Re: [TLS] Refactoring client auth/re-key
Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sat, 18 October 2014 17:47 UTC
Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09CDB1A89A9 for <tls@ietfa.amsl.com>; Sat, 18 Oct 2014 10:47:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TWou6knqfilF for <tls@ietfa.amsl.com>; Sat, 18 Oct 2014 10:46:59 -0700 (PDT)
Received: from emh02.mail.saunalahti.fi (emh02.mail.saunalahti.fi [62.142.5.108]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8B981A89AB for <tls@ietf.org>; Sat, 18 Oct 2014 10:46:58 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh02.mail.saunalahti.fi (Postfix) with ESMTP id DB4CC81816; Sat, 18 Oct 2014 20:46:55 +0300 (EEST)
Date: Sat, 18 Oct 2014 20:46:55 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20141018174655.GB14006@LK-Perkele-VII>
References: <CABcZeBOdpK_JEH4EwnsoTA8Rje5pS5CtSbFGh8rHQzse92m9Wg@mail.gmail.com> <CACsn0cmYs8TMeKcTvqxv1DUGizcp5k7uo86muoqYbGRH4xDQHA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CACsn0cmYs8TMeKcTvqxv1DUGizcp5k7uo86muoqYbGRH4xDQHA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/iyIV9YizhnSvnLT_68Odrx83prc
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Refactoring client auth/re-key
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Oct 2014 17:47:01 -0000
On Sat, Oct 18, 2014 at 08:15:19AM -0700, Watson Ladd wrote: > On Sat, Oct 18, 2014 at 7:32 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > > So I seem to remember DJB telling me that once you have a properly > made channel via Diffie-Hellman, that authenticating requires just > signing a value derived from the key. (Sadly I forgot/don't know the > proof, so someone will have to check this or tell me I'm completely > wrong) So we don't need the session hash to include the certificates, > and so don't need to keep the running hash going past the first > exchange. AFAIK, It is sufficient (dunno if DJB told that). The idea is: Ensure that keys are unique, even in face of active attack, and only the (true) endpoints can compute those. This can be done by hashing in transcript of negotiation and key exchange into keys obtained from DH. This causes the following: - If attacker does not tamper with key exchange, the session key becomes unknowable. - If attacker does tamper with key exchange, the two sides will not agree about keys (since keys are unique), and later channel authentication will fail. - Attacker can't replay captured credentials, because keys will then be different from anything seen so far (uniqueness). There's a subtle trap here tho: The authentication messages have to be exchanged via the channel itself, not out-of-band. Otherwise the authentication is broken. Not much of an issue here. > Concretely the idea would be as follows: A sends to B g^x, and B > responds with g^y. Both calculate MS=H(g^xy, g^x, g^y). (Of course, we > need to hash the actual messages.) That doesn't quite work (why?) :-) Hint: What's missing (and it is not "certificate")? > At this point we can compute channel_AtoB_key=PRF(MS, "channel AtoB > key"), channel_BtoA_key=PRF(MS, "channel BtoA key"), > A_authstr=PRF(MS, "A authstr"), B_authstr=PRF(MS, "B authstr"). The > channel keys can be used to encrypt each side as in the proposal, and > the authstrs can be signed and sent over the channel to provide a > proof of identity. Furthermore, we could extract a channel binding in > an analogous manner, or application level keys in the same way, or a > resumption key in the same way. One subtle decision: Is there a split beween "system" (TLS uses internally) and "user" keys (handed to application via TLS-EXTRACTOR). One could imagine that with some of the proposals about fixing key deriviation, some would want that. Also, if there is no finished with nontrivial data, one would need to derive a fake binding value for backward compatiblity (but that's easy to do). Also, due to some signature schemes having some real-world nonideal properties, one wants to also throw the keys used into the message (easiest way is to throw the whole certificate or hash thereof in). Also, do client signatures need replay protection (prevents replaying te same certificate in the same connection)? Also, could be useful to have some sort of "label" along with client certificate that gets notified along with the certificate to the application. The idea is that TLS would not process the client certificates more than just validating the signature. Instead, if validation succeeds, it would fire callback to application, reporting that certificate with label X and contets Y has been successfully validated. Then the application could calculate what to do with the certificate and have latter communications refer to the certificate. This is AFAIK needed with some applications (along with some more app- level signaling) to use client authentication safely. -Ilari
- [TLS] Refactoring client auth/re-key Eric Rescorla
- Re: [TLS] Refactoring client auth/re-key Watson Ladd
- Re: [TLS] Refactoring client auth/re-key Eric Rescorla
- Re: [TLS] Refactoring client auth/re-key Ilari Liusvaara
- Re: [TLS] Refactoring client auth/re-key Manuel Pégourié-Gonnard
- Re: [TLS] Refactoring client auth/re-key Eric Rescorla
- Re: [TLS] Refactoring client auth/re-key Watson Ladd
- Re: [TLS] Refactoring client auth/re-key Karthikeyan Bhargavan
- Re: [TLS] Refactoring client auth/re-key Ilari Liusvaara
- Re: [TLS] Refactoring client auth/re-key Karthikeyan Bhargavan
- Re: [TLS] Refactoring client auth/re-key Martin Thomson
- Re: [TLS] Refactoring client auth/re-key Martin Thomson