Re: [TLS] [sasl] Updates to draft-altman-tls-channel-bindings (PLEASE REVIEW)
<Pasi.Eronen@nokia.com> Thu, 18 March 2010 11:49 UTC
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB5CC3A6B6A; Thu, 18 Mar 2010 04:49:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.944
X-Spam-Level:
X-Spam-Status: No, score=-5.944 tagged_above=-999 required=5 tests=[AWL=-0.475, BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5u-TST9eLIaC; Thu, 18 Mar 2010 04:49:09 -0700 (PDT)
Received: from mgw-mx09.nokia.com (smtp.nokia.com [192.100.105.134]) by core3.amsl.com (Postfix) with ESMTP id EC0E73A6B67; Thu, 18 Mar 2010 04:49:07 -0700 (PDT)
Received: from vaebh105.NOE.Nokia.com (vaebh105.europe.nokia.com [10.160.244.31]) by mgw-mx09.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id o2IBmqKA014632; Thu, 18 Mar 2010 06:49:18 -0500
Received: from esebh102.NOE.Nokia.com ([172.21.138.183]) by vaebh105.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 18 Mar 2010 13:49:13 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.8]) by esebh102.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Thu, 18 Mar 2010 13:49:13 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-04.mgdnok.nokia.com ([65.54.30.8]) with mapi; Thu, 18 Mar 2010 12:49:13 +0100
From: Pasi.Eronen@nokia.com
To: Nicolas.Williams@sun.com, channel-binding@ietf.org, sasl@ietf.org, tls@ietf.org
Date: Thu, 18 Mar 2010 12:49:11 +0100
Thread-Topic: [sasl] Updates to draft-altman-tls-channel-bindings (PLEASE REVIEW)
Thread-Index: AcrGKDS98AAOEnlDSM6Om6cAPMiS/QAaAn+A
Message-ID: <808FD6E27AD4884E94820BC333B2DB775848524D7A@NOK-EUMSG-01.mgdnok.nokia.com>
References: <20100317231522.GA18167@Sun.COM>
In-Reply-To: <20100317231522.GA18167@Sun.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 18 Mar 2010 11:49:13.0216 (UTC) FILETIME=[07847800:01CAC691]
X-Nokia-AV: Clean
Subject: Re: [TLS] [sasl] Updates to draft-altman-tls-channel-bindings (PLEASE REVIEW)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Mar 2010 11:49:11 -0000
A question for SASL: both GS2 and SCRAM are currently in RFC Editor AUTH48, and they have a normative reference to the IANA registration page for 'tls-unique'. Since it appears we're about to change that registration quite radically, what's the impact on GS2/SCRAM? Have GS2 and/or SCRAM implementors implemented the 'tls-unique' binding? And should we publish the RFCs at this time, if we know one of the normative references is, well, unstable (likely to change in non-backward-compatible way soon)? Best regards, Pasi > -----Original Message----- > From: sasl-bounces@ietf.org [mailto:sasl-bounces@ietf.org] On Behalf Of > ext Nicolas Williams > Sent: 18 March, 2010 01:15 > To: channel-binding@ietf.org; sasl@ietf.org; tls@ietf.org > Subject: [sasl] Updates to draft-altman-tls-channel-bindings (PLEASE > REVIEW) > > Now that TLS re-negotiation security (RFC5746) is done we need to > finish > draft-altman-tls-channel-bindings. > > It's become clear that MSFT implemented and deployed something slightly > different than the 'tls-unique' binding description that had been > registered. They seem to be the only implementors to date; their > implementation is secure, therefore I propose that we simply modify the > description of 'tls-unique' and be done. > > The differences are: > > - it's not always the client's Finished message, but the _first_ > Finished message in the relevant handshake (in a session resumption > handshake the server sends its Finished message first); > > - the Finished message is taken from the latest/inner-most TLS > handshake, rather than the outer-most one > > For the most common case, where there's no TLS re-negotiation and no > TLS > session resumption, there is no difference. > > It's past the I-D submission cut-off, so I can't submit an updated I-D. > Below are the full diffs from -07 to the -08 to-be. > > Please review, > > Nico > > > --- altman-tls-channel-bindings-07.unpg Wed Mar 17 13:32:15 2010 > +++ altman-tls-channel-bindings-08.unpg Wed Mar 17 13:32:51 2010 > @@ -1,594 +1,603 @@ > > > > NETWORK WORKING GROUP J. > Altman > Internet-Draft Secure > Endpoints > Intended status: Standards Track N. > Williams > -Expires: April 4, 2010 > Sun > +Expires: September 18, 2010 > Oracle > L. > Zhu > Microsoft > Corporation > - October > 2009 > + March 17, > 2010 > > > Channel Bindings for TLS > - draft-altman-tls-channel-bindings-07.txt > + draft-altman-tls-channel-bindings-08.txt > > Status of this Memo > > This Internet-Draft is submitted to IETF in full conformance with > the > provisions of BCP 78 and BCP 79. This document may contain > material > from IETF Documents or IETF Contributions published or made > publicly > available before November 10, 2008. The person(s) controlling the > copyright in some of this material may not have granted the IETF > Trust the right to allow modifications of such material outside the > IETF Standards Process. Without obtaining an adequate license from > the person(s) controlling the copyright in such materials, this > document may not be modified outside the IETF Standards Process, > and > derivative works of it may not be created outside the IETF > Standards > Process, except to format it for publication as an RFC or to > translate it into languages other than English. > > Internet-Drafts are working documents of the Internet Engineering > Task Force (IETF), its areas, and its working groups. Note that > other groups may also distribute working documents as Internet- > Drafts. > > Internet-Drafts are draft documents valid for a maximum of six > months > and may be updated, replaced, or obsoleted by other documents at > any > time. It is inappropriate to use Internet-Drafts as reference > material or to cite them other than as "work in progress." > > The list of current Internet-Drafts can be accessed at > http://www.ietf.org/ietf/1id-abstracts.txt. > > The list of Internet-Draft Shadow Directories can be accessed at > http://www.ietf.org/shadow.html. > > - This Internet-Draft will expire on April 4, 2010. > + This Internet-Draft will expire on September 18, 2010. > > Copyright Notice > > - Copyright (c) 2009 IETF Trust and the persons identified as the > + Copyright (c) 2010 IETF Trust and the persons identified as the > document authors. All rights reserved. > > This document is subject to BCP 78 and the IETF Trust's Legal > Provisions Relating to IETF Documents in effect on the date of > publication of this document (http://trustee.ietf.org/license- > info). > Please review these documents carefully, as they describe your > rights > and restrictions with respect to this document. > > Abstract > > This document defines three channel binding types for Transport > Layer > Security (TLS), tls-unique, tls-server-end-point, and tls-unique- > for- > telnet, in accordance with RFC 5056 (On Channel Binding). > > > Table of Contents > > 1. Conventions used in this document > 2. Introduction > 3. The 'tls-unique' Channel Binding Type > 3.1. Description > 3.2. Registration > 4. The 'tls-server-end-point' Channel Binding Type > 4.1. Description > 4.2. Registration > 5. The 'tls-unique-for-telnet' Channel Binding Type > 5.1. Description > 5.2. Registration > 6. Applicability of TLS Channel Binding Types > 7. Required Application Programming Interfaces > 8. IANA Considerations > 9. Security Considerations > 9.1. Cryptographic Algorithm Agility > 9.2. On Disclosure of Channel Bindings Data by Authentication > Mechanisms > 10. References > 10.1. Normative References > 10.2. Normative References for 'tls-server-end-point' > 10.3. Informative References > Authors' Addresses > > > 1. Conventions used in this document > > The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", > "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in > this > document are to be interpreted as described in [RFC2119]. > > > 2. Introduction > > Subsequent to the publication of "On Channel Bindings" [RFC5246], > three channel binding types for Transport Layer Security (TLS) were > proposed, reviewed and added to the IANA channel binding type > registry, all in accordance with [RFC5246]. Those channel binding > types are: 'tls-unique', 'tls-server-end-point', and 'tls-unique- > for- > telnet'. It has become desirable to have these channel binding > types > re-registered through an RFC so as to make it easier to reference > - them. This document does just that. The authors of those three > - channel binding types have, or have indicated that they will, > - transferred "ownership" of those channel binding types to the IESG. > + them, and to correct them to describe actual implementations. This > + document does just that. The authors of those three channel > binding > + types have, or have indicated that they will, transferred > "ownership" > + of those channel binding types to the IESG. > > We also provide some advice on the applicability of these channel > binding types, as well as advice on when to use which. And we > provide an abstract API that TLS implementors should provide, by > which to obtain channel bindings data for a TLS connection. > > > 3. The 'tls-unique' Channel Binding Type > > IANA is hereby directed to update the registration of the 'tls- > - unique' channel binding type to match the following. Note that the > - only material changes from the original registration should be: the > - "owner" (now the IESG), contacts, the published specfication, and a > - clarification to the description by the addition of a parenthetical > - note (that is, the first such note in the descritption is a new > - addition). We also added a note indicating that this specification > - contains applicability advice, and we moved security considerations > - notes to the security considerations section of this document. All > - other fields of the registration are copied here for the > convenience > - of readers. > + unique' channel binding type to match the following. There are > + material changes from the original registration, both in the > + description as well as registration meta-data (such as registration > + ownership). > > 3.1. Description > > - Description: The client's TLS Finished message (note: the Finished > - struct) from the first handshake of the connection (note: > connection, > - not session, so that the channel binding is specific to each > - connection regardless of whether session resumption is used). > + Description: The first TLS Finished message sent (note: the > Finished > + struct) in the most recent TLS handshake of the TLS connection > being > + bound to (note: TLS connection, not session, so that the channel > + binding is specific to each connection regardless of whether > session > + resumption is used). If TLS re-negotiation takes place before the > + channel binding operation, then the first TLS Finished message sent > + of the latest/inner-most TLS connection is used. Note that for > full > + TLS handshakes the first Finished message is sent by the client, > + while for abbreviated TLS handshakes the first Finished message is > + sent by the server. > > 3.2. Registration > > o Channel binding unique prefix: tls-unique > > o Channel binding type: unique > > o Channel type: TLS [RFC5246] > > o Published specification: <this document> > > o Channel binding is secret: no > > o Description: <See specification> > > o Intended usage: COMMON > > o Person and email address to contact for further information: > Larry > Zhu (lzhu@microsoft.com), Nicolas Williams > (Nicolas.Williams@sun.com). > > o Owner/Change controller name and email address: IESG. > > o Expert reviewer name and contact information: IETF TLS WG > (tls@ietf.org, failing that, ietf@ietf.org) > > o Note: see the published specification for advice on the > applicability of this channel binding type. > > > 4. The 'tls-server-end-point' Channel Binding Type > > IANA is hereby directed to update the registration of the 'tls- > server-end-point' channel binding type to match the following. > Note > that the only material changes from the original registration > should > be: the "owner" (now the IESG), the contacts, the published > specfication, and a note indicating that the published > specification > should be consulted for applicability advice. References were > added > to the description. All other fields of the registration are > copied > here for the convenience of readers. > > 4.1. Description > > Description: The hash of the TLS server's certificate [RFC5280] as > it > appears, octet for octet, in the server's Certificate message (note > that the Certificate message contains a certificate_list, the first > element of which is the server's certificate). > > The hash function is to be selected as follows: > > o if the certificate's signatureAlgorithm uses a single hash > function, and that hash function is either MD5 [RFC1321] or SHA- > 1 > [RFC3174] then use SHA-256 [FIPS-180-2]; > > o if the certificate's signatureAlgorithm uses a single hash > function and that hash function neither MD5 nor SHA-1, then use > the hash function associated with the certificate's > signatureAlgorithm; > > o if the certificate's signatureAlgorithm uses no hash functions > or > multiple hash functions, then this channel binding type's > channel > bindings are undefined at this time (updates to is channel > binding > type may occur to address this issue if it ever arises). > > The reason for using a hash of the certificate is that some > implementations need to track the channel binding of a TLS session > in > kernel-mode memory, which is often at a premium. > > 4.2. Registration > > o Channel binding unique prefix: tls-server-end-point > > o Channel binding type: end-point > > o Channel type: TLS [RFC5246] > > o Published specification: <this document> > > o Channel binding is secret: no > > o Description: <See specification> > > o Intended usage: COMMON > > o Person and email address to contact for further information: > Larry > Zhu (lzhu@microsoft.com), Nicolas Williams > (Nicolas.Williams@sun.com). > > o Owner/Change controller name and email address: IESG. > > o Expert reviewer name and contact information: IETF TLS WG > (tls@ietf.org, failing that, ietf@ietf.org) > > o Note: see the published specification for advice on the > applicability of this channel binding type. > > > 5. The 'tls-unique-for-telnet' Channel Binding Type > > IANA is hereby directed to update the registration of the 'tls- > unique-for-telnet' channel binding type to match the following. > Note > that the only material changes from the original registration > should > be: the "owner" (now the IESG), the contacts, the published > specfication, and a note indicating that the published > specification > should be consulted for applicability advice. The description is > also clarified. We also moved security considerations notes to the > security considerations section of this document. All other fields > of the registration are copied here for the convenience of readers. > > 5.1. Description > > Description: There is a proposal for adding a "StartTLS" extension > to > TELNET, and a channel binding extension for the various TELNET AUTH > mechanisms whereby each side sends the other a "checksum" (MAC) of > - their view of the channel's bindings. The client uses the first > TLS > - Finished messages (note: the Finished struct) from the client and > - server, each concatenated in that order and in their clear text > form. > - The server does the same but in the opposite concatenation order > - (server, then client). > + their view of the channel's bindings. The client uses the TLS > + Finished messages (note: the Finished struct) sent by the client > and > + server, each concatenated in that order and in their clear text > form, > + of the first TLS handshake of the connection being bound to. The > + server does the same but in the opposite concatenation order > (server, > + then client). > > 5.2. Registration > > o Channel binding unique prefix: tls-unique-for-telnet > > o Channel binding type: unique > > o Channel type: TLS [RFC5246] > > o Published specification: <this document> > > o Channel binding is secret: no > > o Description: <See specification> > > o Intended usage: COMMON > > o Person and email address to contact for further information: > Jeff > Altman (jaltman@secure-endpoints.com), Nicolas Williams > (Nicolas.Williams@sun.com). > > o Owner/Change controller name and email address: IESG. > > o Expert reviewer name and contact information: IETF TLS WG > (tls@ietf.org, failing that, ietf@ietf.org) > > o Note: see the published specification for advice on the > applicability of this channel binding type. > > > 6. Applicability of TLS Channel Binding Types > > The 'tls-unique-for-telnet' channel binding type is only applicable > to TELNET [RFC0854], and is available for all TLS connections. > > The 'tls-unique' channel binding type is available for all TLS > connections, while 'tls-server-end-point' is only available when > TLS > cipher suites with server certificates are used, specifically: > cipher > suites that use the Certificate handshake message, which typically > involve the use of PKIX [RFC5280]. For example, 'tls-server-end- > point' is available when using TLS ciphers suites such as (this is > not an exhaustive list): > > o TLS_DHE_DSS_WITH_* > > o TLS_DHE_RSA_WITH_* > > o TLS_DH_DSS_WITH_* > > o TLS_DH_RSA_WITH_* > > o TLS_ECDHE_ECDSA_WITH_* > > o TLS_ECDHE_RSA_WITH_* > > o TLS_ECDH_ECDSA_WITH_* > > o TLS_ECDH_RSA_WITH_* > > o TLS_RSA_PSK_WITH_* > > o TLS_RSA_WITH_* > > o TLS_SRP_SHA_DSS_WITH_* > > o TLS_SRP_SHA_RSA_WITH_* > > but is not available when using TLS cipher suites such as (this is > not an exhaustive list): > > o TLS_DHE_PSK_WITH_* > > o TLS_DH_anon_WITH_* > > o TLS_ECDHE_PSK_WITH_* > > o TLS_ECDH_anon_WITH_* > > o TLS_KRB5_WITH_* > > o TLS_PSK_WITH_* > > o TLS_SRP_SHA_WITH_* > > Nor is this channel binding type available for use with OpenPGP > server certificates [RFC5081] [RFC4880] (since these don't use the > Certificate handshake message). > > Therefore 'tls-unique' is generally better than 'tls-server-end- > point'. However, 'tls-server-end-point' may be used with existing > TLS server-side proxies ("concentrators") without modification to > the > proxies, whereas 'tls-unique' may require firmware or software > updates to server-side proxies. Therefore there may be cases where > 'tls-server-end-point' may interoperate but where 'tls-unique' may > not. > > Also, authentications mechanisms may arise which depend on channel > bindings to contribute entropy, in which case unique channel > bindings > would have to always be used in preference to end-point channel > bindings. At this time there are no such mechanisms, though one > such > SASL mechanism has been proposed. Whether such mechanisms should > be > allowed is out of scope for this document. > > In other words, for many applications there may be two potentially > applicable TLS channel binding types. Channel binding is all or > nothing for the GSS-API [RFC2743], and likely other frameworks. > Therefore agreement on the use of channel binding, and a particular > channel binding type is necessary. Such agreement can be obtained > a > priori, by convention, or negotiated. > > The specifics of whether and how to negotiate channel binding types > are beyond the scope of this document. However, it is RECOMMENDED > that application protocols making use of TLS channel bindings, use > 'tls-unique' exclusively, except, perhaps, where server-side > proxies > are common in deployments of an application protocol. In the > latter > case an application protocol MAY specify that 'tls-server-end- > point' > channel bindings must be used when available, with 'tls-unique' > being > used when 'tls-server-end-point' channel bindings are not > available. > Alternatively, the application may negotiate which channel binding > type to use, or may make the choice of channel binding type > configurable. > > Specifically, application protocol specifications MUST indicate at > least one mandatory to implement channel binding type, MAY specify > a > negotiation protocol, MAY allow for out-of-band negotiation or > configuration, and SHOULD have a preference for 'tls-unique' over > 'tls-server-end-point'. > > > 7. Required Application Programming Interfaces > > TLS implementations supporting the use of 'tls-unique' and/or 'tls- > unique-for-telnet' channel binding types, MUST provide application > programming interfaces by which applications (clients and servers > both) may obtain the channel bindings for a TLS connection. Such > interfaces may be expressed in terms of extracting the channel > bindings data for a given connection and channel binding type. > Alternatively the implementor may provide interfaces by which to > obtain the initial client Finished message, the initial server > Finished message and/or the server certificate (in a form that > matches the description of the 'tls-server-end-point' channel > binding > type). In the latter case the application has to have knowledge of > the channel binding type descriptions from this document. This > document takes no position on which form these application > programming interfaces must take. > > > 8. IANA Considerations > > The IANA is hereby directed to update three existing channel > binding > type registrations. See the rest of this document. > > > 9. Security Considerations > > - The Security Considerations section of [RFC5056] applies to this > - document. > + The Security Considerations sections of [RFC5056], [RFC5246] and > + [RFC5746] apply to this document. > > The TLS Finished messages (see section 7.4.9 of [RFC5246]) are > known > to both endpoints of a TLS connection, and are cryptographycally > - bound to it. Therefore the TLS Finished messages can be safely > used > - as a channel binding provided that the authentication mechanism > doing > - the channel binding conforms to the requirements in [RFC5056]. > + bound to it. For implementations of TLS that correctly handle re- > + negotiation [RFC5746] each handshake on a TLS connection is bound > to > + the preceding handshake, if any. Therefore the TLS Finished > messages > + can be safely used as a channel binding provided that the > + authentication mechanism doing the channel binding conforms to the > + requirements in [RFC5056]. > > The server certificate, when present, is also cryptographically > bound > to the TLS connection through its use in key transport and/or > authentication of the server (either by dint of its use in key > transport, by its use in signing key agreement, or by its use in > key > agreement). Therefore the server certificate is suitable as an > end- > point channel binding as described in [RFC5056]. > > 9.1. Cryptographic Algorithm Agility > > The 'tls-unique' and 'tls-unique-for-telnet' channel binding types > do > not add any use of cryptography beyond that used by TLS itself. > Therefore these two channel binding types add no considerations > with > respect to cryptographic algorithm agility. > > The 'tls-server-end-point' channel binding type consist of a hash > of > a server certificate. The reason for this is to produce manageably > small channel binding data, as some implementations will be using > kernel-mode memory (which is typically scarce) to store these. > This > use of a hash algorithm is above and beyond TLS's use of > cryptography, therefore the 'tls-server-end-point' channel binding > type has a security consideration with respect to hash algorithm > agility. The algorithm to be used, however, is derived from the > server certificate's signature algorithm as described in Section > 4.1; > to recap: use SHA-256 if the certificate signature algorithm uses > MD5 > or SHA-1, else use whatever hash function the certificate uses > (unless the signature algorithm uses no hash functions or more than > one hash function, in which case 'tls-server-end-point' is > undefined). This construction automatically makes 'tls-server-end- > point' hash algorithm agile, with a dependency on PKIX and TLS for > hash agility. > > Current proposals for randomized signatures algorithms > [I-D.irtf-cfrg-rhash] [NIST-SP.800-106.2009] use hash functions in > their construction -- a single hash function in each algorithm. > Therefore the 'tls-server-end-point' channel binding type should be > available even in cases where new signatures algorithms are used > that > are based on current randomized hashing proposals (but we cannot > guarantee this, of course). > > 9.2. On Disclosure of Channel Bindings Data by Authentication > Mechanisms > > When these channel binding types were first considered, one issue > that some commenters were concerned about was the possible impact > on > the security of the TLS channel, of disclosure of the channel > bindings data by authentication mechanisms. This can happen, for > example, when an authentication mechanism transports the channel > bindings data, with no confidentiality protection, over other > transports (for example, in communicating with a trusted third > party), or when the TLS channel provides no confidentiality > protection and the authentication mechanism does not protect the > confidentiality of the channel bindings data. This section > considers > that concern. > > When the TLS connection uses a cipher suite that does not provide > confidentiality protection, the TLS Finished messages will be > visible > to eavesdroppers, regardless of what the authentication mechanism > does. The same is true of the server certificate which, in any > case, > is generally visible to eavesdroppers. Therefore we must consider > our choices of TLS channel bindings here to be safe to disclose by > definition -- if that were not the case then TLS with cipher suites > that don't provide confidentiality protection would be unsafe. > Furthermore, the TLS Finished message construction depends on the > security of the TLS PRF, which in turn needs to be resistant to key > recovery attacks, and we think that it is, as it is based on HMAC, > and the master secret is, well, secret (and the result of key > exchange). > > Note too that in the case of an attempted active man-in-the-middle > attack, the attacker will already possess knowledge of the TLS > finished messages for both inbound and outbound TLS channels (which > will differ, given that the attacker cannot force them to be the > same). No additional information is obtained by the attacker from > the authentication mechanism's disclosure of channel bindings data > -- > the attacker already has it, even when cipher suites providing > confidentiality protection are provided. > > None of the channel binding types defined herein produce channel > bindings data that must be kept secret. Moreover, none of the > channel binding types defined herein can be expected to be private > (known only to the end-points of the channel), except that the > unique > TLS channel binding types can be expected to be private when a > cipher > suite that provides confidentiality protection is used to protect > the > Finished message exchanges and the application data records > containing application-layer authentication messages. > > > 10. References > > 10.1. Normative References > > [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate > Requirement Levels", BCP 14, RFC 2119, March 1997. > > [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure > Channels", RFC 5056, November 2007. > > [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer > Security > (TLS) Protocol Version 1.2", RFC 5246, August 2008. > > + [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, > + "Transport Layer Security (TLS) Renegotiation Indication > + Extension", RFC 5746, February 2010. > + > 10.2. Normative References for 'tls-server-end-point' > > [FIPS-180-2] > United States of America, National Institute of > Standards > and Technology, "Secure Hash Standard (Federal > Information > Processing Standard (FIPS) 180-2". > > 10.3. Informative References > > [I-D.irtf-cfrg-rhash] > Halevi, S. and H. Krawczyk, "Strengthening Digital > Signatures via Randomized Hashing", > draft-irtf-cfrg-rhash-01 (work in progress), October > 2007. > > [NIST-SP.800-106.2009] > National Institute of Standards and Technology, "NIST > Special Publication 800-106: Randomized Hashing for > Digital Signatures", February 2009. > > [RFC0854] Postel, J. and J. Reynolds, "Telnet Protocol > Specification", STD 8, RFC 854, May 1983. > > [RFC1321] Rivest, R., "The MD5 Message-Digest Algorithm", RFC > 1321, > April 1992. > > [RFC2743] Linn, J., "Generic Security Service Application Program > Interface Version 2, Update 1", RFC 2743, January 2000. > > [RFC3174] Eastlake, D. and P. Jones, "US Secure Hash Algorithm 1 > (SHA1)", RFC 3174, September 2001. > > [RFC4880] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and > R. > Thayer, "OpenPGP Message Format", RFC 4880, November > 2007. > > [RFC5081] Mavrogiannopoulos, N., "Using OpenPGP Keys for Transport > Layer Security (TLS) Authentication", RFC 5081, > November 2007. > > [RFC5280] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., > Housley, R., and W. Polk, "Internet X.509 Public Key > Infrastructure Certificate and Certificate Revocation > List > (CRL) Profile", RFC 5280, May 2008. > > > Authors' Addresses > > Jeff Altman > Secure Endpoints > 255 W 94TH ST PHB > New York, NY 10025 > US > > Email: jaltman@secure-endpoints.com > > > Nicolas Williams > - Sun Microsystems > + Oracle > 5300 Riata Trace Ct > Austin, TX 78727 > US > > - Email: Nicolas.Williams@sun.com > + Email: Nicolas.Williams@oracle.com > > > Larry Zhu > Microsoft Corporation > One Microsoft Way > Redmond, WA 98052 > US > > Email: lzhu@microsoft.com > > _______________________________________________ > sasl mailing list > sasl@ietf.org > https://www.ietf.org/mailman/listinfo/sasl
- [TLS] Updates to draft-altman-tls-channel-binding… Nicolas Williams
- Re: [TLS] [sasl] Updates to draft-altman-tls-chan… Pasi.Eronen
- Re: [TLS] [sasl] Updates to draft-altman-tls-chan… Dave Cridland
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Simon Josefsson
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Nicolas Williams
- Re: [TLS] [sasl] [CHANNEL-BINDING] Updates to dra… Larry Zhu
- Re: [TLS] [sasl] [CHANNEL-BINDING] Updates to dra… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Nicolas Williams
- Re: [TLS] [sasl] [CHANNEL-BINDING] Updates to dra… Alexey Melnikov
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Alexey Melnikov
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Simon Josefsson
- Re: [TLS] [CHANNEL-BINDING] Updates to draft-altm… Simon Josefsson
- Re: [TLS] [CHANNEL-BINDING] Updates to draft-altm… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] Updates to Martin Rex
- [TLS] Updates to draft-altman-tls-channel-binding… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] Updates to draft-altm… Alexey Melnikov
- Re: [TLS] [sasl] Updates to draft-altman-tls-chan… Nicolas Williams
- Re: [TLS] [sasl] Updates to draft-altman-tls-chan… Nicolas Williams
- Re: [TLS] [sasl] Updates to draft-altman-tls-chan… Larry Zhu
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Larry Zhu
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Simon Josefsson
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Simon Josefsson
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Larry Zhu
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to Martin Rex
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to Simon Josefsson
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to dra… Nicolas Williams
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to Martin Rex
- Re: [TLS] [CHANNEL-BINDING] [sasl] Updates to Larry Zhu
- [TLS] Avoiding CB sync problem via server-side so… Nicolas Williams
- Re: [TLS] [sasl] Updates to draft-altman-tls-chan… Eliot Lear
- Re: [TLS] [sasl] Updates to draft-altman-tls-chan… Nicolas Williams
- Re: [TLS] [sasl] Updates to draft-altman-tls-chan… Sean Turner