1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
|
<pre>Internet Engineering Task Force (IETF) K. Bhargavan, Ed.
Request for Comments: 7627 A. Delignat-Lavaud
Updates: <a href="./rfc5246">5246</a> A. Pironti
Category: Standards Track Inria Paris-Rocquencourt
ISSN: 2070-1721 A. Langley
Google Inc.
M. Ray
Microsoft Corp.
September 2015
<span class="h1">Transport Layer Security (TLS) Session Hash and</span>
<span class="h1">Extended Master Secret Extension</span>
Abstract
The Transport Layer Security (TLS) master secret is not
cryptographically bound to important session parameters such as the
server certificate. Consequently, it is possible for an active
attacker to set up two sessions, one with a client and another with a
server, such that the master secrets on the two sessions are the
same. Thereafter, any mechanism that relies on the master secret for
authentication, including session resumption, becomes vulnerable to a
man-in-the-middle attack, where the attacker can simply forward
messages back and forth between the client and server. This
specification defines a TLS extension that contextually binds the
master secret to a log of the full handshake that computes it, thus
preventing such attacks.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7627">http://www.rfc-editor.org/info/rfc7627</a>.
<span class="grey">Bhargavan, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Requirements Notation ...........................................<a href="#page-5">5</a>
<a href="#section-3">3</a>. The TLS Session Hash ............................................<a href="#page-5">5</a>
<a href="#section-4">4</a>. The Extended Master Secret ......................................<a href="#page-6">6</a>
<a href="#section-5">5</a>. Extension Negotiation ...........................................<a href="#page-6">6</a>
<a href="#section-5.1">5.1</a>. Extension Definition .......................................<a href="#page-6">6</a>
<a href="#section-5.2">5.2</a>. Client and Server Behavior: Full Handshake .................<a href="#page-7">7</a>
<a href="#section-5.3">5.3</a>. Client and Server Behavior: Abbreviated Handshake ..........<a href="#page-7">7</a>
<a href="#section-5.4">5.4</a>. Interoperability Considerations ............................<a href="#page-9">9</a>
<a href="#section-6">6</a>. Security Considerations .........................................<a href="#page-9">9</a>
<a href="#section-6.1">6.1</a>. Triple Handshake Preconditions and Impact ..................<a href="#page-9">9</a>
<a href="#section-6.2">6.2</a>. Cryptographic Properties of the Hash Function .............<a href="#page-11">11</a>
<a href="#section-6.3">6.3</a>. Handshake Messages Included in the Session Hash ...........<a href="#page-11">11</a>
<a href="#section-6.4">6.4</a>. No SSL 3.0 Support ........................................<a href="#page-12">12</a>
<a href="#section-7">7</a>. IANA Considerations ............................................<a href="#page-12">12</a>
<a href="#section-8">8</a>. References .....................................................<a href="#page-12">12</a>
<a href="#section-8.1">8.1</a>. Normative References ......................................<a href="#page-12">12</a>
<a href="#section-8.2">8.2</a>. Informative References ....................................<a href="#page-13">13</a>
Acknowledgments ...................................................<a href="#page-14">14</a>
Authors' Addresses ................................................<a href="#page-15">15</a>
<span class="grey">Bhargavan, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
In TLS [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>], every session has a "master_secret" computed as:
master_secret = PRF(pre_master_secret, "master secret",
ClientHello.random + ServerHello.random)
[0..47];
where the "pre_master_secret" is the result of some key exchange
protocol. For example, when the handshake uses an RSA ciphersuite,
this value is generated uniformly at random by the client, whereas
for Ephemeral Diffie-Hellman (DHE) ciphersuites, it is the result of
a Diffie-Hellman key agreement.
As described in [<a href="#ref-TRIPLE-HS" title=""Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS"">TRIPLE-HS</a>], in both the RSA and DHE key exchanges,
an active attacker can synchronize two TLS sessions so that they
share the same "master_secret". For an RSA key exchange where the
client is unauthenticated, this is achieved as follows. Suppose a
client C connects to a server A. C does not realize that A is
malicious and that A connects in the background to an honest server S
and completes both handshakes. For simplicity, assume that C and S
only use RSA ciphersuites.
1. C sends a "ClientHello" to A, and A forwards it to S.
2. S sends a "ServerHello" to A, and A forwards it to C.
3. S sends a "Certificate", containing its certificate chain, to A.
A replaces it with its own certificate chain and sends it to C.
4. S sends a "ServerHelloDone" to A, and A forwards it to C.
5. C sends a "ClientKeyExchange" to A, containing the
"pre_master_secret", encrypted with A's public key. A decrypts
the "pre_master_secret", re-encrypts it with S's public key, and
sends it on to S.
6. C sends a "Finished" to A. A computes a "Finished" for its
connection with S and sends it to S.
7. S sends a "Finished" to A. A computes a "Finished" for its
connection with C and sends it to C.
At this point, both connections (between C and A, and between A and
S) have new sessions that share the same "pre_master_secret",
"ClientHello.random", "ServerHello.random", as well as other session
parameters, including the session identifier and, optionally, the
session ticket. Hence, the "master_secret" value will be equal for
<span class="grey">Bhargavan, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
the two sessions and will be associated both at C and S with the same
session ID, even though the server identities on the two connections
are different. Recall that C only sees A's certificate and is
unaware of A's connection with S. Moreover, the record keys on the
two connections will also be the same.
The scenario above shows that TLS does not guarantee that the master
secrets and keys used on different connections will be different.
Even if client authentication is used, the scenario still works,
except that the two sessions now differ on both client and server
identities.
A similar scenario can be achieved when the handshake uses a DHE
ciphersuite. Note that even if the client or server does not prefer
using RSA or DHE, the attacker can force them to use it by offering
only RSA or DHE in its hello messages. Handshakes using Ephemeral
Elliptic Curve Diffie-Hellman (ECDHE) ciphersuites are also
vulnerable if they allow arbitrary explicit curves or use curves with
small subgroups. Against more powerful adversaries, other key
exchanges, such as Secure Remote Password (SRP) and Pre-Shared Key
(PSK), have also been shown to be vulnerable [<a href="#ref-VERIFIED-BINDINGS">VERIFIED-BINDINGS</a>].
Once A has synchronized the two connections, since the keys are the
same on the two sides, it can step away and transparently forward
messages between C and S, reading and modifying when it desires. In
the key exchange literature, such occurrences are called unknown key-
share attacks, since C and S share a secret but they both think that
their secret is shared only with A. In themselves, these attacks do
not break integrity or confidentiality between honest parties, but
they offer a useful starting point from which to mount impersonation
attacks on C and S.
Suppose C tries to resume its session on a new connection with A. A
can then resume its session with S on a new connection and forward
the abbreviated handshake messages unchanged between C and S. Since
the abbreviated handshake only relies on the master secret for
authentication and does not mention client or server identities, both
handshakes complete successfully, resulting in the same session keys
and the same handshake log. A still knows the connection keys and
can send messages to both C and S.
Critically, at the new connection, even the handshake log is the same
on C and S, thus defeating any man-in-the-middle protection scheme
that relies on the uniqueness of finished messages, such as the
secure renegotiation indication extension [<a href="./rfc5746" title=""Transport Layer Security (TLS) Renegotiation Indication Extension"">RFC5746</a>] or TLS channel
bindings [<a href="./rfc5929" title=""Channel Bindings for TLS"">RFC5929</a>]. [<a href="#ref-TRIPLE-HS" title=""Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS"">TRIPLE-HS</a>] describes several exploits based on
such session synchronization attacks. In particular, it describes a
man-in-the-middle attack, called the "triple handshake", that
<span class="grey">Bhargavan, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
circumvents the protections of [<a href="./rfc5746" title=""Transport Layer Security (TLS) Renegotiation Indication Extension"">RFC5746</a>] to break client-
authenticated TLS renegotiation after session resumption. Similar
attacks apply to application-level authentication mechanisms that
rely on channel bindings [<a href="./rfc5929" title=""Channel Bindings for TLS"">RFC5929</a>] or on key material exported from
TLS [<a href="./rfc5705" title=""Keying Material Exporters for Transport Layer Security (TLS)"">RFC5705</a>].
The underlying protocol issue leading to these attacks is that the
TLS master secret is not guaranteed to be unique across sessions,
since it is not context-bound to the full handshake that generated
it. If we fix this problem in the initial master secret computation,
then all these attacks can be prevented. This specification
introduces a TLS extension that changes the way the "master_secret"
value is computed in a full handshake by including the log of the
handshake messages, so that different sessions will, by construction,
have different master secrets. This prevents the attacks described
in [<a href="#ref-TRIPLE-HS" title=""Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS"">TRIPLE-HS</a>] and documented in <a href="./rfc7457#section-2.11">Section 2.11 of [RFC7457]</a>.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Requirements Notation</span>
This document uses the same notation and terminology used in the TLS
protocol specification [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in <a href="./rfc2119">RFC</a>
<a href="./rfc2119">2119</a> [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. The TLS Session Hash</span>
When a full TLS handshake takes place, we define
session_hash = Hash(handshake_messages)
where "handshake_messages" refers to all handshake messages sent or
received, starting at the ClientHello up to and including the
ClientKeyExchange message, including the type and length fields of
the handshake messages. This is the concatenation of all the
exchanged Handshake structures, as defined in <a href="./rfc5246#section-7.4">Section 7.4 of
[RFC5246]</a>.
For TLS 1.2, the "Hash" function is the one defined in <a href="./rfc5246#section-7.4.9">Section 7.4.9
of [RFC5246]</a> for the Finished message computation. For all previous
versions of TLS, the "Hash" function computes the concatenation of
MD5 and SHA1.
There is no "session_hash" for resumed handshakes, as they do not
lead to the creation of a new session.
<span class="grey">Bhargavan, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. The Extended Master Secret</span>
When the extended master secret extension is negotiated in a full
handshake, the "master_secret" is computed as
master_secret = PRF(pre_master_secret, "extended master secret",
session_hash)
[0..47];
The extended master secret computation differs from that described in
[<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] in the following ways:
o The "extended master secret" label is used instead of "master
secret".
o The "session_hash" is used instead of the "ClientHello.random" and
"ServerHello.random".
The "session_hash" depends upon a handshake log that includes
"ClientHello.random" and "ServerHello.random", in addition to
ciphersuites, key exchange information, and certificates (if any)
from the client and server. Consequently, the extended master secret
depends upon the choice of all these session parameters.
This design reflects the recommendation that keys should be bound to
the security contexts that compute them [<a href="#ref-SP800-108" title=""Recommendation for Key Derivation Using Pseudorandom Functions (Revised)"">SP800-108</a>]. The technique
of mixing a hash of the key exchange messages into master key
derivation is already used in other well-known protocols such as
Secure Shell (SSH) [<a href="./rfc4251" title=""The Secure Shell (SSH) Protocol Architecture"">RFC4251</a>].
Clients and servers SHOULD NOT accept handshakes that do not use the
extended master secret, especially if they rely on features like
compound authentication that fall into the vulnerable cases described
in <a href="#section-6.1">Section 6.1</a>.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Extension Negotiation</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Extension Definition</span>
This document defines a new TLS extension, "extended_master_secret"
(with extension type 0x0017), which is used to signal both client and
server to use the extended master secret computation. The
"extension_data" field of this extension is empty. Thus, the entire
encoding of the extension is 00 17 00 00 (in hexadecimal.)
Although this document refers only to TLS, the extension proposed
here can also be used with Datagram TLS (DTLS) [<a href="./rfc6347" title=""Datagram Transport Layer Security Version 1.2"">RFC6347</a>].
<span class="grey">Bhargavan, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
If the client and server agree on this extension and a full handshake
takes place, both client and server MUST use the extended master
secret derivation algorithm, as defined in <a href="#section-4">Section 4</a>. All other
cryptographic computations remain unchanged.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Client and Server Behavior: Full Handshake</span>
In the following, we use the phrase "abort the handshake" as
shorthand for terminating the handshake by sending a fatal
"handshake_failure" alert.
In all handshakes, a client implementing this document MUST send the
"extended_master_secret" extension in its ClientHello.
If a server implementing this document receives the
"extended_master_secret" extension, it MUST include the extension in
its ServerHello message.
If both the ClientHello and ServerHello contain the extension, the
new session uses the extended master secret computation.
If the server receives a ClientHello without the extension, it SHOULD
abort the handshake if it does not wish to interoperate with legacy
clients. If it chooses to continue the handshake, then it MUST NOT
include the extension in the ServerHello.
If a client receives a ServerHello without the extension, it SHOULD
abort the handshake if it does not wish to interoperate with legacy
servers.
If the client and server choose to continue a full handshake without
the extension, they MUST use the standard master secret derivation
for the new session. In this case, the new session is not protected
by the mechanisms described in this document. So, implementers
should follow the guidelines in <a href="#section-5.4">Section 5.4</a> to avoid dangerous usage
scenarios. In particular, the master secret derived from the new
session should not be used for application-level authentication.
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Client and Server Behavior: Abbreviated Handshake</span>
The client SHOULD NOT offer an abbreviated handshake to resume a
session that does not use an extended master secret. Instead, it
SHOULD offer a full handshake.
If the client chooses to offer an abbreviated handshake even for such
sessions in order to support legacy insecure resumption, then the
current connection is not protected by the mechanisms in this
document. So, the client should follow the guidelines in <a href="#section-5.4">Section 5.4</a>
<span class="grey">Bhargavan, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
to avoid dangerous usage scenarios. In particular, renegotiation is
no longer secure on this connection, even if the client and server
support the renegotiation indication extension [<a href="./rfc5746" title=""Transport Layer Security (TLS) Renegotiation Indication Extension"">RFC5746</a>].
When offering an abbreviated handshake, the client MUST send the
"extended_master_secret" extension in its ClientHello.
If a server receives a ClientHello for an abbreviated handshake
offering to resume a known previous session, it behaves as follows:
o If the original session did not use the "extended_master_secret"
extension but the new ClientHello contains the extension, then the
server MUST NOT perform the abbreviated handshake. Instead, it
SHOULD continue with a full handshake (as described in
<a href="#section-5.2">Section 5.2</a>) to negotiate a new session.
o If the original session used the "extended_master_secret"
extension but the new ClientHello does not contain it, the server
MUST abort the abbreviated handshake.
o If neither the original session nor the new ClientHello uses the
extension, the server SHOULD abort the handshake. If it continues
with an abbreviated handshake in order to support legacy insecure
resumption, the connection is no longer protected by the
mechanisms in this document, and the server should follow the
guidelines in <a href="#section-5.4">Section 5.4</a>.
o If the new ClientHello contains the extension and the server
chooses to continue the handshake, then the server MUST include
the "extended_master_secret" extension in its ServerHello message.
If a client receives a ServerHello that accepts an abbreviated
handshake, it behaves as follows:
o If the original session did not use the "extended_master_secret"
extension but the new ServerHello contains the extension, the
client MUST abort the handshake.
o If the original session used the extension but the new ServerHello
does not contain the extension, the client MUST abort the
handshake.
If the client and server continue the abbreviated handshake, they
derive the connection keys for the new session as usual from the
master secret of the original session.
<span class="grey">Bhargavan, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
<span class="h3"><a class="selflink" id="section-5.4" href="#section-5.4">5.4</a>. Interoperability Considerations</span>
To allow interoperability with legacy clients and servers, a TLS peer
may decide to accept full handshakes that use the legacy master
secret computation. If so, they need to differentiate between
sessions that use legacy and extended master secrets by adding a flag
to the session state.
If a client or server chooses to continue with a full handshake
without the extended master secret extension, then the new session
becomes vulnerable to the man-in-the-middle key synchronization
attack described in <a href="#section-1">Section 1</a>. Hence, the client or server MUST NOT
export any key material based on the new master secret for any
subsequent application-level authentication. In particular, it MUST
disable [<a href="./rfc5705" title=""Keying Material Exporters for Transport Layer Security (TLS)"">RFC5705</a>] and any Extensible Authentication Protocol (EAP)
relying on compound authentication [<a href="#ref-COMPOUND-AUTH">COMPOUND-AUTH</a>].
If a client or server chooses to continue an abbreviated handshake to
resume a session that does not use the extended master secret, then
the current connection becomes vulnerable to a man-in-the-middle
handshake log synchronization attack as described in <a href="#section-1">Section 1</a>.
Hence, the client or server MUST NOT use the current handshake's
"verify_data" for application-level authentication. In particular,
the client MUST disable renegotiation and any use of the "tls-unique"
channel binding [<a href="./rfc5929" title=""Channel Bindings for TLS"">RFC5929</a>] on the current connection.
If the original session uses an extended master secret but the
ClientHello or ServerHello in the abbreviated handshake does not
include the extension, it MAY be safe to continue the abbreviated
handshake since it is protected by the extended master secret of the
original session. This scenario may occur, for example, when a
server that implements this extension establishes a session but the
session is subsequently resumed at a different server that does not
support the extension. Since such situations are unusual and likely
to be the result of transient or inadvertent misconfigurations, this
document recommends that the client and server MUST abort such
handshakes.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Security Considerations</span>
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Triple Handshake Preconditions and Impact</span>
One way to mount a triple handshake attack is described in <a href="#section-1">Section 1</a>,
along with a mention of the security mechanisms that break due to the
attack; more in-depth discussion and diagrams can be found in
[<a href="#ref-TRIPLE-HS" title=""Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS"">TRIPLE-HS</a>]. Here, some further discussion is presented about attack
preconditions and impact.
<span class="grey">Bhargavan, et al. Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
To mount a triple handshake attack, it must be possible to force the
same master secret on two different sessions. For this to happen,
two preconditions must be met:
o The client, C, must be willing to connect to a malicious server,
A. In certain contexts, like the web, this can be easily
achieved, since a browser can be instructed to load content from
an untrusted origin.
o The pre-master secret must be synchronized on the two sessions.
This is particularly easy to achieve with the RSA and DHE key
exchanges, but under some conditions, ECDHE, SRP, and PSK key
exchanges can be exploited to this effect as well.
Once the master secret is synchronized on two sessions, any security
property that relies on the uniqueness of the master secret is
compromised. For example, a TLS exporter [<a href="./rfc5705" title=""Keying Material Exporters for Transport Layer Security (TLS)"">RFC5705</a>] no longer
provides a unique key bound to the current session.
TLS session resumption also relies on the uniqueness of the master
secret to authenticate the resuming peers. Hence, if a synchronized
session is resumed, the peers cannot be sure about each other's
identities, and the attacker knows the connection keys. Clearly, a
precondition to this step of the attack is that both client and
server support session resumption (either via session identifier or
session tickets [<a href="./rfc5077" title=""Transport Layer Security (TLS) Session Resumption without Server-Side State"">RFC5077</a>]).
Additionally, in a synchronized abbreviated handshake, the whole
transcript (which includes the "verify_data" values) is synchronized.
So, after an abbreviated handshake, channel bindings like
"tls-unique" [<a href="./rfc5929" title=""Channel Bindings for TLS"">RFC5929</a>] will not uniquely identify the connection
anymore.
Synchronization of the "verify_data" in abbreviated handshakes also
undermines the security guarantees of the renegotiation indication
extension [<a href="./rfc5746" title=""Transport Layer Security (TLS) Renegotiation Indication Extension"">RFC5746</a>], re-enabling a prefix-injection flaw similar to
the renegotiation attack [<a href="#ref-Ray09" title=""Authentication Gap in TLS Renegotiation"">Ray09</a>]. However, in a triple handshake
attack, the client sees the server certificate changing across
different full handshakes. Hence, a precondition to mount this stage
of the attack is that the client accepts different certificates at
each handshake, even if their common names do not match. Before the
triple handshake attack was discovered, this used to be widespread
behavior, at least among some web browsers; such browsers were hence
vulnerable to the attack.
The extended master secret extension thwarts triple handshake attacks
at their first stage by ensuring that different sessions necessarily
end up with different master secret values. Hence, all security
<span class="grey">Bhargavan, et al. Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
properties relying on the uniqueness of the master secret are now
expected to hold. In particular, if a TLS session is protected by
the extended master secret extension, it is safe to resume it, to use
its channel bindings, and to allow for certificate changes across
renegotiation, meaning that all certificates are controlled by the
same peer. A symbolic cryptographic protocol analysis justifying the
extended master secret extension appears in [<a href="#ref-VERIFIED-BINDINGS">VERIFIED-BINDINGS</a>].
<span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. Cryptographic Properties of the Hash Function</span>
The session hashes of two different sessions need to be distinct;
hence, the "Hash" function used to compute the "session_hash" needs
to be collision resistant. As such, hash functions such as MD5 or
SHA1 are NOT RECOMMENDED.
We observe that the "Hash" function used in the Finished message
computation already needs to be collision resistant for the
renegotiation indication extension [<a href="./rfc5746" title=""Transport Layer Security (TLS) Renegotiation Indication Extension"">RFC5746</a>] to work, because a
meaningful collision on the handshake messages (and hence on the
"verify_data") may re-enable the renegotiation attack [<a href="#ref-Ray09" title=""Authentication Gap in TLS Renegotiation"">Ray09</a>].
The hash function used to compute the session hash depends on the TLS
protocol version. All current ciphersuites defined for TLS 1.2 use
SHA256 or better, and so does the session hash. For earlier versions
of the protocol, only MD5 and SHA1 can be assumed to be supported,
and this document does not require legacy implementations to add
support for new hash functions. In these versions, the session hash
uses the concatenation of MD5 and SHA1, as in the Finished message.
<span class="h3"><a class="selflink" id="section-6.3" href="#section-6.3">6.3</a>. Handshake Messages Included in the Session Hash</span>
The "session_hash" is intended to encompass all relevant session
information, including ciphersuite negotiation, key exchange
messages, and client and server identities. The hash is needed to
compute the extended master secret and hence must be available before
the Finished messages.
This document sets the "session_hash" to cover all handshake messages
up to and including the ClientKeyExchange. For existing TLS
ciphersuites, these messages include all the significant contents of
the new session -- CertificateVerify does not change the session
content. At the same time, this allows the extended master secret to
be computed immediately after the pre-master secret, so that
implementations can shred the temporary pre-master secret from memory
as early as possible.
<span class="grey">Bhargavan, et al. Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
It is possible that new ciphersuites or TLS extensions may include
additional messages between ClientKeyExchange and Finished that add
important session context. In such cases, some of the security
guarantees of this specification may no longer apply, and new man-in-
the-middle attacks may be possible. For example, if the client and
server support the session ticket extension [<a href="./rfc5077" title=""Transport Layer Security (TLS) Session Resumption without Server-Side State"">RFC5077</a>], the session
hash does not cover the new session ticket sent by the server.
Hence, a man-in-the-middle may be able to cause a client to store a
session ticket that was not meant for the current session. Attacks
based on this vector are not yet known, but applications that store
additional information in session tickets beyond those covered in the
session hash require careful analysis.
<span class="h3"><a class="selflink" id="section-6.4" href="#section-6.4">6.4</a>. No SSL 3.0 Support</span>
The Secure Sockets Layer (SSL) protocol version 3.0 [<a href="./rfc6101" title=""The Secure Sockets Layer (SSL) Protocol Version 3.0"">RFC6101</a>] is a
predecessor of the TLS protocol, and it is equally vulnerable to
triple handshake attacks, alongside other vulnerabilities stemming
from its use of obsolete cryptographic constructions that are now
considered weak. SSL 3.0 has been deprecated [<a href="./rfc7568" title=""Deprecating Secure Sockets Layer Version 3.0"">RFC7568</a>].
The countermeasure described in this document relies on a TLS
extension and hence cannot be used with SSL 3.0. Clients and servers
implementing this document SHOULD refuse SSL 3.0 handshakes. If they
choose to support SSL 3.0, the resulting sessions MUST use the legacy
master secret computation, and the interoperability considerations of
<a href="#section-5.4">Section 5.4</a> apply.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. IANA Considerations</span>
IANA has added the extension code point 23 (0x0017), which has been
used by prototype implementations, for the "extended_master_secret"
extension to the "ExtensionType Values" registry specified in the TLS
specification [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>].
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>,
DOI 10.17487/RFC2119, March 1997,
<<a href="http://www.rfc-editor.org/info/rfc2119">http://www.rfc-editor.org/info/rfc2119</a>>.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>,
DOI 10.17487/RFC5246, August 2008,
<<a href="http://www.rfc-editor.org/info/rfc5246">http://www.rfc-editor.org/info/rfc5246</a>>.
<span class="grey">Bhargavan, et al. Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-COMPOUND-AUTH">COMPOUND-AUTH</a>]
Asokan, N., Valtteri, N., and K. Nyberg, "Man-in-the-
Middle in Tunnelled Authentication Protocols", Security
Protocols, LNCS, Volume 3364, DOI 10.1007/11542322_6,
2005.
[<a id="ref-Ray09">Ray09</a>] Ray, M., "Authentication Gap in TLS Renegotiation", 2009.
[<a id="ref-RFC4251">RFC4251</a>] Ylonen, T. and C. Lonvick, Ed., "The Secure Shell (SSH)
Protocol Architecture", <a href="./rfc4251">RFC 4251</a>, DOI 10.17487/RFC4251,
January 2006, <<a href="http://www.rfc-editor.org/info/rfc4251">http://www.rfc-editor.org/info/rfc4251</a>>.
[<a id="ref-RFC5077">RFC5077</a>] Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
"Transport Layer Security (TLS) Session Resumption
without Server-Side State", <a href="./rfc5077">RFC 5077</a>,
DOI 10.17487/RFC5077, January 2008,
<<a href="http://www.rfc-editor.org/info/rfc5077">http://www.rfc-editor.org/info/rfc5077</a>>.
[<a id="ref-RFC5705">RFC5705</a>] Rescorla, E., "Keying Material Exporters for Transport
Layer Security (TLS)", <a href="./rfc5705">RFC 5705</a>, DOI 10.17487/RFC5705,
March 2010, <<a href="http://www.rfc-editor.org/info/rfc5705">http://www.rfc-editor.org/info/rfc5705</a>>.
[<a id="ref-RFC5746">RFC5746</a>] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
"Transport Layer Security (TLS) Renegotiation Indication
Extension", <a href="./rfc5746">RFC 5746</a>, DOI 10.17487/RFC5746, February
2010, <<a href="http://www.rfc-editor.org/info/rfc5746">http://www.rfc-editor.org/info/rfc5746</a>>.
[<a id="ref-RFC5929">RFC5929</a>] Altman, J., Williams, N., and L. Zhu, "Channel Bindings
for TLS", <a href="./rfc5929">RFC 5929</a>, DOI 10.17487/RFC5929, July 2010,
<<a href="http://www.rfc-editor.org/info/rfc5929">http://www.rfc-editor.org/info/rfc5929</a>>.
[<a id="ref-RFC6101">RFC6101</a>] Freier, A., Karlton, P., and P. Kocher, "The Secure
Sockets Layer (SSL) Protocol Version 3.0", <a href="./rfc6101">RFC 6101</a>,
DOI 10.17487/RFC6101, August 2011,
<<a href="http://www.rfc-editor.org/info/rfc6101">http://www.rfc-editor.org/info/rfc6101</a>>.
[<a id="ref-RFC6347">RFC6347</a>] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", <a href="./rfc6347">RFC 6347</a>, DOI 10.17487/RFC6347,
January 2012, <<a href="http://www.rfc-editor.org/info/rfc6347">http://www.rfc-editor.org/info/rfc6347</a>>.
[<a id="ref-RFC7457">RFC7457</a>] Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing
Known Attacks on Transport Layer Security (TLS) and
Datagram TLS (DTLS)", <a href="./rfc7457">RFC 7457</a>, DOI 10.17487/RFC7457,
February 2015, <<a href="http://www.rfc-editor.org/info/rfc7457">http://www.rfc-editor.org/info/rfc7457</a>>.
<span class="grey">Bhargavan, et al. Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
[<a id="ref-RFC7568">RFC7568</a>] Barnes, R., Thomson, M., Pironti, A., and A. Langley,
"Deprecating Secure Sockets Layer Version 3.0", <a href="./rfc7568">RFC 7568</a>,
DOI 10.17487/RFC7568, June 2015,
<<a href="http://www.rfc-editor.org/info/rfc7568">http://www.rfc-editor.org/info/rfc7568</a>>.
[<a id="ref-SP800-108">SP800-108</a>] Chen, L., "Recommendation for Key Derivation Using
Pseudorandom Functions (Revised)", NIST Special
Publication 800-108, 2009.
[<a id="ref-TRIPLE-HS">TRIPLE-HS</a>] Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti,
A., and P-Y. Strub, "Triple Handshakes and Cookie
Cutters: Breaking and Fixing Authentication over TLS",
IEEE Symposium on Security and Privacy,
DOI 10.1109/SP.2014.14, 2014.
[<a id="ref-VERIFIED-BINDINGS">VERIFIED-BINDINGS</a>]
Bhargavan, K., Delignat-Lavaud, A., and A. Pironti,
"Verified Contributive Channel Bindings for Compound
Authentication", Network and Distributed System Security
Symposium (NDSS), 2015.
Acknowledgments
Triple handshake attacks were originally discovered by Antoine
Delignat-Lavaud, Karthikeyan Bhargavan, and Alfredo Pironti. They
were further developed by the miTLS team: Cedric Fournet, Pierre-Yves
Strub, Markulf Kohlweiss, and Santiago Zanella-Beguelin. Many of the
ideas in this document emerged from discussions with Martin Abadi,
Ben Laurie, Nikos Mavrogiannopoulos, Manuel Pegourie-Gonnard, Eric
Rescorla, Martin Rex, and Brian Smith.
<span class="grey">Bhargavan, et al. Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7627">RFC 7627</a> TLS Session Hash Extension September 2015</span>
Authors' Addresses
Karthikeyan Bhargavan (editor)
Inria Paris-Rocquencourt
23, Avenue d'Italie
Paris 75214 CEDEX 13
France
Email: karthikeyan.bhargavan@inria.fr
Antoine Delignat-Lavaud
Inria Paris-Rocquencourt
23, Avenue d'Italie
Paris 75214 CEDEX 13
France
Email: antoine.delignat-lavaud@inria.fr
Alfredo Pironti
Inria Paris-Rocquencourt
23, Avenue d'Italie
Paris 75214 CEDEX 13
France
Email: alfredo.pironti@inria.fr
Adam Langley
Google Inc.
1600 Amphitheatre Parkway
Mountain View, CA 94043
United States
Email: agl@google.com
Marsh Ray
Microsoft Corp.
1 Microsoft Way
Redmond, WA 98052
United States
Email: maray@microsoft.com
Bhargavan, et al. Standards Track [Page 15]
</pre>
|
