[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Revised TSL handshake proposal question

To: or-dev@xxxxxxxx
Subject: Revised TSL handshake proposal question
From: Lucky Green <shamrock@xxxxxxxxxxxxxx>
Date: Wed, 21 Nov 2007 07:30:22 +0100
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-dev-outgoing@xxxxxxxx
Delivered-to: or-dev@xxxxxxxx
Delivery-date: Wed, 21 Nov 2007 01:30:31 -0500
Reply-to: or-dev@xxxxxxxxxxxxx
Sender: owner-or-dev@xxxxxxxxxxxxx

Folks,
I read Steven.s proposal to change the Tor SSL handshake at 
https://www.torproject.org/svn/trunk/doc/spec/proposals/124-tls-certificates.txt

If I understand the preamble correctly, the goal of this proposal is to 
solve the following problem:

- common https connections only involve presentation of an SSL server 
cert.
- https connections that use client certificates are relatively rare.
- Tor authenticates both sides of the SSL connection using both server and 
client certificates.
- A passive observer can therefore distinguish common https traffic from 
Tor traffic by watching for a client cert being presented in the initial 
SSL handshake.

It is therefore desirable to present the client cert after the initial 
SSL-encrypted tunnel only using a server cert has been established. The 
spec proposes a method to implement such capability.

If I misunderstand the goals of this proposal, you may ignore the 
remainder of this post.

SSLv3 and TLS permit either the client or the server to request an SSL 
renegotiation. The content of the renegotiation and any certificates 
exchanged during the renegotiation are encrypted using the SSL connection 
that was previously established.

This means that an SSL renegotiation permits the client to present an SSL 
client cert to the server inside the initial SSL encrypted connection. Not 
revealing the client cert to an observer was very much one of the use 
cases considered during the initial SSLv3 and later TLS specification 
efforts. The idea at the time was that clients may store a great many 
certificates, one for each services they wish to access. For example, a 
website portal containing health education information may offer a number 
of forums, one for those suffering from cancer, another for those 
suffering from AIDS. Each using a client cert rather than UID/PW to access 
the forum. You wouldn't want the observer to be able to determine which 
particular forum a visitor is logging into or that they are logging into a 
forum at all.

While client certificates have not yet become as ubiquitous as was 
considered possible during the SSLv3 specification days with individual 
users potentially holding hundreds of certificates, the ability to request 
a renegotiation of an SSL session to step up from a server authenticated 
to a client authenticated connection is built into every major SSL/TLS 
implementation, including OpenSSL.

With this in mind, it is not clear to me which security properties the 
proposal will give you that you cannot natively obtain from TLS.

I of course recognize that an observer may be able to determine from 
watching the number of encrypted bits exchanged that the encrypted SSL 
connection likely contains an SSL renegotiation payload. Alas, there are 
many aspects of Tor that would permit for protocol identification based on 
traffic analysis.

You may wish to consider using TLS-native capabilities to obscure the 
client certificate exchange by using SSL renegotiation instead.

--Lucky

Follow-Ups:
- Re: Revised TSL handshake proposal question
  - From: Roger Dingledine

Prev by Author: FEATURE IDEA: Hidden Directory Authorities
Next by Author: Re: bridge and bridge authority proposal
Previous by thread: Re: bug with entry guards on 0.2.0.9-alpha
Next by thread: Re: Revised TSL handshake proposal question
Index(es):
- Author
- Thread