[CHANNEL-BINDING] New channel binding type similar to "tls-server-end-point"
Heikki Linnakangas <hlinnaka@iki.fi> Fri, 10 February 2023 15:01 UTC
Return-Path: <hlinnaka@iki.fi>
X-Original-To: channel-binding@ietfa.amsl.com
Delivered-To: channel-binding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AFF5C151555 for <channel-binding@ietfa.amsl.com>; Fri, 10 Feb 2023 07:01:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iki.fi
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TuarvMNKL8Tb for <channel-binding@ietfa.amsl.com>; Fri, 10 Feb 2023 07:01:08 -0800 (PST)
Received: from meesny.iki.fi (meesny.iki.fi [195.140.195.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3002C14CF1C for <channel-binding@ietf.org>; Fri, 10 Feb 2023 07:01:06 -0800 (PST)
Received: from [192.168.1.113] (dsl-hkibng22-54f8db-125.dhcp.inet.fi [84.248.219.125]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: hlinnaka) by meesny.iki.fi (Postfix) with ESMTPSA id EF817200E5 for <channel-binding@ietf.org>; Fri, 10 Feb 2023 17:01:02 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1676041263; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=tPX60DgmVFVzj3xHNloOlzHfCxKQEjNSQvTldrJ789k=; b=rueHNOG+CifL+RjbG3DTIhByQ7Oshe4afYfaRgko7z56nEMDIFnc+vZXPfFFTcKrk5SLdG gEsLwnCX2u8zg06UMUwWJ0We0bp2O+B5yobeioL5j/7Xg5e53AIbOFb1ec0FMqYHfgO/bk qYGsMYRWjbGkgcQ7rUZsHL038b538WQ=
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=iki.fi; s=meesny; t=1676041263; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=tPX60DgmVFVzj3xHNloOlzHfCxKQEjNSQvTldrJ789k=; b=QpLxzABXC0I6zkwCvFBiiVJ92f5ITHjNDtRD/C7dwvYFg/KNK0WUZB9TLwyFsaXEgLGtVj rf+5hN8dGTcZ7DlRm7oAbSRrJZ9dycn4QL4o2wLlklCamQnD5Og73JZZ028mWau7WaAMEa O1T3AXsRzSxbbszSXkrVTbPRYEBN4cY=
ARC-Seal: i=1; s=meesny; d=iki.fi; t=1676041263; a=rsa-sha256; cv=none; b=Aa3brfLjUKe/EMaDW11Cw/o1Ks85/q7xFZaDVu5wXHw9Lh92AnbkFzJ/2zFcQKCGdX2PVS Ad1P5vbFuMYugrWeXtzoaro1kRe516n6q365A2v++Jq5WrEpFFWXD1vEZtd5Jgscn0IkvU jR8QE/cpRDIfMv/T/i7GEkPWsFXX1Xc=
ARC-Authentication-Results: i=1; ORIGINATING; auth=pass smtp.auth=hlinnaka smtp.mailfrom=hlinnaka@iki.fi
Message-ID: <138fe21f-07eb-0588-eb5e-5e974d3c633d@iki.fi>
Date: Fri, 10 Feb 2023 17:01:02 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0
Content-Language: en-US
From: Heikki Linnakangas <hlinnaka@iki.fi>
To: channel-binding@ietf.org
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/channel-binding/AWsjum_K2Ph3H0CtvGcdKgN34ag>
X-Mailman-Approved-At: Fri, 10 Feb 2023 08:03:04 -0800
Subject: [CHANNEL-BINDING] New channel binding type similar to "tls-server-end-point"
X-BeenThere: channel-binding@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of channel binding IANA registry requests and specifications <channel-binding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/channel-binding/>
List-Post: <mailto:channel-binding@ietf.org>
List-Help: <mailto:channel-binding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/channel-binding>, <mailto:channel-binding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Feb 2023 15:12:36 -0000
Currently, "tls-server-end-point" channel binding type is undefined if the server certificate's signatureAlgorithm field does not unambiguously specify a hash function. See [RFC5929], section 4.1. I propose a new channel binding type, "tls-server-end-point-auth-hash". It is the same as "tls-server-end-point", but instead of deriving the hash function from the certificate's signatureAlgorithm, it uses the same hash function that is used by the authentication method. So when it is used with SCRAM-SHA-256, for example, SHA-256 is used. If I'm reading correctly between the lines in RFC5929, the reason that "tls-server-end-point" was defined to use the hash algorithm in the signatureAlgorithm was to provide hash agility. However, when used with an authentication mechanism like SCRAM-SHA-256, that agility seems pointless; the security relies on SHA-256 anyway. This proposed variant has the advantage that it can be used with all TLS certificates, regardless of the signatureAlgorithm, and you don't need any extra hash functions other than the one that's used by the authentication mechanism anyway. I'm not familiar with the IETF processes. What do I need to do to get that registered? Background: PostgreSQL supports the SCRAM-SHA-256-PLUS authentication with "tls-server-end-point" channel binding. However, because it is undefined for some certificates, channel binding cannot be used with ED448 and ED25519 certificates, for example. We would like to support channel binding with all server certificates. A user ran into this with an rsassaPss certificate, and for that we could perhaps derive the hash algorithm by looking into the rsaSsaParams field of the certificate, in addition to signatureAlgorithm. But that seems like over-interpreting RFC5929, and doesn't solve the general case anyway. See discussion on the PostgreSQL mailing list: https://www.postgresql.org/message-id/687f8e73-e511-6994-c2e2-3cc55633fab6%40iki.fi PS. The reason that PostgreSQL implements "tls-server-end-point" and not "tls-unique", even though RFC 5802 clearly says that a server MUST support "tls-unique" if any channel binding type is supported, is that when it was implemented, the future of "tls-unique" was unclear. There were security concerns with it and TLS renegotiation, and it was undefined for TLSv1.3. Also, not all TLS implementations provided an interface to export the material needed for "tls-unique". There has been discussion on implementing the new "tls-exporter" binding with TLSv1.3, but even if we add support for that, we will likely still continue to support "tls-server-end-point" for a long time. - Heikki
- [CHANNEL-BINDING] New channel binding type simila… Heikki Linnakangas
- Re: [CHANNEL-BINDING] New channel binding type si… Alexey Melnikov