IETF Logo Mail Archive

Re: [TLS] Server time

Hauke Mehrtens <hauke@hauke-m.de> Sun, 05 April 2015 16:32 UTC

Return-Path: <hauke@hauke-m.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57F271A89ED for <tls@ietfa.amsl.com>; Sun, 5 Apr 2015 09:32:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.562
X-Spam-Level:
X-Spam-Status: No, score=-1.562 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u701OLymsRPE for <tls@ietfa.amsl.com>; Sun, 5 Apr 2015 09:32:36 -0700 (PDT)
Received: from hauke-m.de (hauke-m.de [5.39.93.123]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DABA21A895D for <tls@ietf.org>; Sun, 5 Apr 2015 09:32:35 -0700 (PDT)
Received: from [192.168.178.22] (ip-109-43-19-230.web.vodafone.de [109.43.19.230]) by hauke-m.de (Postfix) with ESMTPSA id 424ED20541; Sun, 5 Apr 2015 18:32:33 +0200 (CEST)
Message-ID: <5521639F.4070500@hauke-m.de>
Date: Sun, 05 Apr 2015 18:32:31 +0200
From: Hauke Mehrtens <hauke@hauke-m.de>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: noloader@gmail.com, Dave Garrett <davemgarrett@gmail.com>
References: <201504041352.12431.davemgarrett@gmail.com> <CAKC-DJj0rKNVXc1XJ4W2yiGY2bXYsXtAfubGEmO8JsoBu2kfvA@mail.gmail.com> <201504041757.05854.davemgarrett@gmail.com> <CAH8yC8=wAaZBm0QzDC4oMOM8Ywzj9pnVCbYNpjmdOhxYOoorqg@mail.gmail.com>
In-Reply-To: <CAH8yC8=wAaZBm0QzDC4oMOM8Ywzj9pnVCbYNpjmdOhxYOoorqg@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ffeD9kUS6z89X2bEoMtr32TN8ls>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Server time
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Apr 2015 16:32:37 -0000

On 04/05/2015 12:10 AM, Jeffrey Walton wrote:
> On Sat, Apr 4, 2015 at 5:57 PM, Dave Garrett <davemgarrett@gmail.com> wrote:
>> ...
>>
>> Do a ping with a time request after authentication and it would be protected, measure latency, and easily provide precise remote time adjusted for response time. Might be overkill, though it'd be simple enough to add.
>>
> I think the problem here is channel setup will fail *if* the client's
> clock is wrong. The client will fail to validate the end-entity
> certificate due to problems with the notBefore and notAtfer (even
> though its correct). You won't have a channel to perform the ping.

If the client trusts the servers clock the notBefore and notAtfer check
is useless, because a bad server could change the time of the check to a
value where the certificate check is valid. If you take the time from
the same entity where you get your certificate to check from the time
check is useless.

There is a big problem with embedded devices, which do not have a real
time clock.

One solution would be that you burn a valid certificate or CA
certificate into a firmware and your device trusts this certificate
regardless of the validity period. And this server could be used to get
the time from. But wouldn't it be better to deign this as an extra
protocol on top of TLS/DTLS?

The German electronic identity card is unable to do any online checks
and does not have a real time clock. It stores the issue date of the
most recent certificate it saw and checks every other certificate if it
was at least valid at this date. (The certificates used there are
normally only valid for some days and there is no revocation mechanism)

> I like the idea of a field like ServerHello.time so the server can
> communicate its belief in time. A client can defer a simple failure
> based on time until key exchange completes. If key exchange completes
> successfully, then the client can decide if it wants to accept the
> server's view of time.

Adding such a field could also result in some stupid developers using
this field to check if the certificate is valid for every handshake.

> The functionality leads to other attack surfaces, like a rogue server
> rolling back its time and using compromised key. But I think that can
> be solved with a good degree of certainty using Guttmann's security
> diversification techniques.
> 
> Jeff

v2.23.0 | Report a Bug | By Email