Re: [Lurk] LURK TLS 1.2 draft -- my latest edits + small TO-DOs

<i.boureanu@surrey.ac.uk> Thu, 28 June 2018 17:06 UTC

Return-Path: <i.boureanu@surrey.ac.uk>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66CEE130E82 for <lurk@ietfa.amsl.com>; Thu, 28 Jun 2018 10:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=surrey.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h3BFp1kPA4VH for <lurk@ietfa.amsl.com>; Thu, 28 Jun 2018 10:06:00 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70125.outbound.protection.outlook.com [40.107.7.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3AD3130FA5 for <lurk@ietf.org>; Thu, 28 Jun 2018 10:05:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=surrey.ac.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jX89/MV2ydjLRdrP/RXqfhSUvOO2pOtql0lR511fZ2A=; b=FAbFQO1ubXX6wbJFWwR7Bt9oZye2S3CGmJmEP3mfEeTqwgAeyVH9+5xh0xNeEvIOVDlvmBrm40GRf4cfcjFDIjkmZSOqRV92lMm+AF5Ib291dd+yPWjMl5AOp3RS0gvVqdJ2X5dyW0FDXTSJdU17gSwP6sLdUcYTV77tfJ2Y5gs=
Received: from VI1PR06MB1216.eurprd06.prod.outlook.com (10.162.124.28) by VI1PR06MB3149.eurprd06.prod.outlook.com (10.170.230.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.906.24; Thu, 28 Jun 2018 17:05:56 +0000
Received: from VI1PR06MB1216.eurprd06.prod.outlook.com ([fe80::4826:88:ba38:1a8f]) by VI1PR06MB1216.eurprd06.prod.outlook.com ([fe80::4826:88:ba38:1a8f%4]) with mapi id 15.20.0906.023; Thu, 28 Jun 2018 17:05:56 +0000
From: <i.boureanu@surrey.ac.uk>
To: <daniel.migault@ericsson.com>
CC: <lurk@ietf.org>
Thread-Topic: [Lurk] LURK TLS 1.2 draft -- my latest edits + small TO-DOs
Thread-Index: AQHUCawNAa8zkf4wrk6PkUf4LtKmfqRyynsAgAH5voCAASz9AA==
Date: Thu, 28 Jun 2018 17:05:55 +0000
Message-ID: <4FC6EEC2-D4C5-4340-8A31-5D78ECE31FEB@surrey.ac.uk>
References: <97D2A22D-6F4F-45F8-A1EA-6958199C2F59@surrey.ac.uk> <CADZyTkm29boWGaWzcoC_dir3tB6vkng0ud4WzPcmx+2wY5t1_Q@mail.gmail.com> <CADZyTkm0EdH-xVa7bPPOkmaJCP6qdjrDUtrDdohMbyfSTK+6+Q@mail.gmail.com>
In-Reply-To: <CADZyTkm0EdH-xVa7bPPOkmaJCP6qdjrDUtrDdohMbyfSTK+6+Q@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3273)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=i.boureanu@surrey.ac.uk;
x-originating-ip: [131.227.23.35]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR06MB3149; 7:o7AULSQ5QFSls9mfITx5wRyLKByRV+344Uc1VD8OdqnIXeYB0L9avsrUsEd6VtiEyDQdglwyOo7QFUXXjJBoSKmXy9OZxek05qVvELv6IxaFnw/2X9zQX3xIWlzUs5cbb0WJSbINExYxGTtZkGY33JIBbFqF86lb/zMewoaMN9MyGauHW087LYYzX17Fn/Cm7a5ky/sbmiHBGoO9rioKgNP/Jnb3MYKtpFDZQ34AvQg2IyiD4HNelYIJzvmH4OrD
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: d5d589c2-9f7b-42d5-5827-08d5dd1969c4
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652034)(8989117)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600026)(711020)(2017052603328)(7153060)(7193020); SRVR:VI1PR06MB3149;
x-ms-traffictypediagnostic: VI1PR06MB3149:
x-microsoft-antispam-prvs: <VI1PR06MB3149B2AE22D0F73728463DB4AE4F0@VI1PR06MB3149.eurprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(158342451672863)(166708455590820)(192374486261705);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(10201501046)(93006095)(93001095)(3231254)(944501410)(52105095)(149027)(150027)(6041310)(20161123560045)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123558120)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:VI1PR06MB3149; BCL:0; PCL:0; RULEID:; SRVR:VI1PR06MB3149;
x-forefront-prvs: 0717E25089
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(366004)(376002)(136003)(396003)(39860400002)(189003)(199004)(53754006)(54896002)(5660300001)(14444005)(6436002)(786003)(446003)(81166006)(229853002)(6506007)(256004)(74482002)(99286004)(14454004)(6246003)(4326008)(8676002)(33656002)(68736007)(57306001)(66066001)(6116002)(3846002)(50226002)(476003)(2616005)(11346002)(966005)(36756003)(478600001)(2906002)(6916009)(53936002)(606006)(86362001)(486006)(82746002)(6486002)(7736002)(236005)(6512007)(25786009)(8936002)(102836004)(76176011)(5250100002)(81156014)(186003)(2900100001)(105586002)(6306002)(97736004)(316002)(106356001)(83716003)(53546011)(26005)(217873001); DIR:OUT; SFP:1102; SCL:1; SRVR:VI1PR06MB3149; H:VI1PR06MB1216.eurprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: surrey.ac.uk does not designate permitted sender hosts)
x-microsoft-antispam-message-info: d77KvhJrlX0H8c2hNisJT+dbwfhnKcy0srxH6tfD40pFZeWb8F0x0r3E5Iuv9DmYnOHlbDsRBSbu0PtJZf598cufhKeM1FTms2Itno2XEdnqJqWMpcYOAjJZ3JrafG0E2IXaAbQ34kli3l6qz8DzWZivhar8K9QPihrmVF1KCtW7Rxhz7ozVMtLCX3byZvu0m3ZfbUb5NPZDPlTtB6hg8dQ/iJrBPT/r0goXOlm2uAo9mDiOrMMwyN546FFoLMT4N2ThkV0r0tfjIkaiNZVinuUkxbJIXx6xcmyrpd6GxwDMh9PlCNWp5Y2oK3we/jcVdKQ2ke0X9Fh1unLNyU9p/Hmv6U+agwptNQYT+LP4/LM=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_4FC6EEC2D4C543408A315D78ECE31FEBsurreyacuk_"
MIME-Version: 1.0
X-OriginatorOrg: surrey.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: d5d589c2-9f7b-42d5-5827-08d5dd1969c4
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jun 2018 17:05:55.9718 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6b902693-1074-40aa-9e21-d89446a2ebb5
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR06MB3149
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 04
X-MS-Exchange-CrossPremises-AuthSource: VI1PR06MB1216.eurprd06.prod.outlook.com
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-TransportTrafficSubType:
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-originalclientipaddress: 131.227.23.35
X-MS-Exchange-CrossPremises-transporttraffictype: Email
X-MS-Exchange-CrossPremises-transporttrafficsubtype:
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-OrganizationHeadersPreserved: VI1PR06MB3149.eurprd06.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/1Mr6DvLhLzAcFanky3ZKsIhzqic>
Subject: Re: [Lurk] LURK TLS 1.2 draft -- my latest edits + small TO-DOs
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jun 2018 17:06:05 -0000

Hi Daniel,

I’ve pushed some mods; please see if you accept.

The important ones are:
1. I renamed "pfs" to "fresshness_fct”;

2. I rewrote the security considerations, especially on sec_pfs
      Therein, for our alternative to using a CRHF, I introduced a simpler way than using a PRF. That is...
       Since the channel between the LURK Client and the LURK Server  MUST be encrypted by default, in the optional version we can just do this:
 a.  the LURK Server directly  sends the server_random to the LURK Client. //again this is over an encrypted channel in any way
 b.  the LURK Client uses this server_random with the TLS Client
 c.  the LURK Server checks the correctness of the use of the said server_random when the query for the master_secret is made, with
the messages forwarded therein;


  3. in some places, we still had "LURK Client" and "LURK Server" used wrongly.

Please see in details in the mkd.

I will do another run tomorrow, on the appendices, but please see if you accept this first.

Best,
Ioana




On 28 Jun 2018, at 00:08, Daniel Migault <daniel.migault@ericsson.com<mailto:daniel.migault@ericsson.com>> wrote:

Hi,

I finally removed the option and created a new type of request when the finished message is included. The reasoning behind is that we anyway have to indicate whether the finished message is included or not which costs one byte. Then the presence of the finished message impact the format of the request ( that is the way parameters are transmitted). This is closer to another type of request than the addition of an option.

Comments are appreciated as the dead line for publication is Monday 23:59 UTC time, so please provide feed back by Sunday ;-)

the current version is available at:
https://github.com/mglt/draft-mglt-lurk-tls12/blob/master/draft-mglt-lurk-tls12.mkd


Yours
Daniel

On Tue, Jun 26, 2018 at 12:58 PM, Daniel Migault <daniel.migault@ericsson.com<mailto:daniel.migault@ericsson.com>> wrote:
Hi,

Please find an update of the document available on github: https://github.com/mglt/draft-mglt-lurk-tls12

The rsa_extended_master includes now the necessary parameters to generate the session_hash. It does not include anymore the session_hash. As a result, randoms are available which enables anti replay mechanism based on the hash of the server random.

Both rsa_master and rsa_master_extended include the possibility to have an option that carries the Finished message as well as parameters to check the Finished message. While this is designated as "finished" option, it impacts the format of the request.

rsa_master without the "finished" option requires to specify the client random, the server_random and the encrypted_premaster. With the "finished" option, all of them are included in the handshake.
rsa_extended_master without the "finished" option requires to specify the an handshake that includes the ClientHello...ServerHello. With the "finished" option the handshake provided includes the later and so is included.

The current design avoids the repetition of parameters. As such, when the "finished" option is provided, the parameters are expected to be taken from the handshake associated to the "finished" option.

I do not find the term "option" appropriated, so I am happy to hear a better designation.

Yours,
Daniel





On Thu, Jun 21, 2018 at 6:06 PM, <i.boureanu=40surrey.ac.uk@dmarc.ietf.org<mailto:i.boureanu=40surrey.ac.uk@dmarc.ietf.org>> wrote:
Hi all,

Daniel, thanks for our last Skype… Sorry for the delay past that

Daniel, after that Skype, here’s where we are.

@my actions:
I’ve modified the mkd  file of LURK TLS 1.2 draft as per what we discussed.

I mainly placed my modifications in the security considerations, which I almost entirely rewrote.

This “security-considerations” section now has these sub-headings:
1. General Considerations (in here I put not much, but general things .. like those linked to the LURK Server returning msk and not pmk)

2. Perfect Forward Secrecy Considerations
In here, the new stuff is on the security analysis linked to what we need of the pfs function for LURK in RSA-mode to get some forward-secrecy (i..e., protect against a MiM + corrupt LURK client make bad queries to the LURK Server).

I have put in the two options for the ‘pfs’ function we discussed of:
1) pfs being a CRHF; 2) pfs being a PRF instance keyed on a key that the LURK Server and LURK Client pre-share.
I said that 1 is better at achieving security, but 2 is may be more efficient

[You may one to add precise RECOMMENDATIONS there]

3. Proxied-Infrastructure Considerations
In here, I’ve put two things :
a). that the Client's Finished be sent to the LURK Server (along with all handshake data) help the
LURK Server audit the query;
                b). that the option where the LURK Server sends S to the LURK Client, for this one to do server-random=pfs(S), is better at  forward-secrecy protection than 2) above  but it is more expensive (i.e., increased latency)
* I’d like to add this 3.b) in the appendix, as an optional variant. Would that be OK?

    (BTW, you may need to touch up the jargon: e.g., if I used “RECOMMENDED” where I was supposed to use that, etc).

All this is on GitHub on a  branch of the repo called “patch1"

@your actions:

You are/were going to
  — add the aspect that Client's Finished be sent to the LURK Server (along with all handshake data)
  — re-design the rsa_master_extended with the full handshake
Once you do this, you and/or me can make a run to make it all uniform.

Thanks.

Best,
Ioana




_______________________________________________
Lurk mailing list
Lurk@ietf.org<mailto:Lurk@ietf.org>
https://www.ietf.org/mailman/listinfo/lurk



_______________________________________________
Lurk mailing list
Lurk@ietf.org<mailto:Lurk@ietf.org>
https://www.ietf.org/mailman/listinfo/lurk