Re: [TLS] TLS 1.2 draft comments
<home_pw@msn.com> Sat, 30 December 2006 23:01 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H0nDA-0007uj-Dx; Sat, 30 Dec 2006 18:01:56 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H0nD8-0007uX-Ht for tls@ietf.org; Sat, 30 Dec 2006 18:01:54 -0500
Received: from bay0-omc1-s21.bay0.hotmail.com ([65.54.246.93]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H0nCq-0007IZ-PS for tls@ietf.org; Sat, 30 Dec 2006 18:01:54 -0500
Received: from hotmail.com ([65.54.174.83]) by bay0-omc1-s21.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sat, 30 Dec 2006 15:01:36 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 30 Dec 2006 15:01:36 -0800
Message-ID: <BAY103-DAV11DA83F4D284EDFC78F75A92C50@phx.gbl>
Received: from 69.227.152.254 by BAY103-DAV11.phx.gbl with DAV; Sat, 30 Dec 2006 23:01:33 +0000
X-Originating-IP: [69.227.152.254]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: tls@ietf.org
References: <BAY103-DAV17E2A403A0F53177A5D23792C50@phx.gbl>
Subject: Re: [TLS] TLS 1.2 draft comments
Date: Sat, 30 Dec 2006 15:01:47 -0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 30 Dec 2006 23:01:36.0068 (UTC) FILETIME=[74C4A840:01C72C66]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 69ad46fbd0e474a7c7f3312d9e320336
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1359267085=="
Errors-To: tls-bounces@lists.ietf.org
More detailed comments, this time to do with the protocol. These contrast with the earlier comments on the early-doc rationale and claims (that were largely expressed in "netscape-speak", and need further professionalization - before TLS gets too much higher in the standards track) 1. signature "master secret A 48 byte secret shared between the two peers in the connection." Is it appropriate to now specify the length of this, and the client random component of the hello nonces? If so, give a rationale for the value in light of the fundamental PRF architecture changes going on in TLS 1.2 Right now, this all defines a particular signature for the key_block = PRF(SecurityParameters.master_secret, "key expansion", SecurityParameters.server_random + SecurityParameters.client_random); If in TLS1.2 a PRF MAY be defined by a ciphersuite and not by the standard, need it have the same signature as the TLS PRF of old? Why should the ciphersuite not define the types for the input values? Cannot the ciphersuite not specify the length of the master_secret 2. wrapped KEK/IVs in finished Im dubious about the new/amended means of protecting the integrity of the handshake, in the finished process. I cannot follow all its diddling with masks, and its impact on wrapped key/iv mechanisms when creating the first enciphered block under a server.write key. This may be more Peter problem, than spec problem. Perhaps I just have to read it a 100 times, more. 3. timing channels vs key This is all funny on first reading, given all the recent discussion of NULL MAC in general!: Implementation Note: Canvel et. al. [CBCTIME] have demonstrated a timing attack on CBC padding based on the time required to compute the MAC. In order to defend against this attack, implementations MUST ensure that record processing time is essentially the same whether or not the padding is correct. Mac secrets are not "key", and are therefore assured not to influence the keyed confidentiality mechanism. if you use a secret vs key in a crypto SEF, you get what you expect. Futzing with timing is not addressing the root cause of the design flaw. Futz with timing in the message dispatcher in the record layer generally, not in the handling of a particular message, or use of a mechanism. This all looks like a hack/workaround not a standard. 4. AEAD well at least I know what it is now, and how it relates to compression. Ill study the background issues to this some more, offline, before commenting in detail. But, interesting to see null length MAC getting involved, again -) And, interesting to see the failure alert: "fatal bad_record_mac alert" If I now calculate 2 + 2 = 5, the confidentiality service based on an AEAD mechanism is providing data origin authentication, and that DOA can control the record_layer integrity service, and the disconnect event. Hmm. I don't like it, at first glance. Its smells wrong. I need further rationale, in terms of function and assurance claims. 5. "However, you SHOULD never send data over a link encrypted with 40 bit security unless you feel that data is worth no more than the effort required to break that encryption. I think its time for this to go... if only because we have no "links", above the TLS. We have channels or bridges. If its kept, perhaps consider "However, you SHOULD never send data over a link encrypted with 40 bit OR LESS security unless you feel that data is worth no more than the effort required to break that encryption. This updates the text to address ciphersuites with null confidentiality regimes. 6. I notice case certificate_url: CertificateURL; case certificate_status: CertificateStatus; These need adding to the "major changes section of the summary". I can not see these in RFC 4346. enum { hello_request(0), client_hello(1), server_hello(2), certificate(11), server_key_exchange (12), certificate_request(13), server_hello_done(14), certificate_verify(15), client_key_exchange(16), finished(20), (255) } HandshakeType; Given the description (they are part and parcel of the extension mechanism from other docs being folded into TLS 1.2) I think I see what's going on. a) I like certificate URL, and it moves us beyond Nescape's tunnel vision on the format of the bag of certs (forwardCertPath). The bag can now contain HSM certs, for example from the client, where the architect has defined an "enhanced X.509 Certificate" cert type, per the rationale. It can also be a set of SAML assertions, getting us beyond X.509's aging formats. There is a strong danger that this extension will get badly abused, I feel. And, many military implementations are NOT going to be willy-nilly going out and resolving URLs sent by a (enhanced) handshake protocol, even if the handshake messages are being protected by an active (assured and sufficiently strong) TLS Connection. I can see such handshakes being used to ping a mgt port for a given user, and thus go collect data from certified repositories (over TLS), stuffing their response in caches. This is just X.500 revisted, tho. b) What nut pushed for that OCSP stuff in certificate_status? Don't folks understand that it was just to annoy VeriSign over the Micali patents? With TLS extensions, we will be able to recover cert status from a TLS responder, without bothering with OCSP. It can be authoritative as OCSP can be, once it starts putting digital signatures on sets of record fragments. c) concerning SAML certs " If the protocol used is HTTP, then the HTTP server can be configured to use the Cache-Control and Expires directives described in [HTTP] to specify whether and for how long certificates or certificate chains should be cached. The TLS server is not required to follow HTTP redirects when retrieving the certificates or certificate chain. The URLs used in this extension SHOULD therefore be chosen not to depend on such redirects." I like this, as one can follow the various SAML profiles, their redirects, session cookies; session URLs, auto postings, artifact resolution, etc. I do feel that the SHOULD ought to be tied only to X.509 cerificate type, tho, CLEARLY, allow other cert types to specify other constraints on required processing behaviour, including none of that which is stated currently. Then SAML2 can retrieve the certs, attributes properly etc. rather than fuzting around with all this HTTP-land mime type stuff. I can get my SAML2 evaluated when co-resident with a TLS protocol engine: little chance if I have to stick HTTP and MIME in the boundary, tho. More later; once I've read the back half or Eric's book, now. Peter.
_______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] TLS 1.2 draft comments home_pw
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments home_pw
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments home_pw
- Re: [TLS] TLS 1.2 draft comments Omirjan Batyrbaev
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments Omirjan Batyrbaev
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments home_pw