Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (abridged)
Eric Rescorla <ekr@rtfm.com> Wed, 15 July 2015 21:30 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 689B61A885C for <tls@ietfa.amsl.com>; Wed, 15 Jul 2015 14:30:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NHlBocwCaj1F for <tls@ietfa.amsl.com>; Wed, 15 Jul 2015 14:29:51 -0700 (PDT)
Received: from mail-wg0-f45.google.com (mail-wg0-f45.google.com [74.125.82.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FBE11B2CB7 for <tls@ietf.org>; Wed, 15 Jul 2015 14:29:50 -0700 (PDT)
Received: by wgmn9 with SMTP id n9so43512347wgm.0 for <tls@ietf.org>; Wed, 15 Jul 2015 14:29:49 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=SIil77uuQvQ9dT3fpVVqCN36/fbajD0GjTWwhb95xE8=; b=Ox/NmIyMcQcmqbFhfZ7YWF3CVidXDwiQ95PO6kOZWvGGaExUPyp5Mt5u3vYQvxWk3S tfoA8kkQCW2vKDt2jFF3EqTD1qGUA3+SINO4Xf80j0WfaC5tNv0zQCYg8gul2UQI7IVO YWbSejUN3Z9GHn3aiRKucCJSawGJHBmEFWDdzDRn0h+a96hCJnFESlf/ax3Eu6fhE9VA yP3nY1sA5RdEwObqCCTtXQrrg1uoPQERbD5m7sRwOnJHERNonloFzX4KVYS0dlPR6PCs GgIlp6DVVA3DgohMwgOQddwqRQGOBMaTCoG7aYSeSdpBywyhRkFDZ/3rLtC3nmYlUGuP DhTQ==
X-Gm-Message-State: ALoCoQm7G0rxO6LXFHyS6Py0TbpPIh1eoGfhTVwLnR5xtYv8MI5J4talYTWpbxKSzS6fYnbunTbx
X-Received: by 10.180.75.78 with SMTP id a14mr369220wiw.68.1436995788985; Wed, 15 Jul 2015 14:29:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.85.75 with HTTP; Wed, 15 Jul 2015 14:29:09 -0700 (PDT)
In-Reply-To: <20150715141523.GA13669@LK-Perkele-VII>
References: <20150715141523.GA13669@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 15 Jul 2015 14:29:09 -0700
Message-ID: <CABcZeBO0PCB43Mtkd9FL6nt4o4sRaWk3roZTz66rbdRzF7wSAA@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary="f46d0438eb9d8bea1b051af0a7ab"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Egkd5zxBiJh-kFj40_b2yzZVVOc>
X-Mailman-Approved-At: Wed, 15 Jul 2015 21:37:14 -0700
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (abridged)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2015 21:30:02 -0000
Ilari, Thanks for your detailed comments. > > Header > > Isn't 4346 already obsoleted by 5246, which this document also obsoletes? > > 4366 seems to be jointly obsoleted by 5246 and 6066. > > 5246 and 5077 are not in numerical order, whereas the rest are. This was updated in a recent PR by Dave Garrett. > > 1. (Introduction) > > DSA should be replaced by ECDSA (DSA is pretty much obsolete)? Yes, I can do that. I'm happy to remove DSA entirely if the chairs declare consensus on this. > > 1.2. (Major Differences from TLS 1.2) > > Is this meant to be changelog or list of changes? It in current form > looks more like a changelog. It's just a changelog. I'll eventually make it a real list in the final version. > > 4.9.1. (Digital Signing) > > I think someone wanted randoms back here in order to support privilege > separation (which I think is important to support, I consider it much > more important than being "HSM friendly")? I think it was Nikos. Nikos, if you'd like to submit a PR that we can discuss, that would be great. > Reading what current draft of 4492-bis says, the hash function used is > determined by signature_algorithms (or presumably the corresponding > mechanism in CertificateRequest for client certs). Well, it's negotiated by that, but indicated in the message. > Also, to my knowledge, there is no mechanism to indicate in ECDSA > certificate what hash algorithms are allowed. I am also unaware of one. > > 4.9.2. (Authenticated Encryption with Additional Data (AEAD)) > > The example looks like it belongs to section 4.9.1, as it is about > signatures, not AEAD construct. > Oops. Yeah, I'll fix that. > > 5. (The TLS Record Protocol) > > Documenting the security properties of TLS would be useful... Agreed. I intend to rewrite the entire security analysis soon. > The lack of record length hiding may be problematic in protocols that > have no place for cover traffic (e.g. can DNS requests contain padding, > DPRIVE WG is apparently planning on putting DNS into (D)TLS?). > > > 5.2.1. (Fragmentation) > > Zero-length fragments of application data are very much visible in > ciphertext (unless record padding is added), so those are not currently > useful as traffic analysis countermeasure. Agreed. We have PRs for adding padding, but they haven't been merged yet because I wanted to get key management squared away. See: https://github.com/tlswg/tls13-spec/pull/147 > > 5.2.2. (Record Payload Protection) > > There looks to be latter limits that restrict ciphertext size to 2^14 > +1024, which is smaller than 2^14+2048 here (but those limits might be > tightened further). > > As for amount of expansion needed for length-hiding, I think that being > able to represent 16384-byte record with no padding would be enough > (since record sizes cap at 16384 bytes anyway). Yes. As you can see there is an open issue marker here. If you wanted to submit a PR, that would be great. > > 6. (The TLS Handshaking Protocols) > > Are encryption keys, finished value (tls-unique) and exporter secret > part of session or not? I'm planning to remove/rewrite this entire section, as I don't think it's useful. > > 6.1.1. (Closure Alerts) > > The semantics of closure alerts seem incompatible with half-closes, > which some protocols actually use. True, but this has been in TLS since the beginning, so there presumably should not be any TLS-using apps which depend on it. Do you think this is a feature which we should add. > > 6.1.2. (Error Alerts) > > Could use another example of warning alert, now that no_renegotiation > is not a warning anymore? Will see what I can find. > > 6.2.1. (Incorrect DHE Share) > > EncryptedExtensions is marked optional in Figure 2, but not Figure 1? It's not optional. I just got confused. Thanks. > The relationship between session hash and handshake restarts seems > like a hairy problem. > > Also, I figured out a downgrade attack that works against careless > _server_ (not requiring client to do anything else than have weak > crypto enabled). Continuing hashes looks to block that attack. > > It involves attacker sending ClientHello with arbitrary parameters > that triggers a retry (very easy to trigger a retry), eating the > reply, followed by sending client's original ClientHello. That > could trigger crypto downgrade in some badly made servers. Do you think you could walk through this in more detail? I'm having trouble understanding the issue. > > 6.2.2. (Cached Server Configuration) > > Issue #184 manifests here too. I think both accepting and provoding > configuration in the same handshake is sensible (key rollover), and > later the draft talks about exactly that case. I agree. > Also, maybe note that provoding the message does not alter the > configuration hash (even if there is no existing one) could be useful. Agreed. Will see what I can do. > > 6.2.3. (Zero-RTT Exchange) > > No EncryptedExtensions? Pilot error. > How would the server know when 0-RTT data ended, so it could send its > ServerHello? Is there a reason it needs to know? It needs to be able to distinguish the 0-RTT from the 1-RTT data, but the Finished allows that. > Also, how is the 0-RTT data bound to session if accepted, or is there > a security analysis for leaving this binding out? Can you say more about what you mean here? > Can anyone expand on the note about impersonation with compromised > server key? I can't offhand figure out how attacker can calculate > server-side ES (without having also compromised (possibly former) > client or (current) server exchange key). Will see what I can do. > > 6.3. (Handshake Protocol) > > Missing encrypted_extensions (it is a handshake message, right)? Yeah, pilot error. > > 6.3.1.1. (Client Hello) > > The non-match case gives HelloRetryRequest, not ServerHello, right? Yes. > s/should/SHOULD/ in description of session_id? > > I don't think client extensions are optional anymore in TLS 1.3 (being > required for successful handshake. > > Also, TLS 1.2 servers that care about security (are there actually any?) > already require extensions for successful handshake. I agree. We should mandate these. > > 6.3.1.2. (Server Hello) > > Well, at least it wouldn't be backward compatiblity hazard to remove > session_id_len, since it comes after server version. I'm sold. > Note: Unlike client extensions, I think server extensions might be empty > in TLS 1.3 handshake (since extensions required for GDHE_CERT type key > exchanges are not replied to by server). > > > 6.3.1.3. (Hello Retry Request) > > server_version and cipher_suite in HRR seem bit dangerous to me. If > HashAlgorithm contained all PRF hashes (currently it does), one could > use that to designate PRF hash. I think we only need the minimum information, so maybe we could skip these... > Merging DTLS cookies might be a good idea. However, then group mismatch > wouldn't be the only source of failure (which needs some text adjustment > about the selected_group check). Yes, I can fix this. > s/use for/add to/ in description of selected_group? Thanks. Yes. > What happens if Ciphersuite and NamedGroup don't match between HRR > and SH/SKS? I expect there be clients that don't check, no matter if it > is MUST or not. Depends on if we continue the hash. If not, I would imagine that the handshake succeeds. With that said, this is intended to be a client-side enforcement of correct server behavior. Since the client's offered parameters are the same as the ones it offered before (with just a new key in ClientKeyShare) the server should be picking the same parameters as before, no? > > 6.3.1.4. (Hello Extensions) > > supported_groups is 10, right? Thanks, yes, I'll bring this in. > Also, for matter of protocol testing, could be useful to give some > free values to temporary squat on for extensions that aren't stable > yet. I agree. Suggest you propose this as a PR. > The restriction on extensions appearing also holds for > EncryptedExtensions, not just SH or HRR. I wonder if we should relax these. > It could also be useful to deprecate some extensions (client MAY send > for backwards compat, server MUST NOT select). > > Some candidates: > - truncated_hmac: Block modes have been removed. > - encrypt_then_mac: Block modes have been removed. > - extended_master_secret: The THS bug is fixed anyway. > - sessionticket TLS: Session tickets are deprecated. > - renegotiation_info: The renego bug is fixed anyway. Agreed. > The interaction of some extensions with PSK-based resumption isn't > that clear. This is further complicated by the fact that PSK can also > start a new session. Yes, I haven't quite worked this out. > Reference to "error alerts". Should that be "fatal alerts"? Yes, thanks. > The part about being careful with extensions modifying handshake > presumably also goes for functions that are sometimes used for > authentication like TLS-EXPORTER or TLS-UNIQUE. We may be beyond that point. > > 6.3.1.4.1. (Signature Algorithms) > > Anonymous should be removed. It is apparently not used (there is reference > to another section saying that section uses it, but I can't find in that > section how it is actually used). I think there is still a desire to have anonymous DH cipher suites. > Description of signature refers to 6.3,2, which is about SKS, which does > not seem to have anything to do with signatures (leftover from TLS 1.2?) > > Then in description of the extensions there is reference to 6.3.4 and > 6.3.2. 6.3.4 looks relevant, 6.3.2. doesn't look so. I'll clean these up. > Also, making signature_algorithms mandatory would allow dropping the > backward compatiblity special cases from here. Agreed. Just waiting for the chairs to declare consensus on that :) > There is text that talks about "offering prior versions". Does that > refer to insecure version downgrade (I don't suppose TLS 1.1 maximum > client would care about what TLS 1.3 spec says). It was just to make clear that people shouldn't be adopting this for older versions. > > 6.3.1.4.2. (Negotiated Groups) > > One chould add Curve25519 and Curve448, and the corresponding > signature groups (signature groups when CFRG signatures become > stable). Yep. I think the drafts are now stable for this. > > 6.3.1.5.1. (Diffie-Hellman Parameters) > > 6.3.1.5.2. (ECDHE Parameters) > > Drop the wrappers? Then DHE and ECDHE could be unified (the unification > is currently blocked by different lengths of the length field). Yes, that looks like it would work. Will try that > The point description might make it more clear that encodings are per- > curve (altough most curves use X9.62). Will see what I can do. Suggested tet would help. > Does the note about only single point format apply to signatures too > (if so, ec_point_formats could be deprecated). Yes, it should. > Regarding CFRG curves, the current draft (for TLS 1.2) specifies use > of the native point format (32/56 octets) as if it was uncompressed. That sounds like a good fit then. > > 6.3.1.5.4. (Pre-Shared Key Extension) > > Client SHOULD offer at most two PSK identities (one for DH-PSK, > the other for pure-PSK)? My sense was just to offer a pile of identities, since they're untyped anyway. > This would imply that one can't resume pure-PSK sessions, but that > does not look to be useful anyway. > > Also, could be useful to state that the PSK identity hint from > previous versions has been deprecated. Willdo. > > 6.3.1.5.5. (Early Data Indication) > > s/MUST not/MUST NOT/ in description of early_data with client auth? Ack. > Also, I would say that 0-RTT data with 0-RTT auth is more dangerous than > 0-RTT data with 1-RTT auth (for reasons mentioned earlier in the draft). It is. It's also important for some applications. > Eeh, the rule for detecting end of 0RTT data, isn't the next client > handshake message from the next flight at least in some cases (and > waiting would obviously deadlock)? I don't believe that the server has to wait for the end of 0-RTT data before it sends the ServerHello. What is necessary is to be able to skip ahead through the handshake messages that you can't read (if you reject). > Again, how is binding of early handshake messages done (or security > analysis showing this unnecressary)? There are two cases here: 1. The server accepts the 0-RTT, in which case they are bound in the usual way. 2. The server rejects the 0-RTT in which case they aren't bound but also no data from them is used (though the fact of rejection is bound). We are working on analyzing this now. > Client receiving rejection knows that auth failed and data failed, it > might try to fix things up in its next flight. > As for what to sign for client auth, the ClientHello and Certificate > (at least)? One thing to note is that if verify contains randoms, then > server_random isn't available. Yeah, it would be 0. > Regarding finished, isn't Finished in second flight? Or is this another > client Finished? The client's Finished is in the second flight. Can you clarify this question. > Regarding cryptographic parameter set, I think one better prepare for > failure (there are multiple causes of server failing to compute keys or > decrypt data). Can you say more about this? > Also, how does known_configuration interact with PSK (other than > configurations seemingly not being usable with PSK)? I will have a proposal to fix this which I plan to send shortly. > Also, the record protection used for early handshake messages should be > indicated. Can you expand on that? > I think there are basically two things to signal for 0RTT: > - What key material is used (either by PSK ID or configuration ID) > - What record protection (and KDF to derive keys) is used? > > Tying the latter to client offered ciphersuites is probably not wanted. Yeah, I think we should signal this separately. > > 6.3.2. (Server Key Share) > > Add that connection will be rekeyed immediately after this message, and > that it MUST be the last message in record it is in? Thanks. Yes. > > 6.3.3. (Encrypted Extensions) > > Some of the figures have this as mandatory, some optional. Which is it? Mandatory. Pilot error. > Yeah, would be good to have explicit list of what goes to SH, and what > goes to EE. Yes. > Also, the list is affected by #184, as some extensions introduce extra > messages (esp. status_request{,_v2} and signed_certificate_timestamp). Good point. > > 6.3.4. (Server Certificate) > > > > The certificate MUST be appropriate for the negotiated cipher > > suite's key exchange algorithm and any negotiated extensions. > > If signature_algorithms is mandatory, this would then key to that for > signature algorithm, not ciphersuites (and even if it isn't, it would > then key to its fallback default). Yep. > Could change example of alternative certificate formats to RFC7250 (it > seems better designed than RFC5081). Ack. > Doesn't TLS 1.3 always use the certificate for signing, with indicated > algorithm (which obviously needs to be supported by peer)? Wouldn't it > make more sense to talk about signature algorithms instead of key > exchange algorithms. (Unless some key exchange that uses non-signing > certificates is added). Yeah, this is just old text. > > 6.3.6. (Server Configuration) > > Use TTL instead of of explicit time for expiration, as broken clocks > are abound (also, just 32-bit field that only goes up to 2106 or so)? Here's my argument for explicit time: We might in the future want to allow some kind of offline signing (potentially, as Hugo has suggested, with a special bit in the certificate). In that case, it would be really nice to have an absolute expiration time for obvious reasons. > Also, considering the dangers of configuration, it might be appropriate > to have other permission flags (especially client and server auth) too? I could see client auth, as in "I will want you to do client auth" but why server auth, since once you have the configuration, you have continuing auth. > Also, Could be useful for client to know what ciphers it can use for > 0-RTT data? This is a possibility, but I was more thinking that they would reuse the same ones as were negotiated here. More on this shortly. > > 6.3.7. (Server Certificate Verify) > > Should PRF hash designation be added in order to avoid attacks from > weak PRF hashes? Could you say more about this? > I think note about checking signature algorithm against ciphersuite > should be removed. This seems to interact with the a la carte discussion. > Also, with regards to complications of DSA, just dump it? :-) I'm fine with that if the chairs declare consensus on it. > > 6.3.9. (Client Certificate) > > > Doesn't CertificateRequest override algorithms anyway (and CR isn't an > extension)? Sorry, I'm not clear on what text you are sad about. > Again, could use RFC7250 instead of RFC5081 as an example? Yes. > > 6.3.10. (Client Certificate Verify) > > Similar problems as in DSA for server auth. And missing identifier > for PRF too. Sorry, can you expand on this. > > 6.3.11. (New Session Ticket Message) > > Eh, if server starts transmitting immediately without waiting for > client Finished (as is permitted for case where 1-RTT client auth > is not performed), it can't resume the session? Good point. This seems like a silly restriction, so let's remove it. > > 7.2.3. (Elliptic Curve Diffie-Hellman) > > Probably needs different description for Curve25519 and Curve448. > Those are functions that take in octet strings and output octet strings > (32 or 56 bytes). Now that those drafts are stable will see if I can incorporate. > > 11. (IANA Considerations) > > Yeah, looks to need a rewrite. Doesn't register the new stuff, and > furthermore has problems like: > > - signature_algorithms is already defined by RFC5246. > - SignatureAlgorithm registry is already defined. > - HashAlgorithm registry is already defined. > > > A.4. (The Cipher Suite) > > Probably remove note about 001C and 001D, since lots of ciphersuites are > now reserved to avoid collisions with old ones. > > > C.1. (Random Number Generation and Seeding) > Replace SHA-1 with SHA-256? > > The example is completely obsolete. Any sort of modern PCs have much > faster timers (some reaching multi-GHz rates) and one really should use > Operating System for (seeding) random numbers. > > > C.4. (Implementation Pitfalls) > > - Do you handle required handshake messages being missing or handshake > messages being in wrong order properly (i.e. terminate the connection)? > > Also, ECDSA signing operations need timing protection. > > s/DSA/ECDSA/ in seeding? And shouldn't k be determinstically generated? Thanks for the suggestions. Will edit. > > E.1.1. (Authentication and Key Exchange) I plan to rewrite all of E. > Would be useful to list what can be used to authenticate peers, in > practicular, are the following valid: > > - Signing TLS-Unique value? > - Signing value from TLS-EXPORTER? I think we should generate an explicit TLS-channel-binding output and recommend people use that. Thanks again, -Ekr On Wed, Jul 15, 2015 at 7:15 AM, Ilari Liusvaara < ilari.liusvaara@elisanet.fi> wrote: > Let's review: draft-ietf-tls-tls13-07 > > This is abridged version of mail I sent earlier, but was too large for > the list due to its sheer size. > > (Note: I omitted some stuff I saw recently discussed (e.g. pruning > unused crypto algorithms) or I remember discussed. I didn't explicitly > check issue list when doing this). > > Note: The issue list could use some cleanup. It has multiple duplicate > issues (especially about fixing THS) and also some issues that no longer > look applicable. > > > > Header > > Isn't 4346 already obsoleted by 5246, which this document also obsoletes? > > 4366 seems to be jointly obsoleted by 5246 and 6066. > > 5246 and 5077 are not in numerical order, whereas the rest are. > > > 1. (Introduction) > > DSA should be replaced by ECDSA (DSA is pretty much obsolete)? > > > 1.2. (Major Differences from TLS 1.2) > > Is this meant to be changelog or list of changes? It in current form > looks more like a changelog. > > > 4.9.1. (Digital Signing) > > I think someone wanted randoms back here in order to support privilege > separation (which I think is important to support, I consider it much > more important than being "HSM friendly")? > > Reading what current draft of 4492-bis says, the hash function used is > determined by signature_algorithms (or presumably the corresponding > mechanism in CertificateRequest for client certs). > > Also, to my knowledge, there is no mechanism to indicate in ECDSA > certificate what hash algorithms are allowed. > > > 4.9.2. (Authenticated Encryption with Additional Data (AEAD)) > > The example looks like it belongs to section 4.9.1, as it is about > signatures, not AEAD construct. > > > 5. (The TLS Record Protocol) > > Documenting the security properties of TLS would be useful... > > The lack of record length hiding may be problematic in protocols that > have no place for cover traffic (e.g. can DNS requests contain padding, > DPRIVE WG is apparently planning on putting DNS into (D)TLS?). > > > 5.2.1. (Fragmentation) > > Zero-length fragments of application data are very much visible in > ciphertext (unless record padding is added), so those are not currently > useful as traffic analysis countermeasure. > > > 5.2.2. (Record Payload Protection) > > There looks to be latter limits that restrict ciphertext size to 2^14 > +1024, which is smaller than 2^14+2048 here (but those limits might be > tightened further). > > As for amount of expansion needed for length-hiding, I think that being > able to represent 16384-byte record with no padding would be enough > (since record sizes cap at 16384 bytes anyway). > > > 6. (The TLS Handshaking Protocols) > > Are encryption keys, finished value (tls-unique) and exporter secret > part of session or not? > > > 6.1.1. (Closure Alerts) > > The semantics of closure alerts seem incompatible with half-closes, > which some protocols actually use. > > > 6.1.2. (Error Alerts) > > Could use another example of warning alert, now that no_renegotiation > is not a warning anymore? > > > 6.2.1. (Incorrect DHE Share) > > EncryptedExtensions is marked optional in Figure 2, but not Figure 1? > > The relationship between session hash and handshake restarts seems > like a hairy problem. > > Also, I figured out a downgrade attack that works against careless > _server_ (not requiring client to do anything else than have weak > crypto enabled). Continuing hashes looks to block that attack. > > It involves attacker sending ClientHello with arbitrary parameters > that triggers a retry (very easy to trigger a retry), eating the > reply, followed by sending client's original ClientHello. That > could trigger crypto downgrade in some badly made servers. > > > 6.2.2. (Cached Server Configuration) > > Issue #184 manifests here too. I think both accepting and provoding > configuration in the same handshake is sensible (key rollover), and > later the draft talks about exactly that case. > > Also, maybe note that provoding the message does not alter the > configuration hash (even if there is no existing one) could be useful. > > > 6.2.3. (Zero-RTT Exchange) > > No EncryptedExtensions? > > How would the server know when 0-RTT data ended, so it could send its > ServerHello? > > Also, how is the 0-RTT data bound to session if accepted, or is there > a security analysis for leaving this binding out? > > Can anyone expand on the note about impersonation with compromised > server key? I can't offhand figure out how attacker can calculate > server-side ES (without having also compromised (possibly former) > client or (current) server exchange key). > > > 6.3. (Handshake Protocol) > > Missing encrypted_extensions (it is a handshake message, right)? > > > 6.3.1.1. (Client Hello) > > The non-match case gives HelloRetryRequest, not ServerHello, right? > > s/should/SHOULD/ in description of session_id? > > I don't think client extensions are optional anymore in TLS 1.3 (being > required for successful handshake. > > Also, TLS 1.2 servers that care about security (are there actually any?) > already require extensions for successful handshake. > > > 6.3.1.2. (Server Hello) > > Well, at least it wouldn't be backward compatiblity hazard to remove > session_id_len, since it comes after server version. > > Note: Unlike client extensions, I think server extensions might be empty > in TLS 1.3 handshake (since extensions required for GDHE_CERT type key > exchanges are not replied to by server). > > > 6.3.1.3. (Hello Retry Request) > > server_version and cipher_suite in HRR seem bit dangerous to me. If > HashAlgorithm contained all PRF hashes (currently it does), one could > use that to designate PRF hash. > > Merging DTLS cookies might be a good idea. However, then group mismatch > wouldn't be the only source of failure (which needs some text adjustment > about the selected_group check). > > s/use for/add to/ in description of selected_group? > > What happens if Ciphersuite and NamedGroup don't match between HRR > and SH/SKS? I expect there be clients that don't check, no matter if it > is MUST or not. > > Heck, I recently heard of servers that only partially(!!!) check client > Finished (or omit the check entierely). > > > 6.3.1.4. (Hello Extensions) > > supported_groups is 10, right? > > Also, for matter of protocol testing, could be useful to give some > free values to temporary squat on for extensions that aren't stable > yet. > > The restriction on extensions appearing also holds for > EncryptedExtensions, not just SH or HRR. > > It could also be useful to deprecate some extensions (client MAY send > for backwards compat, server MUST NOT select). > > Some candidates: > - truncated_hmac: Block modes have been removed. > - encrypt_then_mac: Block modes have been removed. > - extended_master_secret: The THS bug is fixed anyway. > - sessionticket TLS: Session tickets are deprecated. > - renegotiation_info: The renego bug is fixed anyway. > > The interaction of some extensions with PSK-based resumption isn't > that clear. This is further complicated by the fact that PSK can also > start a new session. > > Reference to "error alerts". Should that be "fatal alerts"? > > The part about being careful with extensions modifying handshake > presumably also goes for functions that are sometimes used for > authentication like TLS-EXPORTER or TLS-UNIQUE. > > > 6.3.1.4.1. (Signature Algorithms) > > Anonymous should be removed. It is apparently not used (there is reference > to another section saying that section uses it, but I can't find in that > section how it is actually used). > > Description of signature refers to 6.3,2, which is about SKS, which does > not seem to have anything to do with signatures (leftover from TLS 1.2?) > > Then in description of the extensions there is reference to 6.3.4 and > 6.3.2. 6.3.4 looks relevant, 6.3.2. doesn't look so. > > Also, making signature_algorithms mandatory would allow dropping the > backward compatiblity special cases from here. > > There is text that talks about "offering prior versions". Does that > refer to insecure version downgrade (I don't suppose TLS 1.1 maximum > client would care about what TLS 1.3 spec says). > > > 6.3.1.4.2. (Negotiated Groups) > > One chould add Curve25519 and Curve448, and the corresponding > signature groups (signature groups when CFRG signatures become > stable). > > > 6.3.1.5.1. (Diffie-Hellman Parameters) > > 6.3.1.5.2. (ECDHE Parameters) > > Drop the wrappers? Then DHE and ECDHE could be unified (the unification > is currently blocked by different lengths of the length field). > > The point description might make it more clear that encodings are per- > curve (altough most curves use X9.62). > > Does the note about only single point format apply to signatures too > (if so, ec_point_formats could be deprecated). > > Regarding CFRG curves, the current draft (for TLS 1.2) specifies use > of the native point format (32/56 octets) as if it was uncompressed. > > > 6.3.1.5.4. (Pre-Shared Key Extension) > > Client SHOULD offer at most two PSK identities (one for DH-PSK, > the other for pure-PSK)? > > This would imply that one can't resume pure-PSK sessions, but that > does not look to be useful anyway. > > Also, could be useful to state that the PSK identity hint from > previous versions has been deprecated. > > > 6.3.1.5.5. (Early Data Indication) > > s/MUST not/MUST NOT/ in description of early_data with client auth? > > Also, I would say that 0-RTT data with 0-RTT auth is more dangerous than > 0-RTT data with 1-RTT auth (for reasons mentioned earlier in the draft). > > Eeh, the rule for detecting end of 0RTT data, isn't the next client > handshake message from the next flight at least in some cases (and > waiting would obviously deadlock)? > > Again, how is binding of early handshake messages done (or security > analysis showing this unnecressary)? > > Client receiving rejection knows that auth failed and data failed, it > might try to fix things up in its next flight. > > As for what to sign for client auth, the ClientHello and Certificate > (at least)? One thing to note is that if verify contains randoms, then > server_random isn't available. > > Regarding finished, isn't Finished in second flight? Or is this another > client Finished? > > Regarding cryptographic parameter set, I think one better prepare for > failure (there are multiple causes of server failing to compute keys or > decrypt data). > > Also, how does known_configuration interact with PSK (other than > configurations seemingly not being usable with PSK)? > > Also, the record protection used for early handshake messages should be > indicated. > > I think there are basically two things to signal for 0RTT: > - What key material is used (either by PSK ID or configuration ID) > - What record protection (and KDF to derive keys) is used? > > Tying the latter to client offered ciphersuites is probably not wanted. > > > 6.3.2. (Server Key Share) > > Add that connection will be rekeyed immediately after this message, and > that it MUST be the last message in record it is in? > > > 6.3.3. (Encrypted Extensions) > > Some of the figures have this as mandatory, some optional. Which is it? > > Yeah, would be good to have explicit list of what goes to SH, and what > goes to EE. > > Also, the list is affected by #184, as some extensions introduce extra > messages (esp. status_request{,_v2} and signed_certificate_timestamp). > > > 6.3.4. (Server Certificate) > > > > The certificate MUST be appropriate for the negotiated cipher > > suite's key exchange algorithm and any negotiated extensions. > > If signature_algorithms is mandatory, this would then key to that for > signature algorithm, not ciphersuites (and even if it isn't, it would > then key to its fallback default). > > Could change example of alternative certificate formats to RFC7250 (it > seems better designed than RFC5081). > > Doesn't TLS 1.3 always use the certificate for signing, with indicated > algorithm (which obviously needs to be supported by peer)? Wouldn't it > make more sense to talk about signature algorithms instead of key > exchange algorithms. (Unless some key exchange that uses non-signing > certificates is added). > > > 6.3.6. (Server Configuration) > > Use TTL instead of of explicit time for expiration, as broken clocks > are abound (also, just 32-bit field that only goes up to 2106 or so)? > > Also, considering the dangers of configuration, it might be appropriate > to have other permission flags (especially client and server auth) too? > > Also, Could be useful for client to know what ciphers it can use for > 0-RTT data? > > > 6.3.7. (Server Certificate Verify) > > Should PRF hash designation be added in order to avoid attacks from > weak PRF hashes? > > I think note about checking signature algorithm against ciphersuite > should be removed. > > Also, with regards to complications of DSA, just dump it? :-) > > > 6.3.9. (Client Certificate) > > > Doesn't CertificateRequest override algorithms anyway (and CR isn't an > extension)? > > Again, could use RFC7250 instead of RFC5081 as an example? > > > 6.3.10. (Client Certificate Verify) > > Similar problems as in DSA for server auth. And missing identifier > for PRF too. > > > 6.3.11. (New Session Ticket Message) > > Eh, if server starts transmitting immediately without waiting for > client Finished (as is permitted for case where 1-RTT client auth > is not performed), it can't resume the session? > > > 7.2.3. (Elliptic Curve Diffie-Hellman) > > Probably needs different description for Curve25519 and Curve448. > Those are functions that take in octet strings and output octet strings > (32 or 56 bytes). > > > 11. (IANA Considerations) > > Yeah, looks to need a rewrite. Doesn't register the new stuff, and > furthermore has problems like: > > - signature_algorithms is already defined by RFC5246. > - SignatureAlgorithm registry is already defined. > - HashAlgorithm registry is already defined. > > > A.4. (The Cipher Suite) > > Probably remove note about 001C and 001D, since lots of ciphersuites are > now reserved to avoid collisions with old ones. > > > C.1. (Random Number Generation and Seeding) > > Replace SHA-1 with SHA-256? > > The example is completely obsolete. Any sort of modern PCs have much > faster timers (some reaching multi-GHz rates) and one really should use > Operating System for (seeding) random numbers. > > > C.4. (Implementation Pitfalls) > > - Do you handle required handshake messages being missing or handshake > messages being in wrong order properly (i.e. terminate the connection)? > > Also, ECDSA signing operations need timing protection. > > s/DSA/ECDSA/ in seeding? And shouldn't k be determinstically generated? > > > E.1.1. (Authentication and Key Exchange) > > Would be useful to list what can be used to authenticate peers, in > practicular, are the following valid: > > - Signing TLS-Unique value? > - Signing value from TLS-EXPORTER? > > Both have been seen in the wild, so these better be secure ways. This > also goes for "anonymous" key exchange. > > > E.1.2. (Version Rollback Attacks) > > Is the note about PKCS #1 block type 2 about RSA key exchange, which is > deprecated? > > > -Ilari > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Let's review: draft-ietf-tls-tls13-07 (abri… Ilari Liusvaara
- Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (… Dave Garrett
- Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (… Eric Rescorla
- Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (… Ilari Liusvaara
- Re: [TLS] Let's review: draft-ietf-tls-tls13-07 (… Hubert Kario