IETF Logo Mail Archive

Re: [TLS] Summary of discussion regarding spontaneuous authentication

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Wed, 22 October 2014 12:54 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4510D1A8BC4 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 05:54:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 17ND5pYcu6sd for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 05:54:02 -0700 (PDT)
Received: from emh03.mail.saunalahti.fi (emh03.mail.saunalahti.fi [62.142.5.109]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A22C81A8AFE for <tls@ietf.org>; Wed, 22 Oct 2014 05:54:01 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh03.mail.saunalahti.fi (Postfix) with ESMTP id 793FB1887AC; Wed, 22 Oct 2014 15:53:59 +0300 (EEST)
Date: Wed, 22 Oct 2014 15:53:59 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20141022125359.GA18704@LK-Perkele-VII>
References: <CABkgnnUAhEV=wLZyTew=ne7VgSq50XYR3Fo5EfjNXc8=_hbpyg@mail.gmail.com> <CABkgnnXAk+HU2yaUJdOQ0w-heHwYrPK6Zf3HrH5tU+2Tk7_cCA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABkgnnXAk+HU2yaUJdOQ0w-heHwYrPK6Zf3HrH5tU+2Tk7_cCA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/PdNyW-uwN0CirHdyoLrnnJM-Jq4
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Summary of discussion regarding spontaneuous authentication
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 12:54:04 -0000

On Wed, Oct 22, 2014 at 05:07:29AM -0700, Martin Thomson wrote:
> I forgot one point that we discussed.
> 
> We discussed the removal of the CertificateRequest and we will permit
> the client to unilaterally send authentication.

CertificateRequest has fields certificate_types and
supported_signature_algorithms (there's also third field, but IMO
that's better sent at application level). Where is the equivalent
data put?
 
> On 22 October 2014 03:04, Martin Thomson <martin.thomson@gmail.com> wrote:
> > The update proposal that ekr sent around was discussed.
> >
> > The primary concern was that the properties of the connection were
> > considered to change with respect to authentication.  Any data
> > received before the authentication, or messages that appear partially
> > before and partially after would have ambiguous properties.
> >
> > Concerns were raised that having the authentication attest to data
> > that was sent prior to the authentication would expose us to a variety
> > of attacks that relied on confusion about the state of the connection.
> > There was also a concern that this would be difficult to analyse.

The behaviour of authentication credentials being updated mid-connection
is highly application-dependent.

In practicular, any application protocol wanting to support such thing
needs to carefully specify, in race-free way, what authority applies
to each piece of data.

So client doesn't send piece of data, thinking it is using authority A,
but server goes and interprets it using authority B.

And for some applications, one wants to be possible to have multiple
authentications at once.

Client and server being confused about authority results in security
holes. And those holes are being exploited in the wild.

> > It was pointed out that update was still interesting, but only from a
> > rekeying perspective, because that had far lesser risks and no real
> > API implications.

Note that rekeying interacts with TLS-EXTRACTOR, which is part of API.

In practicular, how to avoid race conditions between key update and
use of TLS-EXTRACTOR output?


-Ilari

v2.23.0 | Report a Bug | By Email