Re: [TLS] tls-unique

Eric Rescorla <ekr@rtfm.com> Thu, 08 October 2015 10:23 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ADC151AD35F for <tls@ietfa.amsl.com>; Thu, 8 Oct 2015 03:23:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ca8F6YEEF4Pi for <tls@ietfa.amsl.com>; Thu, 8 Oct 2015 03:23:56 -0700 (PDT)
Received: from mail-wi0-f175.google.com (mail-wi0-f175.google.com [209.85.212.175]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 26BCE1B29DC for <tls@ietf.org>; Thu, 8 Oct 2015 03:23:54 -0700 (PDT)
Received: by wicfx3 with SMTP id fx3so18262133wic.0 for <tls@ietf.org>; Thu, 08 Oct 2015 03:23:52 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=bOIW6Wf4Lc19UuHxyzL9zpQ1yjuyOD6aFL65dATiQt0=; b=cjNB9TpcN6FBH/PF0Lqa/cDaRSBOp7Ogwq5RE6nQ/yxcSZZSO6np+QPRQ1+n6rom08 Iby4UgyB6ZxEWw5xi38MAk3cp1ASgxjreSMwiFQ1ce9yzw7PXOwSWrguxjxRnBHTR8oU FAU6/Pv9NMJ0qa29TzszepnE/B5y1hfQUVXWr/JWu39VHJ8SLgoq/o3P08QxrMYpNsl7 oE8LDBpWXgjc2veKfFLbD8BLdcPLfJCO8jLbEOewQdN1cCuUojP7qGzxEZfa+Jz82i7L bcp9vXJvHh25jmT0hs1eCMNNaWX9JdoVLeJ4MQUVVwo+B1UyEXbengO4hqqkcdx6OmUK rlng==
X-Gm-Message-State: ALoCoQmAFi0LcTyzxf8JyrfskhvrlEPtzd8sivZjP3M3E9CwJMXdIbx598bG8VqdK017vg2qnyTd
X-Received: by 10.194.133.129 with SMTP id pc1mr6821263wjb.148.1444299832739; Thu, 08 Oct 2015 03:23:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.79.200 with HTTP; Thu, 8 Oct 2015 03:23:13 -0700 (PDT)
In-Reply-To: <87612hpsw8.fsf@latte.josefsson.org>
References: <A1F63168-7736-452D-BC1B-23B665D81989@sn3rd.com> <87vbahu2r2.fsf@latte.josefsson.org> <CABcZeBNuSCB8i--TqYouiPyrPu6ZSunNeK40JHaO+DdBEnUL+A@mail.gmail.com> <87612hpsw8.fsf@latte.josefsson.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 8 Oct 2015 12:23:13 +0200
Message-ID: <CABcZeBPqJXnOy7RPHZshiJqTrpj=+WbKXUHw9JyFsC1kN7s1gQ@mail.gmail.com>
To: Simon Josefsson <simon@josefsson.org>
Content-Type: multipart/alternative; boundary=089e01227d947ad5df0521954244
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ji5SBx9AvHp7TDuEHbpgPOQNi6g>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] tls-unique
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 Oct 2015 10:23:57 -0000

On Thu, Oct 8, 2015 at 12:16 PM, Simon Josefsson <simon@josefsson.org>
wrote:

> Eric Rescorla <ekr@rtfm.com> writes:
>
> > On Thu, Oct 8, 2015 at 11:29 AM, Simon Josefsson <simon@josefsson.org>
> > wrote:
> >
> >> The notes from the interim meeting mentions 'tls-unique' and points to
> >> issue #228 on github.  I want to get your attention on the draft below.
> >> Doesn't it do what you are looking for?  There is a little in the way of
> >> a problem statement in the TLS interim meeting notes, so it is hard to
> >> tell what the perceived problem with 'tls-unique' is in this context.
> >> Does my draft need to be updated for TLS 1.3 in any way?  It might serve
> >> as a starting point for future work.
> >>
> >> https://tools.ietf.org/html/draft-josefsson-sasl-tls-cb-03
> >
> >
> > Well, TLS 1.3 doesn't have a PRF, but instead explicitly uses HKDF.
> >
> > With that said, I don't really understand the structure of your draft:
> > Instead of referencing the PRF and session_hash directly, why not instead
> > use RFC 5705 exporters and require the use of the session_hash
> > extension?
>
> The introduction says:
>
>    There exists a TLS extension [I-D.ietf-tls-session-hash] that modify
>    TLS so that the definition of 'tls-unique' [RFC5929] has the intended
>    properties.  If widely implemented and deployed, the channel binding
>    type in this document would not offer any additional protection.  The
>    purpose of this document is to provide an alternative channel binding
>    that offers the intended properties without requiring TLS protocol
>    changes.  However, keep in mind that TLS implementations needs to
>    offer the appropriate APIs necessary to be able to implement the
>    channel binding described in this document.
>
> I agree that one alternative is to require session_hash for all
> connections.


Given that you need to modify *some* software in any case, it seems
like one ought to adopt session-hash.



>   But then what is the problem with use of 'tls-unique'?
>

The general consensus is that 96 bits is too short.

-Ekr