Re: [TLS] WGLC for draft-ietf-tls-cached-info-19
Eric Rescorla <ekr@rtfm.com> Tue, 15 September 2015 20:29 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6DF91ACF5E for <tls@ietfa.amsl.com>; Tue, 15 Sep 2015 13:29:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qnar2kFGJ02v for <tls@ietfa.amsl.com>; Tue, 15 Sep 2015 13:29:53 -0700 (PDT)
Received: from mail-wi0-f181.google.com (mail-wi0-f181.google.com [209.85.212.181]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95D721ACEFC for <tls@ietf.org>; Tue, 15 Sep 2015 13:29:52 -0700 (PDT)
Received: by wiclk2 with SMTP id lk2so43502847wic.1 for <tls@ietf.org>; Tue, 15 Sep 2015 13:29:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=U236o1OSfn4xy1aa+GoYuGsnkw1m8rxLXobUxp0ypSU=; b=D+8iAPGzifD07lkqAEKW0oVGLX6DGjbrTMEn9Z+SQSKTKjKMAd2rDaI4WxYAKoGqWO DDsVd3Q/+etLBG41PNeVJKuu0j9fmMqvWhWNGjE03rglpJd31uClHq+8HoI6gOXFPr4P Cunsf9pDuipRYS+m9+kS+e3I9OJDSNZvhC5lq0E1GWze5OCAXa8Tqh1nAiM3bA0C8Qtt IpzyfwG8vBm33mR/qNfBmtYJEfChXr9K4h8bUovE/0SHUZSX3ilct1iG2SjrZTF84hZW 5WQqe8JUNLTbDFgWeb5yX5tGefwpjh6YBoqVZ1FgnYpwGH6jiWfNhUNZJXDFERrAp/c6 7ARg==
X-Gm-Message-State: ALoCoQkUhZ4pX+m+G50k2qkBZ34v0Mv0jDu08yFpBfMFVYcXCp1BDpwjQf611iRUiNCWCOCb52RP
X-Received: by 10.180.96.164 with SMTP id dt4mr11285466wib.53.1442348991151; Tue, 15 Sep 2015 13:29:51 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.79.200 with HTTP; Tue, 15 Sep 2015 13:29:11 -0700 (PDT)
In-Reply-To: <CABkgnnU_r=CmNuaX8kOoxYPoBJ052=4Df88yLb5xxVp4zgRjGw@mail.gmail.com>
References: <CAOgPGoBivgXGKpZH=4mSkrVaKyg9YPi05rphs3VOcvuiFfPzrg@mail.gmail.com> <CABkgnnU++z-r3m2p-+k-6i8BwE5o9wXULS0RVJfCG1+nmkY13Q@mail.gmail.com> <55DB489C.80505@gmx.net> <CABkgnnWXsieUibqFwa_ugm==Vw+5zYpkH6nersxJVvURqf475A@mail.gmail.com> <55F1662C.5050209@gmx.net> <CABkgnnU_r=CmNuaX8kOoxYPoBJ052=4Df88yLb5xxVp4zgRjGw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 15 Sep 2015 13:29:11 -0700
Message-ID: <CABcZeBP-xGLkMDewK47AVPGqdvzoamQ8R+dj+1=HXF2u-GDMSA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="f46d04426e204293c5051fcf0b36"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/BHJih5CeYiTZFhvCvFW95StxIZc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] WGLC for draft-ietf-tls-cached-info-19
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Sep 2015 20:29:56 -0000
Sorry it's taken me so long to respond, but I'm not convinced that it's not necessary to have a secure digest here. Do you have a security analysis that demonstrates that that's the case? -Ekr On Thu, Sep 10, 2015 at 7:59 AM, Martin Thomson <martin.thomson@gmail.com> wrote: > Hi Hannes, > > I've followed a similar chain of thought myself. I think that the > right answer here is similar to what you describe: the security of TLS > does not depend on the presence of the certificate at all, rather it > depends on the use of a private key that the client trusts. That most > clients rely on the certificate for getting the information they need > to make that trust decision and that the certificate happens to be > carried in TLS in most cases is largely consequential. > > On that basis, I would be happy then to accept any hash, even a > truncated hash in both directions. In most cases, I suspect that 8 > bits would be plenty, though I imagine that clients will want to send > a few more than that just to reduce the odds of having to receive a > certificate. > > --Martin > > > On 10 September 2015 at 04:14, Hannes Tschofenig > <hannes.tschofenig@gmx.net> wrote: > > Hi Martin, > > > > thanks for your feedback. I have discussed the topic with my co-worker > > Manuel. > > > > Another way of seeing the use of the hash by the client is to help the > > server to select the pick certificate (or other cached data). It does > > not have a security purpose as such, it is only a way to prevent the > > server accidentally including the wrong information. For example, this > > can happen when the server has multiple certificates to choose from then > > it should pick the right one (and I am not talking about the SNI case > > here). > > > > Without the possibility for picking the wrong value we could have as > > well omitted the hash altogether. The actual function used to compete > > the fingerprint isn't that important as long as it helps to make sure > > that the correct value can be chosen with a reasonable probably. In the > > worst case, the wrong value is chosen and the exchange failed. The > > client will then have to re-start the exchange without the cached info > > feature. > > > > As such, you are certainly right that the hash does not need to be long > > since the changes of selecting the wrong information is very low. In > > case of the certificate the security actually comes from the private > > key: the server needs to demonstrate that it knows the privacy key in > > the exchange. > > > > Regarding the use of the TLS PRF I am not sure that this will work since > > the actual function is the result of the negotiated cipher and not known > > at the time when the client and the server exchange their hello messages. > > > > Ciao > > Hannes > > > > PS: Additing extra text with information about what is included in the > > hash will be added to make sure that implementers compute the hash over > > the correct fields of the message. > > > > > > On 08/24/2015 08:35 PM, Martin Thomson wrote: > >> Hi Hannes, > >> > >> On 24 August 2015 at 09:38, Hannes Tschofenig < > hannes.tschofenig@gmx.net> wrote: > >>>> I'd like to see the document explicitly note that msg_type and length > >>>> from the handshake message are not covered by the hash. The > >>>> description of what is covered is a little too terse (and badly > >>>> formatted). > >>> > >>> There are multiple message type / message length fields included in the > >>> message and I am not sure which of those you rare referring to. > >>> > >>> The msg_type and msg_length from the record layer is not part of the > >>> fingerprint calculation. The spec only focuses on the certificate > >>> message in Section 4.1 and the CertificateRequest message in Section > >>> 4.2. These message do, however, also contain length information. > >> > >> I refer to the msg_type and length from the handshake message, which > >> are the only things with that name in the TLS spec. > >> > >> You use the name `CertificateRequest`, which leads me to conclude that > >> you mean the struct identified as such, which is *inside* the > >> handshake message. (I'm fine with hashing that part, I just want to > >> have it be very clear.) > >> > >>> I included an example into the document. See Appendix A: > >>> > https://github.com/hannestschofenig/tschofenig-ids/blob/master/tls-cached-info/draft-ietf-tls-cached-info-20.txt > >> > >> This includes the msg_type and length. Which means that you should > >> talk about hashing `Handshake` instead. > >> > >>>> I'm not sure that I like the lack of both negotiation and signaling > >>>> for the hashes that are used here. > >>> > >>> We had a negotiation capability in earlier versions of the document but > >>> it appeared to be an overkill. > >> > >> Yeah, that's why I'm thinking that this can use the PRF hash. > >> > >>> What is there now is essentially an indication of the hash algorithm > >>> based on what the client presents with the CachedInformationType > >>> structure. > >> > >> I don't see that anywhere. The algorithm seems to be fixed to SHA-256 > >> in the current draft (and your copy). > >> > >>>> Though I think the chances of a > >>>> collision being found, or that a collision would lead to an attack, > >>>> are slim, I would rather see this use the PRF hash so we have at least > >>>> that much flexibility. > >>> > >>> While there is indeed a possibility for hash collisions those will > still > >>> lead to a failed exchange since the TLS server will not possess the > >>> correct private key that corresponds to the cached certificate. > >> > >> Right, this might be all that the analysis requires. > >> > >>>> If the current design is retained, I would > >>>> like to see a little discussion of this in the document. A little > >>>> analysis of the properties we expect the hash to provide would also be > >>>> good. > >>>> > >>>> I think that truncated hashes might be advantageous from the server > >>>> side. Given that the server only uses hashes to identify which of the > >>>> offered (available, known?) cached information is in use, is there any > >>>> reason you can't save additional space by arbitrarily truncating the > >>>> hash? In many cases I would imagine that the client would be offering > >>>> only one option and even if there were a small number of options > >>>> presented, a single byte would suffice to disambiguate. > >>>> > >>>> I'm trying to think why you might want the full-length hash on the > >>>> client side, but I believe that the only problem there is that there > >>>> might be a collision between the certificates that a server might > >>>> offer if you truncate too aggressively. The connection still relies > >>>> on the server presenting proof of knowledge of a key that the client > >>>> extracts from a certificate bound to the server identity, so I believe > >>>> that it would be equally secure if you removed all mention of > >>>> certificates from the protocol. And that makes me nervous, because > >>>> I'm fairly sure that Karthik will tell me that I'm wrong very shortly; > >>>> since we've put in a lot of work to cover key fields in the handshake > >>>> hash, and I'm concerned that this could be exploited somehow. > >>>> > >>>> The more I think about this, the more I think that we need a little > >>>> more analysis on this point (i.e., what properties the hash function > >>>> needs to provide and why). If it has already happened, mention of > >>>> that in the security considerations is needed. > >>>> > >>>> (I think that truncation on the server side is safe if the client uses > >>>> a strong hash function to identify the certificate, but I'm frequently > >>>> wrong about these things.) > >>>> > >>> There are three designs possible for referencing the cached state, > namely > >>> > >>> 1) The client creates the reference. > >>> 2) The server creates the reference. > >>> 3) There is no reference at all. > >> > >> I'm not suggesting that you change the design, just provide a > >> description of the properties that it provides - and those that it > >> relies on. > >> > >> On the surface at least, it seems OK to rely on a weak guarantee of > >> collision resistance from the hash. Failure only results in handshake > >> failure, after which the client can fall back. That suggests that a > >> truncated hash output could be used, potentially saving quite a few > >> bytes in the client's first flight. I'd like to do that if it is > >> possible. > >> > >> However, I'm concerned that eliding identity will lead to a weakness > >> somewhere. For instance, if the client uses a shorter hash, then the > >> server might pick up different certificates. Or, it means that > >> identity is not bound to the session hash as directly. If, as you > >> say, we can rely on this being a direct selector for a private key > >> where the security is bound to that private key, then maybe it's OK. > >> > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] WGLC for draft-ietf-tls-cached-info-19 Joseph Salowey
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Hannes Tschofenig
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Hannes Tschofenig
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Sankalp Bagaria
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Sean Turner
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Karthikeyan Bhargavan
- Re: [TLS] WGLC for draft-ietf-tls-cached-info-19 Martin Thomson