On Wed, Feb 21, 2018 at 6:13 AM, Hubert Kario <hka...@redhat.com> wrote:

> On Friday, 16 February 2018 18:06:41 CET The IESG wrote:
> > The IESG has received a request from the Transport Layer Security WG (tls)
> > to consider the following document: - 'The Transport Layer Security (TLS)
> > Protocol Version 1.3'
> >   <draft-ietf-tls-tls13-24.txt> as Proposed Standard
>
> The current draft states that if the server recognises an identity but is
> unable to verify corresponding binder, it "MUST abort the handshake"
>

Which text are you referring to here?

-Ekr

> at the same time, they "SHOULD select a single PSK and validate solely the
> binder that corresponds to that PSK"
> (Page 60, draft-ietf-tls-tls13-24).
>
> That allows for trivial enumeration of externally established identities -
> the attacker just needs to send to the server a list of identity guesses, with
> random data as binders, if the server recognises any identity it will abort
> connection, if it doesn't, it will continue to a non-PSK handshake.
>
> Behaviour like this is generally considered a vulnerability:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
>
> I was wondering if the document shouldn't recommend ignoring any and all
> identities for which binders do not verify to prevent this kind of attack.
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
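The two server behaviours discussed in this thread, side by side, as an added example that is not code from the thread, the draft, or any TLS implementation. All function names, identities and keys are hypothetical, and the binder is a plain HMAC over a constructed transcript rather than the HKDF-based derivation TLS 1.3 uses.

```python
import hashlib
import hmac

# Constructed sample data: externally established PSKs the server knows.
PSK_TABLE = {b"device-01": bytes(range(32)), b"device-02": bytes(range(32, 64))}
DUMMY_KEY = b"\x00" * 32  # assumption: unknown identities cost the same HMAC work

def binder(psk, transcript):
    # Simplified stand-in: real TLS 1.3 derives a binder key from the PSK via HKDF.
    return hmac.new(psk, transcript, hashlib.sha256).digest()

def select_abort_on_mismatch(offers, transcript):
    """Pick the first recognised identity, check only its binder, abort on failure."""
    for identity, offered in offers:
        psk = PSK_TABLE.get(identity)
        if psk is None:
            continue
        if hmac.compare_digest(binder(psk, transcript), offered):
            return ("psk", identity)
        return ("abort", None)
    return ("non_psk_handshake", None)

def select_ignore_unverified(offers, transcript):
    """Skip every identity whose binder does not verify, known or not."""
    for identity, offered in offers:
        psk = PSK_TABLE.get(identity)
        ok = hmac.compare_digest(binder(psk or DUMMY_KEY, transcript), offered)
        if psk is not None and ok:
            return ("psk", identity)
    return ("non_psk_handshake", None)

def outcome_reveals_identity(policy, transcript=b"constructed ClientHello"):
    """True if a bad binder gets a different outcome for a known vs unknown identity."""
    bad = b"\xff" * 32  # constructed binder that matches no PSK
    known = policy([(b"device-01", bad)], transcript)
    unknown = policy([(b"no-such-id", bad)], transcript)
    return known[0] != unknown[0]

if __name__ == "__main__":
    for policy in (select_abort_on_mismatch, select_ignore_unverified):
        print(policy.__name__, "reveals identity:", outcome_reveals_identity(policy))
```

The `outcome_reveals_identity` check can be kept as a regression test for a server's PSK selection code.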