Re: [secdir] Secdir last call review of draft-ietf-tls-exported-authenticator-09

Benjamin Kaduk <kaduk@mit.edu> Sun, 21 July 2019 01:57 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14B80120041; Sat, 20 Jul 2019 18:57:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hqfMAv7LNp1j; Sat, 20 Jul 2019 18:57:06 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 663A6120018; Sat, 20 Jul 2019 18:57:06 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x6L1v0Ug014784 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sat, 20 Jul 2019 21:57:03 -0400
Date: Sat, 20 Jul 2019 20:57:00 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: secdir@ietf.org, draft-ietf-tls-exported-authenticator.all@ietf.org, ietf@ietf.org, tls@ietf.org
Message-ID: <20190721015659.GL23137@kduck.mit.edu>
References: <156330717256.15259.2193942101748847069@ietfa.amsl.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <156330717256.15259.2193942101748847069@ietfa.amsl.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/2VA1_jnUQCsJ3Tx7zGL2sRBmg3A>
Subject: Re: [secdir] Secdir last call review of draft-ietf-tls-exported-authenticator-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 01:57:09 -0000

Hi Yaron,

Thanks for the thoughtful review.  It seems like we'll need to think about
some points a bit more...

On Tue, Jul 16, 2019 at 12:59:32PM -0700, Yaron Sheffer via Datatracker wrote:
> Reviewer: Yaron Sheffer
> Review result: Has Issues
> 
> The document is generally clear in both its motivation and the proposed
> solution.
> 
> I think it's playing a bit too liberal with TLS 1.3, in sort-of but not quite
> deprecating renegotiation, and in changing the IANA registry in a way that
> actually changes the protocol. Details below.

To be clear, 1.3 does not have renegotiation at all, so that deprecation
has already been done and not by this document.

> Other comments:
> 
>
> * Abstract: please reword to make it clear that it's the proof (not the cert)
> that is portable.
> * Introduction: TLS 1.3 post-handshake auth "has the
> disadvantage of requiring additional state to be stored as part of the TLS
> state machine." Why is that an issue is practice, assuming this feature is

It requires either caching the entire handshake messages (including
certificate), which can add up, or being able to "fork" a copy of internal
hash state, which is a pretty uncommon API.

> already supported by TLS libraries? Also, are we in effect deprecating this TLS
> 1.3 feature because of the security issue of the mismatched record boundaries?

I think in some peoples' minds that would be a good thing, though it's not
entirely clear that we are actually doing so.

> * "For simplicity, the mechanisms... require", maybe a normative REQUIRE?
> *
> Authenticator Request: please clarify that we use the TLS 1.3 format even when
> running on TLS 1.2.
> * Also, I suggest to change "is not encrypted with a
> handshake key" which is too specific to "is sent unencrypted within the normal
> TLS-protected data".
> * Before diving into the detailed messages in Sec. 3, it
> would be nice to include a quick overview of the message sequence.
> * Sec. 3:
> "SHOULD use TLS", change to MUST. There's no way it can work otherwise anyway.

What about QUIC?

> * "This message reuses the structure to the CertificateRequest message" -
> repeats the preceding paragraph.
> * Sec. 4: again, SHOULD use TLS -> MUST.
> * Is
> there a requirement for all protocol messages to be sent over a single TLS
> connection? If so, please mention it. Certainly this is true for the
> Authenticator message that must be sent over a single connection and cannot be
> multiplexed by the high-level protocol. I think this protocol actually assumes
> "nice" transport properties (no message reorder, reliability) that also require
> a single, clean TLS connection.

It seems like we should be more clear about what we do (and do not)
require.  Though IIRC we can do separate authenticators in parallel and not
require them to be ordered with respect to each other.

> * Why no authenticator request for servers?
> Don't we care about replay? OTOH if the client wants to detect replays, it
> would need to keep state on received authenticators, which would be very messy.

IIUC the thinking is that there's no way to revoke an authenticator for a
connection, so replay (if  not detected by another layer anyway) would not
cause the authentication state to change.

> * 4.1: when referencing Exporters, mention this is Sec. 7.5 of [TLS1.3].
> * The
> discussion of Extended Master Secret only applies to TLS 1.2 - please clarify
> that, plus I suggest to reword this paragraph which I find hard to parse.

(RFC 8446 tries to say "when something  requires EMS, TLS 1.3 counts for
that", but it's not great.)

> *
> 4.2: "the extensions are chosen from the TLS handshake." - What does it mean
> exactly, and how does an application even know which extensions were used at
> the TLS layer? Reading further, we mention "ClientHello extensions." Maybe the
> authenticator should also include a ClientHello message to indicate supported
> extensions. Assuming we can peek into ClientHello contradicts the hopeful "even
> if it is possible to implement it at the application layer" in Sec. 6.
> * 4.2.1:
> the first sentence of the section is incomplete.
> * Can I use TLS 1.3-specific
> extensions (oid_filters) if I'm running on a TLS 1.2 connection? Is there a
> situation where a certificate is acceptable for TLS 1.3 connections but not for
> TLS 1.2 connections?
> * "using a value derived from the connection secrets" - I
> think we should recommend a specific construction here to ensure people do it
> securely.
> * 4.2.3: Are we computing HMAC(MAC-key, Hash(a || b || c || d))? If
> so, please say so.
> * 4.2.4: "a constant-time comparison" - why is it actually
> required, what is the threat? An attacker can do very little because each
> authenticator being sent is different.

I  think this text was added because of  a question I asked during AD
review, and we didn't put a huge amount of thought into it.

> * 5: please say explicitly which
> messages are used in this case to construct the authenticator.
> * 6.1: the
> "MUST" is strange in a section that's only supposed to be informative. Also,
> the library may provide this extension (and possibly others) without requiring
> it as input.
> * 6.4: "The API MUST return a failure if the
> certificate_request_context of the authenticator was used in a previously
> validated authenticator." Are we requiring the library to keep previous
> contexts for replay protection? If so, please make it explicit.
> *  7.1: this is
> changing TLS 1.3 by allowing this extension in Cert Request! I think it's a
> really bad idea. Better to hack special support to existing libraries, allowing
> this specific extension for this special case, than to change the base
> protocol. Otherwise, this document should UPDATE 8446.

Or, since extension codepoints are cheap, just use a newcodepoint.

-Ben

> * 8: I think the
> Security Considerations is the right place to talk about interaction between
> this protocol and TLS 1.3 (or 1.2) renegotiation. Even if we simply RECOMMEND
> not to do it. Or else explain the use cases where renegotiation is still useful
> if there are any.
>