IETF Logo Mail Archive

Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard

Dave Cridland <dave@cridland.net> Tue, 09 November 2021 16:13 UTC

Return-Path: <dave@cridland.net>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E77403A0AAD for <kitten@ietfa.amsl.com>; Tue, 9 Nov 2021 08:13:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 80Jf8oO-lpuM for <kitten@ietfa.amsl.com>; Tue, 9 Nov 2021 08:13:37 -0800 (PST)
Received: from mail-wm1-x336.google.com (mail-wm1-x336.google.com [IPv6:2a00:1450:4864:20::336]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B8713A0D86 for <kitten@ietf.org>; Tue, 9 Nov 2021 08:13:16 -0800 (PST)
Received: by mail-wm1-x336.google.com with SMTP id y84-20020a1c7d57000000b00330cb84834fso2335355wmc.2 for <kitten@ietf.org>; Tue, 09 Nov 2021 08:13:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=S99AO/YNNmz7KLLOZOoNfN5RDZthHdMQLq4ro64eEA8=; b=cJFBjxftMXfq/w0zf/LpTeJUbgfK7/TtZuO70WsFjBqKmSe5WmSsfIfx8CSJhPwkWc r7KOy7+k7v4u2SJegkYer5aFJzE80XjPNCzcIf0T83nZ7KiXBdPcEeZknWMJr3+wL8VU YsF4cv2/TGcFqJ3CgXaf94Zn6zQrWHlsZYpGQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=S99AO/YNNmz7KLLOZOoNfN5RDZthHdMQLq4ro64eEA8=; b=bp6N1vPx7ynPDkvXSVFhiLiFDI3FnPXkJ2vIs/GOHSRPrVieowM2DGN/dg5Zl6hR2O rVpcUFg1hKuFeklmHUxFwn0Lj2XOPFVkaWlVbiTnNjJR9tbI9iuOUPMs0ZRjP2P7iaRP CuQP/Ge/SUKmtcEsRtRrUIH3jxMXbDilDxmpzO5cODk9JHEH7BoDPtATo5ORiC6lnseb Vh1b+WRS13A5MHVROWccDd0UJ8WGnKekw7eIUAExOYayF1rj91QeV34395aMUhlvvV5r J8nPDkZfmU/CgyXu6bxrHow09hjbPH79XvuHPlnEqx5EgCLovHYFze4/V4O0vd8LFWMB kygw==
X-Gm-Message-State: AOAM531Nafxm1kFEdTU54zD74MisFuq7dY28JZR72LX7o2kVLopjpzoL 5hSBRQaC/oe5VU/9uWofMV2IwBE5yk7IANwOgpyD/zoRe+c=
X-Google-Smtp-Source: ABdhPJzaOOlPpjHiZyQKl2ZhwgnUVXmAtfAqdCXsLWN4/zXakyZzwKylkoXrIvFREsRiLX9roEFexuUyT8+vzHRuW+Y=
X-Received: by 2002:a05:600c:b46:: with SMTP id k6mr8381832wmr.45.1636474392432; Tue, 09 Nov 2021 08:13:12 -0800 (PST)
MIME-Version: 1.0
References: <163311243544.13917.11736165165419008870@ietfa.amsl.com> <20211001190002.GC98042@kduck.mit.edu> <CABcZeBPQG82xJdwMrmj4-=9aJymo1xts=D6VZedBW5X9k+34cQ@mail.gmail.com> <92ed26c1-bfde-43c1-93f4-2bbdbd4f6ec1@www.fastmail.com> <CAChr6Sw6Rs42DfS8KgD3qasPcWM_gGZhWN5C4b7W7JsPy0wDzw@mail.gmail.com> <8796f867-12b8-41f8-b124-82b3ab0e2d32@www.fastmail.com> <CAChr6SyKAnBcE9t68coGGXFt9WPLuDuWtVKoCXrK+QrwAVtPXw@mail.gmail.com> <f1bcd676-13ad-49b3-a8e8-8a272e0124e3@www.fastmail.com> <CABcZeBNo0gKjNZOKPYJYraioaw6G=z5ibTqh-o9GkWsDkfDmSQ@mail.gmail.com> <c4d6f2e5-0712-42a6-aef5-0cbada7e149e@www.fastmail.com> <CABcZeBM6y-6ZqaLGZ=8qr+uBnWOOgczhcx=ruy5S=n-YrHweKg@mail.gmail.com> <ca676a77-b2c9-4926-9842-d1d6587206ed@www.fastmail.com> <CACykbs11rHUweXmR1NSU0N2rRjcQ8Sf1S+DY2LO7T+e6cLt+5w@mail.gmail.com> <CAKHUCzz5ErY0xuBXVRuoNeZ3RS-7MwKrGH37kgZ=qwyqb-CgOg@mail.gmail.com> <CACykbs251Tn77jMN_YjcL8RxSax0NcFp8RNRT+oJp1Z=Z+qB2A@mail.gmail.com>
In-Reply-To: <CACykbs251Tn77jMN_YjcL8RxSax0NcFp8RNRT+oJp1Z=Z+qB2A@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
Date: Tue, 9 Nov 2021 16:13:01 +0000
Message-ID: <CAKHUCzw=_QRTdOovSBwV0VeN1M-7b9fSXonTyfF_oo4_VAGaBQ@mail.gmail.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: Sam Whited <sam@samwhited.com>, KITTEN Working Group <kitten@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/zLUCzCWAf4o6-jYceCQg7Bvf0hc>
Subject: Re: [kitten] [TLS] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 16:13:43 -0000

On Tue, 9 Nov 2021 at 16:01, Jonathan Hoyland
<jonathan.hoyland@gmail.com> wrote:
>
> Hi All,
>
> My specific solution is to simply include a different fixed string for each variant of SCRAM and GSS-API, and ideally a nonce.

I think you may mean SASL and GSS-API, but more probably I think you
need to decide what it is you mean.

SCRAM *already* includes a nonce in its hash calculations. Your
proposal is to include another, to avoid an unspecified attack.

> Given that applications will have to update their stacks anyway to accommodate the new fixed string in the current proposal I don't see that as a hugely difficult proposition.
>
> The goal of labels in material that is used to derive keys (yes, material that is used to derive keys is necessarily secret, yes material derived from keys is not necessarily secret), is to exclude classes of attack.
> It is good protocol design.
>
> One of the things use of a TLS channel binding gives you is protection for the upper level protocol against TLS being MITMed.
> Using a fixed string for multiple protocols probably gives you that protection (assuming the channel binding is correctly agreed by both sides).
>
> Using a distinct channel binding, even if the upper level protocol is not secure, means that if both sides agree on the channel binding they agree on the intent of the upper layer protocol, i.e. it gives you some level assurance that the client and server agree on what was intended.
> This eliminates classes of attack such as message confusion.
> Adding this protection costs virtually nothing, given that you are _already_ commiting to updating this section of code (no code currently makes this specific call to the TLS-Exporter interface).
> Leaving it out means that people like me who do formal analysis can't reasonably analyse these designs.
> I build models of protocols and prove they meet certain properties.
> The only way to keep that analysis viable (we're already talking hundreds of hours of work) is to eliminate classes of attack wholesale.
> Yes, you can add unique and clever protections into every sub-protocol, but it makes formally proving anything about the security exponentially harder (and yes, I mean that in the literal / mathematical sense).

SASL (and GSS-API) are pluggable authentication systems which means
that if you want a formal proof (or even just a finger-in-the-air
back-of-the-envelope one) you have to do it against a specific SASL
(or GSS-API) mechanism.

Without knowing the mechanism, it's impossible to perform a formal
proof, because you don't know how the channel binding is exchanged and
proven, and so you would be missing an absolutely crucial part of your
model.

Dave.

v2.8.7 | Report a Bug | By Email