Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard
"Ruslan N. Marchenko" <me@ruff.mobi> Fri, 05 November 2021 23:02 UTC
Return-Path: <me@ruff.mobi>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 783F13A096D; Fri, 5 Nov 2021 16:02:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id locLa8-vSRV8; Fri, 5 Nov 2021 16:02:04 -0700 (PDT)
Received: from vex.ruff.mobi (vex.ruff.mobi [37.120.177.103]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 11D773A0965; Fri, 5 Nov 2021 16:02:02 -0700 (PDT)
Received: from pi.ruff.mobi (ip-78-45-99-112.net.upcbroadband.cz [78.45.99.112]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "ruff.mobi", Issuer "R3" (not verified)) by vex.ruff.mobi (Postfix) with ESMTPS id F0A5814E09D3; Sat, 6 Nov 2021 00:01:54 +0100 (CET)
Received: from dei.ruff.mobi (unknown [IPv6:2001:470:741b::6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by pi.ruff.mobi (Postfix) with ESMTPSA id 89C51132E3; Sat, 6 Nov 2021 00:01:51 +0100 (CET)
Message-ID: <74b19fe040f34462c6b2249614319b9fe95b4399.camel@ruff.mobi>
From: "Ruslan N. Marchenko" <me@ruff.mobi>
To: KITTEN Working Group <kitten@ietf.org>, TLS Working Group <tls@ietf.org>
Cc: Simo Sorce <simo@redhat.com>
Date: Sat, 06 Nov 2021 00:01:34 +0100
In-Reply-To: <CACykbs1biupGfYaxrBykYk+=cFZxqVLVbFvcynnjCUzxLh4pmg@mail.gmail.com>
References: <163311243544.13917.11736165165419008870@ietfa.amsl.com> <20211001190002.GC98042@kduck.mit.edu> <CABcZeBPQG82xJdwMrmj4-=9aJymo1xts=D6VZedBW5X9k+34cQ@mail.gmail.com> <92ed26c1-bfde-43c1-93f4-2bbdbd4f6ec1@www.fastmail.com> <CAChr6Sw6Rs42DfS8KgD3qasPcWM_gGZhWN5C4b7W7JsPy0wDzw@mail.gmail.com> <8796f867-12b8-41f8-b124-82b3ab0e2d32@www.fastmail.com> <CAChr6SyKAnBcE9t68coGGXFt9WPLuDuWtVKoCXrK+QrwAVtPXw@mail.gmail.com> <f1bcd676-13ad-49b3-a8e8-8a272e0124e3@www.fastmail.com> <CABcZeBNo0gKjNZOKPYJYraioaw6G=z5ibTqh-o9GkWsDkfDmSQ@mail.gmail.com> <c4d6f2e5-0712-42a6-aef5-0cbada7e149e@www.fastmail.com> <CABcZeBM6y-6ZqaLGZ=8qr+uBnWOOgczhcx=ruy5S=n-YrHweKg@mail.gmail.com> <ca676a77-b2c9-4926-9842-d1d6587206ed@www.fastmail.com> <CACykbs11rHUweXmR1NSU0N2rRjcQ8Sf1S+DY2LO7T+e6cLt+5w@mail.gmail.com> <e9570c02c4f703780a4e317b26607ac124a3b595.camel@ruff.mobi> <CACykbs3v0FC50WQHNqq-oXwKDE=Jha-o0P=Mgr92OgyeKPS6Ug@mail.gmail.com> <7e862904cee5f86e4b77fce23c451c2abe0dc720.camel@ruff.mobi> <CACykbs2V0mgxDz_MK2EiqSDBGWWfvq0TAX+UpLSEZKwOoFc8HQ@mail.gmail.com> <e682da42c5ccd32d1d184970db631624eb6ee507.camel@redhat.com> <CACykbs1biupGfYaxrBykYk+=cFZxqVLVbFvcynnjCUzxLh4pmg@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-puZozTi2b7XWVnjgoadT"
User-Agent: Evolution 3.40.4
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/NROrGAzfrvXGc0YS9EqE8qCI5R0>
Subject: Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Nov 2021 23:02:08 -0000
Hi Jonathan, Am Freitag, dem 05.11.2021 um 15:34 +0000 schrieb Jonathan Hoyland: > > Having now looked at SCRAM a little bit, using the TLS channel > binding guarantees that some malicious server isn't passing the > client's messages off to another server and performing a malicious > authentication there. > ... > If you don't require a unique string I could write a new protocol > SCRAM++ with cross-compatible messages, but different security > guarantees, and use that to compromise SCRAM clients. > Obviously that's a patently malicious example, but it's perfectly > possible that some new version of SCRAM produces messages that an old > version of SCRAM misinterprets. Authentication method and SCRAM mechanism negotiation must happen before SCRAM exchange. if parties don't agree on the method/mechanism negotiation fails. If you control the server to the level that you negotate one method/mechanism but use another - you're not mitm, you just _pwn_ the service, and no binding in the world would solve that. > It's even highly likely that a server that supports old versions of > SCRAM for backwards compatibility would use the same key material for > all versions. > > Requiring a unique string makes the messages totally unrelated. > > I don't find the arguments "It's always been insecure in the past" or > "We have bad APIs" especially compelling. > It's not "historically insecure", it's just not a secret key by design. It's public (non-secret) but unique and imutable property of the TLS channel (not application/authentication channel, mind you). Finished packet - is not a secret - any sneaky person can snoop it. Certificate digest - is not a secret, any person in the world can get it. It's not a guardian of the confidentiality, rather a warrant of integrity. Regards, Ruslan
- [kitten] Last Call: <draft-ietf-kitten-tls-channe… The IESG
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Ruslan N. Marchenko
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Ruslan N. Marchenko
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Sam Whited
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Simo Sorce
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Ruslan N. Marchenko
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Alexey Melnikov
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Simon Josefsson
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Dave Cridland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Dave Cridland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Ruslan N. Marchenko
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Sam Whited