IETF Logo Mail Archive

Re: [TLS] TLS Export Channel Binding

Jonathan Hoyland <jonathan.hoyland@gmail.com> Mon, 04 May 2020 16:56 UTC

Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4BEC43A0D38 for <tls@ietfa.amsl.com>; Mon, 4 May 2020 09:56:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P9otNbzbCP7D for <tls@ietfa.amsl.com>; Mon, 4 May 2020 09:56:51 -0700 (PDT)
Received: from mail-vs1-xe2a.google.com (mail-vs1-xe2a.google.com [IPv6:2607:f8b0:4864:20::e2a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8633F3A0D39 for <tls@ietf.org>; Mon, 4 May 2020 09:56:50 -0700 (PDT)
Received: by mail-vs1-xe2a.google.com with SMTP id e10so47919vsp.12 for <tls@ietf.org>; Mon, 04 May 2020 09:56:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=OPMs0Bgk7u6orQJ7k2/S0qMV4XNeYk8uobwtWAqP0bw=; b=rq3A8AZTtEgKVejPH/dQszqJao/RT7LW9x8qwXDd3qtmFVXBEsSLKvQbTZpxZT5dUR Av6zHy3nY50oFrraZ7I+oSa8Y/sME71xhIOF3KLBGiB9oxDq19/d4ASs+MPyet0RsXNM cWeJ9APEbzJKQSnnckJ+01eSM+jQNlm8MiA0RFsuanEDEGfNfsuN53UUZozlaFNl5yPI w2tWAIsBv5DoLhZzQHCx7/kgo7SyE0GGCis8FrWnXEIN9Zra51W3iZomZMmo/No4/gTa JlNZW3vFZ85DAcci9E2TfiDMTyKilO9rN6TmCVhRsBjkl6wF2dprnldn4AIVXt4Rr0z4 hIAQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=OPMs0Bgk7u6orQJ7k2/S0qMV4XNeYk8uobwtWAqP0bw=; b=tRRUqEHtKfOxv7eyZ7POj8RRtykPSCxCheQBbZ5/aij09Bgh1myYHThW5R0uoad4Sz mGkx99vywmhqWRxEcV+U21JC+a1In76O/s/DCc+G2D/TGAZMtvJOlaDmQefd2F0jQxPB jadeuvQJbgu+TXYtQIhoxAU0m0EFf4JlLhC00LLdupme9EO8Q7zMBhDzgi7qypZ9unsz os1Vltk0J2stnLX+z3ttjXCOuBCvQ5MekugW2T06sGXH48Djb/RoP3Lg5M9KRKlTMaOp APtTv1+gd/vIDUl6Uo4bv4j64viEgicoJ1y/rArYu46Kt+9ALZ0U8Kzpw1PH//40s8+I L+nQ==
X-Gm-Message-State: AGi0PuYgHOMg+vGRI3uNouNhOPTQI9HdHaUW056dS+UTjW+AnpoaQCBl nupD+yo1pNGvtkWyY2BeqWAUJUoxU+7yxz878Mr3nGgG
X-Google-Smtp-Source: APiQypJ24KNHymY7XVJHfTUNGpSqHvQleqTwRK0/34wmWF+80t8+oJvql1YxxbliTzfq7tzYcanWN+xnD5fZZEI7qFk=
X-Received: by 2002:a67:fb06:: with SMTP id d6mr78915vsr.66.1588611409366; Mon, 04 May 2020 09:56:49 -0700 (PDT)
MIME-Version: 1.0
References: <0f20d1f6-56c1-4e01-813f-f8b3c57a5c9b@www.fastmail.com> <CACykbs3WDk7a0+0vCSDfCuib1Bex8SUJ-kvtZhjchvvm+5xc0g@mail.gmail.com> <13c2ff5e-f68e-45b5-bd64-085b9bdaf17e@www.fastmail.com> <CACykbs3+G8DCwC3ZrCbmzoygGkz6nRoYWHVxKWw3BvJ8YwAv7Q@mail.gmail.com> <ba8c1b17-6032-4420-8ead-a70c529721aa@www.fastmail.com> <CACykbs1Cz4aG1WaXpBeNmpdR90b2x-cGsrpnm=MXgFJiif0K2A@mail.gmail.com> <dc82ad3c-2806-7be3-c4fc-307d0f5fd482@isode.com>
In-Reply-To: <dc82ad3c-2806-7be3-c4fc-307d0f5fd482@isode.com>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Mon, 04 May 2020 17:56:38 +0100
Message-ID: <CACykbs1kn4ivMgkF5yZe9V1HzKW8bMHRZrFVH7Qben_CUEynoA@mail.gmail.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>
Cc: Sam Whited <sam@samwhited.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bdd35505a4d56a24"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-Cun2XPicPDLgZe1xiYTvmgYXc4>
Subject: Re: [TLS] TLS Export Channel Binding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2020 16:56:53 -0000

Hi Alexey

On Mon, 4 May 2020 at 16:23, Alexey Melnikov <alexey.melnikov@isode.com>
wrote:

> Hi Jonathan,
>
> On 04/05/2020 14:14, Jonathan Hoyland wrote:
> > Hi Sam,
> >
> > If you wanted to use a SCRAM based SASL auth then you could pick
> > `p=SCRAM-SHA256-PLUS`, or any other very specific IANA-registered
> > string, and update the SCRAM RFC to require that string with TLS 1.3.
> > You actively don't want for the same channel binding to be an input to
> > multiple different protocols (or even the same protocol but with
> > different parameters) because it opens the door to confusion attacks.
>
> Can you elaborate on what you are trying to protect from?
>
>
If two protocols use the same channel binding there is a risk that the
messages from one can be confused with the messages from the other.
This might happen accidentally, or an adversary might be able to forge one
from the other.
If you wanted to do a formal analysis of the of the security of TLS 1.3 +
SCRAM then a generic binding means you have to factor in what every other
possible protocol might do.
If you use a unique and specific channel binding then the analysis is far
easier and can be a lot more robust (this assumes a global coordinator of
unique strings, such as IANA).
>From an analysis perspective it's easier to rule out classes of attacks
than to consider all possible interactions between all users of the
interface, some of which you won't know about, or perhaps haven't even been
invented yet.

Historically channel bindings were constant once TLS negotiation was
> complete (they could change if TLS renegotiation happens). So they never
> depended on what was sent over the protocol above TLS.
>
>
Yeah, I think the design in TLS 1.3 is much more robust, especially from a
formal analysis perspective.
By constructing channel bindings based on the parameters negotiated over
the top you get a belt-and-braces design.
If you have a contributive channel binding [1] then if the security of
either the underlying protocol (in this case TLS) or the over-the-top
protocol (in this case SCRAM) fails, then the channel binding guarantees
the authentication still happened properly.
Consider the case where an adversary publishes the server's private key to
twitter.
If you have a contributive channel binding then if the SCRAM handshake
succeeds you could be sure that you were talking to the real server, and
weren't being MITMed.
If you don't base the channel binding on the parameters agreed in the
upper  protocol it's possible (in theory) that an adversary could compute
two SCRAM handshakes that appear to succeed, but that actually agree
different parameters.
In this particular case it's not obvious how that could happen, but it's
easy to think up pathological examples, and [1] has a few concrete examples
too.


> > I've only skimmed the SCRAM RFC, but it might make sense to include
> > `client-first-message` and `server-first-message` as context to the
> > exporter interface, because it seems that the channel binding isn't
> > needed until the `client-final-message`.
>
> "the channel binding isn't needed until the `client-final-message`" is
> correct. Can you elaborate on what is problematic with this?
>

Sorry if I was unclear, there's nothing problematic with this per se.
It's just that the channel binding can't be dependent on itself, but
including everything that precedes the channel binding just seems like an
easy win, esp. as (in this case) that includes all parameter negotiation.


> > The idea is to use the transcript to bind the channel binding to the
> > negotiation of SCRAM parameters, and thus allow you to define a single
> > "TLS-SASL-SCRAM" string (or whatever makes sense), rather than have
> > one for each possible set of parameters.
> > Obviously you'd need to think some more about whether that was
> > actually secure, but at first glance it seems like a reasonable approach.
> >
> > Channel bindings that bind both the underlying channel and the
> > higher-level protocol make more sense to me that channel bindings that
> > only identify the underlying channel, because you don't have to worry
> > about the (potentially pathological) behaviours of other users of the
> > binding.
> >
> Best Regards,
>
> Alexey
>
> Regards,

Jonathan

[1] Bhargavan, Karthikeyan, Antoine Delignat-Lavaud, and Alfredo Pironti.
"Verified Contributive Channel Bindings for Compound Authentication." *NDSS*.
2015.
https://prosecco.gforge.inria.fr/personal/karthik/pubs/verified-channel-bindings-ndss15.pdf

v2.23.0 | Report a Bug | By Email