Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard
"Ruslan N. Marchenko" <me@ruff.mobi> Tue, 26 October 2021 19:58 UTC
Return-Path: <me@ruff.mobi>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 746123A1832; Tue, 26 Oct 2021 12:58:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RDVh9wIRgXuN; Tue, 26 Oct 2021 12:58:23 -0700 (PDT)
Received: from vex.ruff.mobi (vex.ruff.mobi [37.120.177.103]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BA093A182B; Tue, 26 Oct 2021 12:58:21 -0700 (PDT)
Received: from pi.ruff.mobi (ip-78-45-99-112.net.upcbroadband.cz [78.45.99.112]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "ruff.mobi", Issuer "R3" (not verified)) by vex.ruff.mobi (Postfix) with ESMTPS id 69ED21493B94; Tue, 26 Oct 2021 21:58:18 +0200 (CEST)
Received: from dei.ruff.mobi (unknown [IPv6:2001:470:741b::6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by pi.ruff.mobi (Postfix) with ESMTPSA id 700D113979; Tue, 26 Oct 2021 21:58:14 +0200 (CEST)
Message-ID: <e9570c02c4f703780a4e317b26607ac124a3b595.camel@ruff.mobi>
From: "Ruslan N. Marchenko" <me@ruff.mobi>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>, Sam Whited <sam@samwhited.com>
Cc: KITTEN Working Group <kitten@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Date: Tue, 26 Oct 2021 21:58:07 +0200
In-Reply-To: <CACykbs11rHUweXmR1NSU0N2rRjcQ8Sf1S+DY2LO7T+e6cLt+5w@mail.gmail.com>
References: <163311243544.13917.11736165165419008870@ietfa.amsl.com> <20211001190002.GC98042@kduck.mit.edu> <CABcZeBPQG82xJdwMrmj4-=9aJymo1xts=D6VZedBW5X9k+34cQ@mail.gmail.com> <92ed26c1-bfde-43c1-93f4-2bbdbd4f6ec1@www.fastmail.com> <CAChr6Sw6Rs42DfS8KgD3qasPcWM_gGZhWN5C4b7W7JsPy0wDzw@mail.gmail.com> <8796f867-12b8-41f8-b124-82b3ab0e2d32@www.fastmail.com> <CAChr6SyKAnBcE9t68coGGXFt9WPLuDuWtVKoCXrK+QrwAVtPXw@mail.gmail.com> <f1bcd676-13ad-49b3-a8e8-8a272e0124e3@www.fastmail.com> <CABcZeBNo0gKjNZOKPYJYraioaw6G=z5ibTqh-o9GkWsDkfDmSQ@mail.gmail.com> <c4d6f2e5-0712-42a6-aef5-0cbada7e149e@www.fastmail.com> <CABcZeBM6y-6ZqaLGZ=8qr+uBnWOOgczhcx=ruy5S=n-YrHweKg@mail.gmail.com> <ca676a77-b2c9-4926-9842-d1d6587206ed@www.fastmail.com> <CACykbs11rHUweXmR1NSU0N2rRjcQ8Sf1S+DY2LO7T+e6cLt+5w@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
User-Agent: Evolution 3.40.4
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/dgPeBR7jaSK9AN2Q1OzogptIqV8>
Subject: Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Oct 2021 19:58:29 -0000
Hi Jonathan, Am Dienstag, dem 26.10.2021 um 17:32 +0100 schrieb Jonathan Hoyland: > Hi Sam, all, > > I'd like to again raise the issues I pointed out in > https://mailarchive.ietf.org/arch/msg/kitten/13pPj4E3-gYwpbu2K844uI1BPoU/ > . > This draft hasn't received enough security analysis, and further, I > pointed out a specific security issue that remains unaddressed. > > Using the same label for different protocols produces trivial > collisions, and thus it is perfectly possible that a message meant for > GSS-API is identical in both form and key to a message for SCRAM, and > thus there is strong potential for confusion. > I'm not familiar with either of these protocols, so maybe they have > internal reasons why this example doesn't work, but that misses the > much larger and more significant point. > Any future protocol that uses the same label will potentially be > confusable, and further updates to GSS-API now must ensure that they > don't form valid SCRAM messages, and vice versa. > > There isn't even a one-to-one relationship between GSS-API / SCRAM > runs. This channel binding design doesn't protect against messages > being swapped between two GSS-API runs on a single TLS connection. > Again, whether that is a specific problem for GSS-API is totally > irrelevant. > Another protocol that uses this draft may well be vulnerable, and thus > this is just leaving a huge security landmine in TLS channel bindings. > > At an absolute minimum this draft should include "A TLS session using > this RFC to produce a binding for any purpose MUST NOT generate more > than one per session. If a second exporter using this protocol is > required the TLS session MUST be rekeyed." > Can you please elaborate a bit more on this particular attack vector? What exactly information it may leak/compromise and how? The reason I'm asking is that application is the one glueing together TLS and authentication sessions, however application does not always have access to internals of either one(tls), or another(auth) or even both. Therefore asking application to transfer context between authentication and transport APIs may not always be feasible or even possible. Regards, Ruslan
- [kitten] Last Call: <draft-ietf-kitten-tls-channe… The IESG
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Ruslan N. Marchenko
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Ruslan N. Marchenko
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Sam Whited
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Simo Sorce
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Ruslan N. Marchenko
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Alexey Melnikov
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Simon Josefsson
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Dave Cridland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Dave Cridland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Jonathan Hoyland
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Ruslan N. Marchenko
- Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-ki… Sam Whited