Re: [TLS] Channel ID and server load: comment on draft-balfanz-tls-channelid-00

Adam Langley <agl@google.com> Wed, 23 October 2013 15:32 UTC

Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7494F11E81AF for <tls@ietfa.amsl.com>; Wed, 23 Oct 2013 08:32:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.978
X-Spam-Level:
X-Spam-Status: No, score=-1.978 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kq4m3qI1aDbJ for <tls@ietfa.amsl.com>; Wed, 23 Oct 2013 08:32:08 -0700 (PDT)
Received: from mail-vc0-x232.google.com (mail-vc0-x232.google.com [IPv6:2607:f8b0:400c:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id B914C11E8450 for <tls@ietf.org>; Wed, 23 Oct 2013 08:32:08 -0700 (PDT)
Received: by mail-vc0-f178.google.com with SMTP id lh4so617393vcb.37 for <tls@ietf.org>; Wed, 23 Oct 2013 08:32:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=fZ4CBdmA3UnsJXjjT6hCfycytCQtK6AvI11hl/iD4xU=; b=W0tD2ahAzLh8mVV3NT1Gen1xkHretsZ+Y0P4zs9G3+gPJo815EqCH1F/iuyIgog395 0s9yyUOjAELvsVtTDDzxev8jdQ3lZO1fofRi2s06ga4uIcHeP8oh9E1bzPIO1LQwTHuw vKCJVwxEjfIZ4SJI1p6YoZpO8jrEK4zjKlXpt4dkdMQxmhg+2aFkg+wPrUh+1bkiZS6N SXS+bAxeAYrlTExCiEinLFDVM1WYbSEr8o2FUjveq/nqHm19F1ctB/IB0cEuYFWFiQt4 VSYG9lelm595fYLyQE6xuEQhOdDS55uUMElxzIZmYcthHj4DHZ2yX2PYwxVIuNbTqAVm tfIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=fZ4CBdmA3UnsJXjjT6hCfycytCQtK6AvI11hl/iD4xU=; b=M1sPnRXuYxzIfwlI52upr0dIP3Qynq8/8wigTbxuLwh57MlI+L+B3kK4Ikwjtkdtuq Jlbg0xyp+8KFTMbY1bik19Fcr+5KoGVkdXQ7xJlrfkg0IxkylQtpJKBEkZNilCqpktZI U0oaYXFcvlFaQe+m/BMbWUbpI+eKYnEZPDNUav/b3CG5VKSawjU3VIj4QvHtCrfNH7NW QMXItInMNyIqbLMfooZj12G+o0eOTcb7Rm3WPiBfclHebgEvD5c/OEgo7OMx29ak7ylr yUH/MGZpySTNEsvJSmGH7l0pQdhdEgdn+tc20SoPXO2MwhyAi5+R+JpxMGuqKx3U1lQa 6GlA==
X-Gm-Message-State: ALoCoQkDKhWGBhr/Go8LeIFz/AIZXMRW2haX4aN3GmrXVoaAi2FAlY8YJIBCHqhZg/91tRg2ffw7SyoPYYZPH1rw+7O+GG38x+ZzpeRIzNIpS1Q0hAaMtUJP8A38PbP1qex3AFmS/Q6Yo2byNvYcREJ+Yrt0tM8WQuk+NERo1DGs2fXeZpDAx/ijDRL3tXZt62XjbcJ4Vkg2
X-Received: by 10.52.118.73 with SMTP id kk9mr1275245vdb.13.1382541929533; Wed, 23 Oct 2013 08:25:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.100.40 with HTTP; Wed, 23 Oct 2013 08:25:09 -0700 (PDT)
In-Reply-To: <CAGZ8ZG2vF5qK+qv5vQ+J5szFU_E0dTbCmbXLupCfaBZq+se3cg@mail.gmail.com>
References: <CACsn0cnzTuyezaCj0AmxtV_-6a04TZeAJtbBovAUQQfy16ua7w@mail.gmail.com> <CAL9PXLxdAGK2E5577xHJGexQpEWwrbC_Y+otEQmWfv2pV211HQ@mail.gmail.com> <CACsn0c=4HHw3PfCsRxnuHf+Rca1GrOSi60OjJQ4qoJKGcP60Pw@mail.gmail.com> <CAGZ8ZG2vF5qK+qv5vQ+J5szFU_E0dTbCmbXLupCfaBZq+se3cg@mail.gmail.com>
From: Adam Langley <agl@google.com>
Date: Wed, 23 Oct 2013 11:25:09 -0400
Message-ID: <CAL9PXLy_o+sW7sur+8Gko=uq83LnYbMJuAnScV1PXytEttyCLQ@mail.gmail.com>
To: Trevor Perrin <trevp@trevp.net>
Content-Type: text/plain; charset=UTF-8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Channel ID and server load: comment on draft-balfanz-tls-channelid-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Oct 2013 15:32:09 -0000

On Tue, Oct 22, 2013 at 2:32 PM, Trevor Perrin <trevp@trevp.net>; wrote:
> On Tue, Oct 22, 2013 at 10:52 AM, Watson Ladd <watsonbladd@gmail.com>; wrote:
>> On Tue, Oct 22, 2013 at 8:14 AM, Adam Langley <agl@google.com>; wrote:
>>> On Mon, Oct 21, 2013 at 9:11 PM, Watson Ladd <watsonbladd@gmail.com>; wrote:
>>>> Why could Channel ID identifiers not get stolen when the resumption
>>>> tickets are? Is there a reasonable threat model in which a client so
>>>> compromised as to lose resumption tickets has a meaningful benefit
>>>> from Channel ID?
>>>
>>> Because ChannelIDs have a public and private part, the private part
>>> can be much better protected. For example, by moving it out of the
>>> browser process completely, even on standard machines, and even under
>>> hardware-protection, where such capability exists.
>> Completely spurious: hardware (or a separate process) does not know
>> whether it is being asked to provide
>> the ChannelID for a request that is genuine or one that the attacker
>> provided after subverting the browser process.
>> There also is a replay attack: a signature of a static string provides
>> no liveness, contrary to assumptions made here.
>
> Hi Watson,
>
> I think you're misreading the draft: ChannelID signs hashes of
> handshake messages, not a "static string".
>
> I do think ChannelID needs to explain the value of storing private
> keys in a "secure element" further, and why storing ECDSA private keys
> is better than, say, HMAC keys.

I agree that HMAC would, of course, be much faster but I believe that
public/private is needed for some of the higher level capabilities:
http://www.browserauth.net/proof-key-federation-protocols


Cheers

AGL