[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Comments on TLS identity protection

To: badra@xxxxxxxx
Subject: Re: [TLS] Comments on TLS identity protection
From: Eric Rescorla <ekr@xxxxxxxxxxxxxxxxxxxx>
Date: Tue, 19 Dec 2006 14:36:43 -0800
Cc: tls@xxxxxxxx
In-reply-to: <61434.86.72.162.216.1166567558.squirrel@xxxxxxxxxxxx> (badra@xxxxxxxx's message of "Tue, 19 Dec 2006 23:32:38 +0100 (CET)")
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <20061219204505.5F2EE5C01E@xxxxxxxxxxxxxxxxxxxxxxxxxx> <61434.86.72.162.216.1166567558.squirrel@xxxxxxxxxxxx>
Reply-to: EKR <ekr@xxxxxxxxxxxxxxxxxxxx>
User-agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)

badra@xxxxxxxx writes:
>> Comments on: draft-hajjeh-tls-identity-protection-00
>>
>> BACKGROUND
>> The TLS handshake occurs in the clear. Thus, any observer can
>> determine the credentials used by the client or server to authenticate
>> themselves. This document describes an "identity protection" mode for
>> TLS designed to hide the client's certificate.
>>
>>
>> GENERAL COMMENTS
>> I don't understand what the motivation for this mode is. I appreciate
>> that it was an advertised feature of IPsec, but TLS doesn't
>> need to replicate every feature of IPsec. In particular, since
>> certificate-based client authentication is actually fairly
>> rare, it's not clear that *privacy* of that client authentication
>> is really a big consideration.
>
> In EAP-TLS, an implementation of TLS for Wireless LAN and later for WiMAX,
> the client is authenticated based on the certificate's use. This is the
> initial motivation of this work.

Yes, but I don't think this really explains why the certificate
needs to be kept secret or why the double handshake technique isn't
good enough.


>> In order for the identity protection to be protected against
>> MITM attack, the server cert needs to be verified prior to
>> sending the Certificate message. Because the question of whether
>> this is the correct certificate is outside of TLS, in many TLS
>> stacks the handshake completes prior to checking the server
>> hostname. That won't work here.
>
>
> Could you clarify that please? I didn't get the point regarding the server
> cert which is sent in cleartext.

The attacker performs a MITM attack with a valid certificate.
The TLS implementation completes the handshake and then prompts
the application to verify the certificate's identity against
the intended identity. This fails, but by this time the client
has already provided his certificate.

-Ekr

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- Re: [TLS] Comments on TLS identity protection
  - From: badra

References:
- [TLS] Comments on TLS identity protection
  - From: Eric Rescorla
- Re: [TLS] Comments on TLS identity protection
  - From: badra

Prev by Date: Re: [TLS] Comments on TLS identity protection
Next by Date: Re: [TLS] Comments on TLS identity protection
Previous by thread: Re: [TLS] Comments on TLS identity protection
Next by thread: Re: [TLS] Comments on TLS identity protection
Index(es):
- Date
- Thread