IETF Logo Mail Archive

Re: [TLS] Defining "TLS channel"

Nicolas Williams <Nicolas.Williams@sun.com> Mon, 07 December 2009 21:38 UTC

Return-Path: <Nicolas.Williams@sun.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id DA6F628C0E9 for <tls@core3.amsl.com>; Mon, 7 Dec 2009 13:38:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.882
X-Spam-Level:
X-Spam-Status: No, score=-5.882 tagged_above=-999 required=5 tests=[AWL=0.164, BAYES_00=-2.599, HELO_MISMATCH_COM=0.553, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PvvNZzcCz9as for <tls@core3.amsl.com>; Mon, 7 Dec 2009 13:38:55 -0800 (PST)
Received: from sca-ea-mail-4.sun.com (sca-ea-mail-4.Sun.COM [192.18.43.22]) by core3.amsl.com (Postfix) with ESMTP id D80D928C0E4 for <tls@ietf.org>; Mon, 7 Dec 2009 13:38:55 -0800 (PST)
Received: from dm-central-02.central.sun.com ([129.147.62.5]) by sca-ea-mail-4.sun.com (8.13.6+Sun/8.12.9) with ESMTP id nB7LcjmQ013790 for <tls@ietf.org>; Mon, 7 Dec 2009 21:38:45 GMT
Received: from binky.Central.Sun.COM (binky.Central.Sun.COM [129.153.128.104]) by dm-central-02.central.sun.com (8.13.8+Sun/8.13.8/ENSMAIL, v2.2) with ESMTP id nB7LcjRH018463 for <tls@ietf.org>; Mon, 7 Dec 2009 14:38:45 -0700 (MST)
Received: from binky.Central.Sun.COM (localhost [127.0.0.1]) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3) with ESMTP id nB7LQwNn001039; Mon, 7 Dec 2009 15:26:58 -0600 (CST)
Received: (from nw141292@localhost) by binky.Central.Sun.COM (8.14.3+Sun/8.14.3/Submit) id nB7LQwNY001038; Mon, 7 Dec 2009 15:26:58 -0600 (CST)
X-Authentication-Warning: binky.Central.Sun.COM: nw141292 set sender to Nicolas.Williams@sun.com using -f
Date: Mon, 07 Dec 2009 15:26:57 -0600
From: Nicolas Williams <Nicolas.Williams@sun.com>
To: David-Sarah Hopwood <david-sarah@jacaranda.org>
Message-ID: <20091207212656.GK861@Sun.COM>
References: <200912030002.nB3026Cg024685@fs4113.wdf.sap.corp> <4B171AC0.6090403@jacaranda.org> <20091203221420.GZ773@Sun.COM> <808FD6E27AD4884E94820BC333B2DB774F31A4F497@NOK-EUMSG-01.mgdnok.nokia.com> <4B1D70D8.3070108@jacaranda.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <4B1D70D8.3070108@jacaranda.org>
User-Agent: Mutt/1.5.7i
Cc: tls@ietf.org
Subject: Re: [TLS] Defining "TLS channel"
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2009 21:38:56 -0000

On Mon, Dec 07, 2009 at 09:17:12PM +0000, David-Sarah Hopwood wrote:
> Pasi.Eronen@nokia.com wrote:
> > Well, I think one thing we've learned here is that none of the
> > reasonable-looking definitions of "TLS channel" are exactly what
> > typical TLS libraries offer to applications (via their APIs -- and
> > there's some variation between APIs, too).
> 
> I would expect a definition of "TLS channel" to inform the design of
> new APIs or API abstractions. I wouldn't expect it to change existing
> abstractions in current APIs, except possibly those that already have
> an abstraction that almost-but-not-quite corresponds to a TLS channel,
> and where the change to make it exactly correspond can be done compatibly.

Look at draft-altman-tls-channel-bindings.  The impact on APIs is really
rather trivial.  All APIs will have some sort of handle to a TLS
connection.  A connection is almost a channel.  From a connection you
need a way to extract the channel bindings.

Now, the only question is: is a series of connections resulting from
re-negotiations one channel?  Or is a channel == to a connection?

(Here I'm using "connection" to mean something that's barely referred by
that name in RFC5246, but which is: the state established by a TLS
handshake and the record layer messages exchanged under its protection.)

SSHv2 also does re-negotiations, but with proper binding of
re-negotiations to the prior state.  SSHv2 even has a proper unique
channel binding: SSHv2 session IDs (which are derived by hashing all
negotiation and key exchange messages).  The SSHv2 session ID does not
change even when re-negotiations occur.

>From an RFC5056 point of view, the SSHv2 view is the correct one.  The
application sets up a channel, runs some additional application-layer
authentication mechanism over that channel with channel binding to that
channel, and then proceeds.  It would be most unfortunate if after the
authentication + channel binding operation the channel could be
replaced, without the app's knowledge, with another one that might have
an MITM.

> > Also, different people seem to have somewhat different expectations
> > what properties such a "channel" should have. For example, if the
> > certificate of peer changes in renegotiation, is that just a different
> > certificate for the same identity, or a different identity? Does the
> > application need to determine which received application_data byte
> > corresponds to which certificate?
> 
> The abstraction of "channel" most useful for understanding the attack
> and the authentication properties of TLS, is one such that every
> completed handshake begins a new channel -- whether or not there are
> changes in identity information, and independent of whether the
> handshake is abbreviated or full.

For understanding the attack, yes.  But see below.

> (I was mistaken in claiming earlier that only full handshakes should
> be considered to start a new channel. Any pair of Finished messages
> creates a new channel identifier, and therefore should be considered
> to create a new channel.)

Prior to fixing the re-negotiation vulnerability we should have
considered each negotiation as resulting in a separate channel: then
applying channel binding as an analysis tool would have made the MITM
problem instantly apparent.

Following the fix to the re-negotiation vulnerability I think we should
say that the first negotiation establishes a channel and that the
subsequent ones do not, just as in SSHv2.

> > Either way, I don't think we need to answer the question about 
> > RFC5056 "channel" in draft-ietf-tls-renegotiation.
> 
> I disagree; the draft currently uses the term "channel" in the
> Introduction without defining it. It does reference
> draft-altman-tls-channel-bindings, but this isn't sufficient
> to define the term because 'It is inappropriate to use
> Internet-Drafts as reference material or to cite them other than
> as "work in progress."'.
> 
> The draft could, however, informatively cite RFC5056. I think it
> should.

I don't care which I-D introduces a proper definition of "TLS channel",
but I do care to see RFC5246 updated by whichever I-D does it.

Nico
--

v2.29.0 | Report a Bug | By Email | System Status