Re: [TLS] channel id and oob
Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 18 October 2013 12:03 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8504221F9F88 for <tls@ietfa.amsl.com>; Fri, 18 Oct 2013 05:03:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level:
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FwLICHRqj+gH for <tls@ietfa.amsl.com>; Fri, 18 Oct 2013 05:03:24 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) by ietfa.amsl.com (Postfix) with ESMTP id 2D3CE11E8102 for <tls@ietf.org>; Fri, 18 Oct 2013 05:03:23 -0700 (PDT)
Received: from [172.16.254.200] ([80.92.116.76]) by mail.gmx.com (mrgmx101) with ESMTPSA (Nemesis) id 0MS1g6-1V9X7Y0MP4-00TCJI for <tls@ietf.org>; Fri, 18 Oct 2013 14:03:22 +0200
Message-ID: <526123A7.5050305@gmx.net>
Date: Fri, 18 Oct 2013 14:03:51 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
MIME-Version: 1.0
To: Dirk Balfanz <balfanz@google.com>, IETF TLS WG <tls@ietf.org>
References: <CADHfa2A7jERE=UTudOLcWnH7KppYH+7hcbRJg4aGZuwFeLBqnw@mail.gmail.com>
In-Reply-To: <CADHfa2A7jERE=UTudOLcWnH7KppYH+7hcbRJg4aGZuwFeLBqnw@mail.gmail.com>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Provags-ID: V03:K0:+0aS8ccBGz9T7VJTX7zOiqJxyKC798vUTFMgKNBTmeBCRhMm/5N 4rPXsUWn0OQ6mMxQz/xyoKFh18vJKzbcWSiwk+JMQvPOzpQ0wM7rIyxE2eKzH00YVXSH6pG 1+vgsLMwLgcQJF0+SS33YUZKnI2gU5Ff0sRbfPnmB42zuGTTBRTJ6PT+N/aT4b5Si58v0xA lAh/LvZ6hgWyoFeOAh5fQ==
Subject: Re: [TLS] channel id and oob
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Oct 2013 12:03:29 -0000
Hi Dirk, thanks for looking at the two specifications. A few remarks below: On 08/02/2013 12:10 PM, Dirk Balfanz wrote: > Hi guys, > > I was asked to write a quick analysis of draft-ietf-tls-oob-pubkey, and > whether it can be applied to the use cases we have in mind for Channel ID. > > My conclusion is that it can not, or that the necessary modifications to > the OOB draft would be too substantial to be considered during Last Call. > > First, the similarities: both proposals allow the client to prove > possession of a key pair. The fact that this proof-of-possession is > forthcoming is negotiated using the TLS extension mechanism (during > ClientHello/ServerHello). > > Now for the differences: > > * We don't want the client public key to be sent in the clear. It's a > client identifier, and shouldn't be known to anyone but the client > and the server. This is an aspect the group agreed to solve via a separate extension, if I remember it correctly since it has wider applicability than just for these documents. Recalling Ekr's presentation about TLS 1.3 from the last IETF meeting he mentioned that this would be one of the features of the new version. Whether it is useful to define an extension that can be used with TLS 1.1/1.2 is a decision the ADs and chairs need to make. > > * We don't want the proof-of-keypair-possession to be part of the > session state, I am not entirely sure what you mean by "proof-of-keypair-possession to be part of the session state". for two reasons: > o It blows up the session state, with ramifications on the size of > the fleet of servers that cache this information. > Remember that > in our use case, we don't intend this to be used for the > occasional client that wants to use non-password authentication > with the server; it's designed to be used by _every_ client > talking to big service providers like Google. Raw public keys > are of course smaller than full certificates, but they still > represent a significant increase in the size of session state. The document does not require servers to store the received raw public key. > o We don't want someone who is not actually wielding the private > key of the keypair to make it appear to the server as if they > were in control of that private key. Session resumption, > however, gives you that power: Let's assume that the private key > of the keypair sits in a hardware-protected secure element, and > is therefore out of reach of malware. Master secrets and other > session information, however, is very likely kept in RAM and > therefore available to thieves. If such a thief extracts the > session data from the client and resumes the session, the server > will treat the thief as the holder of the original private key. > If the proof-of-keypair possession is explicitly declared not > part of the session, then a client has to re-prove possession of > the keypair even during abbreviated handshakes. Thus, a thief of > session secrets (but not of the private key) won't be able to > convince a server that it is in control of that private key. You don't have to use session resumption if you do not want. I also consider the threat a bit unrealistic. If you assume that the end device is compromised then what prevents the malware from obtaining the private key before it gets into the hardware-protected secure element. I believe in your scenario you are not talking about a long-term ephemeral key pair but rather something that is dynamically created on the end device or dynamically provisioned. > > The oob-draft keeps the raw key in the session state, thus > inheriting this problem with session state and session resumption. We actually don't say anything about keeping the key in session state nor about session resumption. I consider those aspects implementation and configuration issues. > > * Channel ID keys are different from key material sent in the > Certificate message, and the certificate message shouldn't be > overloaded with this new semantics: Key material presented in the > Certificate message (even if it's a raw key) presumably carries some > semantics for the application: "this is a certain user", "this is an > enterprise-issued machine", etc., while the Channel-ID keys are > always self-generated and their semantics include (among other > things) "this is the key that will be nuked when the user presses > the 'reset my browsing state' button". It makes for tricky > implementations when those two different semantics get mapped to the > same protocol message. More importantly, applications may want to do > both: authenticate a user with a client cert, and then set a > channel-bound cookie as a result of the authentication. You can't do > that if you only have one proof-of-possession available in the > handshake. With the raw public key we actually do not say what identity the key refers to. You are correct that there is an issue if we want to provide two layers of authentication within TLS and I am not sure whether that is even in scope of your document either since it is not discussed. > > As mentioned above, I don't really see how this issues could possibly be > addressed within the draft-ietf-tls-oob-pubkey draft, especially since > it's in last-call. Just the first point above alone seemed to be > something that folks didn't want to touch until TLS 1.3. > > Thoughts? What we could do is the following: a) Brainstorm whether we see the two layers of authentication as a valid use case. I don't think we both do but maybe someone else does. b) We work on a specification that provides the confidentiality protection of information exchanged by the client. This could be useful in a number of cases, even work that is currently ongoing in the TLS working group right now. c) We clarify the issues regarding the session state. I did not occur to me that this would be something to write about in the document but maybe it is worthwhile to have a discussion about it. Ciao Hannes > > Dirk. > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] channel id and oob Dirk Balfanz
- Re: [TLS] channel id and oob Hannes Tschofenig
- Re: [TLS] channel id and oob Dirk Balfanz
- Re: [TLS] channel id and oob Bodo Moeller
- Re: [TLS] channel id and oob Martin Rex