Re: [http-state] draft-salgueiro-secure-state-management

"Paul E. Jones" <paulej@packetizer.com> Fri, 12 March 2010 16:51 UTC

Return-Path: <paulej@packetizer.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id F36863A6AF1 for <http-state@core3.amsl.com>; Fri, 12 Mar 2010 08:51:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YpSVXaPCqYWE for <http-state@core3.amsl.com>; Fri, 12 Mar 2010 08:51:34 -0800 (PST)
Received: from dublin.packetizer.com (dublin.packetizer.com [75.101.130.125]) by core3.amsl.com (Postfix) with ESMTP id 56FC03A6B3F for <http-state@ietf.org>; Fri, 12 Mar 2010 08:40:59 -0800 (PST)
Received: from berlin.arid.us (rrcs-98-101-146-183.midsouth.biz.rr.com [98.101.146.183]) (authenticated bits=0) by dublin.packetizer.com (8.14.2/8.14.2) with ESMTP id o2CGeva8003225 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 12 Mar 2010 11:41:03 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=packetizer.com; s=dublin; t=1268412063; bh=SGRsXztfGBzBXw7o4VGB5K807VZ6KQi7sMXhC+s85Rk=; h=From:To:References:In-Reply-To:Subject:Date:Message-ID: MIME-Version:Content-Type:Content-Transfer-Encoding; b=k+OgBXJUOv2a+3IvTjf0iNoQ1iRsSsN3ew27WIFS9reXh0XioWE/x2GmWhxmLe3KJ coukxjPmAzERqGwRTFhJye5zx6TAGMtZpTEbgBYuF+L+ZgfonUTsiunvW262TY25yM uAUVgh+Vgv+IFllY3gZpQi1zVoXqmXeNoRfTWwpY=
Received: from sydney (sydney.arid.us [192.168.1.20]) (authenticated bits=0) by berlin.arid.us (8.14.2/8.14.2) with ESMTP id o2CGetCj027972 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Fri, 12 Mar 2010 11:40:55 -0500
From: "Paul E. Jones" <paulej@packetizer.com>
To: "'Yngve N. Pettersen \(Developer Opera Software ASA\)'" <yngve@opera.com>, "'Gonzalo Salgueiro'" <gsalguei@cisco.com>, <http-state@ietf.org>
References: <E022D1C0-F0DF-4BF3-B309-317B38314788@cisco.com> <op.u9floursqrq7tp@acorna> <008401cac1b9$a7f767c0$f7e63740$@com> <op.u9gbuuzqqrq7tp@acorna>
In-Reply-To: <op.u9gbuuzqqrq7tp@acorna>
Date: Fri, 12 Mar 2010 11:40:48 -0500
Message-ID: <00b901cac202$c51c4d90$4f54e8b0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcrB2WIEPZ4xahISR161JanNgDFM1AAImrTQ
Content-Language: en-us
Subject: Re: [http-state] draft-salgueiro-secure-state-management
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Mar 2010 16:51:36 -0000

Yngve,

> >> Section 4:
> >>
> >> * It is not a good idea to have default g and p values
> >
> > Why?  I've seen this done a number of times with various protocols,
> and
> > they're certainly not secret values.
> 
> Mostly I am concerned about being able to use prior knowledge about
> what
> the client uses to weaken security

I would like to hear other opinions on this, but it seems like this one is
not really an issue.  The important thing is to ensure we have proper
values, but the clients will use random numbers that will be extremely
challenging even with knowledge of these two values, I think.

> >> * The nonces could cause issues when multiple parallel requests are
> >> used,
> >> possibly out of order, or the client is forced to send one request
> >> multiple times.
> >
> > This is the reason for having an "association".  Each parallel
> request
> > would
> > establish its own, separate association.  There would never be two
> > requests
> > in parallel using the same assoc value.
> 
> The parallel requests I am primarily referring to are, for example,
> inline
> resource requests (for images, scripts, etc.) sent across multiple
> parallel connections, and which can be sent pipelined. Clients seldom
> keep
> just one connection open to a server that have several resources the
> client needs.

I understand.  Requests over a separate connection would require a separate
association.
 
> BTW, about separate tabs having separate associations: Opera, at least,
> does not normally separate URLs in tabs from each other, except in
> special
> situations like the Private Mode. Tabs normally share the cookies,
> including document.cookie cookies, and it would IMO not be practical to
> add this as a special case.

This is really important feedback.  Clearly, we don't want to create a
burden for either the client or server.  I had assumed that the cookie value
(unencrypted) would be maintained globally as it is today.  Each tab,
though, or each thread that issues separate requests would establish its own
association.

In the simplest case, an association could be established with each tab and
the association data could be discarded when closed.  Would that approach
help?

I would prefer to cache the association data for a longer period of time (24
hours?) and have a mechanism to prevent two requests from using the same
value at the same time, but I am more interested in making this simple.

> >> I could probably go into further detail about the system, but my
> >> conclusion is that it will not provide any extra security for the
> >> information, except against two specific types of adversaries: A
> >> passive
> >> eavesdropper and an active attacker that started working after the
> >> handshake completed, and I don't think we can rely on only
> encountering
> >> those.
> >
> > You're correct, but that was [not] our objective.  TLS is excellent when
we
> > wish
> > to secure everything end-to-end.  Without TLS, there is absolutely no
> > security at all.  In our opinion, there is a need to prevent passive
> > attacks
> > from taking place so trivially.
> 
> That may be, but only targeting passive attackers is IMO not enough of
> a
> reason for this, particularly when TLS can be used to avoid both that
> type
> of attacker and the active attacker.

Given that TLS is not universally employed, even by companies that have the
resources to do it (like Facebook), does that not provide you with
sufficient evidence that we should take steps to protect end-users with
something better than nothing?  I think we should, but I guess you disagree.

> >> Against an active attacker (MITM) this method does not (as the draft
> >> admit) provide any security since the attacker is able to establish
> a
> >> session using his own DH key instead, because there is no end-to-end
> >> verification of the key agreement.
> >
> > A possible solution to this is to use TLS to perform the DH operation
> > *or*
> > to simply send the key over the wire from the server.  So, if a web
> site
> > (e.g., Facebook) wanted to secure the login process and ensure there
> was
> > no
> > possibility of a MiM could intercept the key, it could design the
> system
> > in
> > that way.  The balance of the traffic, though, could be exchanged in
> the
> > clear and the session served to the right user based on the encrypted
> > cookie
> > passed on the wire.
> 
> Possible. See my comment about using TLS extractor for key-agreement,
> which would eliminate the separate DH operation, and implicitly protect
> the operation against passive and active attackers, as long as they are
> not able to attack the SSL connection.

We will.  It seems we need to consider both a means of exchanging a key via
DH and TLS.

Paul