Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
draft-bhargavan-tls-session-hash-01
Document | Type | Expired Internet-Draft (individual) | |
---|---|---|---|
Authors | Karthikeyan Bhargavan , Antoine Delignat-Lavaud , Alfredo Pironti , Adam Langley , Marsh Ray | ||
Last updated | 2015-01-22 (latest revision 2014-07-21) | ||
Stream | (None) | ||
Intended RFC status | (None) | ||
Formats |
Expired & archived
pdf
htmlized (tools)
htmlized
bibtex
|
||
Stream | Stream state | (No stream defined) | |
Consensus Boilerplate | Unknown | ||
RFC Editor Note | (None) | ||
IESG | IESG state | Expired | |
Telechat date | |||
Responsible AD | (None) | ||
Send notices to | (None) |
https://www.ietf.org/archive/id/draft-bhargavan-tls-session-hash-01.txt
Abstract
The Transport Layer Security (TLS) master secret is not cryptographically bound to important session parameters such as the client and server identities. Consequently, it is possible for an active attacker to set up two sessions, one with a client and another with a server such that the master secrets on the two sessions are the same. Thereafter, any mechanism that relies on the master secret for authentication, including renegotiation after session resumption, becomes vulnerable to a man-in-the-middle attack, where the attacker can simply forward messages back and forth between the client and server. This specification defines a TLS extension that contextually binds the master secret to a log of the full handshake that computes it, thus preventing such attacks.
Authors
Karthikeyan Bhargavan
(karthikeyan.bhargavan@inria.fr)
Antoine Delignat-Lavaud
(antoine.delignat-lavaud@inria.fr)
Alfredo Pironti
(alfredo.pironti@inria.fr)
Adam Langley
(agl@google.com)
Marsh Ray
(maray@microsoft.com)
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)