Triple Handshake Attacks Target TLS Resumption, Renegotiation

A team of researchers has published a paper that explains a number of attacks against websites and Web-based applications running TLS.

A team of researchers has published a paper that explains a number of attacks against websites and Web-based applications running TLS. The researchers’ techniques do not exploit implementation errors, the most common attack vector against encryption securing online communication, instead focus on exploiting features of the protocol that include session resumption followed by client authentication during session renegotiation.

The paper, called “Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS,” describes in detail how an attacker can use a man-in-the-middle attack to successfully impersonate a TLS client in attacks against TLS renegotiations, wireless networks, challenge-response protocols and channel-bound cookies.

Written by Karthikeyan Bhargavan, Antoine Delignat-Lavaud and Alfredo Pironti of the Prosecco research team at INRIA Paris-Rocquencourt, C’edric Fournet at Microsoft Research, Cambridge, and Pierre-Yves Strub of the IMDEA Software Institute, the paper demonstrates how an attacker could force a client running TLS to connect to an attacker-controlled server with an authenticated credential. The attacker’s server will then be able to impersonate the client at another server accepting the same credential, via single sign-on, for example.

“Concretely, the malicious server performs a man-in-the-middle attack on three successive handshakes between the honest client and server, and succeeds in impersonating the client on the third handshake,” the researchers wrote.

The researchers said their attacks work against leading browsers, VPN applications, and HTTPS libraries; different takes on the attacks that do not rely on renegotiation, for example, can enable spoofing of other TLS authentication such as PEAP, SASL and Channel ID.

“Our attacks exploit a lack of cross-connection binding when TLS sessions are resumed on new connections,” the researchers wrote. “Moreover, our attacks do not require an active network adversary but can be mounted only with a malicious server or website.”

The researchers dug into four TLS weaknesses, starting with a problem in the RSA handshake that enables impersonation via an unknown key-share attack, as well as another weakness in the Diffie-Hellman Exchange handshake where an attacker can use a man-in-the-middle attack between the client and server to steal sessions sharing the same keys, a different take on the same unknown key-share attack.

Session resumption on a new connection exhibits another weak link exploiting the fact that it uses an abbreviated handshake that can be forwarded between connections and accepted because it does not re-authenticate the client and server identities.

The fourth TLS issue happens during renegotiation, the researchers said, where the server and client certificates can change and applications are not properly instructed how to deal with changes and may not implement the best cert for the situation.

The researchers disclosed the vulnerabilities to a number of vendors, including the major browser vendors Apple, Google, Microsoft and Mozilla, all of which implemented a patch or some mitigation. OpenSSL, GnuTLS and GNU SASL said mitigations are pending.

Suggested articles