IETF Logo Mail Archive

Re: Report on preliminary decision on TLS 1.3 and client auth

Kyle Rose <krose@krose.org> Thu, 22 October 2015 18:15 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DE2E1B2A63 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 22 Oct 2015 11:15:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.389
X-Spam-Level:
X-Spam-Status: No, score=-6.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p2G_4P7Gz1SW for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Thu, 22 Oct 2015 11:15:39 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C7C31B2A65 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Thu, 22 Oct 2015 11:15:39 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1ZpKLV-0008Rw-5P for ietf-http-wg-dist@listhub.w3.org; Thu, 22 Oct 2015 18:12:13 +0000
Resent-Date: Thu, 22 Oct 2015 18:12:13 +0000
Resent-Message-Id: <E1ZpKLV-0008Rw-5P@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <krose@krose.org>) id 1ZpKLQ-0008RB-VN for ietf-http-wg@listhub.w3.org; Thu, 22 Oct 2015 18:12:08 +0000
Received: from mail-ig0-f182.google.com ([209.85.213.182]) by lisa.w3.org with esmtps (TLS1.2:RSA_ARCFOUR_SHA1:128) (Exim 4.80) (envelope-from <krose@krose.org>) id 1ZpKLP-0003Y4-2v for ietf-http-wg@w3.org; Thu, 22 Oct 2015 18:12:08 +0000
Received: by igbdj2 with SMTP id dj2so187032igb.1 for <ietf-http-wg@w3.org>; Thu, 22 Oct 2015 11:11:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=+g3Infj9LHTKpWPqpvvQELK4qsE++gCub4pXB3K79Fk=; b=Ufcjeq5hiw1R/lgKnWt7w3LANx3wNnO5giV+gBP69pybvjOX72d7rUxhcOLQ44y4n3 3DSImUnEElukptBC8mUNIVo1dq3vuQXaCv4QFcxhwFbcbkJJJnaMoZV055TWC16C9gHs b/R/1Yail7N42rwX5k5ewk1ZvjXvA2lokkvEk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=+g3Infj9LHTKpWPqpvvQELK4qsE++gCub4pXB3K79Fk=; b=a7lQ6gOvXMKqQMAEEIFkBc06yOl6e1+gz/alyAsPxL4dA7XE0PWdNT6BdVvxjRGDkV MSMbJ8tV9Ig8ahsWO1tjxE/Aq2fPxRfIENxfCf1js13cv+TpUfGbrb34MLd3CGldaDtg NR+uxWzyzT5q3g3SM823QtcsSknN0mIv0/kl36Bu36tueD+wCEtkGYA+GwPXpaLmdUZd DSUmt54VaqI92hPQCndw098dwu0sra/IH7hjbOYn4tqjM/eSIksbTLkBBTpDt2OM0w7J RYu4MVdGwc8GXt/i0V6SgYWDuxTJvpZhkY2Qppt91CnDXZnmZZIGIbDVhDnoIeDpjPn7 mmAw==
X-Gm-Message-State: ALoCoQkNmsbThh8x2uFhBQiiGnyqwQO2zBgiU6Gj3JO/KaaasFgZnJalak1uF5Nl1g5DUijf8Piw
MIME-Version: 1.0
X-Received: by 10.50.103.99 with SMTP id fv3mr38987090igb.69.1445537500230; Thu, 22 Oct 2015 11:11:40 -0700 (PDT)
Received: by 10.79.31.130 with HTTP; Thu, 22 Oct 2015 11:11:20 -0700 (PDT)
X-Originating-IP: [2001:4878:8000:60:247c:f6e2:7b3c:5a2f]
In-Reply-To: <CABkgnnWREq6X+chcvookChGAZGxkJ6Zs_7FGwz7Mbn12XMxewQ@mail.gmail.com>
References: <CABkgnnWREq6X+chcvookChGAZGxkJ6Zs_7FGwz7Mbn12XMxewQ@mail.gmail.com>
Date: Thu, 22 Oct 2015 14:11:20 -0400
Message-ID: <CAJU8_nW44dLrATV=P3SSCQ7VSJk+yyV=2F+1q5KKP5pZ6RO53Q@mail.gmail.com>
From: Kyle Rose <krose@krose.org>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary="047d7b2e08ab360e0f0522b56da2"
Received-SPF: pass client-ip=209.85.213.182; envelope-from=krose@krose.org; helo=mail-ig0-f182.google.com
X-W3C-Hub-Spam-Status: No, score=-4.7
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: lisa.w3.org 1ZpKLP-0003Y4-2v fee80f6d1cb6d038620127fde113fa10
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Report on preliminary decision on TLS 1.3 and client auth
Archived-At: <http://www.w3.org/mid/CAJU8_nW44dLrATV=P3SSCQ7VSJk+yyV=2F+1q5KKP5pZ6RO53Q@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/30396
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Sorry to take so long to respond to this, but life and work get in the way.
I wanted to give a perspective on how one enterprise uses client
certificates in real life, and the reasons for that.

Like all great decisions, the one my company made to introduce client certs
was the result of a compromise. The original requirement was for a second
factor ("something you have") in addition to a password ("something you
know"), because the thing you know is often of poor quality in order to
make remembering it easy: the standard way to get around password re-use
restrictions on rotation, for instance, is to take a prefix that never
changes and append a number in monotonically-increasing fashion at each
rotation. (Why password rotation in the first place? Because PCI DSS
§8.2.4.)

Trials were performed with HOTP tokens, which did not go well for various
reasons I'm not privy to, though I've heard that will be revisited in the
next year or two.

There was also a desire to have a solution that reduced the attack surface.
This is where the decision to use client certs intersects with the
conversation here. One of the properties of our specific MO for client
certs is that a client cannot complete a TLS handshake with any of the RPs
without first presenting an acceptable client certificate (which may then
result in a redirect to the SSO IdP/token issuer if successful). What this
does is create a firewall around applications with potentially faulty
authorization logic. It also makes for a very poor user experience when
certificates expire, but this was deemed "acceptable" in compromise-logic.

Having a client cert also raises the bar ever so slightly to access from
unauthorized equipment. Yes, it's trivial to transfer the cert to a browser
on another machine, but this is a triviality that few will bother with,
especially among the demographic whose collective attention paid to
security is most troublesome. Keeping 3 year-old Android phones 2 years
past their most recent security update away from corporate resources is a
feature, not a bug.

Sealing the deal, our CDN happens to support client certificates: we can
eat our own dog food *and* do it while requiring a second factor. Profit.

The way in which this is relevant is that it would be nice to present the
user a better error than "ssl_error_handshake_failure_alert" in the case of
an expired or missing certificate. To that end, switching to a model in
which any client can connect and perform some actions, and only later be
required to authenticate, would be helpful. The downside of supporting this
is that the handshake-time firewall between RP authentication logic and
clients would be eliminated; the upside is that the first principle of IT
is bureaucratic inertia, so I suspect that justification would be silently
dropped in favor of keeping the second factor scheme and improving the UX.

As for H/1.1 and TLS <=1.2, we presumably disabled renegotiation entirely
due to the potential for downgrade attacks, and so are unlikely to solve
the UX issue prior to TLS 1.3.

Kyle

On Wed, Sep 23, 2015 at 1:16 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> The minutes of the TLS interim have been posted. Some decisions regard
> client authentication were made.
>
>
> https://www.ietf.org/proceedings/interim/2015/09/21/tls/minutes/minutes-interim-2015-tls-3
>
> Here is a summary of the applicable pieces, plus what I options it
> provides HTTP/2...
>
> (Caveat here: aspects of this could change if new information is
> presented, but it seems unlikely that there will be changes that will
> affect the core decisions.)
> The big change is that a server can request client authentication at any
> time. A server may also make multiple such requests. Those multiple
> requests could even be concurrent.
>
> The security claims associated with client authentication require more
> analysis before we can be certain, but the basic idea is that
> authentication merely provides the proof that a server needs to regard the
> entire session to be authentic. In other words, client authentication will
> apply retroactively. This could allow a request sent prior to
> authentication to be considered authenticated. This is a property that is
> implicitly relied on for the existing renegotiation cases and one that we
> might want to exploit.
>
> Each certificate request includes an identifier that allows it to be
> correlated with the certificate that is produced in response. This also
> allows for correlating with application context. This is what I think that
> we can use to fix HTTP/2.
>
> Clients cannot spontaneously authenticate, which invalidates the designs I
> have proposed, however, the basic structure is the basis for the first
> option that I will suggest.
>
>
> Option 1 uses a new authentication scheme. A request that causes a server
> to require a client certificate is responded to with a 4xx response
> containing a ClientCertificate challenge. That challenge includes an
> identifier.  The server also sends - at the TLS layer - a
> CertificateRequest containing the same identifier, allowing the client to
> correlate it's HTTP request with the server's CertificateRequest.
>
> Client@HTTP/2:
> HEADERS
>   :method = GET ...
>
> Server@HTTP/2:
> HEADERS
>   :status = 401
>   authorization = ClientCertificate req="option 1"
>
> Server@TLS:
> CertificateRequest { id: "option 1" }
>
> Client@TLS:
> Certificate+CertificateVerify { id: "option 1", certificates... }
>
> Client@HTTP/2:
> HEADERS
>   :method = GET ...
>
> Server@HTTP/2:
> HEADERS
>   :status = 200
>
>
> Option 2 aims to more closely replicate the experience we get from
> renegotiation in HTTP/1.1 + TLS <= 1.2.  Rather than rejecting the request,
> the server sends an HTTP/2 frame on the stream to indicate to the client to
> expect a CertificateRequest. That frame includes the identifier.
>
> Client@HTTP/2:
> HEADERS
>   :method = GET ...
>
> Server@HTTP/2:
> EXPECT_AUTH
>   id = option 2
>
> Server@TLS:
> CertificateRequest { id: "option 2" }
>
> Client@TLS:
> Certificate+CertificateVerify { id: "option 2", certificates... }
>
> Server@HTTP/2:
> HEADERS
>   :status = 200
>
> In this case, the server probably wants to know that the client is willing
> to respond to these requests, otherwise it will want to use
> HTTP_1_1_REQUIRED or 421.  So a companion setting to enable this is a good
> idea (the semantics of the setting that Microsoft use for renegotiation is
> pretty much exactly what we'd need).
>
> I think that the first option has some architectural advantages, but that
> is all.  The latter more closely replicates what people do today and for
> that reason, I think that it is the best option.
>
>
> As for how to implement this same basic mechanism in TLS 1.2, I have an
> idea that will work for either option, but it's a bit disgusting, so I'll
> save that for a follow-up email.
>

v2.23.0 | Report a Bug | By Email