IETF Logo Mail Archive

Re: [TLS] [kitten] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard

Jonathan Hoyland <jonathan.hoyland@gmail.com> Thu, 28 October 2021 17:46 UTC

Return-Path: <jonathan.hoyland@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF763A091E; Thu, 28 Oct 2021 10:46:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 79bIpJ8Ecnkm; Thu, 28 Oct 2021 10:46:39 -0700 (PDT)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EF7C3A090D; Thu, 28 Oct 2021 10:46:39 -0700 (PDT)
Received: by mail-qt1-x833.google.com with SMTP id c28so6486860qtv.11; Thu, 28 Oct 2021 10:46:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=kMODBa+9SqhbpD4XJAw/BAUqA0823Hck4w71Ek/7e1o=; b=XFO/jFJmJIxqj7hWQOWF6qUVZIjA5sjrnsIgq4XY3ozOmWuk4cNtwNBNeL/NKK+iRe ctJ/PXz3IvvETk6EZnXjpWjCOYotyMqzfJXRJGJjJwYK0iqdJDluq1nwNJokyOWFt/ly 2kzrWqvak9itD1qh55L8ebTjPFslsV1kX8UdBXNUa55IsAP4ZB0KX1DnU7Q8PhvGYpUW nZZ0/+SNKGEbIBuKvowYj5a3f/tWlZokjuOi8GrimLIv8iRtJgwUw+WZQrjOLosukQoz 7QmDFBSvLlREmHBDoVNTLlZV1mmL/CNUPBZrphQeQIvae5sDsAl7J4ajZJ5TxlVxLa6W aPOQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=kMODBa+9SqhbpD4XJAw/BAUqA0823Hck4w71Ek/7e1o=; b=RDad19nuIcjTWdP1rpDawF9dYaUxAqm9eWFeLaEQHeD+9tYAwQ3zOEUuAmqRjSS4dd v/g2UUIpe9Mz2FbG/d3I91dxut5Qy2rJqMEdbvWXQfXDAClmsjEbGkSXKUTmGfw3l6Sd rME2VZpTu39DGEs322FvP7kB7AbkhFcpAQDbZ+79sxYyj1cTEq5PCmhlp12BEEyByZ1Z ebK5uw5DX81PDJlSznyUnBG+xBMTCc7IAF5OFFYJvMEKKchpjyJX0AqYHAxL82tR5+eF HQh1M4PpzlM76we2ENJ964c/pOj82OsFdayTbvdAv2xRknmlBbKdXWtvsUn+OGn58auC MD5Q==
X-Gm-Message-State: AOAM530qP9d4JG1voeAl/RMsEkDUYteIlg6537lwlimE8rHRhBnvfrO9 owry8Qc11pp49SxoGvQ9sioB0nCXuKegkvSnvyU=
X-Google-Smtp-Source: ABdhPJzaWZgTaLpMbw7G0nV/iS0EEl+GVb3KrPd+w5RXq06mAN1OvEKrle9TETwucHhkgvYVp87GhtbL6vXWpzB/jGM=
X-Received: by 2002:ac8:5c54:: with SMTP id j20mr6275275qtj.190.1635443197943; Thu, 28 Oct 2021 10:46:37 -0700 (PDT)
MIME-Version: 1.0
References: <163311243544.13917.11736165165419008870@ietfa.amsl.com> <20211001190002.GC98042@kduck.mit.edu> <CABcZeBPQG82xJdwMrmj4-=9aJymo1xts=D6VZedBW5X9k+34cQ@mail.gmail.com> <92ed26c1-bfde-43c1-93f4-2bbdbd4f6ec1@www.fastmail.com> <CAChr6Sw6Rs42DfS8KgD3qasPcWM_gGZhWN5C4b7W7JsPy0wDzw@mail.gmail.com> <8796f867-12b8-41f8-b124-82b3ab0e2d32@www.fastmail.com> <CAChr6SyKAnBcE9t68coGGXFt9WPLuDuWtVKoCXrK+QrwAVtPXw@mail.gmail.com> <f1bcd676-13ad-49b3-a8e8-8a272e0124e3@www.fastmail.com> <CABcZeBNo0gKjNZOKPYJYraioaw6G=z5ibTqh-o9GkWsDkfDmSQ@mail.gmail.com> <c4d6f2e5-0712-42a6-aef5-0cbada7e149e@www.fastmail.com> <CABcZeBM6y-6ZqaLGZ=8qr+uBnWOOgczhcx=ruy5S=n-YrHweKg@mail.gmail.com> <ca676a77-b2c9-4926-9842-d1d6587206ed@www.fastmail.com> <CACykbs11rHUweXmR1NSU0N2rRjcQ8Sf1S+DY2LO7T+e6cLt+5w@mail.gmail.com> <e9570c02c4f703780a4e317b26607ac124a3b595.camel@ruff.mobi> <CACykbs3v0FC50WQHNqq-oXwKDE=Jha-o0P=Mgr92OgyeKPS6Ug@mail.gmail.com> <7e862904cee5f86e4b77fce23c451c2abe0dc720.camel@ruff.mobi>
In-Reply-To: <7e862904cee5f86e4b77fce23c451c2abe0dc720.camel@ruff.mobi>
From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Thu, 28 Oct 2021 18:46:26 +0100
Message-ID: <CACykbs2V0mgxDz_MK2EiqSDBGWWfvq0TAX+UpLSEZKwOoFc8HQ@mail.gmail.com>
To: "Ruslan N. Marchenko" <rufferson@gmail.com>
Cc: KITTEN Working Group <kitten@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000dd227b05cf6d4a3b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/NTKClPjC7VoY5mmwEwAtdVD8dCo>
Subject: Re: [TLS] [kitten] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Oct 2021 17:46:43 -0000

Hi Ruslan,

Yes, two distinct TLS connections having the same exporter key would be
really bad, but I'm specifically talking about two runs of some protocol
bound to a single TLS session.
A single TLS session will return the same key (modulo rekeying, resumption
etc.) if you call the Exporter API with the same label.
This means that the channel bindings it produces, which will then be used
to derive the keys of the higher layer protocol, will produce related keys.

The key reason for making the binding retrieval context-specific is to make
sure that different protocols run in the same TLS session produce disjoint
keys.
When someone tries to copy a message from a SCRAM handshake into some
GSS-API run on a single TLS connection I want to be sure that it will be
rejected, without having to understand exactly how every version of SCRAM
and GSS-API ever (including ones that will be drafted in the future) works
(not to mention every other protocol past, present, and future that uses
the same string.)

In the same way that we include strings in the TLS key schedule to ensure
that handshake messages can't be confused with each other or with earlier
versions of TLS, or even with Exported Authenticators, or MLS, or any other
protocol that uses keys, we should use channel bindings to separate
protocols run over the top of TLS.

Regards,

Jonathan

On Wed, 27 Oct 2021 at 19:39, Ruslan N. Marchenko <rufferson@gmail.com>
wrote:

> Hi Jonathan,
>
> Am Mittwoch, dem 27.10.2021 um 18:02 +0100 schrieb Jonathan Hoyland:
> > Hi Ruslan,
> >
> > Without digging into the guts of GSS-API and SCRAM I can't give you a
> > concrete attack, the issue is that all our assumptions about protocol
> > security assume that different protocols use totally separate key
> > material.
> > For example if I have one protocol that signs arbitrary blobs and
> > another that requires me to sign a challenge to prove I know a private
> > key then even if they're both perfectly secure on their own they are
> > totally broken in composition.
> > This separation of keys is one of the core reasons for the use of
> > HKDFs, it lets us take some source randomness and use it to generate
> > independent keys.
> >
> > Designing a channel binding that explicitly suggests people use the
> > same key material for different things is bad practice and poor
> > protocol design.
> > Pretty much every attack is on the table if you have multiple protocols
> > using the same keys, message forgery, improper authentication, key
> > leakage, etc.
> > The reason for separation of keys is to simply rule out this entire
> > class of vulnerability.
>
> Sorry maybe I'm missing something but why would two unrelated protocols
> have same key? The binding is derived from TLS session key, if two
> unrelated TLS sessions are having the same key this is the problem by
> itself, and binding material is not amplifying it, just falling to the
> same problem bucket. And if they are related (eg resumed) then protocol
> muxing should perhaps be part of applicaiton stack and it should still
> be happy with a common security context.
>
> > If you don't separate the keys then whenever you make any change to any
> > protocol you have to consider its security in composition with every
> > other protocol, including ones that you don't know about or that
> > haven't been written yet.
> >
> > Using different labels for different purposes shouldn't require
> > anything complicated, as it's just changing the input literals to the
> > API call.
> >
> There's a difference in telling TLS stack "give me binding of that
> type" - which is pretty much high level abstract call, and asking TLS
> to perform key derivation (export) for specific label - which requires
> speaking native TLS implementation api. Now that we have a bunch of TLS
> implementations and several abstractions and all other binding types
> are independent of the higher protocol - it may be challenging changing
> the API to make the binding retrieval context-specific. Not that it is
> impossible to make such change, but why?
>
>
>
>

v2.23.0 | Report a Bug | By Email