The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

94 lines
4.0 KiB

  1. ---
  2. title: TLS Client Authentication Leaks User Info (pre-TLS1.3)
  3. description: >
  4. TLS Client Authentication Leaks User Info (pre-TLS1.3)
  5. created: !!timestamp '2018-10-15'
  6. time: 10:54 AM
  7. tags:
  8. - TLS
  9. - security
  10. ---
  11. It's been long known that TLS is not the best privacy protecting
  12. protocol in that SNI leaks what domain the client connects to. I'm a
  13. bit surprised that I haven't seen the failure to protect user
  14. information when using client authentication mentioned, but it's likely
  15. that TLS client authentication is so rarely used, that this have not
  16. been on anyone's radar.
  17. TL;DR: Just don't use TLS client authentication on anything before TLS
  18. 1.3.
  19. With TLS 1.2 and earlier, if you use client authentication, the client
  20. certificate is transmitted in the clear. This contains enough
  21. information to uniquely identify the user. If it didn't, then there
  22. would be no way for the server to do the authentication.
  23. The danger of this is that Eve (eavesdroppers) on path will be able to
  24. track your user's (or your) connections, where they connect from, figure
  25. out how much data they transfer between to/from your site and likely
  26. profile their usage.
  27. I was confident that this was the case as I know that the entire
  28. handshake is in the clear. It isn't till the Finished messages that
  29. the session becomes encrypted. (TLS 1.3 fixed this by using a new
  30. derived key, `[sender]_handshake_traffic_secret`, to encrypt all the
  31. server params, which the client will use to encrypt it's response to
  32. the certificate request in the server params.) I decided to verify
  33. that this was the case.
  34. I generated a server and a client certificate and key:
  35. ```
  36. openssl req -batch -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout server.key -out server.crt
  37. openssl req -batch -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout client.key -out client.crt
  38. ```
  39. I then launched the server, and included the `-Verify` and `-CAfile` options
  40. for `s_server` to request a client certificate:
  41. ```
  42. openssl s_server -accept 5829 -cert server.crt -key server.key -Verify 5 -CAfile client.crt -debug
  43. ```
  44. Then I ran tcpdump to capture the session:
  45. ```
  46. sudo tcpdump -s 0 -n -i lo0 -w clientcert.tcpdump port 5829
  47. ```
  48. And then the client to connect to the server:
  49. ```
  50. openssl s_client -connect localhost:5829 -key client.key -cert client.crt -debug
  51. ```
  52. A usual, non-client authenticated connection and close was about 17
  53. packets, but when I included the client authentication, it became 42
  54. packets (the answer!).
  55. I loaded the packet capture into wireshark, applied the SSL protocol
  56. analysis and confirmed that the client certificate was present in clear
  57. text:
  58. [![Wireshark shows TLS handshake with client authentication, with the client certificate displayed in plaintext.]([[!!images/tls.packet.capture.screenshot.png]])]({{ media_url('images/tls.packet.capture.screenshot.png') }})
  59. So, there you have it. Do not use client authentication, pre-TLS 1.3,
  60. if you care about the privacy of your users.
  61. It is safe to use client authentication w/ a TLS 1.3 server as long as
  62. the server requires all clients be 1.3 clients. If the key exchange
  63. algorithm is one of DHE_DSA, DHE_RSA, or an ECDH key exchange algorithm,
  64. the random bytes in the Hello messages are signed and these bytes are
  65. used by TLS 1.3 for downgrade protection. As the signature covers these
  66. bytes, the client would be able to detect any attempts to modify the
  67. server or client handshake messages to force a downgrade before it would
  68. send the client certificate.
  69. Thanks to Mike Hamburg for reviewing an earlier version of this blog
  70. post and pointing out that TLS 1.3 was not vulnerable to this and
  71. helping w/ some of the research to prove it.
  72. References:
  73. * [TLS 1.2 Protocol Diagram](https://tools.ietf.org/html/rfc5246#page-36)
  74. * [TLS 1.2 ServerKeyExchange](https://tools.ietf.org/html/rfc5246#page-52)
  75. * [ECC Cipher Suites for TLS ServerKeyExchange Signature](https://tools.ietf.org/html/rfc4492#page-20)
  76. * [TLS 1.3 Protocol Diagram](https://tools.ietf.org/html/rfc8446#section-2)
  77. * [TLS 1.3 Server Hello](https://tools.ietf.org/html/rfc8446#section-4.1.3) Downgrade Protection