Cryptography Reference
In-Depth Information
Renegotiation Pitfalls and the Client Hello
Extension 0xFF01
Believe it or not, session renegotiation was found to be problematic. After all,
if negotiating a handshake in the clear is secure, then negotiating a handshake
using a previously negotiated cipher suite must be that much more secure,
right? In 2009, Marsh Ray and Steve Dispensa detailed a series of attacks that
could be used against session renegotiation (
http://extendedsubset.com/
Renegotiating_TLS.pdf
). The essential problem had nothing to do with session
renegotiation per se, but instead with the way that it was commonly deployed
across secure websites.
This is not a theoretical, academic attack — this attack breaks most protocols
that use TLS. It works like this: Imagine that the attacker has compromised a
router somewhere, or has falsely advertised himself as a wireless hotspot, and
the victim is routing all traffi c through the attacker. The attacker can change,
add, or delete packets at will. This is the essence of the man-in-the-middle
attack that TLS strives so hard to guard against. Now the victim, being security
conscious, connects to his banking site securely — the attacker cannot modify
the TLS handshake in any way without being detected. Let's say the victim just
wants to check his bank balance, so he logs in:
POST /bank/login.cgi HTTP/1.1
Host: www.bank.com
Connection: Close
user=josh&password=secret
HTTP/1.1 200 OK
Set-Cookie: session=12345
<html>
<head><title>Welcome</title></head>
<body>
<a href=”checkbalance.cgi”>check bank balance</a>
<a href=”transferfunds.cgi”>transfer money</a>
</body>
</html>
So far, so good. The attacker can't eavesdrop on any of this because it's pro-
tected by the negotiated TLS parameters. The attacker does know, however,
that the victim is connected to IP address 192.168.0.1, which he can determine
is the IP address of bank.com through a DNS lookup. Now, the victim clicks on
“check bank balance.” In the absence of an active attack, this should result in a
TLS negotiation, followed by the HTTP query:
Search WWH ::
Custom Search