Re: [kitten] draft-hansen-scram-sha256 and incorporating session hashing for channel binding

[Nico Williams <nico@cryptonector.com>]

On Thu, May 28, 2015 at 10:01:42PM +0200, Simon Josefsson wrote:
> > On Thu, May 28, 2015 at 05:11:22PM +0200, Simon Josefsson wrote:
> > > > > You then go on to say: "Personally, I would prefer to change to
> > > > > another mandatory channel binding that is secure for all TLS
> > > > > versions."
> > > > 
> > > > This is not really appropriate here because it's the applications
> > > > that need to do this, and we can't say anything here about this
> > > > that will force them to.
> > > 
> > > > A reference to TLS-SESSION-HASH of the same level (i.e., normative
> > > > or informative) as RFCs 5246 and 5929 would be nice.
> > > 
> > > I believe that what is required is
> > > 
> > >   1) scram-sha256 has a normative reference to tls-session-hash; or
> > > 
> > >   2) tls-session-hash uses an Update: that makes it applicapable to
> > > all TLS versions, and that it is clarified (if not already the
> > > case) that tls-session-hash must be used; or
> > 
> > And RFC5929.
> 
> That's not strictly necessary, is it?  5929 refer to TLS, so if
> tls-session-hash update TLS specs, 5929 indirectly refer too
> tls-session-hash.  At least that is how I would interprete it.  But
> I'm all for making things explicit.

Less not-strictly-necessary than the change you're proposing to SCRAM...

After all, it'd be useful if anyone reading RFC5929 saw that there's a
security consideration when using TLS w/o the session hash (namely: that
tls-unique is insecure when used with connections made by resuming
sessions).

> > My vote is for (2).  I don't mind (1) in addition, but I want (2).
> 
> There is precedent for that for TLS, several of the security fixes
> Update:'s all TLS RFCs.

Yes.

> > >   3) scram-sha256 uses a new channel binding that is secure with or
> > >   without tls-session-hash.
> > 
> > We disagree as to (3).  This is advice we can give to apps in the
> > security considerations section, not something we can force a SASL or
> > GSS mechanism to do because API-wise the mechanism doesn't get a
> > choice.
> 
> I don't understand this...

The mechanism is not in a position to use any one CB type or other.  The
application chooses the CB type.

> > > I believe 1) and 2) would be worse than 3) for the next ~5 years or
> > > so, and things being equal after that.  SASL libraries/applications
> > > rarely have any influence over TLS internals, but they directly
> > > influence the channel binding used.  Using another channel binding
> > > for [...]
> > 
> > No, they don't.  Certainly not GSS ones, and the SASL implementations
> > I'm familiar with don't either.
> > 
> > E.g., GSS_Init_sec_context() doesn't get a handle to a channel to bind
> > to, it only gets the channel binding as already extracted by the app.
> > Worse, GSS_Init_sec_context() doesn't even get the channel binding
> > type.
> 
> ...and I don't understand any of this.

I don't understand how you can't understand it.

GSS_Init_sec_context() doesn't have access to the TLS (or whatever)
channel, and therefore the mechanism can't be involved in getting the
channel binding.

> A new channel binding in SCRAM-SHA256 would work exactly the same way
> as tls-unique works in SCRAM-SHA1 today.
> 
> In my SASL library, the app has to provide the tls-unique channel
> binding (either upfront or in a callback) when SCRAM-SHA1 is used.  If
> I would implement SCRAM-SHA256, and assuming that document referred
> directly to tls-unique-prf, the app would need to supply the
> tls-unique-prf data upfront or in a callback when SCRAM-SHA256 is
> used.  I don't see any problem with this.  The channel binding type is
> hardcoded with the SASL mechanism name.

The CB type is NOT a part of the mechanism name.  The CB type name is
prefixed to the CB data in the SASL/GS2 case (but not in the non-SASL
GSS case).  The best SCRAM-SHA256 could do is detect that tls-unique is
used in the SASL/GS2 case and fail.

Nico
--