Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt

Benjamin Kaduk <bkaduk@akamai.com> Tue, 12 July 2016 20:31 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5BEB212D0B8 for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 13:31:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.988
X-Spam-Level:
X-Spam-Status: No, score=-3.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zu5f_wDBnFYY for <tls@ietfa.amsl.com>; Tue, 12 Jul 2016 13:31:28 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id A54BC12D658 for <tls@ietf.org>; Tue, 12 Jul 2016 13:31:27 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id AE2344334B0; Tue, 12 Jul 2016 20:31:21 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id 95FA74334A8; Tue, 12 Jul 2016 20:31:21 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1468355481; bh=J/bOUyYEYOU2gdDXRBph2mxw8asK6mU7fxC2BCanbUY=; l=9121; h=To:References:Cc:From:Date:In-Reply-To:From; b=oPFZig7FLO1s7tAQ/mvq8bg4F+aX7MmldGGFnJA6keDByu8CVpdb21jqw1zZfQe0I 2xUV4/C/UxIDBpgTQ24sCg1HmWEV8I/G9tFDOaYYHQzoo6kgxdB1Fka3tv7zs6CGuz l1vJWSHKi7CXA4dm3YVyCubnL4JFQHXUzBLF7wBQ=
Received: from [172.19.0.25] (bos-lpczi.kendall.corp.akamai.com [172.19.0.25]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 56E971FC94; Tue, 12 Jul 2016 20:31:21 +0000 (GMT)
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Eric Rescorla <ekr@rtfm.com>
References: <CABcZeBMiLmwBeuLt=v4qdcJwe5rdsK_9R4-2TUXYC=sttmwH-g@mail.gmail.com> <20160712041624.GA30472@LK-Perkele-V2.elisa-laajakaista.fi>
From: Benjamin Kaduk <bkaduk@akamai.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <57855399.70201@akamai.com>
Date: Tue, 12 Jul 2016 15:31:21 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.8.0
MIME-Version: 1.0
In-Reply-To: <20160712041624.GA30472@LK-Perkele-V2.elisa-laajakaista.fi>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UCAE5D1AwIfiQ6ggnBsPRaZh3MU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-ietf-tls-tls13-14.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2016 20:31:35 -0000

On 07/11/2016 11:16 PM, Ilari Liusvaara wrote:
> On Mon, Jul 11, 2016 at 12:08:00PM -0700, Eric Rescorla wrote:
>> Folks,
>>
>> I've just submitted draft-ietf-tls-tls13-14.txt and it should
>> show up on the draft repository shortly. In the meantime you
>> can find the editor's copy in the usual location at:
>> As usual, comments welcome.
>> -Ekr
> Did a readthrough, here's a bunch of comments (didn't check the
> issues list):

Should we bulk-open issues for these so they don't get lost?  I will
only cherry-pick a couple to reply to.

> -----------------------------------------------------------------------
>
>> ###  Server Hello
>>
>> cipher_suite
>> : The single cipher suite selected by the server from the list in
>>   ClientHello.cipher_suites.  For resumed sessions, this field is
>>   the value from the state of the session being resumed.
>>   [[TODO: interaction with PSK.]]
> Isn't this the true ciphersuite used on this connection, "resumption"
> or not? Otherwise you can get into all sorts of crazy situations that
> WILL be sources of implementation bugs.

It probably ought to be, yes.

> The idea that it isn't true ciphersuite brings me bad flashbacks about
> TLS 1.2 ticket "maybe resume" craziness (except this would be even
> worse).

I feel like we had discussed what the resumption ciphersuite should be
previously, but I don't seem to be able to find it in my mail archives.

>
>> ### Negotiated Groups
>>
>> As of TLS 1.3, servers are permitted to send the "supported_groups"
>> extension to the client.  If the server has a group it prefers to the
>> ones in the "key_share" extension but is still willing to accept the
>> ClientHello, it SHOULD send "supported_groups" to update the client's
>> view of its preferences.  Clients MUST NOT act upon any information
>> found in "supported_groups" prior to successful completion of the
>> handshake, but MAY use the information learned from a successfully
>> completed handshake to change what groups they offer to a server in
>> subsequent connections.
> Are those supposed to be filtered to be subset of ones client advertised
> or not? E.g. if client didn't indicate support for x448, can the server
> still send x448?

Requiring filtering would prevent the client from learning when the
server supports new schemes, but having the server not filter would
likely end up with the server "always" sending a big pile of stuff even
if the client has no idea that those schemes even exist.  So, on the
balance, I would go with filtering.

>
>
>> [[TODO: Recommendation about what the client offers.
>> Presumably which integer DH groups and which curves.]]
> Bit crazy algorithm: If you haven't heard of this server before,
> pick smallest you support, if you have, pick the one it selected
> the last time.

It does make it clear that things are only as secure as the weakest
algorithm they will accept ... but stateless clients will also always
get that weakest link.  (Okay, "smallest" does not necessarily equal
"weakest", but still.)  With guidance on not supporting silly things,
this algorithm does not seem too crazy...

>
>> ### Early Data Indication
>>
>> obfuscated_ticket_age
>> : The time since the client learned about the server configuration that it is
>>   using, in milliseconds.  This value is added modulo 2^32 to with the
>>   "ticket_age_add" value that was included with the ticket, see
>>   {{NewSessionTicket}}.  This addition prevents passive observers from
>>   correlating sessions unless tickets are reused.  Note: because ticket
>>   lifetimes are restricted to a week, 32 bits is enough to represent any
>>   plausible age, even in milliseconds.
>  
> And the addition also prevents correlating session with its parent,
> even in case of reuse (this was the reason for switching to addition
> from XOR).
>
>> A server MUST validate that the ticket_age is within a small
>> tolerance of the time since the ticket was issued (see {{replay-time}}).
> Good luck with that...

It would be good to not repeat the mistake that is the 5-minute replay
window in Kerberos.  (So, shall we make "small tolerance" a concrete
value or otherwise give guidance?  5 seconds?  4xRTT? other?
But, IIRC, this check does not require absolute time agreement between
peers, only that their clocks advance at a similar rate.  If your clock
steps because you slept your laptop and you have to fall back to a full
handshake, oh well.

> Also, requirement that the server MUST proceed with the handshake and
> reject 0-RTT if that validation fails would be good here...

Definitely.

> Oh, still trial decryption... Got it. 

I had managed to previously forget how we ended up deciding on trial
decryption, but it basically was dkg commenting in the room at Buenos
Aires "are we writing a security protocol or a protocol that is
convenient to implement?" [with respect to the privacy/leakage from
having the alert or other signal be unencrypted].

>
>> #### Replay Properties {#replay-time}
>>
>> There are several potential sources of error that make an exact
>> measurement of time difficult.  Variations in client and server clocks
>> are likely to be minimal, outside of gross time corrections.  Network
>> propagation delays are most likely causes of a mismatch in legitimate
>> values for elapsed time.  Both the NewSessionTicket and ClientHello
>> messages might be retransmitted and therefore delayed, which might be
>> hidden by TCP.
> I don't think variations in clocks are minimal...

Just to check: you mean the rate at which clocks advance, and not the
absolute number reported as the time?

> I wonder what 95% timeskew interval per day is...
>
> (Oh, and have fun with leap seconds!)

It only matters how big the skew is relative to the acceptance window
and how long the ticket is valid for.  Which brings us back to what the
acceptance window is measured in...

>> ###  Encrypted Extensions
>>
>> The same extension types MUST NOT appear in both the ServerHello and
>> EncryptedExtensions.  If the same extension appears in both locations,
>> the client MUST rely only on the value in the EncryptedExtensions
>> block.  All server-sent extensions other than those explicitly listed
>> in {{server-hello}} or designated in the IANA registry MUST only
>> appear in EncryptedExtensions. Extensions which are designated to
>> appear in ServerHello MUST NOT appear in EncryptedExtensions. Clients
>> MUST check EncryptedExtensions for the presence of any forbidden
>> extensions and if any are found MUST terminate the handshake with an
>> "illegal_parameter" alert.
> This seems inconsistent. In implementation, I would write explicit disjoint
> whitelists of extensions for both (and non-whitelisted one is a fatal
> error). Explicit whitelisting is safe even on client side, since the
> extensions are bounded by client-supported ones.

You would have an explicit whitelist of all (including encrypted)
extensions for the server, so that it chokes when a client starts
sending a new one?  Or just that it would not be considered for further
processing [and potential inclusion in ServerHello]?

>
>> ## Random Number Generation and Seeding
>>
>> To estimate the amount of seed material being produced, add the number of bits
>> of unpredictable information in each seed byte. For example, keystroke timing
>> values taken from a PC compatible 18.2 Hz timer provide 1 or 2 secure bits
>> each, even though the total size of the counter value is 16 bits or more.
>> Seeding a 128-bit PRNG would thus require approximately 100 such timer values.
> This seems really obsolete. The timers have not been 18.2Hz for years, and
> applications running on operating systems damn better use OS services for
> random numbers, given that anything else is fraught with peril.
>

Sadly, there is a vocal minority of software implementors that insist
that the OS service is too slow and write their own.  But I agree this
section needs some work; I may be able to contribute some text.

>
>> #  Overview of Security Properties {#security-analysis}
>>
>> [[TODO: This section is still a WIP and needs a bunch more work.]]
>>
>> A complete security analysis of TLS is outside the scope of this document.
>> In this section, we provide an informal description the desired properties
>> as well as references to more detailed work in the research literature
>> which provides more formal definitions.
>>
>> We cover properties of the handshake separately from those of the record layer.
> I think properties of the exporter should be covered as well:

I agree (but am unlikely to be able to contribute text).

-Ben

> - Is it intended to generate secret data (yes)
> - Is it intended to generate connection-unique data (yes)
> - Are values for different labels/contexts intended to be computationally
>   independent (yes)
>
>
> (The TLS 1.2 exporter without EMS failed the middle requirement,
> creating security issues in applications that assumed the data was
> connection-unique.
>
>