IETF Logo Mail Archive

Re: [TLS] Server time

Dave Garrett <davemgarrett@gmail.com> Sun, 05 April 2015 20:06 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5E1F1ACE2C for <tls@ietfa.amsl.com>; Sun, 5 Apr 2015 13:06:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uNJd6yLkCFut for <tls@ietfa.amsl.com>; Sun, 5 Apr 2015 13:06:21 -0700 (PDT)
Received: from mail-qk0-x229.google.com (mail-qk0-x229.google.com [IPv6:2607:f8b0:400d:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1EB4B1ACE27 for <tls@ietf.org>; Sun, 5 Apr 2015 13:06:21 -0700 (PDT)
Received: by qku63 with SMTP id 63so11011273qku.3 for <tls@ietf.org>; Sun, 05 Apr 2015 13:06:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=IH6KwcY6PRaGDuwxDoxeIilCw/MPI3DiNLEtv6HFC70=; b=z0BgV4ri0jIawVYLJUynK4b+zet0rlrESRI+fdeFt1RkfPo4cH8AMKswCceO42m/K5 K9Gg/up6/HSWI1mc6Ew1U8GCmMEUi8OAJNouzr7+ABZj6KUreuEBNMA8GAOMx0ngtTuH Q0Pcwsub66rw2+pPXd5ZrK09R+SgfG3n5VdR20gaIgnTTksAeEBu0zeaBBotCOpkJez0 9UdDavS+5orCs437Nc0KSDqsuDrPk0FeG/ydhV5FchIyaDAt0egUdSwuHYKTVbviEsmQ bbEY8i5b34Jc1TkDtFjkFleE9x42KVOQCCCSpMn6K7VsoTLRZ/JM2xk9sLyp5oalynW0 oG/g==
X-Received: by 10.140.145.202 with SMTP id 193mr2226780qhr.43.1428264380275; Sun, 05 Apr 2015 13:06:20 -0700 (PDT)
Received: from dave-laptop.localnet (pool-96-245-254-195.phlapa.fios.verizon.net. [96.245.254.195]) by mx.google.com with ESMTPSA id n13sm1721014qkh.8.2015.04.05.13.06.19 (version=TLSv1 cipher=RC4-SHA bits=128/128); Sun, 05 Apr 2015 13:06:19 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: Brian Smith <brian@briansmith.org>, Hauke Mehrtens <hauke@hauke-m.de>, Jeffrey Walton <noloader@gmail.com>
Date: Sun, 05 Apr 2015 16:06:17 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-73-generic-pae; KDE/4.4.5; i686; ; )
References: <201504041352.12431.davemgarrett@gmail.com> <CAFewVt6T2M04Ta=YjyXV7U2gem6TV8EkNRn=b2zw+8q5ASHYPw@mail.gmail.com>
In-Reply-To: <CAFewVt6T2M04Ta=YjyXV7U2gem6TV8EkNRn=b2zw+8q5ASHYPw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201504051606.18088.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/mlmKBXESBX1iMXgMasz-BJKSTxE>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Server time
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Apr 2015 20:06:22 -0000

On Saturday, April 04, 2015 06:10:09 pm Jeffrey Walton wrote:
> I like the idea of a field like ServerHello.time so the server can
> communicate its belief in time. A client can defer a simple failure
> based on time until key exchange completes. If key exchange completes
> successfully, then the client can decide if it wants to accept the
> server's view of time.
> 
> The functionality leads to other attack surfaces, like a rogue server
> rolling back its time and using compromised key. But I think that can
> be solved with a good degree of certainty using Guttmann's security
> diversification techniques.

On Sunday, April 05, 2015 12:32:31 pm Hauke Mehrtens wrote:
> Adding such a field could also result in some stupid developers using
> this field to check if the certificate is valid for every handshake.

On Sunday, April 05, 2015 02:11:49 pm Brian Smith wrote:
> And note that clients often play the server roll in (D)TLS. In
> particular, clients act as both the client and server in DTLS for
> WebRTC. Consequently, there always needs to be a way for the server to
> NOT say what time it thinks it is.

The problems have solutions, but ones that would need to be implemented carefully. In particular, the safest way to handle servers needing time privacy would be to make ServerHello.time the last field, and simply not include it when not desired. (rather than zeroing it out)

Unauthenticated time is safe for sanity checking the client time, but relying on it to verify anything as opposed to just rejecting would be bad. Unauthenticated time sync is a far more narrow case that probably isn't worth having for the general case.

The above is sufficient to convince me that unauthenticated time in the ServerHello is not likely to be worth the risk in the general case. It's not idiot-proof enough.

The time could be integrated elsewhere into the handshake and authenticated, but now it's no longer simple. A basic ping/time protocol would be really simple, though, it'd have to be after the handshake.

As to the actual issue #64, fully prohibiting time in the random field entirely seems appropriate, however. That part seems simple enough. As noted by Brian, not doing so allows the time to accidentally be leaked in P2P usage.


Dave

v2.23.0 | Report a Bug | By Email