|
Packit Service |
4684c1 |
@node How to use TLS in application protocols
|
|
Packit Service |
4684c1 |
@section How to use @acronym{TLS} in application protocols
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
This chapter is intended to provide some hints on how to use
|
|
Packit Service |
4684c1 |
@acronym{TLS} over simple custom made application protocols. The
|
|
Packit Service |
4684c1 |
discussion below mainly refers to the @acronym{TCP/IP} transport layer
|
|
Packit Service |
4684c1 |
but may be extended to other ones too.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@menu
|
|
Packit Service |
4684c1 |
* Separate ports::
|
|
Packit Service |
4684c1 |
* Upward negotiation::
|
|
Packit Service |
4684c1 |
@end menu
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Separate ports
|
|
Packit Service |
4684c1 |
@subsection Separate ports
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Traditionally @acronym{SSL} was used in application protocols by
|
|
Packit Service |
4684c1 |
assigning a new port number for the secure services. By doing this two
|
|
Packit Service |
4684c1 |
separate ports were assigned, one for the non-secure sessions, and one
|
|
Packit Service |
4684c1 |
for the secure sessions. This method ensures that if a user requests a
|
|
Packit Service |
4684c1 |
secure session then the client will attempt to connect to the secure port
|
|
Packit Service |
4684c1 |
and fail otherwise. The only possible attack with this method is to perform
|
|
Packit Service |
4684c1 |
a denial of service attack. The most famous example of this method is
|
|
Packit Service |
4684c1 |
``HTTP over TLS'' or @acronym{HTTPS} protocol @xcite{RFC2818}.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Despite its wide use, this method has several issues. This
|
|
Packit Service |
4684c1 |
approach starts the @acronym{TLS} Handshake procedure just after the
|
|
Packit Service |
4684c1 |
client connects on the ---so called--- secure port. That way the
|
|
Packit Service |
4684c1 |
@acronym{TLS} protocol does not know anything about the client, and
|
|
Packit Service |
4684c1 |
popular methods like the host advertising in HTTP do not
|
|
Packit Service |
4684c1 |
work@footnote{See also the Server Name Indication extension on
|
|
Packit Service |
4684c1 |
@ref{serverind}.}. There is no way for the client to say ``I
|
|
Packit Service |
4684c1 |
connected to YYY server'' before the Handshake starts, so the server
|
|
Packit Service |
4684c1 |
cannot possibly know which certificate to use.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Other than that it requires two separate ports to run a single
|
|
Packit Service |
4684c1 |
service, which is unnecessary complication. Due to the fact that there
|
|
Packit Service |
4684c1 |
is a limitation on the available privileged ports, this approach was
|
|
Packit Service |
4684c1 |
soon deprecated in favor of upward negotiation.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@node Upward negotiation
|
|
Packit Service |
4684c1 |
@subsection Upward negotiation
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
Other application protocols@footnote{See LDAP, IMAP etc.} use a
|
|
Packit Service |
4684c1 |
different approach to enable the secure layer. They use something
|
|
Packit Service |
4684c1 |
often called as the ``TLS upgrade'' method. This method is quite tricky but it
|
|
Packit Service |
4684c1 |
is more flexible. The idea is to extend the application protocol to
|
|
Packit Service |
4684c1 |
have a ``STARTTLS'' request, whose purpose it to start the TLS
|
|
Packit Service |
4684c1 |
protocols just after the client requests it. This approach
|
|
Packit Service |
4684c1 |
does not require any extra port to be reserved.
|
|
Packit Service |
4684c1 |
There is even an extension to HTTP protocol to support
|
|
Packit Service |
4684c1 |
this method @xcite{RFC2817}.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
The tricky part, in this method, is that the ``STARTTLS'' request is
|
|
Packit Service |
4684c1 |
sent in the clear, thus is vulnerable to modifications. A typical
|
|
Packit Service |
4684c1 |
attack is to modify the messages in a way that the client is fooled
|
|
Packit Service |
4684c1 |
and thinks that the server does not have the ``STARTTLS'' capability.
|
|
Packit Service |
4684c1 |
See a typical conversation of a hypothetical protocol:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@quotation
|
|
Packit Service |
4684c1 |
(client connects to the server)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CLIENT: HELLO I'M MR. XXX
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
SERVER: NICE TO MEET YOU XXX
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CLIENT: PLEASE START TLS
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
SERVER: OK
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
*** TLS STARTS
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CLIENT: HERE ARE SOME CONFIDENTIAL DATA
|
|
Packit Service |
4684c1 |
@end quotation
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
And an example of a conversation where someone is acting
|
|
Packit Service |
4684c1 |
in between:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@quotation
|
|
Packit Service |
4684c1 |
(client connects to the server)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CLIENT: HELLO I'M MR. XXX
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
SERVER: NICE TO MEET YOU XXX
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CLIENT: PLEASE START TLS
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(here someone inserts this message)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
SERVER: SORRY I DON'T HAVE THIS CAPABILITY
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CLIENT: HERE ARE SOME CONFIDENTIAL DATA
|
|
Packit Service |
4684c1 |
@end quotation
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
As you can see above the client was fooled, and was na@"ive enough to
|
|
Packit Service |
4684c1 |
send the confidential data in the clear, despite the server telling the
|
|
Packit Service |
4684c1 |
client that it does not support ``STARTTLS''.
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
How do we avoid the above attack? As you may have already noticed this
|
|
Packit Service |
4684c1 |
situation is easy to avoid. The client has to ask the user before it
|
|
Packit Service |
4684c1 |
connects whether the user requests @acronym{TLS} or not. If the user
|
|
Packit Service |
4684c1 |
answered that he certainly wants the secure layer the last
|
|
Packit Service |
4684c1 |
conversation should be:
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
@quotation
|
|
Packit Service |
4684c1 |
(client connects to the server)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CLIENT: HELLO I'M MR. XXX
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
SERVER: NICE TO MEET YOU XXX
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CLIENT: PLEASE START TLS
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(here someone inserts this message)
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
SERVER: SORRY I DON'T HAVE THIS CAPABILITY
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
CLIENT: BYE
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
(the client notifies the user that the secure connection was not possible)
|
|
Packit Service |
4684c1 |
@end quotation
|
|
Packit Service |
4684c1 |
|
|
Packit Service |
4684c1 |
This method, if implemented properly, is far better than the
|
|
Packit Service |
4684c1 |
traditional method, and the security properties remain the same, since
|
|
Packit Service |
4684c1 |
only denial of service is possible. The benefit is that the server may
|
|
Packit Service |
4684c1 |
request additional data before the @acronym{TLS} Handshake protocol
|
|
Packit Service |
4684c1 |
starts, in order to send the correct certificate, use the correct
|
|
Packit Service |
4684c1 |
password file, or anything else!
|