[TLS] channel id and oob
Dirk Balfanz <balfanz@google.com> Fri, 02 August 2013 10:10 UTC
Return-Path: <balfanz@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C89C11E828C for <tls@ietfa.amsl.com>; Fri, 2 Aug 2013 03:10:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0ZT5kn-9dlwR for <tls@ietfa.amsl.com>; Fri, 2 Aug 2013 03:10:24 -0700 (PDT)
Received: from mail-ob0-x234.google.com (mail-ob0-x234.google.com [IPv6:2607:f8b0:4003:c01::234]) by ietfa.amsl.com (Postfix) with ESMTP id 5D84C11E8210 for <tls@ietf.org>; Fri, 2 Aug 2013 03:10:24 -0700 (PDT)
Received: by mail-ob0-f180.google.com with SMTP id up14so793658obb.25 for <tls@ietf.org>; Fri, 02 Aug 2013 03:10:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=RRykl+aAUfZFGgjPXVArwe6SEYhjpUbo9Ek7YKz5w7I=; b=mAfopTY1ogOMksk0hnt1FkCBacWjeyFcbRB0KQjooA+jDipu30Db2PG+0Qcbkwmlu9 dWAPpR6wI9IYKqE6nJZzX5pMa0O2pi2urDaWvO25RmBUYmvCIg20CWBXMO21ZqTHsq9N YehsKlJkKoUu9Crqe5JzxZFSGwi4ualERE20R2vCQ8BfvT7yUkg2oFXsbdXSCzvEkGHQ FKQs7fKUS+OgS43amcK6ngpOZub6j9ciYi7oRCmyM7lTQyaQuwlZzAOyEomZZgKujX0h NVw6xfAbEECNkq2knYlRsGlbDQFD52/bwuDhYmpi07b60e3H4RpjWYYz7SRl588Km2AF jrgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=RRykl+aAUfZFGgjPXVArwe6SEYhjpUbo9Ek7YKz5w7I=; b=osAQYZotB9+5CUdnztyYkYLQjVjN1z13fpMkvtIuuMXQRsoNMzjDbHVpwrdVnEwfIx v/hV2WtqpWftzJCdzn7LLmq2zomxGITDxjzCWqeerzGkxgu6c3if4N7lcbg5IMY3Iwhx n2yjqaOhVP9uTvT6ibIRUgmN8eLEg2R87wUikl5/8wJVHmCgkS7kzhwGppBU0jdXqdkY nWjYMHM3/VLYvOSGGNJ6SdkeKKuI5c+t/MNRBCiXXuoJieSzJD690Ur17ts9RyrVqC67 0RnLsgbVrH3RzMRTcZFgvVKhU787gP+W302ygm1OlLVqIiEwu1Q9lCqiGuGmi0tEXTUz T4zg==
X-Gm-Message-State: ALoCoQmBR2pB0SYG3Vf42jRUUiccgl/U6SF8aUdZGC7mML4xujh8hdt/U0tWza7DGkpFCqrfa0KfxdioD8d/Mw1kL1JSuy74kHddztKe4QbDVzcRf9yQ0Dc+DkGTZsDKA8431HnLOVhmge1WYiz5D0/swaG4mXCGmsmftvUcdSViQjKFdV6ZjNNy2gio+GntjLJHn/h5c1l1
MIME-Version: 1.0
X-Received: by 10.50.16.102 with SMTP id f6mr221123igd.41.1375438223742; Fri, 02 Aug 2013 03:10:23 -0700 (PDT)
Received: by 10.64.33.107 with HTTP; Fri, 2 Aug 2013 03:10:23 -0700 (PDT)
Date: Fri, 02 Aug 2013 03:10:23 -0700
Message-ID: <CADHfa2A7jERE=UTudOLcWnH7KppYH+7hcbRJg4aGZuwFeLBqnw@mail.gmail.com>
From: Dirk Balfanz <balfanz@google.com>
To: IETF TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="047d7bdc0cf0bcb44204e2f42a67"
Subject: [TLS] channel id and oob
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2013 10:10:25 -0000
Hi guys, I was asked to write a quick analysis of draft-ietf-tls-oob-pubkey, and whether it can be applied to the use cases we have in mind for Channel ID. My conclusion is that it can not, or that the necessary modifications to the OOB draft would be too substantial to be considered during Last Call. First, the similarities: both proposals allow the client to prove possession of a key pair. The fact that this proof-of-possession is forthcoming is negotiated using the TLS extension mechanism (during ClientHello/ServerHello). Now for the differences: - We don't want the client public key to be sent in the clear. It's a client identifier, and shouldn't be known to anyone but the client and the server. - We don't want the proof-of-keypair-possession to be part of the session state, for two reasons: - It blows up the session state, with ramifications on the size of the fleet of servers that cache this information. Remember that in our use case, we don't intend this to be used for the occasional client that wants to use non-password authentication with the server; it's designed to be used by _every_ client talking to big service providers like Google. Raw public keys are of course smaller than full certificates, but they still represent a significant increase in the size of session state. - We don't want someone who is not actually wielding the private key of the keypair to make it appear to the server as if they were in control of that private key. Session resumption, however, gives you that power: Let's assume that the private key of the keypair sits in a hardware-protected secure element, and is therefore out of reach of malware. Master secrets and other session information, however, is very likely kept in RAM and therefore available to thieves. If such a thief extracts the session data from the client and resumes the session, the server will treat the thief as the holder of the original private key. If the proof-of-keypair possession is explicitly declared not part of the session, then a client has to re-prove possession of the keypair even during abbreviated handshakes. Thus, a thief of session secrets (but not of the private key) won't be able to convince a server that it is in control of that private key. The oob-draft keeps the raw key in the session state, thus inheriting this problem with session state and session resumption. - Channel ID keys are different from key material sent in the Certificate message, and the certificate message shouldn't be overloaded with this new semantics: Key material presented in the Certificate message (even if it's a raw key) presumably carries some semantics for the application: "this is a certain user", "this is an enterprise-issued machine", etc., while the Channel-ID keys are always self-generated and their semantics include (among other things) "this is the key that will be nuked when the user presses the 'reset my browsing state' button". It makes for tricky implementations when those two different semantics get mapped to the same protocol message. More importantly, applications may want to do both: authenticate a user with a client cert, and then set a channel-bound cookie as a result of the authentication. You can't do that if you only have one proof-of-possession available in the handshake. As mentioned above, I don't really see how this issues could possibly be addressed within the draft-ietf-tls-oob-pubkey draft, especially since it's in last-call. Just the first point above alone seemed to be something that folks didn't want to touch until TLS 1.3. Thoughts? Dirk.
- [TLS] channel id and oob Dirk Balfanz
- Re: [TLS] channel id and oob Hannes Tschofenig
- Re: [TLS] channel id and oob Dirk Balfanz
- Re: [TLS] channel id and oob Bodo Moeller
- Re: [TLS] channel id and oob Martin Rex