Re: [kitten] AD review of draft-ietf-kitten-tls-channel-bindings-for-tls13-08
Sam Whited <sam@samwhited.com> Fri, 01 October 2021 11:25 UTC
Return-Path: <sam@samwhited.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id BC1A63A0A24;
Fri, 1 Oct 2021 04:25:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1,
DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001,
SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key)
header.d=samwhited.com header.b=ozxiOKTX;
dkim=pass (2048-bit key)
header.d=messagingengine.com header.b=p17q1m8F
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id eoxUaGv_EAZk; Fri, 1 Oct 2021 04:25:31 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com
[64.147.123.21])
(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id A1BF83A0A26;
Fri, 1 Oct 2021 04:25:20 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41])
by mailout.west.internal (Postfix) with ESMTP id DDA5632019B4;
Fri, 1 Oct 2021 07:25:15 -0400 (EDT)
Received: from imap42 ([10.202.2.92])
by compute1.internal (MEProxy); Fri, 01 Oct 2021 07:25:16 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samwhited.com;
h=mime-version:message-id:in-reply-to:references:date:from:to
:cc:subject:content-type:content-transfer-encoding; s=fm1; bh=Wb
6a/alIR5zPXJTGU9XZeBdrXjt5nTNfdFwDev5yENw=; b=ozxiOKTXBEzO9ru8yG
fBYIbtkSzp7N61nPg6wOFU0NR++OZeh60sECWKKoCkSX1Y4Ouq2rzf4U52Jvnxmy
LYxrxqXKqqYvV71BSoQ81gE1M8WSc99dk4DveeTOEA80ffKmxHuqnuZkZWQw7Tk3
Zy4r1f24kTX4wRvrwKcf/6khWn7MGC62asFNEwXV2W/b6kurtGiarO17px10i5Aq
CUGMufXhgGBrOif52CETRmzwMMS1Ds9ntWwXia5f+nz0ajoFeg9Tu2ic45fExDF8
42q/m36xYNOpFjrdDWDzGP2R3wMHhqfPu7vYTPE9WF6tZG5HyfjnhtEUPeLNu4l1
NpAA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=cc:content-transfer-encoding:content-type
:date:from:in-reply-to:message-id:mime-version:references
:subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender
:x-sasl-enc; s=fm3; bh=Wb6a/alIR5zPXJTGU9XZeBdrXjt5nTNfdFwDev5yE
Nw=; b=p17q1m8FaUHLGcauJs07VQ8uuxktGr2NAacBBasLfDEbHsSF+kmfb07R1
LL13q12S/eSTMi9n78EUrj1uVm+ntfjurLhTexP2kOq/H6UOSOCPc4pWhntvosDT
N7fsKfJvT4/GUxo5ZK7T1GFpID9m7dSQsKEFksKN4vdv1Ds/xE7qqFiRXvmU1aJx
0HhHnlWhv9yIBs8hsJFDFfz4IcSjQ/UzGLE+0hNMBJjR+tN42Pb+TOQ4TtUxApTB
vSQc3ZVHBVKjxazAHXxPu/QvtlIx5ZQaUuStHPoNBzvK8cqCLUw6LqvR/cftSlar
gptJyoI+ohO8JQfV6HfSQa+L41dwg==
X-ME-Sender: <xms:G_BWYdUdYjZYsBMvFWztAxu_dI-oVzPnyMsqi1Cy1_fEFdM-dYWccA>
<xme:G_BWYdkt5sy99QwTZPXTqCw4fVBHniNMYCqY7BbSKOFbeFNPZOzi6zWrXB2D4xzx8
VXy7pHmfgUpqd-ebw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvtddrudekiedgfeejucetufdoteggodetrfdotf
fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen
uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne
cujfgurhepofgfggfkjghffffhvffutgfgsehtqhertderreejnecuhfhrohhmpedfufgr
mhcuhghhihhtvggufdcuoehsrghmsehsrghmfihhihhtvggurdgtohhmqeenucggtffrrg
htthgvrhhnpeefuddukeekueetueelfeeguedvuedvffehvdevieffgeehhfejffdtveev
uedvffenucffohhmrghinhepihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptd
enucfrrghrrghmpehmrghilhhfrhhomhepshgrmhesshgrmhifhhhithgvugdrtghomh
X-ME-Proxy: <xmx:G_BWYZbTnnR6V_IawauMf3cOJTL_woQXUYm-WurfDXQ2ye7556EQpg>
<xmx:G_BWYQVH5MCX8vpbivBb0TxQJ9zjD_KDzGXjucAqBnj79OXXE35nTQ>
<xmx:G_BWYXl_4EOJnlJi6mT3M1WSdgtLlfxPdwVkShM9mrEQ8RwlnDOsCg>
<xmx:G_BWYWuN3pRLaPKUb23ZtO-u-fjsf92WS2DNwTDNR9BCiMv39TzyaQ>
Received: by mailuser.nyi.internal (Postfix, from userid 501)
id 67B8F2180078; Fri, 1 Oct 2021 07:25:15 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-1322-g921842b88a-fm-20210929.001-g921842b8
Mime-Version: 1.0
Message-Id: <f048b2f9-c53c-4c91-81e8-4fc5b4331bef@www.fastmail.com>
In-Reply-To: <20211001045330.GX98042@kduck.mit.edu>
References: <20211001045330.GX98042@kduck.mit.edu>
Date: Fri, 01 Oct 2021 07:24:54 -0400
From: "Sam Whited" <sam@samwhited.com>
To: "Benjamin Kaduk" <kaduk@mit.edu>,
draft-ietf-kitten-tls-channel-bindings-for-tls13.all@ietf.org
Cc: "KITTEN Working Group" <kitten@ietf.org>
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/1GCkBfY0zLzIY4tiPb4t56md_ps>
Subject: Re: [kitten] AD review of
draft-ietf-kitten-tls-channel-bindings-for-tls13-08
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>,
<mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>,
<mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2021 11:25:38 -0000
This all looks good; I've updated the draft and incorporated your language as well as the tweaks you suggested. Thank you for your review. —Sam On Fri, Oct 1, 2021, at 00:53, Benjamin Kaduk wrote: > Hi all, > > Nothing particularly earth-shattering here, but enough that we should > put out a revised I-D before I initiate the IETF last-call. > > Though there's not currently a formal requirement (since the precise > meaning and usage of the "updates" tag is not well defined), it's been > the practice of recent IESGs to ask that documents provide a clear > statement of the nature of any updates being made. While we currently > do this for the updates of RFCs 5801 and 5802, we're pretty silent > about how we update RFCs 5929 and 8446. I have a proposal for 8446 > below (wrapped into another suggestion), and we can probably put a > note somewhere that we update 5929 to provide a channel-binding for > TLS that is compatible with TLS 1.3. > > Section 1 > > The "unique" channel binding types defined in [RFC5929] were found > to be vulnerable to the "triple handshake vulnerability" [TRIPLE- > HANDSHAKE] without the extended master secret extension defined in > [RFC7627]. Because of this they were not defined for TLS > 1.3 (see [RFC8446] section C.5). [...] > > I don't think this conveys quite the right reasoning for why the > channel bindings were not updated in RFC 8446 directly. In > particular, TLS 1.3 intrinsically uses the extended master secret > mechanism of "hash the entire handshake transcript" and in that regard > is not susceptible to triple-handshake type attacks. > > Peeking through the archives, it seems that > https://mailarchive.ietf.org/arch/msg/tls/2XbkUZhdxwFXhLVTdE2C-UZGaO0/ > may have been the most recent discussion of tls-unique in the context > of draft-ietf-tls-tls13 . The note referenced in that email thread > seems to be: > > % [Raw public keys or skipping certificate chain checking] used alone > % is vulnerable to man-in-the-middle attacks and therefore unsafe for > % general use. However, it is also possible to bind such connections > % to an external authentication mechanism via out-of-band validation > % of the server's public key, trust on first use, or channel bindings > % [RFC5929]. [[NOTE: TLS 1.3 needs a new channel binding definition > % that has not yet been defined.]] If no such mechanism is used, then > % the connection has no protection against active man-in-the-middle > % attack; applications MUST NOT use TLS in such a way absent explicit > % configuration or a specific application profile. > > So I would propose the following replacement text: > > The "unique" channel binding types defined in [RFC5929] were found > to be vulnerable to the "triple handshake vulnerability" [TRIPLE- > HANDSHAKE] without the extended master secret extension defined in > [RFC7627]. While TLS 1.3 uses a complete transcript hash akin to > the extended master secret procedures, the safety of channel > bindings with TLS 1.3 was not analyzed as part of the core protocol > work, and so the specification of channel bindings for TLS 1.3 was > deferred. [RFC8446] section C.5 notes the lack of a channel > bindings definition for TLS 1.3; as this document defines such > channel bindings, it accordingly updates [RFC8446] to note that the > gap has been filled. > > (Note that I also modified the final sentence to be able to explicitly > note in what way we see this document as updating RFC 8446.) > > Section 3 > > Channel bindings do not leak secret information about the channel > and are considered public. [...] > > In light of the way that > https://datatracker.ietf.org/doc/html/rfc5929#section-10.2 frames its > discussion of channel-bindings disclosure (and to some extent > https://datatracker.ietf.org/doc/html/rfc5056#section-8 as well), I > think that we might want to scope the statement to just "the channel > bindings type defined in this document" and to frame the subsequent > discussion as being that "disclosure of the channel binding data does > not affect the security of the TLS channel. To say that they are > "considered public" might imply an intention to disclose, when it > seems that the important point is only that disclosure or non- > disclosure is irrelevant. With those changes included, this might > look something like: > > The channel binding type defined in this document is constructed so > that disclosure of the channel binding data does not leak secret > information about the TLS channel and does not affect the security > of the TLS channel. [...] > > Section 3.1 > > While it is possible to use this channel binding mechanism with TLS > versions below 1.3, extra precaution must be taken to ensure that > the chosen cipher suites always result in unique master secrets. > For more information see the Security Considerations section of > [RFC5705]. > > Should we reiterate here that the extended master secret mechanism of > RFC 7627 is one way to ensure uniqueness of master secrets? > > When TLS renegotiation is enabled the "tls-exporter" channel > binding type is not defined and implementations MUST NOT > support it. > > We may want to be specific that this mandate is scoped to > renegotiation being enabled at (e.g.) connection scope (vs implementation- > wide). > > Section 4.1 > > Subject: Registration of channel binding tls-exporter > > It's interesting that this is part of the template given in RFC 5056 > but not part of the registry itself...arguably a bug in 5056, but > probably not worth doing anything about now. > > Thanks, > > Ben -- Sam Whited
- [kitten] AD review of draft-ietf-kitten-tls-chann… Benjamin Kaduk
- Re: [kitten] AD review of draft-ietf-kitten-tls-c… Alexey Melnikov
- Re: [kitten] AD review of draft-ietf-kitten-tls-c… Sam Whited
- Re: [kitten] AD review of draft-ietf-kitten-tls-c… Benjamin Kaduk