Monday, October 15, 2018

TLS Client Authentication Leaks User Info (pre-TLS1.3)

It's been long known that TLS is not the best privacy protecting protocol in that SNI leaks what domain the client connects to.  I'm a bit surprised that I haven't seen the failure to protect user information when using client authentication mentioned, but it's likely that TLS client authentication is so rarely used, that this have not been on anyone's radar.

TL;DR: Just don't use TLS client authentication on anything before TLS 1.3.

With TLS 1.2 and earlier, if you use client authentication, the client certificate is transmitted in the clear.  This contains enough information to uniquely identify the user.  If it didn't, then there would be no way for the server to do the authentication.

The danger of this is that Eve (eavesdroppers) on path will be able to track your user's (or your) connections, where they connect from, figure out how much data they transfer between to/from your site and likely profile their usage.

I was confident that this was the case as I know that the entire handshake is in the clear.  It isn't till the Finished messages that the session becomes encrypted.  (TLS 1.3 fixed this by using a new derived key, [sender]_handshake_traffic_secret, to encrypt all the server params, which the client will use to encrypt it's response to the certificate request in the server params.)  I decided to verify that this was the case.

I generated a server and a client certificate and key:
openssl req -batch -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout server.key -out server.crt
openssl req -batch -new -newkey rsa:1024 -days 365 -nodes -x509 -keyout client.key -out client.crt


I then launched the server, and included the -Verify and -CAfile options for s_server to request a client certificate:
openssl s_server -accept 5829 -cert server.crt -key server.key -Verify 5 -CAfile client.crt -debug

Then I ran tcpdump to capture the session:
sudo tcpdump -s 0 -n -i lo0 -w clientcert.tcpdump port 5829

And then the client to connect to the server:
openssl s_client -connect localhost:5829 -key client.key -cert client.crt -debug

A usual, non-client authenticated connection and close was about 17 packets, but when I included the client authentication, it became 42 packets (the answer!).

I loaded the packet capture into wireshark, applied the SSL protocol analysis and confirmed that the client certificate was present in clear text:
Wireshark shows TLS handshake with client authentication, with the client certificate displayed in plaintext.

So, there you have it.  Do not use client authentication, pre-TLS 1.3, if you care about the privacy of your users.

It is safe to use client authentication w/ a TLS 1.3 server as long as the server requires all clients be 1.3 clients.  If the key exchange algorithm is one of DHE_DSA, DHE_RSA, or an ECDH key exchange algorithm, the random bytes in the Hello messages are signed and these bytes are used by TLS 1.3 for downgrade protection.  As the signature covers these bytes, the client would be able to detect any attempts to modify the server or client handshake messages to force a downgrade before it would send the client certificate.

Thanks to Mike Hamburg for reviewing an earlier version of this blog post and pointing out that TLS 1.3 was not vulnerable to this and helping w/ some of the research to prove it.

References:

13 comments:

  1. Replies
    1. The effectiveness of IEEE Project Domains depends very much on the situation in which they are applied. In order to further improve IEEE Final Year Project Domains practices we need to explicitly describe and utilise our knowledge about software domains of software engineering Final Year Project Domains for CSE technologies. This paper suggests a modelling formalism for supporting systematic reuse of software engineering technologies during planning of software projects and improvement programmes in Final Year Projects for CSE.

      Software management seeks for decision support to identify technologies like JavaScript that meet best the goals and characteristics of a software project or improvement programme. JavaScript Training in Chennai Accessible experiences and repositories that effectively guide that technology selection are still lacking.

      Aim of technology domain analysis is to describe the class of context situations (e.g., kinds of JavaScript software projects) in which a software engineering technology JavaScript Training in Chennai can be applied successfully

      The Angular Training covers a wide range of topics including Components, Angular Directives, Angular Services, Pipes, security fundamentals, Routing, and Angular programmability. The new Angular TRaining will lay the foundation you need to specialise in Single Page Application developer. Angular Training

      Delete
  2. Here is the details of BMIT (Medical Imaging Technology) colleges in Bangalore. If you are looking to study BMIT in Bangalore, the below will help you to find the best BMIT colleges in Bangalore.
    BSc Medical Imaging Technology Colleges in Bangalore | Medical Imaging Technology Colleges in Bangalore |

    ReplyDelete
  3. Here is the details of B.Sc Optometry colleges in Bangalore. If you are looking to study BSc Optometry in Bangalore, the below will help you to find the best Optometry colleges in Bangalore.
    BSc Optometry Colleges in Bangalore | Optometry Colleges in Bangalore |

    ReplyDelete
  4. Here is the details of B.Sc Renal Dialysis Technology colleges in Bangalore. If you are looking to study BSc Renal Dialysis Technology in Bangalore, the below will help you to find the best Renal Dialysis Technology colleges in Bangalore.
    BSc Renal Dialysis Colleges in Bangalore | Renal Dialysis Technology Colleges in Bangalore |

    ReplyDelete
  5. Here is the details of B.Sc Respiratory Care Technology colleges in Bangalore. If you are looking to study BSc Respiratory Care Technology in Bangalore, the below will help you to find the best Respiratory Technology colleges in Bangalore.
    BSc Respiratory Care Technology Colleges in Bangalore | Respiratory Care Colleges in Bangalore |

    ReplyDelete
  6. Here is the details of B.Sc Cardiac Care Technology colleges in Bangalore. If you are looking to study BSc Cardiac Care Technology in Bangalore, the below will help you to find the best Cardiac Care Technology colleges in Bangalore.
    BSc Cardiac Care Technology Colleges in Bangalore | Cardiac Care Colleges in Bangalore |

    ReplyDelete
  7. Here is the details of B.Sc Perfusion Technology colleges in Bangalore. If you are looking to study BSc Perfusion Technology in Bangalore, the below will help you to find the best Perfusion Technology colleges in Bangalore.
    BSc Perfusion Technology Colleges in Bangalore | Perfusion Technology Colleges in Bangalore |

    ReplyDelete
  8. Here is the best Digital Marketing Agency Riyadh. If you are looking for a social media agency Riyadh, the above(link) company is the best

    ReplyDelete
  9. Wow, I can say that this is another great article as expected of this blog. Thanks a million and please keep up the effective work.
    Visit us for Customised Credit Card Shaped Pen Drive.

    ReplyDelete