Re: [TLS] EAP-in-TLS and channel bindings
Nico Williams <nico@cryptonector.com> Mon, 04 April 2011 04:34 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 79A9628C0F3 for <tls@core3.amsl.com>; Sun, 3 Apr 2011 21:34:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.914
X-Spam-Level:
X-Spam-Status: No, score=-1.914 tagged_above=-999 required=5 tests=[AWL=0.063, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fZCHkDalwQAp for <tls@core3.amsl.com>; Sun, 3 Apr 2011 21:34:27 -0700 (PDT)
Received: from homiemail-a34.g.dreamhost.com (caiajhbdccah.dreamhost.com [208.97.132.207]) by core3.amsl.com (Postfix) with ESMTP id 5D8CA28C0E6 for <tls@ietf.org>; Sun, 3 Apr 2011 21:34:27 -0700 (PDT)
Received: from homiemail-a34.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTP id 314AA1005D for <tls@ietf.org>; Sun, 3 Apr 2011 21:36:09 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=dxrkDkLjMSEmZLoBtXvqmUNs2TJLAshIOie/XKmDpOoQ tkdBVx9M/WUvgH/prpE35U8ko7tlNcwUietKA6Btv/xo8ZATtYFNQIJyBiaroBrk Ps7sziCT5uhWBQ0LWw+R/ge7sHYLgVaozeIDRXpSNNSTNbWGJy7gc3FUjP504ro=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:cc:content-type:content-transfer-encoding; s= cryptonector.com; bh=D/bBdpHEnkhVnxDkdR10D6Sx048=; b=MY3OqLK5uCE bXGCmH2v2en1L+GBqutc3RM2UxdRy7LqEj7s36UsXNoPasnWiNosXQv62XaJCVe2 GZ4Ej7078j7Udzu1aSonmEpPDjIhFmnywjfrOt24PQDyf55ApoEOa+UszojdDhBu gol5tEuPKRgCO1WOTAOLPhvaeosdtocU=
Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a34.g.dreamhost.com (Postfix) with ESMTPSA id F35BC10059 for <tls@ietf.org>; Sun, 3 Apr 2011 21:36:08 -0700 (PDT)
Received: by vxg33 with SMTP id 33so4637345vxg.31 for <tls@ietf.org>; Sun, 03 Apr 2011 21:36:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.52.68.65 with SMTP id u1mr3518596vdt.310.1301891768433; Sun, 03 Apr 2011 21:36:08 -0700 (PDT)
Received: by 10.52.157.100 with HTTP; Sun, 3 Apr 2011 21:36:08 -0700 (PDT)
In-Reply-To: <F50A7509-951E-435E-A00B-2D366F240B19@checkpoint.com>
References: <87ipuycqip.fsf@latte.josefsson.org> <AANLkTi=qgzJSizeS22ewyYB3cHZBoESMXrt0xO=QJgHP@mail.gmail.com> <F50A7509-951E-435E-A00B-2D366F240B19@checkpoint.com>
Date: Sun, 03 Apr 2011 23:36:08 -0500
Message-ID: <BANLkTikROgMh-dP=fT6ZQr1o-A90fgnxzQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Yoav Nir <ynir@checkpoint.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Simon Josefsson <simon@josefsson.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] EAP-in-TLS and channel bindings
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2011 04:34:28 -0000
On Sat, Apr 2, 2011 at 1:00 PM, Yoav Nir <ynir@checkpoint.com> wrote: > Thanks for this. One of our earlier versions of our proposal looked like this: > > [...] > > The only difference is that InterimAuth is renamed to "Finished", and the last handshake message is renamed to "EAP-Finished". Putting it like this, it looks very much like figure 2 in your draft. The reason we chose to go with InterimAuth in the middle rather EAP-Finished in the end was because the usual semantic for "Finished" is that the application data follows, while we consider the EAP part to be an extension of the handshake that precedes application data. In your draft, the SASL authentication is sent as data. Indeed! This is very much like my proposal. The key is that the round-trips required by EAP beyond those required by TLS do not hold up the end of the TLS handshake. The application can negotiate the use of EAP in this way via a Hello extensions and then the application can hold off the start of the normal application data protocol until after the EAP (or GSS, or SASL, or whatever) exchange completes. I believe none of the normal objections to earlier proposals apply to such a design because a) only normal TLS extension slots are used, b) the TLS state machine is not changed, only the application protocol is changed. In fact, no changes should be needed to any TLS implementation that provides the necessary extensions hooks, and this is a critical feature. > EAP methods have no use for the tls-unique channel binding. However, I think that whether the EAP message is sent as a handshake message or as application data, the calculation of tls-unique needs to change in case of EAP authentication. Do you think a good value for it would be to take the tls-unique used for the Finished (or "interimAuth") record, concatenate the MSK from EAP, and hash them together? I'm not sure that EAP has no use for tls-unique here... Suppose you're talking to an MITM (see the Comodo CA compromise...). Don't you want to make sure that they are not able to cut-n-paste the EAP exchange to the real service?? I would think that you do! In EAP this would be called "cryptographic binding", not "channel binding" -- we have a sad terminology issue :( > If a proposal like this is more palatable to the group (and doesn't change the state machine as much), I think this can be worked out. I have found it very difficult to elicit approving noises from the TLS WG, but as you know it's quite simple to get the WG to make negative noises. I'm not sure how you'd go about getting approving noises other than to push through and see what happens as your I-D progresses. However, as I said, the key test of whether your proposal plays well with TLS will be whether you need to make any changes to TLS itself. If you can avoid TLS changes (to the spec, to implementations [except for the purpose of adding TLS functionality already specified]) then you're golden. I'd go further: your work wouldn't even fall under the TLS WG charter (though you'd still want to give the WG's participants an opportunity to review your I-D). In other words: just adjust back to the protocol design described above and in my I-D and move forward towards publication. Nico --
- [TLS] EAP-in-TLS and channel bindings Simon Josefsson
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Simon Josefsson
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Michael D'Errico
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Michael D'Errico
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- [TLS] Modifying the TLS state machine Simon Josefsson
- Re: [TLS] Modifying the TLS state machine Yoav Nir
- Re: [TLS] Modifying the TLS state machine Nico Williams
- Re: [TLS] Modifying the TLS state machine Eric Rescorla
- Re: [TLS] EAP-in-TLS and channel bindings Yaron Sheffer
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] Modifying the TLS state machine Nikos Mavrogiannopoulos
- Re: [TLS] Modifying the TLS state machine Eric Rescorla
- Re: [TLS] Modifying the TLS state machine Nikos Mavrogiannopoulos
- Re: [TLS] Modifying the TLS state machine Nico Williams
- Re: [TLS] Modifying the TLS state machine Nico Williams
- Re: [TLS] Modifying the TLS state machine Martin Rex
- Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
- Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams