IETF Logo Mail Archive

Re: [TLS] secdir review of draft-ietf-tls-ecdhe-psk-aead-03

Daniel Migault <daniel.migault@ericsson.com> Fri, 19 May 2017 16:58 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 159E2129526; Fri, 19 May 2017 09:58:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YEOmbOLhX0KY; Fri, 19 May 2017 09:58:10 -0700 (PDT)
Received: from mail-lf0-x230.google.com (mail-lf0-x230.google.com [IPv6:2a00:1450:4010:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55ED71294F4; Fri, 19 May 2017 09:58:10 -0700 (PDT)
Received: by mail-lf0-x230.google.com with SMTP id 99so4186874lfu.1; Fri, 19 May 2017 09:58:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=+V2BlG7CJ4wjwDCI5HgOPAYPEgdbYUi0drEqepx0PpY=; b=GbUP8NcWDSRJL37PEG3lENkC5o5sqFJGz5ZU0eXFG5i8s9C62XHUXcsNn4cI5OxExJ d97SlGJZCfnO1zDzsb2sYcSN5dLE275JNb2lqCZlCn/tySN5g179k1vLBljS2uCXsTVX zye2rF35ktbC/jQefDZfaABSGc+8NYU6zmznNjcgksl5lIS98BCTXce6jlKic5Xvwt86 wkmTCDXO1yL0cUbu8HLwil0gNYSFV3f+TH1KPM5GtoGIAvclqGGdi6yemYTvshSnvPfX qLJ7DC2Idah65cy0/hRilitcHS+pdCuw5TbTuCl2/AgY3DWyAzggrKGRF9o858tUGMYi H9tg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=+V2BlG7CJ4wjwDCI5HgOPAYPEgdbYUi0drEqepx0PpY=; b=HuMMTwJAVABH1Z+DtlrYk6zFcbSZomBlIAxR1ttJlCewDJMllGbK7TUhfG8MrtfCxg wzpyaodv7AkbK3ZrZ4X6w5gDfcgzIpUgowQjB6sz/DfPlU2N2c9M3z+8loNrWjkQFlN5 q7/1+ytbt7cCskkF8ntE4vR/RqUdm/LHR/p1zu3pLpZxThTGzLThws1tz1GBDjIR074F zDmtBrsfr7yS4gUv/yfTadtL58IK2IYxOoe99YeUPVO+DG9f5D4L4zTm7VxwcR+fbBb+ 6VStK2xOt1C/UsaDuxSL5TSXuijlLqWpifSlWCq858zVmzRc8eM7l6WqibY5v+RdCsM2 YflQ==
X-Gm-Message-State: AODbwcBRxwpTAYFV+Ev4iFBYLfpwf0Ib7ogoYG6+SxRKfkTHhkqZ5m+V nlBtL/V+wskUu9dFnwGTp2SAikFITw==
X-Received: by 10.46.69.8 with SMTP id s8mr2564481lja.55.1495213088509; Fri, 19 May 2017 09:58:08 -0700 (PDT)
MIME-Version: 1.0
Sender: mglt.ietf@gmail.com
Received: by 10.46.0.14 with HTTP; Fri, 19 May 2017 09:58:07 -0700 (PDT)
In-Reply-To: <20170519162725.GM39245@kduck.kaduk.org>
References: <20170519043827.GL39245@kduck.kaduk.org> <CADZyTkncMTsTQt6C2S+Z0mw+30uc38bfrTSCOvjWRPn_dJkDLQ@mail.gmail.com> <20170519162725.GM39245@kduck.kaduk.org>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Fri, 19 May 2017 12:58:07 -0400
X-Google-Sender-Auth: 1raqJXhaY3kI7429EhZs5caQhV8
Message-ID: <CADZyTk=id9bDfi31R+K6hC+ZKzWsjsvo8JbSCzqYGaK_1X1j7Q@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: tls <tls@ietf.org>, draft-ietf-tls-ecdhe-psk-aead.all@ietf.org, "ietf@ietf.org" <ietf@ietf.org>, The IESG <iesg@ietf.org>, secdir@ietf.org
Content-Type: multipart/alternative; boundary="001a114b07fe0114c9054fe36d55"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XC51zt16yal9ExkjdSlRwQtB5lc>
Subject: Re: [TLS] secdir review of draft-ietf-tls-ecdhe-psk-aead-03
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2017 16:58:14 -0000

Thank you,

Your comments have all been addressed. I have one remaining clarification.
In my text the SHOULD NOT was intended to the ECDHE_PSK in general, and not
only for the cipher suites of the draft. In your opinion do we clarify
this, and should we use something else than SHOULD NOT ?

Thanks for the reviews!

Yours,
Daniel

> (MD5 and SHA-1) by exclusive-ORing them together. In the case of ECDHE_PSK
> authentication, the PSK and pre-master are treated by distinct hash
> function with distinct properties. This may introduce vulnerabilities over
> the expected security provided by the constructed pre-master. As such
> TLS1.0 and TLS1.1 SHOULD NOT be used with ECDHE_PSK.

The general tenor of this text addresses my concern, yes, but feel
free to use editorial discretion and not bother putting it in, if
you don't think it's useful.  (BTW, I think we are still TLS1.0 and
TLS1.1 MUST NOT be used with these ciphersuites, so maybe the SHOULD
NOT in the last sentence is not quite what is intended.)

On Fri, May 19, 2017 at 12:27 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:

> On Fri, May 19, 2017 at 11:55:35AM -0400, Daniel Migault wrote:
> > Hi Benjamin,
> >
> > Thank you for the review. Please find my comments inline and let me know
> if
> > you agree with the proposed text. I believe the only point not addressed
> > concerns the addition of CCM-256 which has been remove after discussion
> > during the WGLC.
> >
> > Thanks you for the review,
> >
> > Yours,
> > Daniel
> >
> > On Fri, May 19, 2017 at 12:38 AM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> >
> > > Hi all,
> > >
> > > I have reviewed this document as part of the security directorate's
> > > ongoing effort to review all IETF documents being processed by the
> > > IESG.  These comments were written primarily for the benefit of the
> > > security area directors.  Document editors and WG chairs should
> > > treat these comments just like any other last call comments.
> > >
> > > This document is ready with nits.
> > >
> > > Essentially, we are filling in a gap in the TLS (< 1.3) ciphersuite
> > > space, thought of as a cross product of key exchange and
> > > cipher+mac/AEAD -- we have some of the combinations (PSK with ECDHE
> > > but no AES-[GC]CM, PSK with AES-GCM but only non-EC DH, etc.) but
> > > not quite this one.
> > >
> > > That said, it seems a little silly to only partially fill the gap
> > > (by omitting the AES_256_CCM* cipher suites), even though there is
> > > not currently demand for them.
> > >
> > > MGLT: TLS_ECDHE_PSK_WITH_AES_256_CCM_8_SHA256 and
> > TLS_ECDHE_PSK_WITH_AES_256_CCM_SHA384  were mentioned in the 01 and
> removed
> > after  the WGLC. [0] The issue was whether or not introducing new ciphers
> > not supported by TLS1.3. In 01, we though of adding the code point for
> > TLS1.2 and then specify that TLS1.3 was only implementing a **subset** of
> > the cipher suites proposed.In case of needs these could still be
> supported
> > later by TLS1.3. The consensus seems to not introduce ciphers that would
> > not be handled by TLS1.3. If the WG decides otherwise, these could still
> be
> > added.
> >
> > [0]
> > https://mailarchive.ietf.org/arch/msg/tls/M442CwmUMxrYJR8FjCh3h-a69o4/?
> qid=6e4713be1d71bae6718c6e6e6c4b8007
>
> That seems like a reasonable position for the WG to take, given how
> close TLS 1.3 is to publication.  (It would also be reasonable to
> define the full cross-product for TLS 1.2 only and have TLS 1.3 just
> use a subset, but I have no real preference.)
>
> >
> > > This document is just assembling pieces that were already specified
> > > elsewhere, so it need not contain much detail itself, which is fine.
> > > That said, I think section 3 should probably state explicitly which
> > > pieces it uses, instead of a vague reference of being "based on RFC
> > > 4279".  So, "The ServerKeyExchange and ClientKeyExchange messages
> > > from RFC 5489 for ECDHE_PSK are used, and the premaster secret is
> > > computed in the same manner as for ECDHE_PSK key exchange in RFC
> > > 5489."  (I am not sure why RFC 4279 is cited in the current text; it
> > > does not cover ECDHE_PSK.)
> > >
> >
> > MGLT: I agree we coudl be more explicit, here are the changes I propose.
> I
> > believe it address your purpose.
> >
> > OLD:
> >
> > Messages and pre-master secret construction in this
> > document are based on [RFC4279 <https://tools.ietf.org/html/rfc4279>].
> >
> > NEW:
> >
> > Messages and pre-master secret construction in this
> > document are defined in [RFC5489]. The ServerKeyExchange
> > and ClientKeyExchange messages and premaster secret is
> > computed as for  the ECDHE_PSK key exchange.
>
> That basically works for me, though I'd tweak the phrasing slightly
> for clarity/grammar:
>
> NEW2:
>
> Messages and pre-master secret construction in this
> document are defined in [RFC5489]. The ServerKeyExchange
> and ClientKeyExchange messages are used and the premaster secret is
> computed as for the ECDHE_PSK key exchange.
>
>
> >
> > > The premaster_secret structure so used basically ends up putting the
> > > ECDH output first followed by the static PSK; with the pre-TLS 1.2
> > > PRF, that would give the ECDH shared secret to md5 and the PSK to
> > > sha1, which is perhaps another reason to not use these with pre-1.2
> > > worth mentioning (in addition to the AEAD availability).
> > >
> >
> > MGLT: I believe the following text address your concern, however I am
> > wondering if we are not going beyond the scope of expected
> considerations.
>
> It perhaps is and perhaps is not worth mentioning, yes.
>
> > In addition, it is worth noting that TLS1.0 <xref target="RFC2246"/> and
> > TL1.2 <xref target="RFC4346"/> splits the premaster in two parts. The PRF
> > results of mixing the two pseudorandom streams with distinct hash
> functions
>
> "results of" is an unusual phrasing; "results from" might be more
> familiar.
>
> > (MD5 and SHA-1) by exclusive-ORing them together. In the case of
> ECDHE_PSK
> > authentication, the PSK and pre-master are treated by distinct hash
> > function with distinct properties. This may introduce vulnerabilities
> over
> > the expected security provided by the constructed pre-master. As such
> > TLS1.0 and TLS1.1 SHOULD NOT be used with ECDHE_PSK.
>
> The general tenor of this text addresses my concern, yes, but feel
> free to use editorial discretion and not bother putting it in, if
> you don't think it's useful.  (BTW, I think we are still TLS1.0 and
> TLS1.1 MUST NOT be used with these ciphersuites, so maybe the SHOULD
> NOT in the last sentence is not quite what is intended.)
>
> >
> > > The security considerations largely refer to those of the other
> > > documents providing the pieces that are combined together here;
> > > those referenced security considerations sections are more than
> > > adequate here, as this document itself does not really do anything
> > > particularly novel.  That said, if we are going to reiterate the
> > > entropy requirement for PSKs inline, we probably ought to also
> > > reiterate the nonce-reuse considerations for GCM and CCM.  The
> > > relevant constructions help, but there are still ways to mess up and
> > > reuse a nonce when doing crypto in parallel, if I remember the
> > > GCM/TLS document's security considerations correctly.
> > >
> >
> > MGLT: I believe the following text address your comments.
> >
> >  <t>GCM or CCM encryption - even of different clear text - re-using a
> > nonce with a same key undermines the security of GCM and CCM. As a
> > result, GCM and CCM MUST only be used with system guaranteeing nonce
> > uniqueness <xref target="RFC5116"/>.</t>
>
> Sure, sounds good.  (Grammar nit: "a system".)
>
> >
> > >
> > > Some other editorial nits follow.
> > >
> >
> > > In section 2, the RFC 7525 reference that "AEAD algorithms [...] are
> > > strongly recommended" is scoped to just (D)TLS, so the text here
> > > should probably also list that qualification.
> > >
> >
> > MGLT: I believe the following text address your concern:
> >
> > OLD text:
> > <t>AEAD algorithms that combine encryption and integrity protection are
> > strongly recommended for <xref target="RFC7525" /> and non-AEAD
> algorithms
> > are forbidden to use in TLS 1.3 <xref target="I-D.ietf-tls-tls13"/>.
> >
> > NEW text:
> > <t>AEAD algorithms that combine encryption and integrity protection are
> > strongly recommended for (D)TLS <xref target="RFC7525" /> and non-AEAD
> > algorithms
> > are forbidden to use in TLS 1.3 <xref target="I-D.ietf-tls-tls13"/>.
>
> Yes, thanks.
>
> > > In section 4, "... make use of the authenticated encryption with
> > > additional data (AEAD) defined in TLS 1.2" seems to make AEAD into
> > > something of a unique object, as opposed to a class of things with
> > > multiple possible instantiations.  I would consider something like
> > > "... (AEAD) concept".
> > >
> > > In section 4, "these cipher suites MUST NOT be negotiated in TLS
> > > versions prior to 1.2" should probably clarify that "these" cipher
> > > suites are the new ones specified by this document.
> > >
> > > MGLT: I believe the following text address your comment:
> >
> > OLD:
> > these cipher suites MUST NOT be negotiated in TLS  versions prior to 1.2.
> >
> > NEW:
> > the cipher suites defined in this document MUST NOT be negotiated in TLS
> > versions prior to 1.2.
> >
> >  OLD:
> > Clients MUST NOT offer these cipher suites
> >
> > NEW:
> > Clients MUST NOT offer these cipher suites defined in this document
>
> I think I only intended to comment about the first one, but there is
> no harm in changing both.  Thanks!
>
>
> -Ben
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email