Re: [TLS] Call for adoption: draft-bhargavan-tls-session-hash

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Mon, 21 July 2014 15:57 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OmP0Ed6cHdW9W6iNHKWmBzB0QlE

We have ProVerif-based analyses that show that the session hash fixes the triple-handshake problem for clients and servers that implement any combination of:
- TLS-RSA
- TLS-DHE
- Resumption with a Cache or Session Tickets
- Renegotiation with Renegotiation Indication
- SCRAM-SHA-1-PLUS with tls-unique channel binding

The analysis shows that, even if these features of TLS are implemented unchanged (i.e. arbitrary DH groups, no public key validation, renegotiation with any third party, current definition of tls-unique), the TLS session hash guarantees composite agreement on the sequence of epochs on the current connection and also on their session parameters. The guarantee is similar to that of Giesen et al. in CCS’13 [1] but extended to session resumption and extends to some other channel bindings like tls-unique and channel ID.

Having said that, our guarantees are in the symbolic model, and are not yet cryptographic proofs. Proof of the session hash implementation in miTLS is ongoing. 

Moreover, we cannot say anything about other ciphersuites, except to give general guidelines on what to watch out for. 

If there is interest, we’d be happy to make available our formal ProVerif models in some form and cite them within the current session-hash draft.

[1] https://eprint.iacr.org/2012/630


Best regards,
Karthik

On 21 Jul 2014, at 11:19, Watson Ladd <watsonbladd@gmail.com> wrote:

> 
> On Jul 21, 2014 8:09 AM, "Sean Turner" <TurnerS@ieca.com> wrote:
> >
> > At the TLS interim meeting held Sunday the 20th of July 2014, we discussed adopting the following draft:
> >
> > http://datatracker.ietf.org/doc/draft-bhargavan-tls-session-hash/
> >
> > There was consensus to adopt it with the stipulation that the Signaling Cipher Suite Value (SCSV) be removed.  Please indicate whether you object to adoption (and why) by July 25, 2014.
> 
> I cannot say: does this fix the key exchange or not? It is unclear from the MiTLS papers, but because TLS is a mess I don't know if it fixes the problem without the MiTLS proof.
> 
> >
> > spt
> >
> > PS Stay tuned for an early code point assignment thread.
> >
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
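An added illustration (not part of the original message, nor the authors' ProVerif models or miTLS code) of what the session hash changes in the key derivation: two connections that share the hello randoms and premaster secret but present different server certificates get the same classic master secret, while the session-hash derivation separates them. It assumes the TLS 1.2 PRF with SHA-256 and the extended master secret formula as later published in RFC 7627; the handshake messages and the helper names (`make_conn`, `compare`) are constructed stand-ins, not real TLS encodings.

```python
import hashlib
import hmac

def prf(secret: bytes, label: bytes, seed: bytes, length: int = 48) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed), truncated to `length`."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def classic_master_secret(conn: dict) -> bytes:
    # Depends only on the premaster secret and the two hello randoms.
    return prf(conn["pms"], b"master secret",
               conn["client_random"] + conn["server_random"])

def extended_master_secret(conn: dict) -> bytes:
    # session_hash covers ClientHello through ClientKeyExchange, so it
    # includes the certificate and every negotiated parameter.
    session_hash = hashlib.sha256(b"".join(conn["messages"])).digest()
    return prf(conn["pms"], b"extended master secret", session_hash)

def make_conn(server_cert: bytes, wrapped_pms: bytes) -> dict:
    # Constructed stand-ins, not real TLS encodings.
    cr, sr = b"\x01" * 32, b"\x02" * 32
    return {
        "pms": b"\x03\x03" + b"\x07" * 46,
        "client_random": cr,
        "server_random": sr,
        "messages": [b"ClientHello|" + cr, b"ServerHello|" + sr,
                     b"Certificate|" + server_cert,
                     b"ClientKeyExchange|" + wrapped_pms],
    }

def compare() -> dict:
    a = make_conn(b"cert-A", b"pms-wrapped-for-A")
    b = make_conn(b"cert-B", b"pms-wrapped-for-B")
    return {
        "classic_collides": classic_master_secret(a) == classic_master_secret(b),
        "extended_collides": extended_master_secret(a) == extended_master_secret(b),
    }

if __name__ == "__main__":
    print(compare())
```

Because resumption and tls-unique build on the master secret, an implementation check for this property is that two sessions with differing transcripts never yield equal master secrets.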