Der Triple Handshake Angriff auf TLS im Überblick
Das folgende "Bild" zeigt die drei Handshakes des Triple Handshake Angriffs im Zusammenhang (nach den ersten drei Bildern in "Triple Handshakes Considered Harmful: Breaking and Fixing Authentication over TLS").
Drei Handshakes sind gefährlich
Schritt 1
Benutzer Angreifer Ziel
Client C Server A Server S
¦ ¦ ¦
¦--> ClientHello(cr, [RSA, DH], ...) -------->¦ ¦
¦ ¦--> ClientHello(cr, [RSA], ...) ---------------->¦
¦ ¦ ¦
¦ ¦ ¦
¦<------------------------------------------------ ServerHello(sr, sid, RSA, ENC_ALG) <---------¦
¦ ¦ ¦
¦ ¦<-- ServerCertificate(cert_S, pk_S) <------------¦
¦<-- ServerCertificate(cert_A, pk_A) <--------¦ ¦
¦ ¦ ¦
¦<------------------------------------------------ ServerHelloDone <----------------------------¦
¦ ¦ ¦
¦ ¦ ¦
¦--> ClientKeyExchange(rsa(pms, pk_A)) ------>¦ ¦
¦ ¦--> ClientKeyExchange(rsa(pms, pk_S)) ---------->¦
¦ ¦ ¦
¦--> ClientCCS -------------------------------------------------------------------------------->¦
¦ ¦ ¦
¦--> ClientFinished(verifydata(log_1, ms)) -->¦ ¦
¦ ¦--> ClientFinished(verifydata(log'_1, ms)) ----->¦
¦ ¦ ¦
¦ ¦ ¦
¦<------------------------------------------------ ServerCCS <----------------------------------¦
¦ ¦ ¦
¦ ¦<-- ServerFinished(verifydata(log_2, ms)) <------¦
¦<-- ServerFinished(verifydata(log'_2, ms)) <-¦ ¦
¦ ¦ ¦
¦ ¦ ¦
neue Session: kennt: neue Session:
sid, ms, anon->cert_A sid, ms, cr, sr sid, ms, anon->cert_S
cr, sr, RSA, ENC_ALG ¦ cr, sr, RSA, ENC_ALG
¦ ¦ ¦
¦ ¦ ¦
¦--> Anwendungs-Daten ------------------------------------------------------------------------->¦
¦<------------------------------------------------ Anwendungs-Daten <---------------------------¦
¦ ¦ ¦
¦ Schritt 2 ¦ ¦
¦ ¦ ¦
¦--> ClientHello(cr', sid) -------------------------------------------------------------------->¦
¦ ¦ ¦
¦<------------------------------------------------ ServerHello(sr', sid) <----------------------¦
¦ ¦ ¦
¦<------------------------------------------------ ServerCCS <----------------------------------¦
¦ ¦ ¦
¦<------------------------------------------------ ServerFinished(cvd=verifydata(log_1, ms)) <--¦
¦ ¦ ¦
¦--> ClientCCS -------------------------------------------------------------------------------->¦
¦ ¦ ¦
¦--> ClientFinished(svd=verifydata(log_2, ms)) ------------------------------------------------>¦
¦ ¦ ¦
neue Verbindung: kennt: neue Verbindung:
sid, ms, cr', sr', cvd, svd sid, ms, cr', sr' sid, ms, cr', sr', cvd, svd
¦ ¦ ¦
¦ ¦ ¦
¦ ¦ ¦
¦--> Anwendungs-Daten ------------------------------------------------------------------------->¦
¦<------------------------------------------------ Anwendungs-Daten <---------------------------¦
¦ ¦ ¦
¦ Schritt 3 ¦ ¦
¦ ¦ ¦
vorhandene Session: kennt: vorhandene Session:
sid, ms, anon->cert_A sid, ms, cr, sr sid, ms, anon->cert_S
cr, sr, RSA, ENC_ALG ¦ cr, sr, RSA, ENC_ALG
¦ ¦ ¦
vorhandene Verbindung: kennt: vorhandene Verbindung:
sid, ms, cr', sr', cvd, svd sid, ms, cr', sr' sid, ms, cr', sr', cvd, svd
¦ ¦ ¦
¦<-- Anwendungs-Daten_1 -------------------------- Anwendungs-Daten_2 ------------------------->¦
¦ ¦ ¦
¦--> ClientHello(cr", [KEX_ALG'], [ENC_ALG'], cvd) -------------------------------------------->¦
¦ ¦ ¦
¦<------------------------------------ ServerHello(sr", sid', KEX_ALG', ENC_ALG', cvd, svd) <---¦
¦ ¦ ¦
¦<------------------------------------------------ ServerCertificate(cert_S, pk_S) <------------¦
¦ ¦ ¦
¦<------------------------------------------------ ServerKeyExchange(sign(kex_s, sk_s)) <-------¦
¦ ¦ ¦
¦<------------------------------------------------ CertificateRequest <-------------------------¦
¦ ¦ ¦
¦<------------------------------------------------ ServerHelloDone <----------------------------¦
¦ ¦ ¦
¦ ¦ ¦
¦--> ClientCertificate(cert_C, pk_C)) --------------------------------------------------------->¦
¦ ¦ ¦
¦--> ClientKeyExchange(kex_C) ----------------------------------------------------------------->¦
¦ ¦ ¦
¦--> CertificateVerify(sign(log_1, sk_C), cert_C) --------------------------------------------->¦
¦ ¦ ¦
¦--> ClientCCS -------------------------------------------------------------------------------->¦
¦ ¦ ¦
¦--> ClientFinished(verifydata(log_2, ms') ---------------------------------------------------->¦
¦ ¦ ¦
¦<------------------------------------------------ ServerCCS <----------------------------------¦
¦ ¦ ¦
¦<------------------------------------------------ ServerFinished(verifydata(log_3, ms')) <-----¦
¦ ¦ ¦
¦ ¦ ¦
neue Session: kennt: neue Session:
sid', ms', cert_C->cert_S cert_C sid, ms, cert_C->cert_S
cr", sr", KEX_ALG', ENC_ALG' ¦ cr", sr", KEX_ALG', ENC_ALG'
¦ ¦ ¦
¦--> Anwendungs-Daten_3------------------------------------------------------------------------>¦
¦ ¦ ¦
¦<------------------------------------------------ Anwendungs-Daten_4 <-------------------------¦
¦ ¦ ¦
Erhalten von A: Erhalten von C:
Anwendungs-Daten_1 Anwendungs-Daten_2
+ +
Anwendungs-Daten_4 Anwendungs-Daten_3
Trackbacks