[Lurk] LURK TLS 1.2 draft -- my latest edits + small TO-DOs

<i.boureanu@surrey.ac.uk> Thu, 21 June 2018 22:06 UTC

From: i.boureanu@surrey.ac.uk
To: lurk@ietf.org
CC: daniel.migault@ericsson.com, stere.preda@ericsson.com
Date: Thu, 21 Jun 2018 22:06:06 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/lurk/ugyxh6DRIGL4OkJJNh80A6zVrh0>

Hi all,

Daniel, thanks for our last Skype… Sorry for the delay past that

Daniel, after that Skype, here’s where we are.

@my actions:
I’ve modified the mkd file of the LURK TLS 1.2 draft as per what we discussed.

I mainly placed my modifications in the security considerations, which I almost entirely rewrote.

This “security-considerations” section now has these sub-headings:
1. General Considerations (in here I put not much, but general things .. like those linked to the LURK Server returning msk and not pmk)

2. Perfect Forward Secrecy Considerations
In here, the new stuff is on the security analysis linked to what we need of the pfs function for LURK in RSA-mode to get some forward-secrecy (i.e., protect against a MiM + corrupt LURK client making bad queries to the LURK Server).

I have put in the two options for the ‘pfs’ function we discussed of:
1) pfs being a CRHF; 2) pfs being a PRF instance keyed on a key that the LURK Server and LURK Client pre-share.
I said that 1 is better at achieving security, but 2 may be more efficient.

[You may want to add precise RECOMMENDATIONS there]

3. Proxied-Infrastructure Considerations
In here, I’ve put two things:
a) that the Client's Finished be sent to the LURK Server (along with all handshake data) helps the LURK Server audit the query;
b) that the option where the LURK Server sends S to the LURK Client, for this one to do server-random=pfs(S), is better at forward-secrecy protection than 2) above but it is more expensive (i.e., increased latency)
* I’d like to add this 3.b) in the appendix, as an optional variant. Would that be OK?

    (BTW, you may need to touch up the jargon: e.g., if I used “RECOMMENDED” where I was supposed to use that, etc).

All this is on GitHub on a branch of the repo called “patch1”.

@your actions:

You are/were going to
  — add the aspect that Client's Finished be sent to the LURK Server (along with all handshake data)
  — re-design the rsa_master_extended with the full handshake
Once you do this, you and/or I can make a run to make it all uniform.

Thanks.

Best,
Ioana
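
The two `pfs` options named in the message, as an added sketch that is not part of the original e-mail or the draft. It assumes SHA-256 for the CRHF and HMAC-SHA256 for the keyed PRF, that the LURK Client submits S and the LURK Server recomputes server_random = pfs(S), and it skips RSA decryption by handing the server the premaster directly; all function names are hypothetical.

```python
import hashlib, hmac, os

def pfs_crhf(s: bytes) -> bytes:
    """Option 1: pfs as a collision-resistant hash (SHA-256 is an assumption)."""
    return hashlib.sha256(s).digest()

def make_pfs_prf(shared_key: bytes):
    """Option 2: pfs as a PRF keyed with a key pre-shared by LURK Client and
    LURK Server (HMAC-SHA256 is an assumption)."""
    return lambda s: hmac.new(shared_key, s, hashlib.sha256).digest()

def tls12_prf(secret: bytes, label: bytes, seed: bytes, n: int) -> bytes:
    """TLS 1.2 PRF with P_SHA256 (RFC 5246, section 5)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < n:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:n]

def tls_master(pms: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return tls12_prf(pms, b"master secret", client_random + server_random, 48)

def lurk_server_master(pms, client_random, s, pfs) -> bytes:
    """Toy LURK Server: it never accepts server_random from the query,
    it recomputes it as pfs(S) before deriving the master secret."""
    return tls_master(pms, client_random, pfs(s))

def demo(pfs):
    """Returns (honest query matches session, replayed query matches session)."""
    pms = b"\x03\x03" + os.urandom(46)     # constructed premaster secret
    client_random = os.urandom(32)         # constructed handshake values
    s = os.urandom(32)                     # known only to the LURK Client
    server_random = pfs(s)                 # what an observer sees on the wire
    session = tls_master(pms, client_random, server_random)
    honest = lurk_server_master(pms, client_random, s, pfs)
    # A later query built only from the recorded handshake has no S, so it
    # can only submit the observed server_random in its place.
    replay = lurk_server_master(pms, client_random, server_random, pfs)
    return honest == session, replay == session

if __name__ == "__main__":
    print(demo(pfs_crhf), demo(make_pfs_prf(os.urandom(32))))
```
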