Re: Last Call: 'TLS User Mapping Extension' to Proposed Standard
Eric Rescorla <ekr@networkresonance.com> Sun, 19 February 2006 01:31 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1FAdQ1-0006aX-9w; Sat, 18 Feb 2006 20:31:21 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1FAdPz-0006a5-JL; Sat, 18 Feb 2006 20:31:19 -0500
Received: from laser.networkresonance.com ([198.144.196.2]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1FAdPw-0003As-Ps; Sat, 18 Feb 2006 20:31:19 -0500
Received: from networkresonance.com (raman.networkresonance.com [198.144.196.3]) by laser.networkresonance.com (Postfix) with ESMTP id 779CC22241D; Sat, 18 Feb 2006 17:32:38 -0800 (PST)
To: ietf@ietf.org
X-Mailer: MH-E 7.4.3; nmh 1.0.4; XEmacs 21.4 (patch 18)
Date: Sat, 18 Feb 2006 17:31:13 -0800
From: Eric Rescorla <ekr@networkresonance.com>
Message-Id: <20060219013238.779CC22241D@laser.networkresonance.com>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f2984bf50fb52a9e56055f779793d783
Cc: tls@ietf.org, iesg@ietf.org
Subject: Re: Last Call: 'TLS User Mapping Extension' to Proposed Standard
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Errors-To: ietf-bounces@ietf.org
BACKGROUND
This document describes an extension to TLS which allows the client to
give the server a hint (the User Principal Name) about which directory
entry to look up in order to verify the client's identity.
This works as follows:
1. The client offers the extension (called UME) in the
ClientHello message.
2. The server accepts the extension.
3. The client sends the new HandshakeType to the server
before sending its Certificate message.
The packet flow looks like this (cut-and-pasted from the draft):
Client Server
ClientHello
/* with user_mapping ext */ -------->
ServerHello
/* with user-mapping ext */
Certificate*
ServerKeyExchange*
CertificateRequest*
<-------- ServerHelloDone
--> UserMappingDataList
Certificate*
ClientKeyExchange
CertificateVerify*
[ChangeCipherSpec]
Finished -------->
[ChangeCipherSpec]
<-------- Finished
Application Data <-------> Application Data
New handshake message marked by --> on the left.
This document was presented to the TLS WG in Vancouver and there was
only a very small amount of interest. The authors posted the -00 version
of their draft on January 10. Some minor comments were made by a single
WG member and these were addressed. The authors asked for a preliminary
code point assignment on January 14. I provided a number of technical
comments (including suggesting an alternate approach, described below)
at that time, but was told that the implementation was already too far
along to be changed significantly.
Since the IETF would not have change control, this is an inappropriate
work item for the TLS WG and therefore the authors appear to have
decided on an Individual Submission. The reason for the intended status
of Proposed Standard is that this extension defines a new Handshake Type
and the TLS WG has decided that new Handshake Types require a Standards
Action (See S 7.4 of draft-ietf-tls-rfc2246-13, in RFC-Ed queue).
Contrary to the the Last Call announcement, the comments I raised
originally have not been addressed--except to be told they weren't
possible. For the reasons indicated below, I believe this document
should not be advanced to Proposed Standard as-is.
REVIEW COMMENTS
The obvious design here would simply be to place the information
in the UserMappingDataList (UMDL) message directly in the ClientHello
extension. The draft argues that this is bad for the following
reason:
The reason the mapping data itself is not placed in the extension
portion of the ClientHello is to prevent broadcasting this
information to servers that don't understand the extension.
Additionally, if new mapping information were to be considered
confidential, the addition of a new handshake message allows the data
to be encrypted using the servers public key.
No other modifications to the protocol are required. The messages are
detailed in the following sections.
This is unconvincing for a number of reasons. First, TLS handles the
case where an extension is not understood just fine. It's ignored. Since
the extension appears to be less than 100 bytes, there's no performance
issue.
The authors suggest that there is a security issue:
As the client is the initiator of this TLS extension, it needs to
determine when it is appropriate to send the User Mapping
Information. It may not be prudent to broadcast this information to
just any server at any time, as it can reveal network infrastructure
the client and server are using.
- The client SHOULD only send the UserMappingDataList handshake
message if it is agreed upon in the Hello exchange, preventing
the information from being sent to a server that doesn't
understand the User Mapping Extension.
- The client SHOULD further only send this information if the
server belongs to a domain to which the client intends to
authenticate using the UPN as identifier.
However, the second piece of information (the domain name of the server)
is generally available to the client prior to the connection initiation,
since it's used to look up the server's address. So, the client could
decide whether to send the UMDL data prior to handshake initiation.
One difference here is that the client now has the server's certificate
and that certificate could potentially contain some X.509 Extension that
indicated that the server was authorized to receive the UMDL
data. However, this is of very limited security value because in the
static RSA modes which are common with SSL/TLS, the server has not
proved possession of the corresponding private key at this point in the
handshake. Note that this draft does not describe any such extension.
An attacker who wished to impersonate the server in order to capture the
UMDL would be able to do so with a simple replay/cut-and-paste
attack. Moreover, because the UMDL is sent in the clear (the draft
claims that it could be encrypted but provides no facility for doing
so) any passive attacker can capture the UMDL by observing a single
handshake.
At best this strategy stops the client from inadvertantly sending the
UMDL to a server which it *thinks* should support it (because it's
got the right domain name) but which actually doesn't (perhaps because
it's broken?). This seems to be of extremely limited value.
AN ALTERNATE DESIGN
There is an alternate design which has superior security properties
and does not involve defining a new HandshakeType.
1. Do an ordinary TLS handshake without offering UME.
2. Initiate a TLS rehandshake and send the UMDL in an extension
in the ClientHello.
Because the second TLS handshake is conducted over the TLS session
established in step (1), the entire UMDL extension exchange is
protected. A passive attacker cannot capture the UMDL data and an active
attacker cannot impersonate the server and force the transmission of the
UMDL.
This approach has two (modest) drawbwacks.
1. It is slower because it requires two handshakes.
2. The client may have to authenticate twice (this is a special
case of (1)).
The second case can be easily ameliorated by having the client send an
extension (empty UME?) in the first handshake as a signal that it wants
to do UMDL and that the server should hold off on demanding client
authentication until the rehandshake happens.
The performance issue is quite modest with modern servers. Indeed, it's
quite common for web servers to do a first handshake without cert-based
client auth and then rehandshake with client auth if the client asks for
a sensitive page.
Note: there is an alternate design in which you do a client auth in the
first handshake and then do a resumption in the second one but do
UME. This is rather faster, both in terms of computation and round trips
but is technically precluded by S 2.3 of RFC3546 which requires ignoring
extensions if you do a resume. One could imagine relaxing this
restriction but that hasn't been done yet.
Note also that if the client isn't worried about the sensitivity of the
UMDL, then it can simply offer the UME extension with a UMDL in the
first handshake and skip the second handshake.
Another (hacky) approach would be for the client to probe the server
with an initial ClientHello (and no UME) and then abort the handshake
and restart if it decides that it likes the server and wants to do
UME. This would have equivalent security properties to this draft at the
cost of a single round trip.
SUMMARY
The technique described in this document appears to be of limited
usefulness. In particular, the lack of confidentiality for the
UMDL is a big limitation in extending it to other applications
than the one envisioned by Microsoft. There are alternate designs
which don't have those limitations and don't involve allocating a
new HandshakeType value. This document should not advance as a
Proposed Standard.
-Ekr
_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf
- Re: Last Call: 'TLS User Mapping Extension' to Pr… Eric Rescorla
- Re: Last Call: 'TLS User Mapping Extension' to Pr… Steven M. Bellovin
- Re: Last Call: 'TLS User Mapping Extension' to Pr… Bill Fenner
- Re: Last Call: 'TLS User Mapping Extension' to Pr… Russ Housley
- Re: Last Call: 'TLS User Mapping Extension' to Pr… Russ Housley
- Is round-trip time no longer a concern? (was: Re:… Dave Crocker
- Re: Is round-trip time no longer a concern? Russ Allbery
- Re: Is round-trip time no longer a concern? (was:… Steven M. Bellovin
- Re: Last Call: 'TLS User Mapping Extension' to Pr… Bill Strahm
- Re: Is round-trip time no longer a concern? (was:… Dave Cridland
- Re: Is round-trip time no longer a concern? Harald Tveit Alvestrand
- Re: Is round-trip time no longer a concern? Peter Dambier
- RE: Last Call: 'TLS User Mapping Extension' to Pr… Pasi.Eronen
- Re: Is round-trip time no longer a concern? Eric Rescorla
- Re: Is round-trip time no longer a concern? Keith Moore
- Re: Is round-trip time no longer a concern? Dave Cridland
- Re: Is round-trip time no longer a concern? Dave Crocker
- Re: Is round-trip time no longer a concern? Eric Rescorla
- Re: Is round-trip time no longer a concern? Tony Finch
- Re: Is round-trip time no longer a concern? Steven M. Bellovin
- Re: Is round-trip time no longer a concern? Dave Crocker
- RE: Last Call: 'TLS User Mapping Extension' to Pr… Gray, Eric
- RE: [TLS] Re: Last Call: 'TLS User Mapping Extens… Pasi.Eronen
- Re: Last Call: 'TLS User Mapping Extension' to Pr… Bernard Aboba
- RE: Last Call: 'TLS User Mapping Extension' to Pr… Russ Housley
- RE: [TLS] Re: Last Call: 'TLS User Mapping Extens… Russ Housley
- RE: [TLS] Re: Last Call: 'TLS User Mapping Extens… Stefan Santesson
- RE: Last Call: 'TLS User Mapping Extension' to Pr… Stefan Santesson
- RE: Last Call: 'TLS User Mapping Extension' to Pr… Stefan Santesson
- RE: Re: [TLS] Re: Last Call: 'TLS User Mapping Ex… Stefan Santesson
- RE: Re: [TLS] Re: Last Call: 'TLS User Mapping Ex… Stefan Santesson
- RE: Re: [TLS] Re: Last Call: 'TLS User Mapping Ex… Russ Housley
- Re: Last Call: 'TLS User Mapping Extension' to Pr… Simon Josefsson
- Re: Last Call: 'TLS User Mapping Extension' to Pr… Jeffrey Hutzelman
- RE: [TLS] Re: Last Call: 'TLS User Mapping Extens… Ari Medvinsky