[Cryptography] Client certificates as a defense against MITM attacks

Jerry Leichter leichter at lrw.com
Sun Mar 16 15:58:42 EDT 2014

On Mar 16, 2014, at 2:58 PM, Christian Huitema <huitema at huitema.net> wrote:
> This comes down to "detecting MITM." You could indeed use client
> certificates. You could also use some form of password check that is secure against MITM, e.g. EKE. But the client authentication tends to happen outside of the TLS exchange, because it is a somewhat complex user
> interaction.
I'm actually not suggesting using (a) TLS as it stands; (b) client certificates as a way of authenticating the client in a traditional sense.  Rather, the client cert exist solely to provide a mechanism for the client to send an unforgeable (without attacks on parts of the system that don't currently need to be attacked) message to the server.  This would be automatic - effectively an additional round in a TLSX session setup.  It can be piggy-backed on the first client-to-server message, though that does increase the risk as that message would be visible to the MITM.

Servers already *do* place information on clients to let them detect "known" machines.  This becomes one other authentication factor; when it isn't available, sites may ask security questions or whatever.  That, however, is static data which can simply be forwarded by the MITM.  By using the same kind of approach but tying it to a particular connection as seen by the two end nodes, we can make it impossible for the MITM to forge.

> What if this is the first time the client connects to the site?
Explicitly not covered by this proposal.  A true "first connection" with no previously shared information and no mutually trusted third party (effectively, an introducer) is an incoherent concept anyway.

> What if they just start using a new device?
Then they aren't protected.  Though providing a way to export and import the information on a USB stick or whatever seems easy enough.  You can even imagine techniques for transferring it over a network, though this gets tricky.

> What if they forgot their password?
There's no password for the user to forget in my proposal.

Given a client cert, you *could* decide to use it in place of the password.  In general, that's a *bad idea*, as it means a stolen laptop gives immediate access to tons of websites.  Of course, if you store the client certs in something akin to a password safe - which the user has to unlock - then both the user experience and the safety are pretty much as they are today.  (Note, BTW, that many password safes sync over the Internet.  That might be OK here *with* the proviso that the crypto used doesn't just prevent reading a stolen copy of the safe - it prevents a MITM modification that modifies or even just adds a new client cert.  I doubt any existing implementations have worried about that problem - though with autofill for account names and passwords, perhaps they should.)

> If client authentication is implemented outside the TLS exchange, what API do we have to tie the client verification to the TLS credentials and negotiated keys?
None.  The only thing this is designed to do is make MITM attacks harder.

> Detection inside the second automated TLS exchange could also rely on
> "re-negotiation." If the MITM attack does not happen all the time, it will lead to renegotiation failure, and that can be detected.
I don't follow this.

And also:

On Mar 16, 2014, at 2:51 PM, Hanno Böck <hanno at hboeck.de> wrote:
> Yes. We had this technology for ages and nobody is using it.
Which technology?  Clients certs have certainly been around for years, but 
I'm suggesting a non-standard use for them.

> The problem is: Users don't use a single browser. And transferring
> certs from one browser to another is hard in a user-friendly and secure
> way. Just think of internet cafes or people using random foreign
> computers to log into their webmail. (that's a security nightmare on
> its own without any relation to tls, but that's the way it is)
Frankly, if we spend our time worrying about how to secure things that are inherently unsecurable, we'll make no progress at all.  I don't really care about the security of someone who reads his mail on some machine he has no reason to trust.  *He* clearly doesn't - it's not like the hazards aren't obvious once explained (and they *have* been explained many times) even to the technically unsophisticated.  If he wants to take the risks, fine - but his willingness to live with high risk shouldn't block the rest of us from building things better.
                                                        -- Jerry

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140316/624bf252/attachment.html>

More information about the cryptography mailing list