Re: [Lurk] LURK TLS 1.2 draft -- my latest edits + small TO-DOs
<i.boureanu@surrey.ac.uk> Thu, 28 June 2018 17:06 UTC
Return-Path: <i.boureanu@surrey.ac.uk>
X-Original-To: lurk@ietfa.amsl.com
Delivered-To: lurk@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 66CEE130E82 for <lurk@ietfa.amsl.com>; Thu, 28 Jun 2018 10:06:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=surrey.ac.uk
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h3BFp1kPA4VH for <lurk@ietfa.amsl.com>; Thu, 28 Jun 2018 10:06:00 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70125.outbound.protection.outlook.com [40.107.7.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3AD3130FA5 for <lurk@ietf.org>; Thu, 28 Jun 2018 10:05:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=surrey.ac.uk; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jX89/MV2ydjLRdrP/RXqfhSUvOO2pOtql0lR511fZ2A=; b=FAbFQO1ubXX6wbJFWwR7Bt9oZye2S3CGmJmEP3mfEeTqwgAeyVH9+5xh0xNeEvIOVDlvmBrm40GRf4cfcjFDIjkmZSOqRV92lMm+AF5Ib291dd+yPWjMl5AOp3RS0gvVqdJ2X5dyW0FDXTSJdU17gSwP6sLdUcYTV77tfJ2Y5gs=
Received: from VI1PR06MB1216.eurprd06.prod.outlook.com (10.162.124.28) by VI1PR06MB3149.eurprd06.prod.outlook.com (10.170.230.28) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.906.24; Thu, 28 Jun 2018 17:05:56 +0000
Received: from VI1PR06MB1216.eurprd06.prod.outlook.com ([fe80::4826:88:ba38:1a8f]) by VI1PR06MB1216.eurprd06.prod.outlook.com ([fe80::4826:88:ba38:1a8f%4]) with mapi id 15.20.0906.023; Thu, 28 Jun 2018 17:05:56 +0000
From: i.boureanu@surrey.ac.uk
To: daniel.migault@ericsson.com
CC: lurk@ietf.org
Thread-Topic: [Lurk] LURK TLS 1.2 draft -- my latest edits + small TO-DOs
Thread-Index: AQHUCawNAa8zkf4wrk6PkUf4LtKmfqRyynsAgAH5voCAASz9AA==
Date: Thu, 28 Jun 2018 17:05:55 +0000
Message-ID: <4FC6EEC2-D4C5-4340-8A31-5D78ECE31FEB@surrey.ac.uk>
References: <97D2A22D-6F4F-45F8-A1EA-6958199C2F59@surrey.ac.uk> <CADZyTkm29boWGaWzcoC_dir3tB6vkng0ud4WzPcmx+2wY5t1_Q@mail.gmail.com> <CADZyTkm0EdH-xVa7bPPOkmaJCP6qdjrDUtrDdohMbyfSTK+6+Q@mail.gmail.com>
In-Reply-To: <CADZyTkm0EdH-xVa7bPPOkmaJCP6qdjrDUtrDdohMbyfSTK+6+Q@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-mailer: Apple Mail (2.3273)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=i.boureanu@surrey.ac.uk;
x-originating-ip: [131.227.23.35]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR06MB3149; 7:o7AULSQ5QFSls9mfITx5wRyLKByRV+344Uc1VD8OdqnIXeYB0L9avsrUsEd6VtiEyDQdglwyOo7QFUXXjJBoSKmXy9OZxek05qVvELv6IxaFnw/2X9zQX3xIWlzUs5cbb0WJSbINExYxGTtZkGY33JIBbFqF86lb/zMewoaMN9MyGauHW087LYYzX17Fn/Cm7a5ky/sbmiHBGoO9rioKgNP/Jnb3MYKtpFDZQ34AvQg2IyiD4HNelYIJzvmH4OrD
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: d5d589c2-9f7b-42d5-5827-08d5dd1969c4
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652034)(8989117)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600026)(711020)(2017052603328)(7153060)(7193020); SRVR:VI1PR06MB3149;
x-ms-traffictypediagnostic: VI1PR06MB3149:
x-microsoft-antispam-prvs: <VI1PR06MB3149B2AE22D0F73728463DB4AE4F0@VI1PR06MB3149.eurprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(158342451672863)(166708455590820)(192374486261705);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(10201501046)(93006095)(93001095)(3231254)(944501410)(52105095)(149027)(150027)(6041310)(20161123560045)(201703131423095)(201702281529075)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123558120)(20161123562045)(6072148)(201708071742011)(7699016); SRVR:VI1PR06MB3149; BCL:0; PCL:0; RULEID:; SRVR:VI1PR06MB3149;
x-forefront-prvs: 0717E25089
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(366004)(376002)(136003)(396003)(39860400002)(189003)(199004)(53754006)(54896002)(5660300001)(14444005)(6436002)(786003)(446003)(81166006)(229853002)(6506007)(256004)(74482002)(99286004)(14454004)(6246003)(4326008)(8676002)(33656002)(68736007)(57306001)(66066001)(6116002)(3846002)(50226002)(476003)(2616005)(11346002)(966005)(36756003)(478600001)(2906002)(6916009)(53936002)(606006)(86362001)(486006)(82746002)(6486002)(7736002)(236005)(6512007)(25786009)(8936002)(102836004)(76176011)(5250100002)(81156014)(186003)(2900100001)(105586002)(6306002)(97736004)(316002)(106356001)(83716003)(53546011)(26005)(217873001); DIR:OUT; SFP:1102; SCL:1; SRVR:VI1PR06MB3149; H:VI1PR06MB1216.eurprd06.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: surrey.ac.uk does not designate permitted sender hosts)
x-microsoft-antispam-message-info: d77KvhJrlX0H8c2hNisJT+dbwfhnKcy0srxH6tfD40pFZeWb8F0x0r3E5Iuv9DmYnOHlbDsRBSbu0PtJZf598cufhKeM1FTms2Itno2XEdnqJqWMpcYOAjJZ3JrafG0E2IXaAbQ34kli3l6qz8DzWZivhar8K9QPihrmVF1KCtW7Rxhz7ozVMtLCX3byZvu0m3ZfbUb5NPZDPlTtB6hg8dQ/iJrBPT/r0goXOlm2uAo9mDiOrMMwyN546FFoLMT4N2ThkV0r0tfjIkaiNZVinuUkxbJIXx6xcmyrpd6GxwDMh9PlCNWp5Y2oK3we/jcVdKQ2ke0X9Fh1unLNyU9p/Hmv6U+agwptNQYT+LP4/LM=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_4FC6EEC2D4C543408A315D78ECE31FEBsurreyacuk_"
MIME-Version: 1.0
X-OriginatorOrg: surrey.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: d5d589c2-9f7b-42d5-5827-08d5dd1969c4
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jun 2018 17:05:55.9718 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 6b902693-1074-40aa-9e21-d89446a2ebb5
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR06MB3149
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 04
X-MS-Exchange-CrossPremises-AuthSource: VI1PR06MB1216.eurprd06.prod.outlook.com
X-MS-Exchange-CrossPremises-TransportTrafficType: Email
X-MS-Exchange-CrossPremises-TransportTrafficSubType:
X-MS-Exchange-CrossPremises-SCL: 1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-originalclientipaddress: 131.227.23.35
X-MS-Exchange-CrossPremises-transporttraffictype: Email
X-MS-Exchange-CrossPremises-transporttrafficsubtype:
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating; SFV:NSPM; SKIP:0;
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-OrganizationHeadersPreserved: VI1PR06MB3149.eurprd06.prod.outlook.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/1Mr6DvLhLzAcFanky3ZKsIhzqic>
Subject: Re: [Lurk] LURK TLS 1.2 draft -- my latest edits + small TO-DOs
X-BeenThere: lurk@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Limited Use of Remote Keys <lurk.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lurk>, <mailto:lurk-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lurk/>
List-Post: <mailto:lurk@ietf.org>
List-Help: <mailto:lurk-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lurk>, <mailto:lurk-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jun 2018 17:06:05 -0000
Hi Daniel, I’ve pushed some mods; please see if you accept. The important ones are: 1. I renamed "pfs" to "fresshness_fct”; 2. I rewrote the security considerations, especially on sec_pfs Therein, for our alternative to using a CRHF, I introduced a simpler way than using a PRF. That is... Since the channel between the LURK Client and the LURK Server MUST be encrypted by default, in the optional version we can just do this: a. the LURK Server directly sends the server_random to the LURK Client. //again this is over an encrypted channel in any way b. the LURK Client uses this server_random with the TLS Client c. the LURK Server checks the correctness of the use of the said server_random when the query for the master_secret is made, with the messages forwarded therein; 3. in some places, we still had "LURK Client" and "LURK Server" used wrongly. Please see in details in the mkd. I will do another run tomorrow, on the appendices, but please see if you accept this first. Best, Ioana On 28 Jun 2018, at 00:08, Daniel Migault <daniel.migault@ericsson.com<mailto:daniel.migault@ericsson.com>> wrote: Hi, I finally removed the option and created a new type of request when the finished message is included. The reasoning behind is that we anyway have to indicate whether the finished message is included or not which costs one byte. Then the presence of the finished message impact the format of the request ( that is the way parameters are transmitted). This is closer to another type of request than the addition of an option. Comments are appreciated as the dead line for publication is Monday 23:59 UTC time, so please provide feed back by Sunday ;-) the current version is available at: https://github.com/mglt/draft-mglt-lurk-tls12/blob/master/draft-mglt-lurk-tls12.mkd Yours Daniel On Tue, Jun 26, 2018 at 12:58 PM, Daniel Migault <daniel.migault@ericsson.com<mailto:daniel.migault@ericsson.com>> wrote: Hi, Please find an update of the document available on github: https://github.com/mglt/draft-mglt-lurk-tls12 The rsa_extended_master includes now the necessary parameters to generate the session_hash. It does not include anymore the session_hash. As a result, randoms are available which enables anti replay mechanism based on the hash of the server random. Both rsa_master and rsa_master_extended include the possibility to have an option that carries the Finished message as well as parameters to check the Finished message. While this is designated as "finished" option, it impacts the format of the request. rsa_master without the "finished" option requires to specify the client random, the server_random and the encrypted_premaster. With the "finished" option, all of them are included in the handshake. rsa_extended_master without the "finished" option requires to specify the an handshake that includes the ClientHello...ServerHello. With the "finished" option the handshake provided includes the later and so is included. The current design avoids the repetition of parameters. As such, when the "finished" option is provided, the parameters are expected to be taken from the handshake associated to the "finished" option. I do not find the term "option" appropriated, so I am happy to hear a better designation. Yours, Daniel On Thu, Jun 21, 2018 at 6:06 PM, <i.boureanu=40surrey.ac.uk@dmarc.ietf.org<mailto:i.boureanu=40surrey.ac.uk@dmarc.ietf.org>> wrote: Hi all, Daniel, thanks for our last Skype… Sorry for the delay past that Daniel, after that Skype, here’s where we are. @my actions: I’ve modified the mkd file of LURK TLS 1.2 draft as per what we discussed. I mainly placed my modifications in the security considerations, which I almost entirely rewrote. This “security-considerations” section now has these sub-headings: 1. General Considerations (in here I put not much, but general things .. like those linked to the LURK Server returning msk and not pmk) 2. Perfect Forward Secrecy Considerations In here, the new stuff is on the security analysis linked to what we need of the pfs function for LURK in RSA-mode to get some forward-secrecy (i..e., protect against a MiM + corrupt LURK client make bad queries to the LURK Server). I have put in the two options for the ‘pfs’ function we discussed of: 1) pfs being a CRHF; 2) pfs being a PRF instance keyed on a key that the LURK Server and LURK Client pre-share. I said that 1 is better at achieving security, but 2 is may be more efficient [You may one to add precise RECOMMENDATIONS there] 3. Proxied-Infrastructure Considerations In here, I’ve put two things : a). that the Client's Finished be sent to the LURK Server (along with all handshake data) help the LURK Server audit the query; b). that the option where the LURK Server sends S to the LURK Client, for this one to do server-random=pfs(S), is better at forward-secrecy protection than 2) above but it is more expensive (i.e., increased latency) * I’d like to add this 3.b) in the appendix, as an optional variant. Would that be OK? (BTW, you may need to touch up the jargon: e.g., if I used “RECOMMENDED” where I was supposed to use that, etc). All this is on GitHub on a branch of the repo called “patch1" @your actions: You are/were going to — add the aspect that Client's Finished be sent to the LURK Server (along with all handshake data) — re-design the rsa_master_extended with the full handshake Once you do this, you and/or me can make a run to make it all uniform. Thanks. Best, Ioana _______________________________________________ Lurk mailing list Lurk@ietf.org<mailto:Lurk@ietf.org> https://www.ietf.org/mailman/listinfo/lurk _______________________________________________ Lurk mailing list Lurk@ietf.org<mailto:Lurk@ietf.org> https://www.ietf.org/mailman/listinfo/lurk
- [Lurk] LURK TLS 1.2 draft -- my latest edits + sm… i.boureanu
- Re: [Lurk] LURK TLS 1.2 draft -- my latest edits … Daniel Migault
- Re: [Lurk] LURK TLS 1.2 draft -- my latest edits … Daniel Migault
- Re: [Lurk] LURK TLS 1.2 draft -- my latest edits … Daniel Migault
- Re: [Lurk] LURK TLS 1.2 draft -- my latest edits … i.boureanu