Re: [http-state] draft-salgueiro-secure-state-management
"Paul E. Jones" <paulej@packetizer.com> Wed, 28 April 2010 04:18 UTC
Return-Path: <paulej@packetizer.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 88D4B3A6AC4 for <http-state@core3.amsl.com>; Tue, 27 Apr 2010 21:18:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.836
X-Spam-Level:
X-Spam-Status: No, score=-0.836 tagged_above=-999 required=5 tests=[AWL=-0.837, BAYES_50=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JZJMScRu173w for <http-state@core3.amsl.com>; Tue, 27 Apr 2010 21:18:35 -0700 (PDT)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by core3.amsl.com (Postfix) with ESMTP id 977C63A6A97 for <http-state@ietf.org>; Tue, 27 Apr 2010 21:18:34 -0700 (PDT)
Received: from berlin.arid.us (rrcs-98-101-146-183.midsouth.biz.rr.com [98.101.146.183]) (authenticated bits=0) by dublin.packetizer.com (8.14.2/8.14.2) with ESMTP id o3S4IDk0030420 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 28 Apr 2010 00:18:19 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1272428299; bh=18v8Zlur4x6oVT0Sbv6U2VTnJ8S41yi9cDP2VaYdPNw=; h=From:To:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=NZP72ICY8LqNw66wX6qx6OE3ApaUK0SuslNRr/NijhJNVB/JwIKAg/xdbLR3Nl+0m 3dG638c1g0TlydT4FrdkG6Qv8Kjwi3D6daWrOfcrLFqQXD/xJMEPJNEef77QmL59YU fIEUsiu6FCZaxUg3QzqpDyCZ9S7fHWjoF1mrE2HU=
Received: from sydney (sydney.arid.us [192.168.1.20]) (authenticated bits=0) by berlin.arid.us (8.14.2/8.14.2) with ESMTP id o3S4IBNk018457 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Wed, 28 Apr 2010 00:18:11 -0400
From: "Paul E. Jones" <paulej@packetizer.com>
To: "'Yngve N. Pettersen (Developer Opera Software ASA)'" <yngve@opera.com>, 'Gonzalo Salgueiro' <gsalguei@cisco.com>, http-state@ietf.org
References: <E022D1C0-F0DF-4BF3-B309-317B38314788@cisco.com> <op.u9floursqrq7tp@acorna> <008401cac1b9$a7f767c0$f7e63740$@com> <op.u9gbuuzqqrq7tp@acorna>
In-Reply-To: <op.u9gbuuzqqrq7tp@acorna>
Date: Wed, 28 Apr 2010 00:18:07 -0400
Message-ID: <005001cae689$ce603500$6b209f00$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcrB2WIE3WbRj7E/Q4msbvQoDeoBZQki8BGw
Content-Language: en-us
Subject: Re: [http-state] draft-salgueiro-secure-state-management
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Apr 2010 04:18:54 -0000
Yngve, et al., We took everybody's comments into consideration and revised the draft to add a means of exchanging the encryption key used to encrypt the secure HTTP state management information using TLS. So, the draft now provides a web server with both the option to use HTTP (and Diffie Hellman) to establish a secret key, or use TLS to exchange the key. We look forward to your comments on draft -03: http://tools.ietf.org/html/draft-salgueiro-secure-state-management Paul > -----Original Message----- > From: Yngve N. Pettersen (Developer Opera Software ASA) > [mailto:yngve@opera.com] > Sent: Friday, March 12, 2010 6:08 AM > To: Paul E. Jones; 'Gonzalo Salgueiro'; http-state@ietf.org > Subject: Re: [http-state] draft-salgueiro-secure-state-management > > On Fri, 12 Mar 2010 08:57:26 +0100, Paul E. Jones > <paulej@packetizer.com> > wrote: > > >> Section 4: > >> > >> * It is not a good idea to have default g and p values > > > > Why? I've seen this done a number of times with various protocols, > and > > they're certainly not secret values. > > Mostly I am concerned about being able to use prior knowledge about > what > the client uses to weaken security > > >> * The nonces could cause issues when multiple parallel requests are > >> used, > >> possibly out of order, or the client is forced to send one request > >> multiple times. > > > > This is the reason for having an "association". Each parallel > request > > would > > establish its own, separate association. There would never be two > > requests > > in parallel using the same assoc value. > > The parallel requests I am primarily referring to are, for example, > inline > resource requests (for images, scripts, etc.) sent across multiple > parallel connections, and which can be sent pipelined. Clients seldom > keep > just one connection open to a server that have several resources the > client needs. > > BTW, about separate tabs having separate associations: Opera, at least, > does not normally separate URLs in tabs from each other, except in > special > situations like the Private Mode. Tabs normally share the cookies, > including document.cookie cookies, and it would IMO not be practical to > add this as a special case. > > >> I could probably go into further detail about the system, but my > >> conclusion is that it will not provide any extra security for the > >> information, except against two specific types of adversaries: A > >> passive > >> eavesdropper and an active attacker that started working after the > >> handshake completed, and I don't think we can rely on only > encountering > >> those. > > > > You're correct, but that was our objective. TLS is excellent when we > > wish > > to secure everything end-to-end. Without TLS, there is absolutely no > > security at all. In our opinion, there is a need to prevent passive > > attacks > > from taking place so trivially. > > That may be, but only targeting passive attackers is IMO not enough of > a > reason for this, particularly when TLS can be used to avoid both that > type > of attacker and the active attacker. > > >> Against an active attacker (MITM) this method does not (as the draft > >> admit) provide any security since the attacker is able to establish > a > >> session using his own DH key instead, because there is no end-to-end > >> verification of the key agreement. > > > > A possible solution to this is to use TLS to perform the DH operation > > *or* > > to simply send the key over the wire from the server. So, if a web > site > > (e.g., Facebook) wanted to secure the login process and ensure there > was > > no > > possibility of a MiM could intercept the key, it could design the > system > > in > > that way. The balance of the traffic, though, could be exchanged in > the > > clear and the session served to the right user based on the encrypted > > cookie > > passed on the wire. > > Possible. See my comment about using TLS extractor for key-agreement, > which would eliminate the separate DH operation, and implicitly protect > the operation against passive and active attackers, as long as they are > not able to attack the SSL connection. > > > > -- > Sincerely, > Yngve N. Pettersen > > ******************************************************************** > Senior Developer Email: yngve@opera.com > Opera Software ASA http://www.opera.com/ > Phone: +47 24 16 42 60 Fax: +47 24 16 40 01 > ******************************************************************** >
- [http-state] draft-salgueiro-secure-state-managem… Gonzalo Salgueiro
- Re: [http-state] draft-salgueiro-secure-state-man… Adam Barth
- Re: [http-state] draft-salgueiro-secure-state-man… Paul E. Jones
- Re: [http-state] draft-salgueiro-secure-state-man… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] draft-salgueiro-secure-state-man… Paul E. Jones
- Re: [http-state] draft-salgueiro-secure-state-man… Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [http-state] draft-salgueiro-secure-state-man… Paul E. Jones
- Re: [http-state] draft-salgueiro-secure-state-man… Paul E. Jones
- Re: [http-state] draft-salgueiro-secure-state-man… Yngve Nysaeter Pettersen
- Re: [http-state] draft-salgueiro-secure-state-man… Paul E. Jones
- Re: [http-state] draft-salgueiro-secure-state-man… Yngve Nysaeter Pettersen
- Re: [http-state] draft-salgueiro-secure-state-man… Paul E. Jones