Re: [http-state] draft-salgueiro-secure-state-management

"Yngve Nysaeter Pettersen" <yngve@opera.com> Fri, 02 July 2010 14:38 UTC

Return-Path: <yngve@opera.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42C9E3A67DB for <http-state@core3.amsl.com>; Fri, 2 Jul 2010 07:38:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.579
X-Spam-Level:
X-Spam-Status: No, score=-6.579 tagged_above=-999 required=5 tests=[AWL=0.020, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BThjYHc9zRLQ for <http-state@core3.amsl.com>; Fri, 2 Jul 2010 07:38:31 -0700 (PDT)
Received: from smtp.opera.com (smtp.opera.com [213.236.208.81]) by core3.amsl.com (Postfix) with ESMTP id 2167F3A67B2 for <http-state@ietf.org>; Fri, 2 Jul 2010 07:38:30 -0700 (PDT)
Received: from killashandra.oslo.osa (pat-tdc.opera.com [213.236.208.22]) by smtp.opera.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id o62EcRwp006491 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 2 Jul 2010 14:38:39 GMT
Content-Type: text/plain; charset=iso-8859-15; format=flowed; delsp=yes
To: "'Gonzalo Salgueiro'" <gsalguei@cisco.com>, http-state@ietf.org, "Paul E. Jones" <paulej@packetizer.com>
References: <E022D1C0-F0DF-4BF3-B309-317B38314788@cisco.com> <op.u9floursqrq7tp@acorna> <008401cac1b9$a7f767c0$f7e63740$@com> <op.u9gbuuzqqrq7tp@acorna> <005001cae689$ce603500$6b209f00$@com> <op.ve6bw9z3vqd7e2@killashandra.oslo.osa> <056f01cb199c$3831c710$a8955530$@packetizer.com>
Date: Fri, 02 Jul 2010 16:38:22 +0200
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
From: "Yngve Nysaeter Pettersen" <yngve@opera.com>
Organization: Opera Software
Message-ID: <op.ve7z98sdvqd7e2@killashandra.oslo.osa>
In-Reply-To: <056f01cb199c$3831c710$a8955530$@packetizer.com>
User-Agent: Opera Mail/10.54 (Win32)
Subject: Re: [http-state] draft-salgueiro-secure-state-management
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: yngve@opera.com
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Jul 2010 14:38:37 -0000

Using the key extractor means that the key is clearly associated with the  
endpoint and its certificate.

IMO your design is exactly the kind of thing the extractor was intended  
for.

It also means that you do not have to use the HTTP headers for  
transferring the keydata (except perhaps some kind of nonce), does not  
have to establish a default DH key, and saves an extra roundtrip for  
establishing the key since both parties already have the necessary data,  
in the form of the master secret.


On Fri, 02 Jul 2010 06:08:19 +0200, Paul E. Jones <paulej@packetizer.com>  
wrote:

> Yngve,
>
> I'll confess that we must have overlooked your proposal when putting
> together this latest version.  The previous version of the document just
> specified the use of DH over HTTP.  This most recent document specifies  
> the
> transmission of a random number in the HTTPS response, which the server
> would generate to align with the encryption algorithm used to encrypt the
> cookies.
>
> The reasons you cite for using this RFC are that it:
> * Removes the overhead caused by establishing an independent key  
> agreement
> protocol
> * Makes the key agreement independent of any specific algorithm
>
> In our draft, we actually do not specify the use of a key agreement
> mechanism over TLS at all, but merely transmit the key from the server to
> the client over the encrypted TLS connection.  Do you believe this  
> approach
> has negative security implications that this RFC will address?  More
> generally, do you feel that we need to introduce a key agreement  
> mechanism
> where both the client and server play some role in defining what the
> symmetric key shall be for encrypting cookies?
>
> As I said, we assumed it was acceptable for the server to specify that  
> key
> since the connection was already secured with TLS, but we're certainly  
> open
> to further dialog to improve the security.
>
> Paul
>
>> -----Original Message-----
>> From: Yngve Nysaeter Pettersen [mailto:yngve@opera.com]
>> Sent: Thursday, July 01, 2010 12:55 PM
>> To: 'Gonzalo Salgueiro'; http-state@ietf.org; Paul E. Jones
>> Subject: Re: [http-state] draft-salgueiro-secure-state-management
>>
>> Hi,
>>
>> As I indicated earlier, I would strongly suggest that you replace the
>> current key agreement with the method described in RFC 5705 ("Keying
>> Material Exporters for Transport Layer Security") which uses an already
>> established TLS connection and master secret to agree on the encryption
>> key, removing the overhead caused by establishing an independent key
>> agreement protocol, and also makes the key agreement independent of any
>> specific algorithm, instead relying on the TLS protocol's security.
>>
>> http://datatracker.ietf.org/doc/rfc5705/
>>
>>
>> On Wed, 28 Apr 2010 06:18:07 +0200, Paul E. Jones  
>> <paulej@packetizer.com>
>> wrote:
>>
>> > Yngve, et al.,
>> >
>> > We took everybody's comments into consideration and revised the draft
>> > to add a means of exchanging the encryption key used to encrypt the
>> > secure HTTP state management information using TLS.  So, the draft now
>> > provides a web server with both the option to use HTTP (and Diffie
>> > Hellman) to establish a secret key, or use TLS to exchange the key.
>> >
>> > We look forward to your comments on draft -03:
>> > http://tools.ietf.org/html/draft-salgueiro-secure-state-management
>> >
>> > Paul
>>
>>
>> --
>> Sincerely,
>> Yngve N. Pettersen
>> ********************************************************************
>> Senior Developer		     Email: yngve@opera.com
>> Opera Software ASA                   http://www.opera.com/
>> Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
>> ********************************************************************
>


-- 
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer		     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 23 69 32 60              Fax:    +47 23 69 24 01
********************************************************************