Topic: [SOLVED] Secure renegotiation is not secure?

I'm reading "CyaSSL Secure Renegotiation, Documentation and Users Guide, October 13th, 2014, version 3.2.2"
It says "CyaSSL now supports client side Secure Renegotiation. wolfSSL strongly discourages the use of Secure Renegotiation because of attacks that can exploit the lack of secret binding inherent in renegotiation."

Wasn't secure renegotiation in RFC 5746 meant to fix what you're describing? Is there some other attack that makes it no longer secure, and can you please explain? Thanks.

Re: [SOLVED] Secure renegotiation is not secure?

Hi raysatiro,

Secure renegotiation (RFC 5746) was indeed meant to fix the original or "insecure" renegotiation.

Our comments about attacks on Secure Renegotiation are instead directly related to the new "secure" version, specifically the 3SHAKE attack, which takes advantage of an incorrect assumption made in the Secure Renegotiation spec:

3SHAKE Attack Webpage:
https://mitls.org/pages/attacks/3SHAKE

Blog post from cryptographyengineering.com that talks about this as well:
http://blog.cryptographyengineering.com … shake.html

Best Regards,
Chris

Re: [SOLVED] Secure renegotiation is not secure?

chrisc wrote:

Secure renegotiation (RFC 5746) was indeed meant to fix the original or "insecure" renegotiation.

Our comments about attacks on Secure Renegotiation are instead directly related to the new "secure" version, specifically the 3SHAKE attack, which takes advantage of an incorrect assumption made in the Secure Renegotiation spec:

If secure renegotiation is used in wolfSSL, is it vulnerable to that attack?

Re: [SOLVED] Secure renegotiation is not secure?

The way the 3SHAKE attack uses Secure Renegotiation and session resumption is a protocol (or feature) level vulnerability. This means that it affects any implementation that supports Secure Renegotiation.

Re: [SOLVED] Secure renegotiation is not secure?

Ok. Some SSL libraries have done various mitigations as cited in that notice; for example, in Microsoft's schannel they disabled certificate changes and later went on to add extended master secret binding support. I thought maybe there was a similar mitigation in wolfSSL.

Re: [SOLVED] Secure renegotiation is not secure?

Circling back around on this topic, wolfSSL 3.9.10 now has support for the TLS Extended Master Secret extension. This is enabled by default.
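To show why the Extended Master Secret extension is the relevant mitigation here, the following added example (not code from the thread or from wolfSSL) computes the TLS 1.2 master secret both ways: the RFC 5246 derivation, which binds only the pre-master secret and the two nonces, and the RFC 7627 derivation, which also binds the hash of the whole handshake transcript. The pre-master secret, nonces and transcripts are constructed stand-ins, not real handshake data.

```python
"""Classic (RFC 5246) vs Extended (RFC 7627) master secret derivation.

Two handshakes that share the pre-master secret and nonces but differ
elsewhere in the transcript (for example in the certificate sent) end up
with the SAME classic master secret, which is the lack of binding 3SHAKE
relies on. With EMS the session hash is mixed in, so they differ."""
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246 section 5)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret_rfc5246(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return prf(pms, b"master secret", client_random + server_random, 48)


def master_secret_rfc7627(pms: bytes, transcript: bytes) -> bytes:
    # session_hash = Hash(all handshake messages up to ClientKeyExchange)
    session_hash = hashlib.sha256(transcript).digest()
    return prf(pms, b"extended master secret", session_hash, 48)


def compare(pms, client_random, server_random, transcript_a, transcript_b):
    """(classic_equal, ems_equal) for two handshakes sharing pms and nonces."""
    classic_a = master_secret_rfc5246(pms, client_random, server_random)
    classic_b = master_secret_rfc5246(pms, client_random, server_random)
    ems_a = master_secret_rfc7627(pms, transcript_a)
    ems_b = master_secret_rfc7627(pms, transcript_b)
    return classic_a == classic_b, ems_a == ems_b


# Constructed sample values (placeholders, not captured from a real session).
PMS = bytes.fromhex("0303") + b"\x11" * 46          # 48-byte RSA-style pre-master secret
CLIENT_RANDOM = b"\xaa" * 32
SERVER_RANDOM = b"\xbb" * 32
HELLOS = b"ClientHello" + CLIENT_RANDOM + b"ServerHello" + SERVER_RANDOM
TRANSCRIPT_A = HELLOS + b"Certificate:server-A" + b"ClientKeyExchange"
TRANSCRIPT_B = HELLOS + b"Certificate:server-B" + b"ClientKeyExchange"

if __name__ == "__main__":
    print(compare(PMS, CLIENT_RANDOM, SERVER_RANDOM, TRANSCRIPT_A, TRANSCRIPT_B))  # (True, False)
```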

Re: [SOLVED] Secure renegotiation is not secure?

Thanks for the update Chris!