IETF Logo Mail Archive

Re: [TLS] [kitten] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard

Dave Cridland <dave@cridland.net> Tue, 09 November 2021 16:13 UTC

Return-Path: <dave@cridland.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 675263A0AEE for <tls@ietfa.amsl.com>; Tue, 9 Nov 2021 08:13:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cridland.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gEakpzXEmETt for <tls@ietfa.amsl.com>; Tue, 9 Nov 2021 08:13:38 -0800 (PST)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F09D3A0B21 for <tls@ietf.org>; Tue, 9 Nov 2021 08:13:16 -0800 (PST)
Received: by mail-wm1-x329.google.com with SMTP id y196so16287284wmc.3 for <tls@ietf.org>; Tue, 09 Nov 2021 08:13:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cridland.net; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=S99AO/YNNmz7KLLOZOoNfN5RDZthHdMQLq4ro64eEA8=; b=cJFBjxftMXfq/w0zf/LpTeJUbgfK7/TtZuO70WsFjBqKmSe5WmSsfIfx8CSJhPwkWc r7KOy7+k7v4u2SJegkYer5aFJzE80XjPNCzcIf0T83nZ7KiXBdPcEeZknWMJr3+wL8VU YsF4cv2/TGcFqJ3CgXaf94Zn6zQrWHlsZYpGQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=S99AO/YNNmz7KLLOZOoNfN5RDZthHdMQLq4ro64eEA8=; b=PH6knwssFXV8wafhJ9Y0I/f5oiDpE6C3PXQiG+NBU6To7VEoRTAu+O1EGt4Si3aY96 CPsJRy//8+JMoSolF6BGnidunt8G/nTO2ZAuG9fhc90Vi1cK6+2TaAgHiAN7xRtRIQib ozI3n1R21ycDw0R4qE6gv0xTDWXyPO6vYSqS6PEecTqEnoXUcPqMU1jj020D4wak+NmW OuV3j5xoje1Sdip79SXqCMPuEUbzJa1XRcjNiQMGwkhel0EJMCN9vboNvjxXckEfFitg qcRoMnoX5rBSTgu4vCHiDl0QUHHb4fqfGMIr3eqkQv2qoDBoLDC4tTQlwbXxhohK5QNd UUZQ==
X-Gm-Message-State: AOAM5301QZHWV6mGF64/rT/gLrMhj8aMp0VU3WIaupmYSVG1NruAwXoI DCMXZM8tdT59AcUctbG5TaT5K1VFpKB3g/440ua5Vg==
X-Google-Smtp-Source: ABdhPJzaOOlPpjHiZyQKl2ZhwgnUVXmAtfAqdCXsLWN4/zXakyZzwKylkoXrIvFREsRiLX9roEFexuUyT8+vzHRuW+Y=
X-Received: by 2002:a05:600c:b46:: with SMTP id k6mr8381832wmr.45.1636474392432; Tue, 09 Nov 2021 08:13:12 -0800 (PST)
MIME-Version: 1.0
References: <163311243544.13917.11736165165419008870@ietfa.amsl.com> <20211001190002.GC98042@kduck.mit.edu> <CABcZeBPQG82xJdwMrmj4-=9aJymo1xts=D6VZedBW5X9k+34cQ@mail.gmail.com> <92ed26c1-bfde-43c1-93f4-2bbdbd4f6ec1@www.fastmail.com> <CAChr6Sw6Rs42DfS8KgD3qasPcWM_gGZhWN5C4b7W7JsPy0wDzw@mail.gmail.com> <8796f867-12b8-41f8-b124-82b3ab0e2d32@www.fastmail.com> <CAChr6SyKAnBcE9t68coGGXFt9WPLuDuWtVKoCXrK+QrwAVtPXw@mail.gmail.com> <f1bcd676-13ad-49b3-a8e8-8a272e0124e3@www.fastmail.com> <CABcZeBNo0gKjNZOKPYJYraioaw6G=z5ibTqh-o9GkWsDkfDmSQ@mail.gmail.com> <c4d6f2e5-0712-42a6-aef5-0cbada7e149e@www.fastmail.com> <CABcZeBM6y-6ZqaLGZ=8qr+uBnWOOgczhcx=ruy5S=n-YrHweKg@mail.gmail.com> <ca676a77-b2c9-4926-9842-d1d6587206ed@www.fastmail.com> <CACykbs11rHUweXmR1NSU0N2rRjcQ8Sf1S+DY2LO7T+e6cLt+5w@mail.gmail.com> <CAKHUCzz5ErY0xuBXVRuoNeZ3RS-7MwKrGH37kgZ=qwyqb-CgOg@mail.gmail.com> <CACykbs251Tn77jMN_YjcL8RxSax0NcFp8RNRT+oJp1Z=Z+qB2A@mail.gmail.com>
In-Reply-To: <CACykbs251Tn77jMN_YjcL8RxSax0NcFp8RNRT+oJp1Z=Z+qB2A@mail.gmail.com>
From: Dave Cridland <dave@cridland.net>
Date: Tue, 09 Nov 2021 16:13:01 +0000
Message-ID: <CAKHUCzw=_QRTdOovSBwV0VeN1M-7b9fSXonTyfF_oo4_VAGaBQ@mail.gmail.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: Sam Whited <sam@samwhited.com>, KITTEN Working Group <kitten@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/drXCl4RrvQpIhMtyWj7IzD9Rohk>
Subject: Re: [TLS] [kitten] Fwd: Last Call: <draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt> (Channel Bindings for TLS 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Nov 2021 16:13:43 -0000

On Tue, 9 Nov 2021 at 16:01, Jonathan Hoyland
<jonathan.hoyland@gmail.com> wrote:
>
> Hi All,
>
> My specific solution is to simply include a different fixed string for each variant of SCRAM and GSS-API, and ideally a nonce.

I think you may mean SASL and GSS-API, but more probably I think you
need to decide what it is you mean.

SCRAM *already* includes a nonce in its hash calculations. Your
proposal is to include another, to avoid an unspecified attack.

> Given that applications will have to update their stacks anyway to accommodate the new fixed string in the current proposal I don't see that as a hugely difficult proposition.
>
> The goal of labels in material that is used to derive keys (yes, material that is used to derive keys is necessarily secret, yes material derived from keys is not necessarily secret), is to exclude classes of attack.
> It is good protocol design.
>
> One of the things use of a TLS channel binding gives you is protection for the upper level protocol against TLS being MITMed.
> Using a fixed string for multiple protocols probably gives you that protection (assuming the channel binding is correctly agreed by both sides).
>
> Using a distinct channel binding, even if the upper level protocol is not secure, means that if both sides agree on the channel binding they agree on the intent of the upper layer protocol, i.e. it gives you some level assurance that the client and server agree on what was intended.
> This eliminates classes of attack such as message confusion.
> Adding this protection costs virtually nothing, given that you are _already_ commiting to updating this section of code (no code currently makes this specific call to the TLS-Exporter interface).
> Leaving it out means that people like me who do formal analysis can't reasonably analyse these designs.
> I build models of protocols and prove they meet certain properties.
> The only way to keep that analysis viable (we're already talking hundreds of hours of work) is to eliminate classes of attack wholesale.
> Yes, you can add unique and clever protections into every sub-protocol, but it makes formally proving anything about the security exponentially harder (and yes, I mean that in the literal / mathematical sense).

SASL (and GSS-API) are pluggable authentication systems which means
that if you want a formal proof (or even just a finger-in-the-air
back-of-the-envelope one) you have to do it against a specific SASL
(or GSS-API) mechanism.

Without knowing the mechanism, it's impossible to perform a formal
proof, because you don't know how the channel binding is exchanged and
proven, and so you would be missing an absolutely crucial part of your
model.

Dave.

v2.23.0 | Report a Bug | By Email