[kitten] AD review of draft-ietf-kitten-tls-channel-bindings-for-tls13-08
Benjamin Kaduk <kaduk@mit.edu> Fri, 01 October 2021 04:53 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 6ED6F3A040F;
Thu, 30 Sep 2021 21:53:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, KHOP_HELO_FCRDNS=0.399, SPF_HELO_NONE=0.001,
SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id UprFurh7Zoxm; Thu, 30 Sep 2021 21:53:46 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 1755E3A040B;
Thu, 30 Sep 2021 21:53:42 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56)
(User authenticated as kaduk@ATHENA.MIT.EDU)
by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 1914rUCr001564
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT);
Fri, 1 Oct 2021 00:53:36 -0400
Date: Thu, 30 Sep 2021 21:53:30 -0700
From: Benjamin Kaduk <kaduk@mit.edu>
To: draft-ietf-kitten-tls-channel-bindings-for-tls13.all@ietf.org
Cc: kitten@ietf.org
Message-ID: <20211001045330.GX98042@kduck.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/R49_PRj6waCTdjNaXv44FPnAH58>
Subject: [kitten] AD review of
draft-ietf-kitten-tls-channel-bindings-for-tls13-08
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>,
<mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>,
<mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Oct 2021 04:53:51 -0000
Hi all, Nothing particularly earth-shattering here, but enough that we should put out a revised I-D before I initiate the IETF last-call. Though there's not currently a formal requirement (since the precise meaning and usage of the "updates" tag is not well defined), it's been the practice of recent IESGs to ask that documents provide a clear statement of the nature of any updates being made. While we currently do this for the updates of RFCs 5801 and 5802, we're pretty silent about how we update RFCs 5929 and 8446. I have a proposal for 8446 below (wrapped into another suggestion), and we can probably put a note somewhere that we update 5929 to provide a channel-binding for TLS that is compatible with TLS 1.3. Section 1 The "unique" channel binding types defined in [RFC5929] were found to be vulnerable to the "triple handshake vulnerability" [TRIPLE-HANDSHAKE] without the extended master secret extension defined in [RFC7627]. Because of this they were not defined for TLS 1.3 (see [RFC8446] section C.5). [...] I don't think this conveys quite the right reasoning for why the channel bindings were not updated in RFC 8446 directly. In particular, TLS 1.3 intrinsically uses the extended master secret mechanism of "hash the entire handshake transcript" and in that regard is not susceptible to triple-handshake type attacks. Peeking through the archives, it seems that https://mailarchive.ietf.org/arch/msg/tls/2XbkUZhdxwFXhLVTdE2C-UZGaO0/ may have been the most recent discussion of tls-unique in the context of draft-ietf-tls-tls13 . The note referenced in that email thread seems to be: % [Raw public keys or skipping certificate chain checking] % used alone is vulnerable to man-in-the-middle % attacks and therefore unsafe for general use. However, it is also % possible to bind such connections to an external authentication % mechanism via out-of-band validation of the server's public key, % trust on first use, or channel bindings [RFC5929]. [[NOTE: TLS 1.3 % needs a new channel binding definition that has not yet been % defined.]] If no such mechanism is used, then the connection has no % protection against active man-in-the-middle attack; applications MUST % NOT use TLS in such a way absent explicit configuration or a specific % application profile. So I would propose the following replacement text: The "unique" channel binding types defined in [RFC5929] were found to be vulnerable to the "triple handshake vulnerability" [TRIPLE-HANDSHAKE] without the extended master secret extension defined in [RFC7627]. While TLS 1.3 uses a complete transcript hash akin to the extended master secret procedures, the safety of channel bindings with TLS 1.3 was not analyzed as part of the core protocol work, and so the specification of channel bindings for TLS 1.3 was deferred. [RFC8446] section C.5 notes the lack of a channel bindings definition for TLS 1.3; as this document defines such channel bindings, it accordingly updates [RFC8446] to note that the gap has been filled. (Note that I also modified the final sentence to be able to explicitly note in what way we see this document as updating RFC 8446.) Section 3 Channel bindings do not leak secret information about the channel and are considered public. [...] In light of the way that https://datatracker.ietf.org/doc/html/rfc5929#section-10.2 frames its discussion of channel-bindings disclosure (and to some extent https://datatracker.ietf.org/doc/html/rfc5056#section-8 as well), I think that we might want to scope the statement to just "the channel bindings type defined in this document" and to frame the subsequent discussion as being that "disclosure of the channel binding data does not affect the security of the TLS channel. To say that they are "considered public" might imply an intention to disclose, when it seems that the important point is only that disclosure or non-disclosure is irrelevant. With those changes included, this might look something like: The channel binding type defined in this document is constructed so that disclosure of the channel binding data does not leak secret information about the TLS channel and does not affect the security of the TLS channel. [...] Section 3.1 While it is possible to use this channel binding mechanism with TLS versions below 1.3, extra precaution must be taken to ensure that the chosen cipher suites always result in unique master secrets. For more information see the Security Considerations section of [RFC5705]. Should we reiterate here that the extended master secret mechanism of RFC 7627 is one way to ensure uniqueness of master secrets? When TLS renegotiation is enabled the "tls-exporter" channel binding type is not defined and implementations MUST NOT support it. We may want to be specific that this mandate is scoped to renegotiation being enabled at (e.g.) connection scope (vs implementation-wide). Section 4.1 Subject: Registration of channel binding tls-exporter It's interesting that this is part of the template given in RFC 5056 but not part of the registry itself...arguably a bug in 5056, but probably not worth doing anything about now. Thanks, Ben
- [kitten] AD review of draft-ietf-kitten-tls-chann… Benjamin Kaduk
- Re: [kitten] AD review of draft-ietf-kitten-tls-c… Alexey Melnikov
- Re: [kitten] AD review of draft-ietf-kitten-tls-c… Sam Whited
- Re: [kitten] AD review of draft-ietf-kitten-tls-c… Benjamin Kaduk