IETF Logo Mail Archive

Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard

Alexey Melnikov <alexey.melnikov@isode.com> Mon, 08 November 2021 11:58 UTC

Return-Path: <alexey.melnikov@isode.com>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E34433A0E8E; Mon, 8 Nov 2021 03:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.428
X-Spam-Level:
X-Spam-Status: No, score=-5.428 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-3.33, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isode.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khD6efsQxHN9; Mon, 8 Nov 2021 03:58:48 -0800 (PST)
Received: from waldorf.isode.com (waldorf.isode.com [62.232.206.188]) by ietfa.amsl.com (Postfix) with ESMTP id 9BD143A0E1B; Mon, 8 Nov 2021 03:58:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1636372723; d=isode.com; s=june2016; i=@isode.com; bh=9Wap1R1qnRZn78XAuP5Re/rZ2JNWj32HPQCqgOni+oM=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=mavR9f4BHaE9z61SiGBD+iz42ifWeNBJo8VSR7h/de+9IshLvMDTTs/ooUbBl2/hzAGG9O AZ2KjcMn1oMV2zyL3IPyj/5hWstlFaO41XwvpmNqc0KMVJfapNdcMFjsjOfX/K0/HjqK5V 0hqvFKMm8ehhZvrrO2VI68DNGwuL39I=;
Received: from [192.168.1.222] (host5-81-100-95.range5-81.btcentralplus.com [5.81.100.95]) by waldorf.isode.com (submission channel) via TCP with ESMTPSA id <YYkQ8gAF4jvY@waldorf.isode.com>; Mon, 8 Nov 2021 11:58:42 +0000
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>, Simo Sorce <simo@redhat.com>
Cc: KITTEN Working Group <kitten@ietf.org>, "Ruslan N. Marchenko" <rufferson@gmail.com>, tls@ietf.org
References: <163311243544.13917.11736165165419008870@ietfa.amsl.com> <8796f867-12b8-41f8-b124-82b3ab0e2d32@www.fastmail.com> <CAChr6SyKAnBcE9t68coGGXFt9WPLuDuWtVKoCXrK+QrwAVtPXw@mail.gmail.com> <f1bcd676-13ad-49b3-a8e8-8a272e0124e3@www.fastmail.com> <CABcZeBNo0gKjNZOKPYJYraioaw6G=z5ibTqh-o9GkWsDkfDmSQ@mail.gmail.com> <c4d6f2e5-0712-42a6-aef5-0cbada7e149e@www.fastmail.com> <CABcZeBM6y-6ZqaLGZ=8qr+uBnWOOgczhcx=ruy5S=n-YrHweKg@mail.gmail.com> <ca676a77-b2c9-4926-9842-d1d6587206ed@www.fastmail.com> <CACykbs11rHUweXmR1NSU0N2rRjcQ8Sf1S+DY2LO7T+e6cLt+5w@mail.gmail.com> <e9570c02c4f703780a4e317b26607ac124a3b595.camel@ruff.mobi> <CACykbs3v0FC50WQHNqq-oXwKDE=Jha-o0P=Mgr92OgyeKPS6Ug@mail.gmail.com> <7e862904cee5f86e4b77fce23c451c2abe0dc720.camel@ruff.mobi> <CACykbs2V0mgxDz_MK2EiqSDBGWWfvq0TAX+UpLSEZKwOoFc8HQ@mail.gmail.com> <e682da42c5ccd32d1d184970db631624eb6ee507.camel@redhat.com> <CACykbs1biupGfYaxrBykYk+=cFZxqVLVbFvcynnjCUzxLh4pmg@mail.gmail.com>
From: Alexey Melnikov <alexey.melnikov@isode.com>
Message-ID: <6a4297cd-6514-78b7-b93b-1a7a3461c0de@isode.com>
Date: Mon, 08 Nov 2021 11:58:36 +0000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.14.0
In-Reply-To: <CACykbs1biupGfYaxrBykYk+=cFZxqVLVbFvcynnjCUzxLh4pmg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------5D4F46DFE0847A4756952998"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ZbrrPDpKzKeJTrxxjFbtFt1_Izc>
Subject: Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Nov 2021 11:58:58 -0000

Hi Jonathan,

On 05/11/2021 15:34, Jonathan Hoyland wrote:
> Hi Simo,
>
> As I said in my email to Sam, my language here was sloppy, I meant 
> that the channel binding is included in the key derivation process, 
> and thus the output keys will be related to each other.
> The term channel bindings has two different meanings using in very 
> similar contexts, which leads to great confusion and is why I prefer 
> the term compound authentication (see Chapter 4.4 of my thesis) 
> <https://pure.royalholloway.ac.uk/portal/files/33074422/2018HoylandJGPhD.pdf>. 
>
> A channel binding is a "name" of a channel as you say, but it is also 
> used to mean using one channel to authenticate another.
> Very specifically if channel `a` is bound to channel `b` then that 
> means that if channel `b` is securely authenticated then channel `a` 
> was formed honestly (i.e. even if all of the long term key material 
> for channel `a` has been leaked, I can be sure that my channel `a` 
> peer is the same actor as my channel `b` peer.)
>
> Channel bindings that aren't bound to a specific session are less 
> secure than ones that are, so yes, you can use them, but that doesn't 
> mean they have the security properties you need.
> The purpose of binding a protocol to an underlying TLS session is to 
> leverage some of the security guarantees offered by the TLS layer.
> If those guarantees are never necessary because the over-the-top 
> protocol is always perfectly secure, just run the protocol on the wire 
> and drop the TLS complication.
> If those guarantees are at least sometimes necessary then you need to 
> securely bind the two channels together.
>
> Channel binding does more than simply guarantee that the messages were 
> the same, it also guarantees that the identity of the actors at each 
> layer remains the same, and that the keys derived in each layer match.
> With an appropriately designed channel binding you can use TLS's 
> protection against MITM attacks to protect insecure protocols run over 
> the top.
> Having now looked at SCRAM a little bit, using the TLS channel binding 
> guarantees that some malicious server isn't passing the client's 
> messages off to another server and performing a malicious 
> authentication there.
> Using a unique string from SCRAM means that messages from some other 
> protocol won't be compatible.
> If you don't require a unique string I could write a new protocol 
> SCRAM++ with cross-compatible messages, but different security 
> guarantees, and use that to compromise SCRAM clients.
> Obviously that's a patently malicious example, but it's perfectly 
> possible that some new version of SCRAM produces messages that an old 
> version of SCRAM misinterprets.
> It's even highly likely that a server that supports old versions of 
> SCRAM for backwards compatibility would use the same key material for 
> all versions.

I've been reading this exchange and I still struggle to understand what 
do you think the issue is. But more importantly, what are the possible 
fixes? If you can propose specific modifications to how 
draft-ietf-kitten-tls-channel-bindings-for-tls13 should be constructing 
channel binding for TLS 1.3, then maybe we can make some progress on this.

Best Regards,

Alexey

> Requiring a unique string makes the messages totally unrelated.
>
> I don't find the arguments "It's always been insecure in the past" or 
> "We have bad APIs" especially compelling.
>
> Regards,
>
> Jonathan
>
>
> On Fri, 29 Oct 2021 at 14:55, Simo Sorce <simo@redhat.com 
> <mailto:simo@redhat.com>> wrote:
>
>     Hi Jonathan,
>
>     On Thu, 2021-10-28 at 18:46 +0100, Jonathan Hoyland wrote:
>     > Hi Ruslan,
>     >
>     > Yes, two distinct TLS connections having the same exporter key
>     would be
>     > really bad, but I'm specifically talking about two runs of some
>     protocol
>     > bound to a single TLS session.
>     > A single TLS session will return the same key (modulo rekeying,
>     resumption
>     > etc.) if you call the Exporter API with the same label.
>     > This means that the channel bindings it produces, which will
>     then be used
>     > to derive the keys of the higher layer protocol, will produce
>     related keys.
>     >
>     > The key reason for making the binding retrieval context-specific
>     is to make
>     > sure that different protocols run in the same TLS session
>     produce disjoint
>     > keys.
>
>     Note, Channel Bindings are *not* a key and should never used as such,
>     so I think you are using a false premise here.
>     Channel Bindings are, at most, a unique value associated with a
>     session
>     (keep in mind that often Channel Bindings do not even bind to a
>     specific session, see 'tls-server-end-point' which is used in
>     preference in many cases within HTTPS endpoints because of the way
>     server termination is built in some scalable architectures).
>
>     > When someone tries to copy a message from a SCRAM handshake into
>     some
>     > GSS-API run on a single TLS connection I want to be sure that it
>     will be
>     > rejected, without having to understand exactly how every version
>     of SCRAM
>     > and GSS-API ever (including ones that will be drafted in the
>     future) works
>     > (not to mention every other protocol past, present, and future
>     that uses
>     > the same string.)
>
>     Both SCRAM and GSS-API are authentication mechanisms that use shared
>     keys for authentication. Both protocols are inherently resistant to
>     message swapping because the chances of producing a message on one
>     protocol that can be successfully decrypted/HMACed on the other are
>     astronomically low (they must be or the protocols are broken).
>
>     Channel bindings are just a way to tie those authentications to the
>     specific channel used underneath. I can't see how using the same value
>     for both protocols can lead to any compromise (see again 'tls-server-
>     end-point', where there isn't even a "same" channel guarantee, or
>     previous CBs where the binding was done to an IP address or other
>     clear
>     text session value).
>
>     If passing an arbitrary channel binding values could suddenly (and
>     predictably?) allow one protocol to be swapped for the other or have
>     one protocol generate derived session keys that are usable with the
>     other, it would mean those authentication mechanisms (SCRAM,GSS-
>     API,...) are completely broken, as that would mean the keys and
>     derivations used in those protocols are not providing the necessary
>     security guarantees.
>
>     > In the same way that we include strings in the TLS key schedule
>     to ensure
>     > that handshake messages can't be confused with each other or
>     with earlier
>     > versions of TLS, or even with Exported Authenticators, or MLS,
>     or any other
>     > protocol that uses keys, we should use channel bindings to separate
>     > protocols run over the top of TLS.
>
>     Yes, this is done because those messages are not further confounded
>     with additional private keys, but the situation is substantially
>     different when you talk about authentication mechanism that
>     already use
>     additional key material, key derivation and random challenges.
>
>     HTH,
>     Simo.
>
>     > Regards,
>     >
>     > Jonathan
>     >
>     > On Wed, 27 Oct 2021 at 19:39, Ruslan N. Marchenko
>     <rufferson@gmail.com <mailto:rufferson@gmail.com>>
>     > wrote:
>     >
>     > > Hi Jonathan,
>     > >
>     > > Am Mittwoch, dem 27.10.2021 um 18:02 +0100 schrieb Jonathan
>     Hoyland:
>     > > > Hi Ruslan,
>     > > >
>     > > > Without digging into the guts of GSS-API and SCRAM I can't
>     give you a
>     > > > concrete attack, the issue is that all our assumptions about
>     protocol
>     > > > security assume that different protocols use totally
>     separate key
>     > > > material.
>     > > > For example if I have one protocol that signs arbitrary
>     blobs and
>     > > > another that requires me to sign a challenge to prove I know
>     a private
>     > > > key then even if they're both perfectly secure on their own
>     they are
>     > > > totally broken in composition.
>     > > > This separation of keys is one of the core reasons for the
>     use of
>     > > > HKDFs, it lets us take some source randomness and use it to
>     generate
>     > > > independent keys.
>     > > >
>     > > > Designing a channel binding that explicitly suggests people
>     use the
>     > > > same key material for different things is bad practice and poor
>     > > > protocol design.
>     > > > Pretty much every attack is on the table if you have
>     multiple protocols
>     > > > using the same keys, message forgery, improper
>     authentication, key
>     > > > leakage, etc.
>     > > > The reason for separation of keys is to simply rule out this
>     entire
>     > > > class of vulnerability.
>     > >
>     > > Sorry maybe I'm missing something but why would two unrelated
>     protocols
>     > > have same key? The binding is derived from TLS session key, if two
>     > > unrelated TLS sessions are having the same key this is the
>     problem by
>     > > itself, and binding material is not amplifying it, just
>     falling to the
>     > > same problem bucket. And if they are related (eg resumed) then
>     protocol
>     > > muxing should perhaps be part of applicaiton stack and it
>     should still
>     > > be happy with a common security context.
>     > >
>     > > > If you don't separate the keys then whenever you make any
>     change to any
>     > > > protocol you have to consider its security in composition
>     with every
>     > > > other protocol, including ones that you don't know about or that
>     > > > haven't been written yet.
>     > > >
>     > > > Using different labels for different purposes shouldn't require
>     > > > anything complicated, as it's just changing the input
>     literals to the
>     > > > API call.
>     > > >
>     > > There's a difference in telling TLS stack "give me binding of that
>     > > type" - which is pretty much high level abstract call, and
>     asking TLS
>     > > to perform key derivation (export) for specific label - which
>     requires
>     > > speaking native TLS implementation api. Now that we have a
>     bunch of TLS
>     > > implementations and several abstractions and all other binding
>     types
>     > > are independent of the higher protocol - it may be challenging
>     changing
>     > > the API to make the binding retrieval context-specific. Not
>     that it is
>     > > impossible to make such change, but why?
>     > >
>     > >
>     > >
>     > >
>     > _______________________________________________
>     > Kitten mailing list
>     > Kitten@ietf.org <mailto:Kitten@ietf.org>
>     > https://www.ietf.org/mailman/listinfo/kitten
>     <https://www.ietf.org/mailman/listinfo/kitten>
>
>     -- 
>     Simo Sorce
>     RHEL Crypto Team
>     Red Hat, Inc
>
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email