IETF Logo Mail Archive

Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard

Jonathan Hoyland <jonathan.hoyland@gmail.com> Tue, 26 October 2021 16:32 UTC

Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87A653A1496; Tue, 26 Oct 2021 09:32:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IYsx-L1OmDjK; Tue, 26 Oct 2021 09:32:38 -0700 (PDT)
Received: from mail-qt1-x832.google.com (mail-qt1-x832.google.com [IPv6:2607:f8b0:4864:20::832]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA98E3A1494; Tue, 26 Oct 2021 09:32:38 -0700 (PDT)
Received: by mail-qt1-x832.google.com with SMTP id v17so14091536qtp.1; Tue, 26 Oct 2021 09:32:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=ymKeavrz7UOrRQNISHtW8sMLuOLlhQ6y2I2SFWPZ33E=; b=SjEVaD7huzz+Iz48SPKmph7PSXSGDcbMNu3H9yEzmNFCv0FnKmwp7eLgcvDUhIyYAT t38fL7jo9A8g4CW8ydg670pGr9s6CvKftq5LtOgk00PZ0K3SZoREgKdPSYGNk+WO+Ezf UpuHuJiEZLt+LyiDI6Ti8cZVWhpJzBWTK40UlreazQm6FGELfKzsoiMC2VfJKwPmfX2q aGF+RN54YmMaRVbKJwMGqe9Biyq8dBmt9CPbJD+ow5if9S9B4pxQ76ZkBn6dReiPkDFj ausZjz45qQqJ/jetb18Y2SmKNIX9hIpJRChcE26NT11Av/mGq0SUxR+H8h+FOgX7IcUd DH5A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=ymKeavrz7UOrRQNISHtW8sMLuOLlhQ6y2I2SFWPZ33E=; b=Y2KUFakOucsEuBwwTW+hujlXmAg0NZvTuZGl8MOQiNg2iQ7X1VPGhtRuSoq20M9pMN x61+JGB9TX/kWLh4X/vE/bkvGuRHWYxAP9OTCa8jGMSbHx2lRy0Q/mUZLLxq6qrpHXMp uxF3eVf39maCorSZyXMgqMy3ArUff+8S4I7Paya0ZtTq7JG5wGLsbLO04eWZzC8cn9m/ lMBxBJ1LwvkkNE3G3HffN+3c7BbFtHJQVXSYswqznjU6Wyu+nR3WQgx/uykLsOpcR/7E tVBzFp1VgXBbzzbqLWn1Kx8hDBdEBoHmoJSXLkBCs20yaqoinAKuUVz5x4CNHCAOKGOv aJcg==
X-Gm-Message-State: AOAM531eoQuAEyFdCI1zkU2/8CinaK8rdrIkJSl4tiudhTCd6qeupd5n wZWrUmBa3fCU3Z0S/CErzP4zsN094e/l42BWa6Grix4qg3K1Gw==
X-Google-Smtp-Source: ABdhPJylYEYXJHwcIV6HJH58v0tvymXNXmylY/W1x2lEAhabTH5UC7MUNbk/OOIOnsdSP0oRRarSIlbJfSmVsd4PEV4=
X-Received: by 2002:a05:622a:28f:: with SMTP id z15mr3905469qtw.361.1635265956847; Tue, 26 Oct 2021 09:32:36 -0700 (PDT)
MIME-Version: 1.0
References: <163311243544.13917.11736165165419008870@ietfa.amsl.com> <20211001190002.GC98042@kduck.mit.edu> <CABcZeBPQG82xJdwMrmj4-=9aJymo1xts=D6VZedBW5X9k+34cQ@mail.gmail.com> <92ed26c1-bfde-43c1-93f4-2bbdbd4f6ec1@www.fastmail.com> <CAChr6Sw6Rs42DfS8KgD3qasPcWM_gGZhWN5C4b7W7JsPy0wDzw@mail.gmail.com> <8796f867-12b8-41f8-b124-82b3ab0e2d32@www.fastmail.com> <CAChr6SyKAnBcE9t68coGGXFt9WPLuDuWtVKoCXrK+QrwAVtPXw@mail.gmail.com> <f1bcd676-13ad-49b3-a8e8-8a272e0124e3@www.fastmail.com> <CABcZeBNo0gKjNZOKPYJYraioaw6G=z5ibTqh-o9GkWsDkfDmSQ@mail.gmail.com> <c4d6f2e5-0712-42a6-aef5-0cbada7e149e@www.fastmail.com> <CABcZeBM6y-6ZqaLGZ=8qr+uBnWOOgczhcx=ruy5S=n-YrHweKg@mail.gmail.com> <ca676a77-b2c9-4926-9842-d1d6587206ed@www.fastmail.com>
In-Reply-To: <ca676a77-b2c9-4926-9842-d1d6587206ed@www.fastmail.com>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Tue, 26 Oct 2021 17:32:25 +0100
Message-ID: <CACykbs11rHUweXmR1NSU0N2rRjcQ8Sf1S+DY2LO7T+e6cLt+5w@mail.gmail.com>
To: Sam Whited <sam@samwhited.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "<tls@ietf.org>" <tls@ietf.org>, KITTEN Working Group <kitten@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000078a3a505cf440638"
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ZTFB-fOSsAAJy2rKxmOK_ywpBHo>
Subject: Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 16:32:44 -0000

Hi Sam, all,

I'd like to again raise the issues I pointed out in
https://mailarchive.ietf.org/arch/msg/kitten/13pPj4E3-gYwpbu2K844uI1BPoU/ .
This draft hasn't received enough security analysis, and further, I pointed
out a specific security issue that remains unaddressed.

Using the same label for different protocols produces trivial collisions,
and thus it is perfectly possible that a message meant for GSS-API is
identical in both form and key to a message for SCRAM, and thus there is
strong potential for confusion.
I'm not familiar with either of these protocols, so maybe they have
internal reasons why this example doesn't work, but that misses the much
larger and more significant point.
Any future protocol that uses the same label will potentially be
confusable, and further updates to GSS-API now must ensure that they don't
form valid SCRAM messages, and vice versa.

There isn't even a one-to-one relationship between GSS-API / SCRAM runs.
This channel binding design doesn't protect against messages being swapped
between two GSS-API runs on a single TLS connection.
Again, whether that is a specific problem for GSS-API is totally irrelevant.
Another protocol that uses this draft may well be vulnerable, and thus this
is just leaving a huge security landmine in TLS channel bindings.

At an absolute minimum this draft should include "A TLS session using this
RFC to produce a binding for any purpose MUST NOT generate more than one
per session. If a second exporter using this protocol is required the TLS
session MUST be rekeyed."

The correct solution would be to use unique labels for every different mode
and variant of SCRAM and GSS-API, and require this for all runs, and
further include a run number in the label derivation.
This string can be (should be) constructed mechanistically, and commit the
TLS client and TLS server to all relevant security parameters.

Another approach would be to use a fixed string to generate a channel
binding, use that in a run of GSS-API, and then call the Exporter API again
on the hash of the transcript and any relevant key material*.
Taking the resultant output and HKDFing it with the keys resulting from the
GSS-API run would give you a channel binding that is unique for every
unique run of GSS-API.
This is a much stronger binding, tying the specific run of the GSS-API back
to the TLS layer. The idea being that even in the case that the TLS
server's private key has been compromised, if the GSS-API run was secure
then the TLS layer was run honestly (i.e. is with the server.)

Regards,

Jonathan

* Specifically everything listed in Verified Contributive Channel Bindings
for Compound Authentication
<https://www.ndss-symposium.org/wp-content/uploads/2017/09/08_5.pdf>
Section II should be included.



On Mon, 4 Oct 2021 at 01:32, Sam Whited <sam@samwhited.com> wrote:

> 8446 currently contains:
>
> > However, it is also possible to bind such connections to an external
> > authentication mechanism via out-of-band validation of the server's
> > public key, trust on first use, or a mechanism such as channel
> > bindings (though the channel bindings described in [RFC5929] are not
> > defined for TLS 1.3).
>
> If I were part of the TLS group I'd want to see discussion of the the
> parenthetical at the end being  replaced with something like:
>
> "such as the bindings defined in <future RFC number>".
>
> Then the parenthetical could be moved to the security considerations
> section or similar (right now it's quite hard to find).
>
> At the risk of veering into 8446 feedback, I have gotten a lot of push
> back when I mentioned that the RFC5929 channel bindings weren't defined
> for TLS 1.3 in the past, normally something along the lines of "that's
> just one random throw-away sentence in the middle of the document, why
> should I not implement this?"
>
> That being said, I haven't really thought about this and don't know
> whether this would be appropriate or not, I'm just trying to respond to
> your query with some initial thoughts. None of this should be taken as
> what I've been pushing for in the rest of this thread.
>
> —Sam
>
> On Sun, Oct 3, 2021, at 15:02, Eric Rescorla wrote:
> > Sorry to be difficult, but as I said, I'd prefer to focus not on the
> > question of the header of this document but rather on what we wish
> > 8446 said. To that end, what text do you think should go in 8446-bis?
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email