IETF Logo Mail Archive

Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections

"Fries, Steffen" <steffen.fries@siemens.com> Mon, 08 March 2021 08:51 UTC

Return-Path: <steffen.fries@siemens.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 814513A27FD for <tls@ietfa.amsl.com>; Mon, 8 Mar 2021 00:51:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PTUhDdpVGGd4 for <tls@ietfa.amsl.com>; Mon, 8 Mar 2021 00:51:35 -0800 (PST)
Received: from gw-eagle2.siemens.com (gw-eagle2.siemens.com [194.138.20.69]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 797CA3A27FB for <tls@ietf.org>; Mon, 8 Mar 2021 00:51:35 -0800 (PST)
Received: from mail1.dc4ca.siemens.de (mail1.dc4ca.siemens.de [139.25.224.78]) by gw-eagle2.siemens.com (Postfix) with ESMTPS id 28C7746804B; Mon, 8 Mar 2021 09:51:32 +0100 (CET)
Received: from DEMCHDC89XA.ad011.siemens.net (demchdc89xa.ad011.siemens.net [139.25.226.103]) by mail1.dc4ca.siemens.de (Postfix) with ESMTPS id ADD3218DA3940; Mon, 8 Mar 2021 09:51:31 +0100 (CET)
Received: from DEMCHDC89XA.ad011.siemens.net (139.25.226.103) by DEMCHDC89XA.ad011.siemens.net (139.25.226.103) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Mon, 8 Mar 2021 09:51:31 +0100
Received: from DEMCHDC89XA.ad011.siemens.net ([139.25.226.103]) by DEMCHDC89XA.ad011.siemens.net ([139.25.226.103]) with mapi id 15.01.2106.013; Mon, 8 Mar 2021 09:51:31 +0100
From: "Fries, Steffen" <steffen.fries@siemens.com>
To: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Nico Williams <nico@cryptonector.com>, John Mattsson <john.mattsson@ericsson.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
Thread-Index: AQHXEeEgKe23eiCLoE+KwrPix1Q1lap1l0qAgAAS1ACAAA6hAIACZKcAgAGaHsA=
Date: Mon, 08 Mar 2021 08:51:31 +0000
Message-ID: <40166b1968e04cc392c16e2de559e684@siemens.com>
References: <DE27E5E0-4AB9-4B53-92F6-1057015A8F6C@ericsson.com> <20210305173516.GV30153@localhost> <701E874C-EA40-47FD-A4E4-C4C595E96337@ericsson.com> <20210305193502.GW30153@localhost> <AM0PR08MB3716A4C8D0F9BB007F9A0CBCFA949@AM0PR08MB3716.eurprd08.prod.outlook.com>
In-Reply-To: <AM0PR08MB3716A4C8D0F9BB007F9A0CBCFA949@AM0PR08MB3716.eurprd08.prod.outlook.com>
Accept-Language: en-US, de-DE
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2021-03-08T08:51:29Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=66994b2b-0874-43e6-bdbf-d1350e740c2a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
document_confidentiality: Restricted
x-originating-ip: [139.21.146.198]
x-tm-as-product-ver: SMEX-14.0.0.1158-8.6.1012-26016.006
x-tm-as-result: No-10--35.275000-8.000000
x-tmase-matchedrid: hHkZHYbuAkwaWGjWtG8govgvzSw1wUIjDDw2a573DPfAsQvj68mG04HZ B8pBnDKZtwi3bXRtaAjfrAEUZTjrwRDxiJino9R211/jD0G83IlBqWBRXcf7s4vqrlGw2G/kAQ+ 35UHH2f25qmTBFUv1z441Yiw6vZQgO4yldbVi98A/kFnnBD3GZxHQbVLgwnYM70a2q2D7J4BReW nUUdhI9cuSXx71bvSL9WXm+yhJKygKU8kZtOj9iXm3rlWwtGYxZ2iIC1YlK8LJkecgyZD4OEFJj qTH4zXxCnaX2vSsl/98XFgH34vv46nmUhxSyJDb7XZKqEbkxl0PgCQ1Nx/qoA0QY5VnQyANpWOB fK9L1z8S39b8+3nDx6QLN1aAr87KFfpc/lC98Dwwb+Fhu2r36FY569CIrYvbLyz9QvAyHjoYgyD j5TiRtSaTNbgbq25FFxPfMusXQ5aLYCqQJUBx8O7oiMjz9NDrhwvV+A7ti/OKR0fcRBoRNYx4V4 9TS24wth6QveQfsqMpSnLCjOAr5lXfVZa2dw5b8EvY1eii2/OP/06+pI4U7grgwFF/sjumYM9s6 twyNwlSMUnCl2ZytB/poFKGNxRg6YxfRGjlruNigshoWTkI/W/2fi9+y8WVTdXSSx0pfOyA6f0P MYIXsy62hjZS0WoYRr7gV267sGKUKCR2YUmlVTblGqhdTCq7AioGpYo1Fp2aVoAi2I40/f6lpfp te41hLpyJAwh9QY2M0RMcf031NjEB0okod0PTrLxasEOdu7v5UoylJjUxCNjoQZHeT+6K0NnUUV MlTKa6UxUMwwJyKvyL40XovS1aGEXSzEniJe1ftuJwrFEhTbew1twePJJB3QfwsVk0UbslCGssf kpInQ==
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
x-tmase-result: 10--35.275000-8.000000
x-tmase-version: SMEX-14.0.0.1158-8.6.1012-26016.006
x-tm-snts-smtp: D9512BED7667379ED0A85124D525117731D0ED6F712B1B10F6BF2F5B763C9A482000:8
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kQ_PBesXGw7_EdwDz59VBK9vX_g>
Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long lasting connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Mar 2021 08:51:37 -0000

Hi,

First of all thanks for all the discussion on that question, which is great input also to the discussion in IEC. 

> From: TLS <tls-bounces@ietf.org> On Behalf Of Hannes Tschofenig
> I think it is useful to start with the problem description.
The problem that was addressed so far with the session renegotiation in TLS 1.2 was motivated by different points. 
- Recommendation in RFC 5246 regarding the use of the SessionID  lifetime
- Regular session key update for the ongoing TLS Session
- Trigger to verify the certificates used by both sides on a regular base, ideally in relation to the update of locally available revocation information

For the latter, the assumption was that some of the processes, when a long term key is compromised, may not be perfectly synchronized, meaning that  the entity with a potentially compromised certificate/private key (long term key) is not immediately taken from the network. If the certificate is put onto a CRL , the RP would realize this during the next complete handshake and tear down the connection. An alternative of this could indeed be to utilize an external trigger like whenever the CRL is refreshed (which should happen every 24 hours), the certificates of ongoing connections are validated regarding their status. As this is independent of TLS, it would work also with TLS 1.3.

By comparing, what has been used in TLS 1.2 we simply stumbled about the fact that the trigger to perform the revocation check is no longer available for both sides, client and server. As said, the client could be authenticated using post authentication but not the server. This would mean to solve the problem of identifying a revoked certificate in an ongoing session could be done externally of TLS but the result would be fed back to TLS, if a connection needs to be closed due to a revoked certificate. 

Regards
Steffen



> 
> It seems that you are concerned that there is a possibility for leakage or
> compromise of keying material during the lifetime of the session.
> What could happen?
> 
> * Long-term keys*,
> * Some keys used in the key hierarchy,
> * keys used for protecting the application traffic
> 
> Additionally, you could also consider the case that the trust anchor store gets
> compromised.
> 
> In any case, you seem to be concerned about the leakage of long-term keys (at
> least that's what I get from the email thread).
> 
> If your long-term keys got compromised then you have a serious problem. Re-
> running even the full handshake will not indicate problem. It will just work fine.
> 
> You will somehow have to find out that these long-term keys have been leaked,
> which will not be easy. Then, you need to isolate the endpoints using those
> compromised keys and reprovision new keys to them. You might want to
> terminate ongoing connections as well. Since you will often not know what
> exactly has been compromised (at least not quickly enough), you might need to
> take a range of steps to re-set it to a known good state (such as doing a
> firmware update, in case of an IoT device).
> 
> Many of these aspects are, however, outside the scope of TLS itself.
> 
> Could you elaborate on the threats you are trying to address?
> 
> Ciao
> Hannes
> 
> *: Often a device has more than one long-term key pair (used for different
> purposes). Without further complicating things, the impact depend a bit on
> which keys have been leaked.
> 
> -----Original Message-----
> From: TLS <tls-bounces@ietf.org> On Behalf Of Nico Williams
> Sent: Friday, March 5, 2021 8:35 PM
> To: John Mattsson <john.mattsson@ericsson.com>
> Cc: tls@ietf.org
> Subject: Re: [TLS] Question to TLS 1.3 and certificate revocation checks in long
> lasting connections
> 
> On Fri, Mar 05, 2021 at 06:42:40PM +0000, John Mattsson wrote:
> > >While renegotiation will never be re-added, there is post-handshake
> > >authentication (RFC 8446, section 4.6.2), and while that is currently
> > >about authenticating the _client_ to the server, it should be trivial
> > >to extend the protocol to support re-authenticating the server to the
> > >client as well.
> >
> > I think the current Post-Handshake authentication is not really
> > suitable for long-term connections. It assures that the other party is
> > still alive but it does not shut out any other third parties with
> > access to application_traffic_secret_N. Such parties may have gotten
> > the key with or without collaboration with one of the nodes.
> 
> We assume local security, so the only way the TLS keys could have leaked to
> third parties is if either a) the local security assumption fails, in which case you
> have bigger problems, or b) the cryptographic security of TLS itself failed, in
> which case you have bigger problems, or c) you're exceeding usage limits on a
> symmetric cipher.
> 
> Changing session keys wouldn't help you in cases (a) or (b).
> 
> I think the only interesting case is (c).  If you're using a 128-bit block cipher,
> you're not in case (c) as you'd have to transfer something like 2PB before you
> exceed AES key usage limits.
> 
> At some point you have to be prepared to reconnect.  Application protocols that
> work like BGP (destroy the world on RST) simply need to be fixed to not do that.
> 
> > Agree that the negotiation part of renegotiation should not come back.
> > Below is a sketch of what I think would be needed Post-Handshake for
> 
> That's essentially renego-lite.  Note that there's protocol timing trickiness in
> getting this right.  SSHv2, which does have proper re-keying, has experience with
> that.
> 
> > DTLS/SCTP with DTLS 1.3:
> 
> What's special about DTLS vs. TLS?  Why should one get this but not the other?
> 
> Nico
> --
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended recipient,
> please notify the sender immediately and do not disclose the contents to any
> other person, use it for any purpose, or store or copy the information in any
> medium. Thank you.
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email