Re: [TLS] Keeping TLS extension points working

David Benjamin <davidben@chromium.org> Wed, 03 August 2016 13:47 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69F8112DD9C for <tls@ietfa.amsl.com>; Wed, 3 Aug 2016 06:47:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.976
X-Spam-Level:
X-Spam-Status: No, score=-3.976 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e3-mNQ71tqat for <tls@ietfa.amsl.com>; Wed, 3 Aug 2016 06:47:14 -0700 (PDT)
Received: from mail-it0-x235.google.com (mail-it0-x235.google.com [IPv6:2607:f8b0:4001:c0b::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 454EB12DDAD for <tls@ietf.org>; Wed, 3 Aug 2016 06:39:53 -0700 (PDT)
Received: by mail-it0-x235.google.com with SMTP id f6so231402502ith.0 for <tls@ietf.org>; Wed, 03 Aug 2016 06:39:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=cLWGz3cMO16fVL00NJLN7HMD8LuZgjHdhKXmcyBOphQ=; b=QVARDenIAayx2qQHFnG7gL3GJZ3L+qd3HeQn15Jd9kOTg8mv0e46xZPB7Yqyge5l9h lvWj3M1HbV/ZNbw3K7LY1YOTny+9CTnG3hkYjfXBIqUZJ1noDRmrPQ5rhJoQ4ThihKN+ dQ3gTgTv2J/DF+RPAujn2fglWSg+7rlAbfPYg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=cLWGz3cMO16fVL00NJLN7HMD8LuZgjHdhKXmcyBOphQ=; b=bXZnspOgHkkNqi1GxMp7kSs3Bc+BQ7A1df1/auave104RgJR9KaEd9iIRpWRq7Ascc xeWx+UjbSW/UYHMH5ChUmsoQrihDaGpfgUesdKjt00ZHp8XahHnpTPIcS1akeUQx7V7r b95aFslXQtHWmCk612UweYSxQRJuhq1ZGItatj8g12NK/atf5etBXKs9F/SqFXjfsZIA Q0xO9MsLmk4pPIj1Cxm7ngPq1x2JK3gsF8uEPsvYf4x6CP+6udLYlZue3ZOrZnQoMmWJ 65qkx3BEOQYEPk0BW78BUZ/bGlRhotyvFycLQEvhXlF6Ggz9AWgIsJQc/9priftlSQ5j fyLw==
X-Gm-Message-State: AEkoouu8PQhsHbgS8gXMl3bIkpFbHzFEkltQ6uCHkt+qJJqmJDe7HjMukOoCnechMLo/qT+oKoVC6Bq8D+5A2y6w
X-Received: by 10.36.61.201 with SMTP id n192mr26180165itn.92.1470231592284; Wed, 03 Aug 2016 06:39:52 -0700 (PDT)
MIME-Version: 1.0
References: <CAF8qwaCaW2Q+z_JoDqzQZaGCWJ2aqUiyK8_J8_CO4Ck_cqtaSA@mail.gmail.com> <FDFEA8C9B9B6BD4685DCC959079C81F5E18BF559@blreml502-mbx> <CANduzxBqLsvsybwCqR_zC-tpSQ2P1mTz8waZw0Y-im-X0-p0Lw@mail.gmail.com> <CAF8qwaCF4psOSMrbc5aiwsb5FOOJAVpyP1EL3CFBJbp8JQH=Sw@mail.gmail.com> <FDFEA8C9B9B6BD4685DCC959079C81F5E18BF7AB@blreml502-mbx>
In-Reply-To: <FDFEA8C9B9B6BD4685DCC959079C81F5E18BF7AB@blreml502-mbx>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 03 Aug 2016 13:39:40 +0000
Message-ID: <CAF8qwaAs2TN5o+fNVQA7A5aZJ_daPqFy25BAi3h9G4kxCEr1Zw@mail.gmail.com>
To: Raja ashok <raja.ashok@huawei.com>, Steven Valdez <svaldez@google.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/related; boundary=001a11444e94cc3e8b05392af770
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5bEMqNi0gtxW_AWSEHyxQPbZQxc>
Subject: Re: [TLS] Keeping TLS extension points working
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2016 13:47:18 -0000

On Wed, Aug 3, 2016 at 8:52 AM Raja ashok <raja.ashok@huawei.com> wrote:

> Hi David & Steven,
>
>
>
> Here our intension is to find out buggy server which implemented a cipher
> suite support with wrong value other than specified in RFC.
>
> -          If that wrong value usage in that buggy server collides with
> any real cipher suite on the period of deployment means, the bug would have
> identified immediately with some other non buggy client.
>
> -          If that wrong value is in the range of unspecified value, then
> that bug thrives and it will come out only after several years when IANA
> assigns that value to some new cipher suite.
>
As ecosystem problems go, this is very tame one. I don't think the
complexity cost of a retry (which is not compatible with existing servers
anyway) far outweighs the ecosystem costs of that particular bug.

Should an implementation, say, copy-and-paste the wrong value for some
cipher suite and use an unallocated one then, yes, if widespread we will
have difficulties using cipher suite value. But then we can simply pick a
different one and document that that value has been lost.

Moreover, making all values into GREASE values will not catch this bug. The
probability of hitting this wrong value randomly is around 1/2^16 which is
well in the noise. Flaky failures won't do any good to prevent bugs.

In contrast, intolerance to *anything* unknown is a huge problem for
deployment. Then we simply can't deploy new things. (At least not without
fallbacks and such which have security consequences, among other problems.)

In this case, can you please tell me why we decided only few values as
> GREASE value {0x0A0A, 0x1A1A, ..}. Whether chrome browser has found a real
> buggy web server which supports these values ?
>
Ultimately the values need to get reserved so people don't try to use them
for real ones. I picked a small-ish number so that people maintaining the
registries would not become too unhappy at me. :-)

Chrome has yet to ship code which does this. I figured I ought to write
something up and send it to this list before squatting on quite so many
values in the registry. For the moment, this idea is merely a spec.

David

Regards,
>
> R Ashok
> ------------------------------
>
> Raja Ashok VK
> 华为技术有限公司 Huawei Technologies Co., Ltd.
> [image: image001.jpg]
>
> Phone:
> Fax:
> Mobile:
> Email:
> Huawei Technologies Co., Ltd.
> Bangalore, India
> http://www.huawei.com
>
> ------------------------------
>
> 本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁
> 止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中
> 的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件!
> This e-mail and its attachments contain confidential information from
> HUAWEI, which
> is intended only for the person or entity whose address is listed above.
> Any use of the
> information contained herein in any way (including, but not limited to,
> total or partial
> disclosure, reproduction, or dissemination) by persons other than the
> intended
> recipient(s) is prohibited. If you receive this e-mail in error, please
> notify the sender by
> phone or email immediately and delete it!
>
> *From:* David Benjamin [mailto:davidben@chromium.org]
> *Sent:* 02 August 2016 19:30
> *To:* Steven Valdez; Raja ashok; tls@ietf.org
> *Subject:* Re: [TLS] Keeping TLS extension points working
>
>
>
> To expand on that a little, since it seems comments (a) and (b) are really
> the same one:
>
>
>
> The purpose of having an explicitly reserved list (b) is precisely so we
> do not have to do a second handshake (a). The purpose here is to ensure we
> exercise the little-used codepaths, not introduce new ones. This is
> intended to be an extremely minimal mechanism. Clients add a tiny bit of
> code to their ClientHello and no server code changes at all. (Note that
> every MUST in the document is just reiterating what TLS already requires.)
>
>
>
> David
>
>
>
> On Tue, Aug 2, 2016 at 9:47 AM Steven Valdez <svaldez@google.com> wrote:
>
> a) It seems like if an implementation has updated to be able to handle a
> specific GREASE alert, it should be able to handle not sending an invalid
> cipher suite. In general, its probably cleaner for the connection to
> fatally shutdown and then restart if the server is behaving that poorly.
> Servers that are sending back non-existent ciphers are also potentially
> broken in other ways, and I don't know whether a client should trust that
> it can reset any handshake state correctly if it were to try doing a
> "warning" alert.
>
>
>
> b) The reasoning behind having an explicit list is so that implementations
> don't send a value that ends up being defined as some other valid value.
> Otherwise its possible that some implementations will update to include
> GREASE values, but they might not update immediately upon new values being
> assigned by IANA, which means that there will be periods of times that some
> clients might send "fake" values that collide with real values, confusing
> the peer implementation into believing they actually support something that
> they don't and resulting in more intolerance issues between outdated GREASE
> clients and newly updated servers, with this intolerance being firmly the
> GREASE clients fault. The hardcoded list gets around this by making sure
> GREASE never overlaps with an actual value, though at the trade-off that
> badly designed implementations could choose to just hard-code ignore the
> GREASE codepoints.
>
>
>
> On Tue, Aug 2, 2016 at 2:59 AM Raja ashok <raja.ashok@huawei.com> wrote:
>
> Hi Benjamin,
>
>
>
> I have gone through the GREASE mechanism which you proposed in your new
> draft. It’s really a nice idea for finding a buggy server before it thrives.
>
>
>
> I am having few doubts on this, which are listed below.
>
> a)      What should be the behaviour of client incase if a buggy server
> responded for a GREASE value ?
>
> -          Consider a client sends a GREASE cipher value at first place
> and followed by valid cipher suites, in its client hello.
>
> -          If a buggy server selects that cipher then it will response
> server hello with that GREASE cipher value. At this case if client sends
> FATAL alert then both side TLS and TCP needs to be closed and client needs
> to recreate a new TCP connection, and then restart TLS handshake without
> GREASE cipher value.
>
> -          Instead of this we can make client to send warning alert (with
> new TLS alert code GREASE_CIPHER_VALUE_SELECTED(111)) and restart TLS
> handshake by sending client hello again.
>
> -          If a server receives this new warning, then it should be ready
> to receive new client hello to restart handshake.
>
>
>
> SERVER
>                                 CLIENT
>
> CH (GREASE Cipher value & Valid Cipher value)          ------>
>
>
> <-------                  SH (GREASE cipher value)
>
> Fatal alert                    -------->
>
> TCP (SYN)                    -------->
>
>
>                                                 <--------
> TCP(SYN ACK)
>
> TCP (ACK)                    -------->
>
> CH (Valid cipher
> value)                                                          ------->
>
>                         Scenario 1 : Sending FATAL alert for server
> selecting GREASE value
>
>
>
> SERVER
>                                 CLIENT
>
> CH (GREASE Cipher value & Valid Cipher value)          ------->
>
>
> <-------                  SH (GREASE cipher value)
>
> Warning alert             -------->
>
> CH (Valid cipher
> value)                                                          ------->
>
>                         Scenario 2 : Sending WARNING alert for server
> selecting GREASE value
>
>
>
> -          I hope sending warning msg and restarting TLS handshake will
> be efficient.
>
> -          TLS Server must notify the application, whenever it receives a
> GREASE warning alert.
>
>
>
> b)      Why only few values are specified as GREASE value ? Basically all
> value which are not specified by IANA should be considered as GREASE value
> right ?
>
> -          Basically client should maintain the list of values (cipher
> suite, extensions) specified by IANA. The range of values.
>
> -          For example IANA specified cipher suite values are
> {{0x0000,0x005C}, {0x0060,0x006D}, {0x0084, 0x00C5}, {0x00FF, 0x00FF} …..
> }. This should be maintained in client.
>
> -          We should make the client to choose a random value which are
> not in this supported value list. That cipher value should be considered as
> GREASE value and need to keep in first place of its cipher list.
>
> -          If its selected by a buggy server, then client should behave
> as mentioned in above scenario 2.
>
> -          Even in future if IANA provides new values to new cipher, then
> this list also should be updated. Consider in this case server is
> supporting that new cipher and client is not aware about it, so client can
> propose that value as GREASE value, then still connection will work with
> the 2nd handshake.
>
> -          I am not understanding why we are planning to maintain a few
> set of GREASE values {0x0A0A, 0x1A1A …. }. If I am missing something,
> please clarify me.
>
>
>
> Regards,
>
> R Ashok
>
>
> ------------------------------
>
> Raja Ashok VK
> 华为技术有限公司 Huawei Technologies Co., Ltd.
> [image: Company_logo]
>
> Phone:
> Fax:
> Mobile:
> Email:
> Huawei Technologies Co., Ltd.
> Bangalore, India
>
> http://www.huawei.com
> ------------------------------
>
> 本邮件及其附件含有华为公司的保密信息,仅限于发送给上面地址中列出的个人或群组。禁
> 止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、或散发)本邮件中
> 的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本邮件!
> This e-mail and its attachments contain confidential information from
> HUAWEI, which
> is intended only for the person or entity whose address is listed above.
> Any use of the
> information contained herein in any way (including, but not limited to,
> total or partial
> disclosure, reproduction, or dissemination) by persons other than the
> intended
> recipient(s) is prohibited. If you receive this e-mail in error, please
> notify the sender by
> phone or email immediately and delete it!
>
> *From:* TLS [mailto:tls-bounces@ietf.org] *On Behalf Of *David Benjamin
> *Sent:* 26 July 2016 04:02
> *To:* tls@ietf.org
> *Subject:* [TLS] Keeping TLS extension points working
>
>
>
> Hi folks,
>
>
>
> I'm not sure how this process usually works, but I would like to reserve a
> bunch of values in the TLS registries to as part of an idea to keep our
> extension points working. Here's an I-D:
>
> https://tools.ietf.org/html/draft-davidben-tls-grease-00
>
>
>
> (The name GREASE is in honor of AGL's rusted vs. well-oiled joints analogy
> from https://www.imperialviolet.org/2016/05/16/agility.html )
>
>
>
> One problem we repeatedly run into is servers failing to implement TLS's
> various extension points correctly. The most obvious being version
> intolerance. When we deployed X25519 in Chrome, we discovered an intolerant
> implementation. (Thankfully it was rare enough to not warrant a fallback or
> revert!) It appears that signature algorithms maybe also be gathering rust.
> Ciphers and extensions seem to have held up, but I would like to ensure
> they stay that way.
>
>
>
> The root problem here is these broken servers interoperate fine with
> clients at the time they are deployed. It is only after new values get
> defined do we notice, by which time it is too late.
>
>
>
> I would like to fix this by reserving a few values in our registries so
> that clients may advertise random ones and regularly exercise these
> codepaths in servers. If enough of the client base does this, we can turn a
> large class of tomorrow's interop failures into today's interop failures.
> This is important because an bug will not thrive in the ecosystem if it
> does not work against the current deployment.
>
>
>
> If you were in Berlin, you may recognize this idea from the version
> negotiation debate. Alas that all happened in the wrong order as I hadn't
> written this up yet. This idea can't be applied to versioning without
> giving up on ClientHello.version, but we can start with the rest of the
> protocol.
>
>
>
> David
>
>
>
> PS: This is actually my first I-D, so apologies if I've messed it up
> somewhere!
>
> _______________________________________________
>
>
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>