Re: [TLS] TLS Export Channel Binding
Jonathan Hoyland <jonathan.hoyland@gmail.com> Mon, 04 May 2020 13:14 UTC
Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 522C73A08B1 for <tls@ietfa.amsl.com>; Mon, 4 May 2020 06:14:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hGVF7qmNpgE for <tls@ietfa.amsl.com>; Mon, 4 May 2020 06:14:56 -0700 (PDT)
Received: from mail-vk1-xa32.google.com (mail-vk1-xa32.google.com [IPv6:2607:f8b0:4864:20::a32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E7863A087D for <tls@ietf.org>; Mon, 4 May 2020 06:14:56 -0700 (PDT)
Received: by mail-vk1-xa32.google.com with SMTP id b14so4576152vkk.10 for <tls@ietf.org>; Mon, 04 May 2020 06:14:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WuJUwhjuMLxynwsnYo4674zeEzXbBbqnr2ni4XiEgd8=; b=imkJOJSTESuMyqnDDI6EwvP5EHFcb9sr2VN+CEFDh6qdx0+r4Kqz+ueY01cjILLtOo 237Gq9PB+TlK8UGu9zo5J2/OnKg7jFq5NxllfKRi2d1ErrcyTl4jLNANXcRbO/8NSxo9 rmt/zHTAp0tGShUMRYoQC1ntSUKD/q+5bk6EacrZz95tF0dauKfwK3EmAnu8c+omNC1e qk90aYtwmANQgVSbDRe+Ryt0CMMMJmWD/iin4qoaUMbffWmOKYyVPGk0qYMscheNlvE8 a24jomUJlXXrdAEfod/2CuaZtjPuYeGO7zMKaeDOrBilMwLkPJFgXrvLsqa78f12ztCs K7MQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WuJUwhjuMLxynwsnYo4674zeEzXbBbqnr2ni4XiEgd8=; b=YDQe3h3EwLGQYfPgFBYFrEdgagbVIMnEI2Aku14BcHfdbqaJMhYzgwUBmkAiaosSwL btpS2q4gn7BZWxP5yWYkRgphgE4k6OYOdDie/rc6TLXmxRCd7+7VphZQBhHK4IDnxUzP CeW0kwyJtxPB5RoeKHLXT1AmfHrCfMsN43H0P+yt49W8Kua0xFqroFKyGmxMO1KO1Q9K j8CVSCZ23Al4EDPE6lNhrW/KqDdcemni5q9yncu8LZJWwL7eTXpoz6NPBkDaixWl1Nfy LAP+J6W/Yx04U97auCDpHODKFNbKw6R+iVQHCeh7/LGallq7ISSoSCYITwKD6OOUg8G2 B+GA==
X-Gm-Message-State: AGi0PuYs3M8XZqnIaHPYH4w5rk8LoogpL8JdRVimWqWdhueo0/8esApt 3bYXpt2JNYNxmhdsezMuGzjsg1sy3PmX62vs3uU=
X-Google-Smtp-Source: APiQypKqLn5obEzqEsVdZ8vAQraF6Dm0XVLHXKw0SsO1h5w43IAC+pq5Mp7aMkVHngw1uEeYxwXHOUz6BJwUs2vtaTY=
X-Received: by 2002:a1f:3acc:: with SMTP id h195mr10334667vka.83.1588598094932; Mon, 04 May 2020 06:14:54 -0700 (PDT)
MIME-Version: 1.0
References: <0f20d1f6-56c1-4e01-813f-f8b3c57a5c9b@www.fastmail.com> <CACykbs3WDk7a0+0vCSDfCuib1Bex8SUJ-kvtZhjchvvm+5xc0g@mail.gmail.com> <13c2ff5e-f68e-45b5-bd64-085b9bdaf17e@www.fastmail.com> <CACykbs3+G8DCwC3ZrCbmzoygGkz6nRoYWHVxKWw3BvJ8YwAv7Q@mail.gmail.com> <ba8c1b17-6032-4420-8ead-a70c529721aa@www.fastmail.com>
In-Reply-To: <ba8c1b17-6032-4420-8ead-a70c529721aa@www.fastmail.com>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Mon, 04 May 2020 14:14:42 +0100
Message-ID: <CACykbs1Cz4aG1WaXpBeNmpdR90b2x-cGsrpnm=MXgFJiif0K2A@mail.gmail.com>
To: Sam Whited <sam@samwhited.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000023ae2405a4d25115"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2Q0CoyQrNcnXXpwKK6_W-ocbLpY>
Subject: Re: [TLS] TLS Export Channel Binding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2020 13:15:01 -0000
Hi Sam, If you wanted to use a SCRAM based SASL auth then you could pick `p=SCRAM-SHA256-PLUS`, or any other very specific IANA-registered string, and update the SCRAM RFC to require that string with TLS 1.3. You actively don't want for the same channel binding to be an input to multiple different protocols (or even the same protocol but with different parameters) because it opens the door to confusion attacks. I've only skimmed the SCRAM RFC, but it might make sense to include `client-first-message` and `server-first-message` as context to the exporter interface, because it seems that the channel binding isn't needed until the `client-final-message`. The idea is to use the transcript to bind the channel binding to the negotiation of SCRAM parameters, and thus allow you to define a single "TLS-SASL-SCRAM" string (or whatever makes sense), rather than have one for each possible set of parameters. Obviously you'd need to think some more about whether that was actually secure, but at first glance it seems like a reasonable approach. Channel bindings that bind both the underlying channel and the higher-level protocol make more sense to me that channel bindings that only identify the underlying channel, because you don't have to worry about the (potentially pathological) behaviours of other users of the binding. Regards, Jonathan On Fri, 1 May 2020 at 19:16, Sam Whited <sam@samwhited.com> wrote: > On Fri, May 1, 2020, at 14:08, Jonathan Hoyland wrote: > > Maybe I'm missing something, but I don't see what your draft adds? If > > someone wants to construct a channel binding then they agree with > > their peer on a context and a label, and use that to construct an > > exporter key. > > The draft just registers a method of using it with the IANA Channel > Binding Types registry so that you can negotiate and use exported keying > material in eg. SCRAM based SASL auth. Right now if I wanted to use EKM > for channel binding, what would I negotiate (ie. what would I set the p > field of a gs2 header to in SASL based auth?) > > > > Is the idea to reserve the string for some specific use? If so, then > > the suggested string is far to general, as it describes _any_ use of > > the interface. > > Yes, that's the idea. This registers the "tls-exporter" channel binding > type in the registry, and the label EXPORTER-Channel-Binding to use with > it. This is supposed to be a generic channel binding type that can be > used to negotiate channel binding when multiple are available, eg. if > the server supports both tls-unique (the last TLS finished message) and > exporter data, we need an identifier to decide that we want to use > exporter data. That also means having a label that we can associate with > this context. > > I'd be happy to change the name if the consensus is that this is too > general, but I didn't think it made sense to make this SASL or <other > auth system> specific. > > —Sam >
- [TLS] TLS Export Channel Binding Sam Whited
- Re: [TLS] TLS Export Channel Binding Sam Whited
- Re: [TLS] TLS Export Channel Binding Jonathan Hoyland
- Re: [TLS] TLS Export Channel Binding Jonathan Hoyland
- Re: [TLS] TLS Export Channel Binding Sam Whited
- Re: [TLS] TLS Export Channel Binding Jonathan Hoyland
- Re: [TLS] TLS Export Channel Binding Sam Whited
- Re: [TLS] TLS Export Channel Binding Alexey Melnikov
- Re: [TLS] TLS Export Channel Binding Alexey Melnikov
- Re: [TLS] TLS Export Channel Binding Alexey Melnikov
- Re: [TLS] TLS Export Channel Binding Sam Whited
- Re: [TLS] TLS Export Channel Binding Jonathan Hoyland
- Re: [TLS] TLS Export Channel Binding Sam Whited