jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
55 Commits
1 Branch
4.6 MiB
 
 
 
 
Tree: 34b0aa74e2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '34b0aa74e2'
${ noResults }
blog/content/2018/10/tls-client-authentication-l...

94 lines
4.0 KiB
Raw Blame History 

  1. ---

  2. title: TLS Client Authentication Leaks User Info (pre-TLS1.3)

  3. description: >

  4.   TLS Client Authentication Leaks User Info (pre-TLS1.3)

  5. created: !!timestamp '2018-10-15'

  6. time: 10:54 AM

  7. tags:

  8.   - TLS

  9.   - security

  10. ---

  11. 

  12. It's been long known that TLS is not the best privacy protecting

  13. protocol in that SNI leaks what domain the client connects to.  I'm a

  14. bit surprised that I haven't seen the failure to protect user

  15. information when using client authentication mentioned, but it's likely

  16. that TLS client authentication is so rarely used, that this have not

  17. been on anyone's radar.

  18. 

  19. TL;DR: Just don't use TLS client authentication on anything before TLS

  20. 1.3.

  21. 

  22. With TLS 1.2 and earlier, if you use client authentication, the client

  23. certificate is transmitted in the clear.  This contains enough

  24. information to uniquely identify the user.  If it didn't, then there

  25. would be no way for the server to do the authentication.

  26. 

  27. The danger of this is that Eve (eavesdroppers) on path will be able to

  28. track your user's (or your) connections, where they connect from, figure

  29. out how much data they transfer between to/from your site and likely

  30. profile their usage.

  31. 

  32. I was confident that this was the case as I know that the entire

  33. handshake is in the clear.  It isn't till the Finished messages that

  34. the session becomes encrypted.  (TLS 1.3 fixed this by using a new

  35. derived key, `[sender]_handshake_traffic_secret`, to encrypt all the

  36. server params, which the client will use to encrypt it's response to

  37. the certificate request in the server params.)  I decided to verify

  38. that this was the case.

  39. 

  40. I generated a server and a client certificate and key:

  41. ```

  42. openssl req -batch -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout server.key -out server.crt

  43. openssl req -batch -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout client.key -out client.crt

  44. ```

  45. 

  46. I then launched the server, and included the `-Verify` and `-CAfile` options

  47. for `s_server` to request a client certificate:

  48. ```

  49. openssl s_server -accept 5829 -cert server.crt -key server.key -Verify 5 -CAfile client.crt -debug

  50. ```

  51. 

  52. Then I ran tcpdump to capture the session:

  53. ```

  54. sudo tcpdump -s 0 -n -i lo0 -w clientcert.tcpdump port 5829

  55. ```

  56. 

  57. And then the client to connect to the server:

  58. ```

  59. openssl s_client -connect localhost:5829 -key client.key -cert client.crt -debug

  60. ```

  61. 

  62. A usual, non-client authenticated connection and close was about 17

  63. packets, but when I included the client authentication, it became 42

  64. packets (the answer!).

  65. 

  66. I loaded the packet capture into wireshark, applied the SSL protocol

  67. analysis and confirmed that the client certificate was present in clear

  68. text:

  69. [![Wireshark shows TLS handshake with client authentication, with the client certificate displayed in plaintext.]([[!!images/tls.packet.capture.screenshot.png]])]({{ media_url('images/tls.packet.capture.screenshot.png') }})

  70. 

  71. So, there you have it.  Do not use client authentication, pre-TLS 1.3,

  72. if you care about the privacy of your users.

  73. 

  74. It is safe to use client authentication w/ a TLS 1.3 server as long as

  75. the server requires all clients be 1.3 clients.  If the key exchange

  76. algorithm is one of DHE_DSA, DHE_RSA, or an ECDH key exchange algorithm,

  77. the random bytes in the Hello messages are signed and these bytes are

  78. used by TLS 1.3 for downgrade protection.  As the signature covers these

  79. bytes, the client would be able to detect any attempts to modify the

  80. server or client handshake messages to force a downgrade before it would

  81. send the client certificate.

  82. 

  83. Thanks to Mike Hamburg for reviewing an earlier version of this blog

  84. post and pointing out that TLS 1.3 was not vulnerable to this and

  85. helping w/ some of the research to prove it.

  86. 

  87. References:

  88. 

  89. * [TLS 1.2 Protocol Diagram](https://tools.ietf.org/html/rfc5246#page-36)

  90. * [TLS 1.2 ServerKeyExchange](https://tools.ietf.org/html/rfc5246#page-52)

  91. * [ECC Cipher Suites for TLS ServerKeyExchange Signature](https://tools.ietf.org/html/rfc4492#page-20)

  92. * [TLS 1.3 Protocol Diagram](https://tools.ietf.org/html/rfc8446#section-2)

  93. * [TLS 1.3 Server Hello](https://tools.ietf.org/html/rfc8446#section-4.1.3) Downgrade Protection