Re: [TLS] new version of draft-dthakore-tls-authz
"Mark Brown" <mark@redphonesecurity.com> Mon, 28 January 2013 20:57 UTC
Return-Path: <mark@redphonesecurity.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30B1A21F870E for <tls@ietfa.amsl.com>; Mon, 28 Jan 2013 12:57:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fm2QHGOU-GXJ for <tls@ietfa.amsl.com>; Mon, 28 Jan 2013 12:56:57 -0800 (PST)
Received: from g2host.com (mailfront3.g2host.com [208.42.184.241]) by ietfa.amsl.com (Postfix) with ESMTP id BFF8D21F88A9 for <tls@ietf.org>; Mon, 28 Jan 2013 12:56:55 -0800 (PST)
Received: from [24.118.98.157] (account mkbrown@visi.com HELO RPUD4) by mailfront3.g2host.com (CommuniGate Pro SMTP 5.3.11) with ESMTPA id 95521295; Mon, 28 Jan 2013 14:56:54 -0600
From: Mark Brown <mark@redphonesecurity.com>
To: 'Darshak Thakore' <d.thakore@cablelabs.com>, tls@ietf.org
References: <003601cdfa7b$af477670$0dd66350$@redphonesecurity.com> <0E515E8C52A54F4DBDF51AB79386333517F3EC6B@EXCHANGE.cablelabs.com>
In-Reply-To: <0E515E8C52A54F4DBDF51AB79386333517F3EC6B@EXCHANGE.cablelabs.com>
Date: Mon, 28 Jan 2013 14:56:49 -0600
Message-ID: <018001cdfd99$fe5f6260$fb1e2720$@redphonesecurity.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0181_01CDFD67.B3C826B0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQG+k/Eiwehat1MRXRszyylUJ3hmS5h+A3eg
Content-Language: en-us
Subject: Re: [TLS] new version of draft-dthakore-tls-authz
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Jan 2013 20:57:02 -0000
Hi Darshak, Thanks for the solid response. Sounds like you're saying: 1) For server_authz you'll generate the RandomNonce message you specify below as a challenge in a challenge-response protocol 2) For client_authz you'll repeat the server's RandomNonce value, plus the certs you're interested in sending, within the envelope (so to speak) of that which is DigitallySigned (per your spec below) 3) To accomplish authorization, the server will verify the signature and validate the RandomNonce value as being "the value that I sent to this client." Does this overcome replay attacks? Not an easy question. We should consider if a MITM could splice in bad RandomNonce values or somehow gain advantage by replaying old signed ones. MITM would *have* to make the server believe that an old RandomNonce value, call it N1, was valid. It seems unlikely, IMO, unless MITM could force a collision such that server thought "Yeah, I just sent this N1 to the client," even when it was the same N1 value some client had signed a while ago. This seems reasonably safe when considering your suggestions from a protocol point of view. So far, then, I think your suggestions are just fine, IMO. How about when considering the implementation point of view? Did you assume that the application layer is going to implement the random number generator (RNG) and the store of N1, N2, . corresponding to TLS handshake H1, H2, . in a "hardened" way? Where I'm headed with this is to suggest that the implementation would be best if you used some existing TLS implementation for the RNG. To explain, I'd start by observing that NIST SP800-90A approves of two DRBG's: AES and SHA. If you seed them properly, these functions will do the job very well. Should the application layer implement SHA? Not if the TLS layer already has done so. And how should it be seeded? The TLS layer already does this very well - using two computers' contributions toward entropy instead of just one, which is a higher bar than most applications like to hit. And how should the relation between N1, N2, . and H1, H2, . be implemented? The TLS layer already does this quite well (each TLS session state includes the running hash I suggested, on a per-handshake basis). If you grant that TLS does a nice job of seeding and maintaining a DRBG on a per-session basis, then should the TLS layer or the application layer reach into the TLS state structures and duplicate the current hash state and finalize it into a hash output? Because problems with weak RNGs implemented by non-crypto developers are historically problematic, I'd recommend sticking with the running handshake message hash as the RNG for this application of tls_authz. Then you could be quite sure your validation step (in 3) would be quite strong for years to come. --mark From: tls-bounces@ietf.org [mailto:tls-bounces@ietf.org] On Behalf Of Darshak Thakore Sent: Sunday, January 27, 2013 7:12 PM To: tls@ietf.org Subject: Re: [TLS] new version of draft-dthakore-tls-authz Hi Mark, Thanks for the feedback and the link to the paper. I agree that the dtcp_authz_data structure currently defined excludes the RandomNonce (or the equivalent running hash as you suggested) out of the signature and it should have included it. I can update the struct accordingly. Given that modification, would there still be a need to put in a running hash of all the messages? My primary concern with including a running hash in the struct is that this structure is a payload of the SupplementalData message and as per RFC4680, it is an application's responsibility to provide this information. I'm not sure if we can assume that an application always has access to all messages at the TLS protocol layer. Also one point of clarification, the client will not be generating its own nonce, rather it will take the nonce it has received from the server in the server's SupplementalData message and include it in its own SupplementalData message. With that modification, the struct would be something like struct { opaque random_bytes[32]; } RandomNonce; struct { RandomNonce nonce; opaque DTCPCert<1..2^24-1>; opaque ASN.1Cert<0..2^24-1>; } DigitallySigned; struct { DigitallySigned certs; opaque signature[40]; } dtcp_authz_data; When the server sends this in its SupplementalData message, it will generate the RandomNonce. When the client sends back its own SupplementalData message, it will include the one it received from the server. With that, if we only consider the scenario of the client sending its DTCP Certificate, there are two possible options, one in which the client is also using its X.509 certificate (i.e. it will send its ClientCertificate and CertificateVerify messages also) and the other is where the client does not have an X.509 certificate to send. For the first case, an example exchange would be something like: 1. Client sends ClientHello, Server Sends ServerHello 2. Server sends SupplementalData that only has a RandomNonce (N1) 3. Server sends Certificate, CertificateRequest and ServerHelloDone 4. Client sends SupplementalData that has [(N1, DTCP Cert, X.509 Cert) Signature covering all three elements] 5. Client sends Certificate message (needs to be the same X.509 Cert as above) 6. Client sends ClientKeyExchange, ChangeCipherSpec and Finished 7. Server sends ChangeCipherSpec and Finished Would this address the replay attack? Regards, Darshak From: Mark Brown <mark@redphonesecurity.com> Date: Thursday, January 24, 2013 2:42 PM To: Darshak Thakore <d.thakore@cablelabs.com>, "tls@ietf.org" <tls@ietf.org> Subject: RE: [TLS] new version of draft-dthakore-tls-authz Hi Darshak, I'm still concerned with replay attacks, despite the updates. The structures in 3.2 haven't changed materially, and the explanations make me more sure there's this problem: the specified RandomNonce won't prevent replay attacks. You might consider prior protocol analyses, for example this paper: http://www2.cs.uidaho.edu/~jimaf/papers/replay02.pdf To (over)simplify, follow the example of TLS CertificateVerify used for client authentication: instead of an arbitrary nonce, take a hash over *all* of the handshake messages sent/received so far (i.e. the output from the hash function run over these concatenated messages). Doing so gives a more useful session-identifying "nonce". Since the session messages "so far at this point" include client nonce, server nonce and server certificate, I'd estimate that you've overcome the 1995 Lowe attack (see http://en.wikipedia.org/wiki/Needham%E2%80%93Schroeder_protocol#Fixing_the_m an-in-the-middle_attack ). How to say this well? The text for CV gives a template, see: http://tools.ietf.org/html/rfc5246#section-7.4.8. Your structures might be: The set of all Handshake Messages in the run so far, using http://tools.ietf.org/html/rfc5246#section-7.4 : handshake_hash = Hash(handshake_messages); Your client_authz must contain an assertion as a component, such as: struct { opaque handshake_hash[hash_length]; opaque DTCPCert<1..2^24-1>; [[opaque ASN.1Cert<1..2^24-1>]]; } DTCPClientAssertion; Your client_authz SupplementalData message should contain the assertion plus its signature, e.g.: assertion_hash = Hash(DTCPClientAssertion); signature = ECDSA_Sign(assertion_hash); struct { DTCPClientAuthz client_assertion; opaque signature<1..2^16-1>; } dtcp_authz_data; This last struct is very similar to http://tools.ietf.org/html/rfc5246#section-4.7 "DigitallySigned", but omits the SignatureAndHashAlgorithm identifier for two reasons: 1) the signature and hash algorithms are DTCP's not TLS's and so the registry and code points may differ 2) the DTCPClientAssertion.DTCPCert should contain this information, and currently it's a mandatory-include part of the message. At this point, I've only presented an assertion that's appropriate for client_authz, but I think that's all that *should* be specified. I would eliminate sending server_authz from the server to the client for your use case. Sincerely, mark
- [TLS] new version of draft-dthakore-tls-authz Darshak Thakore
- Re: [TLS] new version of draft-dthakore-tls-authz Mark Brown
- Re: [TLS] new version of draft-dthakore-tls-authz Nikos Mavrogiannopoulos
- Re: [TLS] new version of draft-dthakore-tls-authz Darshak Thakore
- Re: [TLS] new version of draft-dthakore-tls-authz Darshak Thakore
- Re: [TLS] new version of draft-dthakore-tls-authz Mark Brown