Bug 1421572 - Early exporters don't include ClientHello
Status: Closed, RESOLVED FIXED
Opened 7 years ago, closed 6 years ago
Categories: NSS :: Libraries, enhancement
Tracking: Not tracked
Target Milestone: 3.35
People: Reporter: mt, Assigned: mt
Keywords: sec-low
Attachments: 1 file
Peter Wu caught this: we aren't currently folding ClientHello into the early exporter secret. This was a pretty serious oversight, which would have made QUIC interop a fun exercise. Also, we would have had key synchronization.
Updated•7 years ago
Group: crypto-core-security
Comment 1•7 years ago
Comment on attachment 8932799 [details]
Bug 1421572 - Correct early exporter secret derivation, r?ekr
Peter Wu has approved the revision. https://phabricator.services.mozilla.com/D297#7209
Attachment #8932799 - Flags: review+
Comment 2•7 years ago
Hi Martin, what is the security impact of this? We'd like to rate it.
Flags: needinfo?(martin.thomson)
Comment 3•7 years ago
The early exporter secret was only determined by the PSK, so an attacker would be able to modify the Client Hello message containing the PSK extension followed by 0-RTT data, and the server would not reject it. The attacker cannot modify or read the 0-RTT data though. Specifically for QUIC, this would allow the negotiated QUIC version in the quic_transport_parameters Client Hello extension to be modified, resulting in a different interpretation of QUIC 0-RTT packets on the server side. Note that the 1-RTT handshake cannot be completed in this case. It does not affect TLS application data (such as HTTP/2) because the export secret is not used there. It has some integrity impact for applications using the TLS Exporter (both of them must use NSS), but I don't know if such applications exist.
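Added example, not code from this bug or from NSS: the RFC 8446 derivation of the early exporter master secret (Early Secret = HKDF-Extract(0, PSK), then Derive-Secret(Early Secret, "e exp master", ClientHello)) next to a model of the reported oversight that assumes the transcript was simply left empty. The PSK and ClientHello bytes are constructed, and the final check shows that only the correct derivation changes when a ClientHello byte is altered, which is why a tampered ClientHello goes unnoticed under the flawed one.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869) with HMAC-SHA256."""
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC(prk, T(i-1) | info | i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label from RFC 8446 section 7.1 (HkdfLabel struct)."""
    full_label = b"tls13 " + label
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)

def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret: HKDF-Expand-Label over Transcript-Hash(messages)."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)

def early_exporter_master_secret(psk: bytes, client_hello: bytes) -> bytes:
    """Correct derivation: the ClientHello is folded in via the transcript."""
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)   # HKDF-Extract(0, PSK)
    return derive_secret(early_secret, b"e exp master", client_hello)

def early_exporter_master_secret_flawed(psk: bytes, client_hello: bytes) -> bytes:
    """Assumed model of the bug: empty transcript, so only the PSK matters."""
    early_secret = hkdf_extract(bytes(HASH_LEN), psk)
    return derive_secret(early_secret, b"e exp master", b"")

# Constructed sample input: not a real PSK and not a real ClientHello encoding.
SAMPLE_PSK = bytes(range(32))
SAMPLE_CLIENT_HELLO = b"ClientHello|quic_transport_parameters=version:1"

def detects_client_hello_change(derive, psk: bytes, client_hello: bytes) -> bool:
    """True if altering one ClientHello byte yields a different exporter secret."""
    altered = client_hello[:-1] + bytes([client_hello[-1] ^ 0x01])
    return derive(psk, client_hello) != derive(psk, altered)
```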
Comment 4•7 years ago
mwobensmith: Let's say sec-low based on Peter's analysis. I don't believe that anyone is using this right now, otherwise we'd hear about the interop problems: NSS wouldn't talk to another implementation successfully.
Flags: needinfo?(martin.thomson)
Comment 6•6 years ago
https://hg.mozilla.org/projects/nss-try/rev/401de5188538
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated•6 years ago
Group: crypto-core-security → core-security-release
Updated•5 years ago
Group: core-security-release