
Open Pluggable Edge Services (opes) 61st IETF Meeting Washington, D.C., USA.
All Rights Reserved © Alcatel-Lucent 2006, ##### 2G IMS CAVE Based Security Replay Protection Alec Brusilovsky, Zhibi Wang Alcatel-Lucent, July 24, 2007.
TLS user mapping hint extension Stefan Santesson Microsoft.
1 SSH / SSL Supplementary material. 2 Secure Shell (SSH) One of the primary goals of the ARPANET was remote access Several different connections allowed.
EAP-FAST Version 2 draft-zhou-emu-eap-fastv2-00.txt Hao Zhou Nancy Cam-Winget Joseph Salowey Stephen Hanna March 2011.
1 Pascal URIEN, IETF 63th Paris, France, 2nd August 2005 “draft-urien-eap-smartcard-type-02.txt” EAP Smart Card Protocol (EAP-SC)
Secure Sockets Layer (SSL) Protocol by Steven Giovenco.
Real-Time Streaming Protocol draft-ietf-mmusic-rfc2326bis-01.txt Magnus Westerlund.
Emu wg, IETF 70 Steve Hanna, EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,
Agenda Pattern Authenticate a user against UCWA Operations happen using the user’s identity Interact with the UCWA service endpoint Make HTTP requests.
November 20, 2002IETF 55 - Atlanta1 VPIM Voice Profile for Internet Mail Mailing list: To subscribe: send.
Transport Layer Security (TLS) Chairs: Eric Rescorla Joe Salowey.
Lemonade IETF 70 Eric Burger Glenn Parsons
RFC 2716bis Wednesday, July 12, 2006 Draft-simon-emu-rfc2716bis-02.txt Dan Simon Bernard Aboba IETF 66, Montreal, Canada.
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
Diameter SIP Application
Transport Layer Security (TLS) IETF-84 Chairs: Eric Rescorla Joe Salowey.
Transport Layer Security (TLS) IETF-78 Chairs Joe Salowey Eric Rescorla
IETF-84 EMU TEAP Updates Nancy Joseph Salowey Hao Zhou
@Yuan Xue CS 285 Network Security Secure Socket Layer Yuan Xue Fall 2013.
Cryptography CSS 329 Lecture 13:SSL.
Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden
EAP Applicability IETF-86 Joe Salowey. Open Issues Open Issues with Retransmission and re- authentication Remove text about lack of differentiation in.
TLS/SSL Protocol Presented by: Vivek Nelamangala Includes slides presented by Miao Zhang on April Course: CISC856 - TCP/IP and Upper Layer Protocols.
Dr. Michael B. Jones Identity Standards Architect at Microsoft
Open issues with PANA Protocol
Phil Hunt, Hannes Tschofenig
IETF-70 EAP Method Update (EMU)
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
CS 465 TLS Last Updated: Oct 31, 2017.
Security Vulnerabilities in RPC (csci5931)
Presentation transcript:

TLS Renegotiation Vulnerability IETF-76 Joe Salowey Eric Rescorla

TLS Renegotiation Vulnerability Discovered by Marsh Ray and Steve Dispensa of PhoneFactor - 08/2009 Re-Discovered by Martin Rex duing Channel Binding Discussions on the TLS list – 11/2009

TLS Renegotiation Client Server  Handshake   ===========Protected Data============   ============Handshake==============   ===========Protected Data============  Initial Handshake Establishes a protected channel Re-negotiation is a new handshake run under the protection of the existing channel Upon completion the new channel replaces the old channel

Renegotiation Attack Client Attacker Server  Handshake   ===== Initial Traffic =====   Handshake=================   ============= Client Traffic=============== =  Initial traffic and client traffic are treated as originating under the same context Attacker injected traffic may be processed under clients context Attacker injected traffic may set up context under which client’s traffic is processed Client handshake may use client certificates

Vulnerability Attacker injects data that is processed under client’s context –Process unauthenticated request under authenticated context –Attacker can inject data processed under client’s authorization based on client certificate Attacker sets up context that discloses information in client’s request –Client cert authentication not necessary for attack Complications –Renegotiation is often transparent to application –Client is not aware this is a renegotiation –Some HTTP servers support renegotiation to request client certs for a protected resource Other protocols may be vulnerable as well –IMAP, LDAP, XMPP, SIP, SMTP, …

Mitigation Disable renegotiation –May Be required by application –Some libraries do not have interface for this Proposed Extension –Fix TLS renegotiation Application Mitigation –Application dependent

Renegotiation Indication Extension draft-rescorla-tls-renegotiation-00 Hello extension containing the contents of the finished messages from the previous handshake struct { opaque renegotiated_connection ; } Renegotiation_Info;

Proposed Timeline for Renegotiation Extension Document 11/15 Adopt as Working Group Item 11/16 – 11/30 Working Group Last Call 12/01 – 12/04 Resolve Comments 12/04 – 12/07 Send to IESG – AD Review 12/08 – 12/22 IETF Last Call and External Review 12/22 – 01/07 Resolve Comments 01/07 – 01/14 IESG Review 01/14 – 02/14 RFC Editor and IANA Review 02/14 RFC publication

Current Open Issues Extension Number Requirements Language –particularly for client Interaction with session resumption Behavior on subsequent renegotiations Applicability of TLS extensions Dealing with broken extension support SSLv3? Needs Review

Follow-on Work Application interaction with re-negotiation –Identity comparison –API recommendations

Some References TLS.pdfhttp://extendedsubset.com/Renegotiating_ TLS.pdf 1/understanding_the_tls_renegoti.htmlhttp:// 1/understanding_the_tls_renegoti.html

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.