Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)

Simon Josefsson <simon@josefsson.org> Wed, 28 October 2009 14:23 UTC

Return-Path: <simon@josefsson.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id C266F3A688A; Wed, 28 Oct 2009 07:23:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.703
X-Spam-Level:
X-Spam-Status: No, score=-2.703 tagged_above=-999 required=5 tests=[AWL=-0.104, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VZRpSDlW+eE5; Wed, 28 Oct 2009 07:23:59 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [83.241.177.39]) by core3.amsl.com (Postfix) with ESMTP id 8715B3A6802; Wed, 28 Oct 2009 07:23:58 -0700 (PDT)
Received: from mocca.josefsson.org (c80-216-24-211.bredband.comhem.se [80.216.24.211]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5) with ESMTP id n9SEO9A5017808 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Wed, 28 Oct 2009 15:24:11 +0100
From: Simon Josefsson <simon@josefsson.org>
To: Larry Zhu <larry.zhu@microsoft.com>
References: <20091005162704.8C1B43A6873@core3.amsl.com> <D3DC9D45B39CFC4CB312B2DD279B354C29BAE0E5@TK5EX14MBXW653.wingroup.windeploy.ntdev.microsoft.com> <87ocnrpq0f.fsf@mocca.josefsson.org>
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
X-Hashcash: 1:22:091028:larry.zhu@microsoft.com::qCr4riIOKTCzZhd5:2Nly
X-Hashcash: 1:22:091028:sasl@ietf.org::/qW9gdiPsqOxoR6Q:6gs2
X-Hashcash: 1:22:091028:tls@ietf.org::mZpenux+wCdG4ep7:8Ngg
X-Hashcash: 1:22:091028:channel-binding@ietf.org::pddBusMwiZxZOSpQ:FPqa
Date: Wed, 28 Oct 2009 15:24:09 +0100
In-Reply-To: <87ocnrpq0f.fsf@mocca.josefsson.org> (Simon Josefsson's message of "Wed, 28 Oct 2009 15:11:28 +0100")
Message-ID: <87hbtjppfa.fsf@mocca.josefsson.org>
User-Agent: Gnus/5.110011 (No Gnus v0.11) Emacs/23.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Virus-Scanned: clamav-milter 0.95.2 at yxa-v
X-Virus-Status: Clean
Cc: "channel-binding@ietf.org" <channel-binding@ietf.org>, "tls@ietf.org" <tls@ietf.org>, "sasl@ietf.org" <sasl@ietf.org>
Subject: Re: [TLS] lasgt call comments (st Call: draft-altman-tls-channel-bindings (Channel Bindings for TLS) to Proposed Standard)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Oct 2009 14:23:59 -0000

Simon Josefsson <simon@josefsson.org>; writes:

> http://josefsson.org/sasl-gs2/draft-josefsson-sasl-tls-cb-02.txt
>
> It makes sure to bind the channel binding uniquely to BOTH the current
> connection and the current session.  The
> draft-altman-tls-channel-bindings-07 document only binds to the current
> TLS connection.  So from this perspective, my work has the same issue,
> but it is different in other aspects.

This reminded me of an earlier observation, and it might be relevant to
re-iterate it here.  Consider this:

Day 1:

1. Client establish TLS anon-anon to server.
2. User authenticates using SCRAM with channel binding to the TLS
   channel
3. User/client disconnects

Day 2:

4. Client resumes the TLS anon-anon connection
5. Client rehandshake with X.509 client + server authentication
6. User authenticates using SCRAM with channel binding to the
   TLS channel
7. User/client disconnects

Day 3:

7. Client resumes the TLS session
8. Client rehandshake it as anon-anon
9. User authenticates using SCRAM with channel binding to the
   TLS channel
10. User/client disconnects

With draft-altman-tls-channel-bindings-07, the channel binding data used
in all three SCRAM authentications is the same bit sequence.  That means
there is only an indirect cryptographic binding between the SCRAM user
authentication and the X.509 client authentication.

/Simon