[Security] TLS Triple Handshakes

Fedor Brunner fedor.brunner at azet.sk
Tue Mar 4 15:16:47 UTC 2014


On 03.03.2014 23:35, Dave Cridland wrote:
> On 3 March 2014 21:47, Waqas Hussain <waqas20 at gmail.com> wrote:
> 
>> On Mon, Mar 3, 2014 at 3:46 PM, Fedor Brunner
>> <fedor.brunner at azet.sk> wrote:
>>> Hi all, this attack on TLS security may be interesting for
>>> XMPP 
>>> https://www.imperialviolet.org/2014/03/03/triplehandshake.html 
>>> https://secure-resumption.com/#further
>>> 
>>> The attacker could modify tls-unique channel binding and
>>> affect SCRAM-SHA-1-PLUS authentication method.
>>> 
>> 
> 
> 
> Yes, it's interesting, at a first glance.
> 
> It would, however, only affect clients that do not verify
> certificates properly (at least at the point of sending SASL
> stuff).
> 
> You also need clients and servers that are perfectly happy to see 
> renegotiation, and it's not vastly obvious why XMPP *needs* any 
> renegotiation.
> 
> So something to be aware of, rather than panic over.
> 
> Dave.
> 
There are multiple attacks described in the document.

1. The attack on client certificate authentication uses both
resumption and renegotiation. It's more targeted at the behavior of HTTPS
servers and it could be more complicated to exploit in XMPP, but
not impossible.

2. The attack on SASL channel binding uses resumption, not renegotiation.
Page 11:
https://secure-resumption.com/tlsauth.pdf

The attack applies to a scenario where both the XMPP client and server use
TLS/SSL libraries that support TLS resumption, for example OpenSSL.

If the attacker can forge a valid certificate (for example with the help
of a CA), or the XMPP client is ignoring a warning about an incorrect SSL
certificate (which many users do, see the paper "Alice in Warningland:
A Large-Scale Field Study of Browser Security Warning Effectiveness",
https://www.cs.berkeley.edu/~devdatta/papers/alice-in-warningland.pdf),
then an active attacker can downgrade the security of SCRAM-SHA-1-PLUS
authentication to SCRAM-SHA-1 and do a MITM.

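Added example, not part of the original message or of any XMPP server's code: a sketch of the server-side check that RFC 5802 defines for the gs2-cbind-flag and the c= attribute, which is what makes SCRAM-SHA-1-PLUS reject a connection whose tls-unique differs on the two sides or whose mechanism list was edited in transit. The function names and the sample tls-unique bytes are hypothetical and constructed; the check is only as strong as the uniqueness of tls-unique per connection, the property the thread says the attack targets.

```python
import base64
import hmac

ACCEPT = "accept"
DOWNGRADE = "reject: client sent 'y' but server advertised SCRAM-SHA-1-PLUS"
MISMATCH = "reject: channel binding data does not match this TLS connection"
BAD_INPUT = "reject: malformed gs2 header or c= attribute"


def expected_cbind_input(gs2_header: str, tls_unique: bytes = b"") -> str:
    """base64(gs2-header || cbind-data): the c= value of client-final-message."""
    return base64.b64encode(gs2_header.encode() + tls_unique).decode()


def check_channel_binding(client_first: str, c_attr: str,
                          server_tls_unique: bytes, offered_plus: bool) -> str:
    """Server-side check of the gs2-cbind-flag and c= attribute (RFC 5802)."""
    try:
        flag, authzid, _bare = client_first.split(",", 2)
        received = base64.b64decode(c_attr, validate=True)
    except ValueError:
        return BAD_INPUT
    gs2_header = f"{flag},{authzid},"
    if flag == "y":
        # Client supports binding but saw no -PLUS mechanism offered. If we
        # did offer one, the mechanism list was altered in transit.
        if offered_plus:
            return DOWNGRADE
        expected = gs2_header.encode()
    elif flag == "n":
        expected = gs2_header.encode()
    elif flag == "p=tls-unique":
        # Bind to the tls-unique value of the connection the server sees.
        expected = gs2_header.encode() + server_tls_unique
    else:
        return BAD_INPUT
    # c= is also covered by the client proof, so it cannot be rewritten
    # in flight without the password-derived keys.
    if not hmac.compare_digest(received, expected):
        return MISMATCH
    return ACCEPT


if __name__ == "__main__":
    tu_server = bytes.fromhex("02" * 12)   # constructed sample value
    tu_client = bytes.fromhex("01" * 12)   # constructed: client saw another session
    first = "p=tls-unique,,n=juliet,r=abc"  # constructed client-first-message
    print(check_channel_binding(first, expected_cbind_input("p=tls-unique,,", tu_server), tu_server, True))
    print(check_channel_binding(first, expected_cbind_input("p=tls-unique,,", tu_client), tu_server, True))
    print(check_channel_binding("y,,n=juliet,r=abc", expected_cbind_input("y,,"), tu_server, True))
```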
