Re: [TLS] TLS 1.3 comments
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Mon, 17 August 2015 12:02 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57DF1B2CFB for <tls@ietfa.amsl.com>; Mon, 17 Aug 2015 05:02:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j6Px69BpYY-c for <tls@ietfa.amsl.com>; Mon, 17 Aug 2015 05:02:49 -0700 (PDT)
Received: from emh01.mail.saunalahti.fi (emh01.mail.saunalahti.fi [62.142.5.107]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 747421B2CF8 for <tls@ietf.org>; Mon, 17 Aug 2015 05:02:49 -0700 (PDT)
Received: from LK-Perkele-VII (a91-155-194-207.elisa-laajakaista.fi [91.155.194.207]) by emh01.mail.saunalahti.fi (Postfix) with ESMTP id 0D1D6901A0; Mon, 17 Aug 2015 15:02:46 +0300 (EEST)
Date: Mon, 17 Aug 2015 15:02:46 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Message-ID: <20150817120246.GA32255@LK-Perkele-VII>
References: <55D1B5CC.1050005@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <55D1B5CC.1050005@gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/OFYhF476PnlHF8eX8pre9YjvUDw>
Cc: tls@ietf.org
Subject: Re: [TLS] TLS 1.3 comments
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Aug 2015 12:02:52 -0000
On Mon, Aug 17, 2015 at 06:22:04AM -0400, Yaron Sheffer wrote: > > Below a long list of comments, generally minor. The document is > already very good - we're making great progress!<br> > The record length field is limited by encrypted-length+2048. > Shouldn't it be 1024? - "Each AEAD cipher MUST NOT produce an > expansion of greater than 1024 bytes". Actually, I think both should be 256 (256-byte expansion from AEAD is already quite much). (This was proposed a while back). > 6: the definition of session contents should also contain > identities. The client's identity, if authenticated by cert, or > the peers' PSK identity. There is lots more missing as well, like symmetric crypto keys, TLS-Exporter secret and TLS-Unique value. IIRC the answer when I brought that up was that the whole thing should be removed. > "Access denied" alert: the description starts with "a valid > certificate was received", but it may also apply to PSK. Agreed. Authorization failure. > Handshake_failure alert seems to be synonymous with > insufficient_security (and Sec. 6.2.1 proves it...). Can we > clarify the difference, or deprecate one of them? >From my reading, the difference would be that if some negotiating some required algorithm failed because none of the options is supported at all, it is handshake_failure. If some algorithms would have been supported but are disabled, it is insufficient_security. Not sure if that makes any actual sense. > Server Configuration: how does the client know to whom the > configuration applies? For example if I connected to > "*.example.com" (a wildcard cert) and now I connect to > "srv.example.com", should I use the stored configuration? It actually gets more interesting when one has multiple potentially applicable configurations and needs to tiebreak. If there is only one config known, not much problem in trying that. > 6.3.2.3.2: it's time we specified that the recipient (in this > case, the server) MUST verify the received ECDHE public key (see > RFC 6989). This is mentioned in Appendix D but only for modular > DH. There is actually two kinds of verification: - Validating received point is on curve. - Validating that the received point is high-order. CFRG Curve25519 and Curve448 specify the needed checks here. As for Weierstrass stuff, some ECC libs have surprising presentations for infinity (which is order-1) and allow importing invalid points, so one has to be careful even with h=1. > 6.3.4: "Perhaps have a whitelist of which extensions can be > unencrypted and everything else MUST be encrypted." - this > doesn't work, because we might come up in the future with an > extension that needs to be unprotected. Maybe we can say > "SHOULD" instead. The registration procedure is "IETF consensus", so RFC updates: might not work. Also, it is unclear if extensions that introduce new messages or otherwise modify the handshake after EncrpytedExtensions are to be in ServerHello or EncryptedExtensions. > 6.3.7: expiration_date: there's no reason to force/assume time > synchronization between client and server. This can just as well > be relative time (number of seconds since negotiation), like > ticket_lifetime_hint. IIRC, the reason why it was that was was publishing configurations off-band. Also, I don't like that field being 32-bit if it is absolute time (even if it isn't signed). > D.1.2: do we really need to worry about version rollback to > SSLv2? I suggest to remove this section. Well, it is not possible to even try to negotiate TLS 1.3 using SSLv2 compat. hello, since that can't transmit extensions, but at least one extension is REQUIRED in order to successfully negotiate TLS 1.3. And the second paragraph seems to be about RSA key exchange, which isn't supported anymore in TLS 1.3. Yes, the section looks like it could be removed. But that isn't the only way rollback attacks can occur, also some clients can be coaxed to downgrade by selectively blocking connections. Unfortunately the intolerance to TLS 1.3 is so bad that many clients will likely be willing to perform unauthenticated downgrade to TLS 1.2 (and FALLBACK_SCSV is useless here). -Ilari
- Re: [TLS] TLS 1.3 comments Martin Thomson
- [TLS] TLS 1.3 comments Yaron Sheffer
- Re: [TLS] TLS 1.3 comments Ilari Liusvaara
- Re: [TLS] TLS 1.3 comments Hubert Kario
- Re: [TLS] TLS 1.3 comments Yaron Sheffer
- Re: [TLS] TLS 1.3 comments Viktor Dukhovni
- Re: [TLS] TLS 1.3 comments Martin Thomson
- Re: [TLS] TLS 1.3 comments Dave Garrett