Re: [TLS] Refactoring client auth/re-key

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 18 October 2014 17:47 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09CDB1A89A9 for <tls@ietfa.amsl.com>; Sat, 18 Oct 2014 10:47:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWou6knqfilF for <tls@ietfa.amsl.com>; Sat, 18 Oct 2014 10:46:59 -0700 (PDT)
Received: from emh02.mail.saunalahti.fi (emh02.mail.saunalahti.fi [62.142.5.108]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8B981A89AB for <tls@ietf.org>; Sat, 18 Oct 2014 10:46:58 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh02.mail.saunalahti.fi (Postfix) with ESMTP id DB4CC81816; Sat, 18 Oct 2014 20:46:55 +0300 (EEST)
Date: Sat, 18 Oct 2014 20:46:55 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20141018174655.GB14006@LK-Perkele-VII>
References: <CABcZeBOdpK_JEH4EwnsoTA8Rje5pS5CtSbFGh8rHQzse92m9Wg@mail.gmail.com> <CACsn0cmYs8TMeKcTvqxv1DUGizcp5k7uo86muoqYbGRH4xDQHA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CACsn0cmYs8TMeKcTvqxv1DUGizcp5k7uo86muoqYbGRH4xDQHA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/iyIV9YizhnSvnLT_68Odrx83prc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Refactoring client auth/re-key
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Oct 2014 17:47:01 -0000

On Sat, Oct 18, 2014 at 08:15:19AM -0700, Watson Ladd wrote:
> On Sat, Oct 18, 2014 at 7:32 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >
> So I seem to remember DJB telling me that once you have a properly
> made channel via Diffie-Hellman, that authenticating requires just
> signing a value derived from the key. (Sadly I forgot/don't know the
> proof, so someone will have to check this or tell me I'm completely
> wrong) So we don't need the session hash to include the certificates,
> and so don't need to keep the running hash going past the first
> exchange.

AFAIK, It is sufficient (dunno if DJB told that).

The idea is: Ensure that keys are unique, even in face of active
attack, and only the (true) endpoints can compute those.

This can be done by hashing in transcript of negotiation and key
exchange into keys obtained from DH.

This causes the following:
- If attacker does not tamper with key exchange, the session key
  becomes unknowable.
- If attacker does tamper with key exchange, the two sides will not
  agree about keys (since keys are unique), and later channel
  authentication will fail.
- Attacker can't replay captured credentials, because keys will
  then be different from anything seen so far (uniqueness).


There's a subtle trap here tho: The authentication messages have to be
exchanged via the channel itself, not out-of-band. Otherwise the
authentication is broken. Not much of an issue here.

> Concretely the idea would be as follows: A sends to B g^x, and B
> responds with g^y. Both calculate MS=H(g^xy, g^x, g^y). (Of course, we
> need to hash the actual messages.)

That doesn't quite work (why?) :-)

Hint: What's missing (and it is not "certificate")?

> At this point we can compute channel_AtoB_key=PRF(MS, "channel AtoB
> key"),  channel_BtoA_key=PRF(MS, "channel BtoA key"),
> A_authstr=PRF(MS, "A authstr"), B_authstr=PRF(MS, "B authstr"). The
> channel keys can be used to encrypt each side as in the proposal, and
> the authstrs can be signed and sent over the channel to provide a
> proof of identity. Furthermore, we could extract a channel binding in
> an analogous manner, or application level keys in the same way, or a
> resumption key in the same way.

One subtle decision: Is there a split beween "system" (TLS uses
internally) and "user" keys (handed to application via TLS-EXTRACTOR).

One could imagine that with some of the proposals about fixing key
deriviation, some would want that.

Also, if there is no finished with nontrivial data, one would need
to derive a fake binding value for backward compatiblity (but that's
easy to do).


Also, due to some signature schemes having some real-world nonideal
properties, one wants to also throw the keys used into the message
(easiest way is to throw the whole certificate or hash thereof in).

Also, do client signatures need replay protection (prevents replaying
te same certificate in the same connection)?


Also, could be useful to have some sort of "label" along with client
certificate that gets notified along with the certificate to the
application.

The idea is that TLS would not process the client certificates more
than just validating the signature. Instead, if validation succeeds,
it would fire callback to application, reporting that certificate with
label X and contets Y has been successfully validated.

Then the application could calculate what to do with the certificate
and have latter communications refer to the certificate.

This is AFAIK needed with some applications (along with some more app-
level signaling) to use client authentication safely.


-Ilari