Re: [TLS] TLS 1.2 draft comments
<home_pw@msn.com> Sat, 30 December 2006 23:01 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H0nDA-0007uj-Dx; Sat, 30 Dec 2006 18:01:56 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H0nD8-0007uX-Ht for tls@ietf.org; Sat, 30 Dec 2006 18:01:54 -0500
Received: from bay0-omc1-s21.bay0.hotmail.com ([65.54.246.93]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H0nCq-0007IZ-PS for tls@ietf.org; Sat, 30 Dec 2006 18:01:54 -0500
Received: from hotmail.com ([65.54.174.83]) by bay0-omc1-s21.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Sat, 30 Dec 2006 15:01:36 -0800
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Sat, 30 Dec 2006 15:01:36 -0800
Message-ID: <BAY103-DAV11DA83F4D284EDFC78F75A92C50@phx.gbl>
Received: from 69.227.152.254 by BAY103-DAV11.phx.gbl with DAV; Sat, 30 Dec 2006 23:01:33 +0000
X-Originating-IP: [69.227.152.254]
X-Originating-Email: [home_pw@msn.com]
X-Sender: home_pw@msn.com
From: home_pw@msn.com
To: tls@ietf.org
References: <BAY103-DAV17E2A403A0F53177A5D23792C50@phx.gbl>
Subject: Re: [TLS] TLS 1.2 draft comments
Date: Sat, 30 Dec 2006 15:01:47 -0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Live Mail desktop 8.0.1223
X-MimeOLE: Produced By Microsoft MimeOLE V8.0.1223
X-OriginalArrivalTime: 30 Dec 2006 23:01:36.0068 (UTC) FILETIME=[74C4A840:01C72C66]
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 69ad46fbd0e474a7c7f3312d9e320336
Cc:
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============1359267085=="
Errors-To: tls-bounces@lists.ietf.org
More detailed comments, this time to do with the protocol. These contrast with the earlier
comments on the early-doc rationale and claims (that were largely expressed in "netscape-speak",
and need further professionalization - before TLS gets too much higher in the standards track)
1. signature
"master secret
A 48 byte secret shared between the two peers in the connection."
Is it appropriate to now specify the length of this, and the client random component
of the hello nonces? If so, give a rationale for the value in light of the fundamental
PRF architecture changes going on in TLS 1.2
Right now, this all defines a particular signature for the
key_block = PRF(SecurityParameters.master_secret,
"key expansion",
SecurityParameters.server_random +
SecurityParameters.client_random);
If in TLS1.2 a PRF MAY be defined by a ciphersuite and not by the standard, need it have the same
signature as the TLS PRF of old? Why should the ciphersuite not define the types for the input values? Cannot
the ciphersuite not specify the length of the master_secret
2. wrapped KEK/IVs in finished
Im dubious about the new/amended means of protecting the integrity of the handshake, in the
finished process. I cannot follow all its diddling with masks, and its impact on wrapped key/iv
mechanisms when creating the first enciphered block under a server.write key. This may be
more Peter problem, than spec problem. Perhaps I just have to read it a 100 times, more.
3. timing channels vs key
This is all funny on first reading, given all the recent discussion of NULL MAC in general!:
Implementation Note: Canvel et. al. [CBCTIME] have demonstrated a
timing attack on CBC padding based on the time required to
compute the MAC. In order to defend against this attack,
implementations MUST ensure that record processing time is
essentially the same whether or not the padding is correct.
Mac secrets are not "key", and are therefore assured not to influence the keyed
confidentiality mechanism. if you use a secret vs key in a crypto SEF, you get what
you expect. Futzing with timing is not addressing the root cause of the design flaw.
Futz with timing in the message dispatcher in the record layer generally, not in the handling
of a particular message, or use of a mechanism.
This all looks like a hack/workaround not a standard.
4. AEAD
well at least I know what it is now, and how it relates to compression. Ill study the background issues
to this some more, offline, before commenting in detail.
But, interesting to see null length MAC getting involved, again -)
And, interesting to see the failure alert: "fatal bad_record_mac alert"
If I now calculate 2 + 2 = 5, the confidentiality service based on an AEAD mechanism is providing data origin authentication,
and that DOA can control the record_layer integrity service, and the disconnect event. Hmm.
I don't like it, at first glance. Its smells wrong. I need further rationale, in terms of function and assurance claims.
5. "However, you SHOULD never send data over a link encrypted with 40 bit
security unless you feel that data is worth no more than the effort
required to break that encryption.
I think its time for this to go... if only because we have no "links", above the TLS. We have
channels or bridges. If its kept, perhaps consider
"However, you SHOULD never send data over a link encrypted with 40 bit OR LESS
security unless you feel that data is worth no more than the effort
required to break that encryption.
This updates the text to address ciphersuites with null confidentiality regimes.
6. I notice
case certificate_url: CertificateURL;
case certificate_status: CertificateStatus;
These need adding to the "major changes section of the summary". I can not see these in
RFC 4346.
enum {
hello_request(0), client_hello(1), server_hello(2),
certificate(11), server_key_exchange (12),
certificate_request(13), server_hello_done(14),
certificate_verify(15), client_key_exchange(16),
finished(20), (255)
} HandshakeType;
Given the description (they are part and parcel of the extension mechanism from other docs
being folded into TLS 1.2) I think I see what's going on.
a) I like certificate URL, and it moves us beyond Nescape's tunnel vision on the format
of the bag of certs (forwardCertPath). The bag can now contain HSM certs, for example
from the client, where the architect has defined an "enhanced X.509 Certificate" cert type, per
the rationale. It can also be a set of SAML assertions, getting us beyond X.509's aging formats.
There is a strong danger that this extension will get badly abused, I feel. And, many
military implementations are NOT going to be willy-nilly going out and resolving URLs
sent by a (enhanced) handshake protocol, even if the handshake messages are being
protected by an active (assured and sufficiently strong) TLS Connection. I can see such
handshakes being used to ping a mgt port for a given user, and thus go collect data from certified
repositories (over TLS), stuffing their response in caches. This is just X.500 revisted, tho.
b) What nut pushed for that OCSP stuff in certificate_status? Don't folks understand that it was just
to annoy VeriSign over the Micali patents?
With TLS extensions, we will be able to recover cert status from a TLS responder, without
bothering with OCSP. It can be authoritative as OCSP can be, once it starts putting
digital signatures on sets of record fragments.
c) concerning SAML certs
" If the protocol used is HTTP, then the HTTP server can be configured
to use the Cache-Control and Expires directives described in [HTTP]
to specify whether and for how long certificates or certificate
chains should be cached.
The TLS server is not required to follow HTTP redirects when
retrieving the certificates or certificate chain. The URLs used in
this extension SHOULD therefore be chosen not to depend on such
redirects."
I like this, as one can follow the various SAML profiles, their redirects,
session cookies; session URLs, auto postings, artifact resolution, etc. I do feel that
the SHOULD ought to be tied only to X.509 cerificate type, tho,
CLEARLY, allow other cert types to specify other constraints on required
processing behaviour, including none of that which is stated currently. Then
SAML2 can retrieve the certs, attributes properly etc. rather than fuzting around
with all this HTTP-land mime type stuff. I can get my SAML2 evaluated when
co-resident with a TLS protocol engine: little chance if I have to stick HTTP
and MIME in the boundary, tho.
More later; once I've read the back half or Eric's book, now.
Peter.
_______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] TLS 1.2 draft comments home_pw
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments home_pw
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments home_pw
- Re: [TLS] TLS 1.2 draft comments Omirjan Batyrbaev
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments Omirjan Batyrbaev
- Re: [TLS] TLS 1.2 draft comments EKR
- Re: [TLS] TLS 1.2 draft comments home_pw