IETF Logo Mail Archive

Re: [TLS] In-handshake CertificateRequest and 0-RTT

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 12 May 2016 19:53 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A70C12D159 for <tls@ietfa.amsl.com>; Thu, 12 May 2016 12:53:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fYgz2X4JYlAa for <tls@ietfa.amsl.com>; Thu, 12 May 2016 12:53:17 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0742.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::742]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A533212B039 for <tls@ietf.org>; Thu, 12 May 2016 12:53:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=gANtdd2HHB4Q3u7YBjxp+uE2qSXvv/8Eq47xD6AA8tc=; b=LTWyHLFvhJI6Hv2cU2ZZERTCdmKaxmIY8vuW9q2GS2HSKIwQrXtbZU5p54HXDaV/nU38sHNgM4lfpIRLEMLNoq8N06Z2FiU+z+aCW0OMjPwlIoq3dUH4p769z8X1qNhPk50UTH4Sm+cg1g0Vk75LoFLxNtPaO6JjLNKY+7KBvSU=
Received: from BN3PR03MB1445.namprd03.prod.outlook.com (10.163.34.28) by BN3PR03MB1447.namprd03.prod.outlook.com (10.163.34.30) with Microsoft SMTP Server (TLS) id 15.1.492.11; Thu, 12 May 2016 19:52:53 +0000
Received: from BN3PR03MB1445.namprd03.prod.outlook.com ([10.163.34.28]) by BN3PR03MB1445.namprd03.prod.outlook.com ([10.163.34.28]) with mapi id 15.01.0492.019; Thu, 12 May 2016 19:52:53 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: David Benjamin <davidben@chromium.org>, Eric Rescorla <ekr@rtfm.com>
Thread-Topic: [TLS] In-handshake CertificateRequest and 0-RTT
Thread-Index: AQHRq8YKJ6vbePADq0yCRqtFxjAW9J+1a4KAgAA/wQCAAAVjgIAABDAAgAACqBA=
Date: Thu, 12 May 2016 19:52:53 +0000
Message-ID: <BN3PR03MB14459AC22FD4529B1E246F7A8C730@BN3PR03MB1445.namprd03.prod.outlook.com>
References: <CAF8qwaD870fuNuVnhnbKBEk3Vc4G7_AfR+mOAtvLwDYNtNgcwA@mail.gmail.com> <CABcZeBPUmahhCN97wrjUE1iR2f8jT9Sp3D81qQBfM8aMM8EA7Q@mail.gmail.com> <CAF8qwaAqHeyn3O0-n1-EJNiHae8=mE=mM+vDbE8bRbVLqA2D2w@mail.gmail.com> <CABcZeBN-fYXjmOcpZO6Vk-+G6==XJaqfFT=cMJTmYFi=gWA9yQ@mail.gmail.com> <CAF8qwaAaLDqSB=wpmZtZO0P45--dDOMxeg1d5NTV8z77maxXqw@mail.gmail.com>
In-Reply-To: <CAF8qwaAaLDqSB=wpmZtZO0P45--dDOMxeg1d5NTV8z77maxXqw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: chromium.org; dkim=none (message not signed) header.d=none; chromium.org; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:7::1d2]
x-ms-office365-filtering-correlation-id: d873081f-e589-4fde-093e-08d37a9f01c4
x-microsoft-exchange-diagnostics: 1; BN3PR03MB1447; 5:YGagPjZCtl6zRiKaGQjaLUYgeUcR7TKS7pojrUVgmKVviorZvNh8DMNmY8XMhVLn/rpE6lJ/NVIA97YoffcmlCIF+ogTrT9WKk3N7NDcV09Q81ACCS8RLhveHnb0QeHBUnDxaQUT9v/QPUeT53JUAg==; 24:Fca8/I4MJUTrFcB3lGgKGaPluqr7PCeQQM4L/qsqWNZwoKLw1YkGN2kcL+CtdL2zM35D7x+2Oml6X4HlLWEQoZT9BFiA0PDxJMhhDHIuWeM=; 7:dEt80XnkEY9v9iU0/4///sqsWTDVAaBykGdpZKO1n5fZKN6PMNqeLn3Bu7RG9GsgrM4ue+lMh3+0+UYo3svn2Y/wRr6HhZBDPJ7FxWvxiwqKmCnG1GVoa/hemdkRIzF8VKwk4ctYuFyAMYZyNwMHGENYoE+7cduIgl/V0gwTAvlaOwh87qQkSDYUjI8Cu/Y6g7JlgZkc+UfAJndSz1KahA==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR03MB1447;
x-microsoft-antispam-prvs: <BN3PR03MB1447C821140BC4A543DC92278C730@BN3PR03MB1447.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038); SRVR:BN3PR03MB1447; BCL:0; PCL:0; RULEID:; SRVR:BN3PR03MB1447;
x-forefront-prvs: 0940A19703
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(377454003)(51444003)(24454002)(50986999)(102836003)(6116002)(4326007)(790700001)(5004730100002)(5001770100001)(10400500002)(86362001)(1220700001)(5005710100001)(99286002)(16236675004)(19300405004)(19580405001)(19580395003)(81166006)(92566002)(76176999)(106116001)(8990500004)(5002640100001)(54356999)(33656002)(2906002)(74316001)(15975445007)(2900100001)(10090500001)(2950100001)(11100500001)(9686002)(5008740100001)(3660700001)(10290500002)(189998001)(8936002)(93886004)(77096005)(86612001)(19625215002)(5003600100002)(87936001)(19617315012)(122556002)(3280700002)(76576001)(586003)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR03MB1447; H:BN3PR03MB1445.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN3PR03MB14459AC22FD4529B1E246F7A8C730BN3PR03MB1445namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 May 2016 19:52:53.6447 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR03MB1447
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/22SBHM3X_gCz6AFO5koG4CjYRHs>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] In-handshake CertificateRequest and 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 May 2016 19:53:22 -0000

Ø  Is the client still authenticated as the previous one too, or just the new one?
I think the client that has authenticated as A and then B in the same TLS session, can’t claim to not be A anymore.

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of David Benjamin
Sent: Thursday, May 12, 2016 12:41 PM
To: Eric Rescorla <ekr@rtfm.com>
Cc: tls@ietf.org
Subject: Re: [TLS] In-handshake CertificateRequest and 0-RTT

Right, I want to forbid it precisely because I don't want to allow post-handshake client auth. :-)

Or rather, I expect most TLS applications will not want post-handshake client auth enabled as it significantly changes the authentication picture (TLS-level auth can change mid-stream) and would have it off. I would like disabling post-handshake client auth to, as a result, disable all such TLS-level mid-stream switches. For some legacy uses of HTTP/1.1, sure, post-handshake auth will be enabled and this feature doesn't do much harm. (But it also doesn't help. The server can just as easily send post-handshake CertificateRequest right after the handshake.)

For 1-RTT, there's no mid-stream transition problem. Though it is kind of weird for PSK-resumption. PSK-resumption already implicitly carries a set of certificate-based identities from the previous run, but we're saying the server may ask the client to pick a different one (but not vice versa). Is the client still authenticated as the previous one too, or just the new one?

David

On Thu, May 12, 2016 at 3:26 PM Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:
I agree that the current draft is ambiguous on this point but I think the question is what the right
thing is. My intuition here is that we should try to make the client's side and the server's side
more independent so that you can have client auth in either case. Given that we're going to
allow post-handshake client auth when you resume, it's just not clear to me why you wouldn't
allow in-handshake client-auth. I'm not sure it's a hill I'm willing to die on though.

-Ekr



On Thu, May 12, 2016 at 9:06 PM, David Benjamin <davidben@chromium.org<mailto:davidben@chromium.org>> wrote:
Which PSK/non-PSK symmetry are you referring to? I didn't think 1.3 currently allowed CertificateRequest in a PSK handshake either, or are you referring to something else?

Actually, looking at the text again, it's a little confusing right now where CertificateRequest is and isn't allowed. The message flow in 6.2.2 implies a PSK resumption handshake does not send CertificateRequest. The flow in 6.2.3 implies a 0-RTT handshake does, but it describes the 0-RTT handshake as:

"""
When resuming via a PSK, clients can also send data on their first flight (“early data”). This data is encrypted solely under keys derived using the PSK as the static secret. As shown in Figure 4, the Zero-RTT data is just added to the 1-RTT handshake in the first flight, the rest of the handshake uses the same messages.
"""

This suggests it should match 6.2.2 in whether CertificateRequest is allowed. Arguably the rules should be in text, not diagrams, but the text in 6.3.3.2 just says:

"""
A non-anonymous server can optionally request a certificate from the client, if appropriate for the selected cipher suite. This message, if sent, will follow EncryptedExtensions.
"""

(I'm guessing "non-anonymous" is a holdover from TLS 1.2's text.)

In TLS 1.2, I believe CertificateRequest in a PSK-based cipher wasn't allowed. RFC 4279 explicitly says it's not allowed in plain PSK. It's not clear whether that applies to DHE_PSK, but I think that combined with 1.2's "non-anonymous" rule gives client auth => certificate-based cipher as the most reasonable interpretation.

David

On Thu, May 12, 2016 at 11:19 AM Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:
Interesting suggestion. I see what you mean about symmetry with the server

The symmetry I was optimizing for is that the PSK and non-PSK handshake, and I think from that perspective the current design is simpler, so I see it both ways.

WRT to the 0.5RTT data, Hugo Krawczyk has done some nice work on analyzing this case and I think we're starting to get more comfort with that.

So, not sure what I think...

-Ekr





On Wed, May 11, 2016 at 10:44 PM, David Benjamin <davidben@chromium.org<mailto:davidben@chromium.org>> wrote:
The 0-RTT handshake originally had two places with a client Certificate + CertificateVerify: in the 0-RTT flow and in the second Finished block in response to a server CertificateRequest. We've dropped the first now. I propose we drop the second too. Client auth with 0-RTT is solely carried over via resumption. (I mentioned this previously, but with 0-RTT looking closer to resumption and the IETF 95 decision on 0.5-RTT data, I think the case is clearer.)

This makes 6.2.3 more consistent with 6.2.2 where neither side authenticates in a resumption handshake. 0-RTT is much more similar to resumption with most parameters carrying over anyway.

1-RTT client auth in a 0-RTT handshake also invites more of the retroactive auth confusion as with post-handshake auth. The client stream switches from unauthenticated to authenticated. I believe this was one of the reasons we agreed at IETF 95 to discourage/forbid (not sure which) sending 0.5-RTT data following a CertificateRequest. In-handshake CertificateRequest either requires this discouraged situation or accepting 0-RTT data without sending 0.5-RTT data, which is largely pointless.

We accepted the retroactive auth issue in post-handshake auth, but I think we should limit it to that. For implementations, BoringSSL made accepting renego an opt-in feature. I expect we'd do the same for post-handshake auth. For specs, one might specify that post-handshake authentication is forbidden. HTTP/2 did this for renegotiation. I haven't been following the HTTP/2 client cert saga as closely, but draft-thomson-http2-client-certs-02 is the current plan, right? If so, HTTP/2 should forbid TLS-level post-handshake auth too.

In both cases, excluding post-handshake auth should exclude any transition from unauthenticated to authenticated in the stream. Instead, if you want to change authentication state, send a post-handshake CertificateRequest, as you would have normally.

David

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email