IETF Logo Mail Archive

Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

Nico Williams <nico@cryptonector.com> Fri, 05 March 2021 19:35 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0762C3A09BD for <tls@ietfa.amsl.com>; Fri, 5 Mar 2021 11:35:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OWHsDDCmlt_P for <tls@ietfa.amsl.com>; Fri, 5 Mar 2021 11:35:20 -0800 (PST)
Received: from buffalo.birch.relay.mailchannels.net (buffalo.birch.relay.mailchannels.net [23.83.209.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FAE53A09C0 for <tls@ietf.org>; Fri, 5 Mar 2021 11:35:20 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id DE691224EF; Fri, 5 Mar 2021 19:35:15 +0000 (UTC)
Received: from pdx1-sub0-mail-a60.g.dreamhost.com (100-96-18-39.trex.outbound.svc.cluster.local [100.96.18.39]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id B4DF322394; Fri, 5 Mar 2021 19:35:10 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a60.g.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384) by 100.96.18.39 (trex/6.0.2); Fri, 05 Mar 2021 19:35:15 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Spicy-Inform: 3a1e7990113e3590_1614972910997_3633253241
X-MC-Loop-Signature: 1614972910997:330405026
X-MC-Ingress-Time: 1614972910997
Received: from pdx1-sub0-mail-a60.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a60.g.dreamhost.com (Postfix) with ESMTP id D60F87E672; Fri, 5 Mar 2021 11:35:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=Ua3ynV2lKU6pyn Bo9gJDtGhhMaE=; b=YJvGkyZE+PRVzC+AGwfAddRjlMk9WdS0RENKUkY5QDiBRG iTi0gto98RSl8ew/lNdQwT566qsOV2k4hV3A+YvuHkqwf7Fqmrp9LpwVfG7mE2P6 WdiAo7VeXrcVJ9BNJHu7vfZfnr8hUxHOdpgGSiLvemAZj0ZzriRv4Y3q4oTuk=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a60.g.dreamhost.com (Postfix) with ESMTPSA id 86BE585427; Fri, 5 Mar 2021 11:35:05 -0800 (PST)
Date: Fri, 05 Mar 2021 13:35:02 -0600
X-DH-BACKEND: pdx1-sub0-mail-a60
From: Nico Williams <nico@cryptonector.com>
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "Fries, Steffen" <steffen.fries@siemens.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20210305193502.GW30153@localhost>
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hy5kftXet4ECDEp5wIccJaFQ9jg>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Mar 2021 19:35:22 -0000

On Fri, Mar 05, 2021 at 06:42:40PM +0000, John Mattsson wrote:
> >While renegotiation will never be re-added, there is post-handshake
> >authentication (RFC 8446, section 4.6.2), and while that is currently
> >about authenticating the _client_ to the server, it should be trivial to
> >extend the protocol to support re-authenticating the server to the
> >client as well.
> 
> I think the current Post-Handshake authentication is not really
> suitable for long-term connections. It assures that the other party is
> still alive but it does not shut out any other third parties with
> access to application_traffic_secret_N. Such parties may have gotten
> the key with or without collaboration with one of the nodes.

We assume local security, so the only way the TLS keys could have leaked
to third parties is if either a) the local security assumption fails, in
which case you have bigger problems, or b) the cryptographic security of
TLS itself failed, in which case you have bigger problems, or c) you're
exceeding usage limits on a symmetric cipher.

Changing session keys wouldn't help you in cases (a) or (b).

I think the only interesting case is (c).  If you're using a 128-bit
block cipher, you're not in case (c) as you'd have to transfer something
like 2PB before you exceed AES key usage limits.

At some point you have to be prepared to reconnect.  Application
protocols that work like BGP (destroy the world on RST) simply need
to be fixed to not do that.

> Agree that the negotiation part of renegotiation should not come back.
> Below is a sketch of what I think would be needed Post-Handshake for

That's essentially renego-lite.  Note that there's protocol timing
trickiness in getting this right.  SSHv2, which does have proper
re-keying, has experience with that.

> DTLS/SCTP with DTLS 1.3:

What's special about DTLS vs. TLS?  Why should one get this but not the
other?

Nico
--

v2.23.0 | Report a Bug | By Email