jmg
/
blog
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
The blog.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
107 Commits
1 Branch
4.6 MiB
 
 
 
 
Tree: 3e9df87cf1
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '3e9df87cf1'
${ noResults }
blog/content/2018/10/tls-client-authentication-l...

95 lines
4.1 KiB
Raw Blame History 

  1. ---

  2. title: TLS Client Authentication Leaks User Info (pre-TLS1.3)

  3. description: >

  4.   TLS Client Authentication Leaks User Info (pre-TLS1.3)

  5. posted: !!timestamp '2018-10-15'

  6. created: !!timestamp '2018-10-15'

  7. time: 10:54 AM

  8. tags:

  9.   - TLS

  10.   - security

  11. ---

  12. 

  13. It's been long known that TLS is not the best privacy protecting

  14. protocol in that SNI leaks what domain the client connects to.  I'm a

  15. bit surprised that I haven't seen the failure to protect user

  16. information when using client authentication mentioned, but it's likely

  17. that TLS client authentication is so rarely used, that this have not

  18. been on anyone's radar.

  19. 

  20. TL;DR: Just don't use TLS client authentication on anything before TLS

  21. 1.3.

  22. 

  23. With TLS 1.2 and earlier, if you use client authentication, the client

  24. certificate is transmitted in the clear.  This contains enough

  25. information to uniquely identify the user.  If it didn't, then there

  26. would be no way for the server to do the authentication.

  27. 

  28. The danger of this is that Eve (eavesdroppers) on path will be able to

  29. track your user's (or your) connections, where they connect from, figure

  30. out how much data they transfer between to/from your site and likely

  31. profile their usage.

  32. 

  33. I was confident that this was the case as I know that the entire

  34. handshake is in the clear.  It isn't till the Finished messages that

  35. the session becomes encrypted.  (TLS 1.3 fixed this by using a new

  36. derived key, `[sender]_handshake_traffic_secret`, to encrypt all the

  37. server params, which the client will use to encrypt it's response to

  38. the certificate request in the server params.)  I decided to verify

  39. that this was the case.

  40. 

  41. I generated a server and a client certificate and key:

  42. ```

  43. openssl req -batch -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout server.key -out server.crt

  44. openssl req -batch -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout client.key -out client.crt

  45. ```

  46. 

  47. I then launched the server, and included the `-Verify` and `-CAfile` options

  48. for `s_server` to request a client certificate:

  49. ```

  50. openssl s_server -accept 5829 -cert server.crt -key server.key -Verify 5 -CAfile client.crt -debug

  51. ```

  52. 

  53. Then I ran tcpdump to capture the session:

  54. ```

  55. sudo tcpdump -s 0 -n -i lo0 -w clientcert.tcpdump port 5829

  56. ```

  57. 

  58. And then the client to connect to the server:

  59. ```

  60. openssl s_client -connect localhost:5829 -key client.key -cert client.crt -debug

  61. ```

  62. 

  63. A usual, non-client authenticated connection and close was about 17

  64. packets, but when I included the client authentication, it became 42

  65. packets (the answer!).

  66. 

  67. I loaded the packet capture into wireshark, applied the SSL protocol

  68. analysis and confirmed that the client certificate was present in clear

  69. text:

  70. [![Wireshark shows TLS handshake with client authentication, with the client certificate displayed in plaintext.]([[!!images/tls.packet.capture.screenshot.png]])]({{ media_url('images/tls.packet.capture.screenshot.png') }})

  71. 

  72. So, there you have it.  Do not use client authentication, pre-TLS 1.3,

  73. if you care about the privacy of your users.

  74. 

  75. It is safe to use client authentication w/ a TLS 1.3 server as long as

  76. the server requires all clients be 1.3 clients.  If the key exchange

  77. algorithm is one of DHE_DSA, DHE_RSA, or an ECDH key exchange algorithm,

  78. the random bytes in the Hello messages are signed and these bytes are

  79. used by TLS 1.3 for downgrade protection.  As the signature covers these

  80. bytes, the client would be able to detect any attempts to modify the

  81. server or client handshake messages to force a downgrade before it would

  82. send the client certificate.

  83. 

  84. Thanks to Mike Hamburg for reviewing an earlier version of this blog

  85. post and pointing out that TLS 1.3 was not vulnerable to this and

  86. helping w/ some of the research to prove it.

  87. 

  88. References:

  89. 

  90. * [TLS 1.2 Protocol Diagram](https://tools.ietf.org/html/rfc5246#page-36)

  91. * [TLS 1.2 ServerKeyExchange](https://tools.ietf.org/html/rfc5246#page-52)

  92. * [ECC Cipher Suites for TLS ServerKeyExchange Signature](https://tools.ietf.org/html/rfc4492#page-20)

  93. * [TLS 1.3 Protocol Diagram](https://tools.ietf.org/html/rfc8446#section-2)

  94. * [TLS 1.3 Server Hello](https://tools.ietf.org/html/rfc8446#section-4.1.3) Downgrade Protection