IETF Logo Mail Archive

Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

Ben Schwartz <bemasc@google.com> Mon, 08 February 2021 18:22 UTC

Return-Path: <bemasc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A34C03A0FF5 for <tls@ietfa.amsl.com>; Mon, 8 Feb 2021 10:22:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.499
X-Spam-Level:
X-Spam-Status: No, score=-17.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, ENV_AND_HDR_SPF_MATCH=-0.5, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w7EZjE7-ER_c for <tls@ietfa.amsl.com>; Mon, 8 Feb 2021 10:21:59 -0800 (PST)
Received: from mail-io1-xd30.google.com (mail-io1-xd30.google.com [IPv6:2607:f8b0:4864:20::d30]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1E263A0FEF for <tls@ietf.org>; Mon, 8 Feb 2021 10:21:59 -0800 (PST)
Received: by mail-io1-xd30.google.com with SMTP id n14so16042244iog.3 for <tls@ietf.org>; Mon, 08 Feb 2021 10:21:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=wVYE77FyG47UQE3hSgzY01zIVhJiqUuIs3KDKb9j9z8=; b=aUh48VViN3s27eFjmsz7CvCAOsyDg4MwR1wlTglSoEmJTSgJ4y/F37Qy9Yihx9un5a o0/l669UYIaIFFEL2XmU2SpuRhO1HFZs5cLCnFefhaAhhAFfKp3O94Geff55KslKTdLM e/1n5D5DO4nlCX0Y0j0ILj1yhC1PsoXl4Zgd9QLpgLnZ6DZb2A5AZmGOSL4f2wq1z7kw Cp/udjo0cxrXemSz6TV7nzcGYQ2E39XYmQtzGNFCdCBGmUKJlASVxJSLVawSBqp+/6w4 nrgJqd/PDKrNcOKNEKc+hsVwZbVK/prg7B7Sh+jDtw/JOTGV22DBCRYKN9Fc3xfvXVyQ oNDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=wVYE77FyG47UQE3hSgzY01zIVhJiqUuIs3KDKb9j9z8=; b=EDt5ULekeAsELhDEkbw/qgsQX+uq61mKXXdiPTBvTiNdLi9Q+9+9al3fxt1nfypwG/ w4T70Bc+XMfX+Ojl9/b00/GYLrRCf/l+WPr1sa6lbYmoi+ldn5yM5j8QibCf3bxMahCK sSYRhjIbC5Ou33HKtd5JPvEjEVdw7Y/HxcHezTPFb4j0PPXh1hY1jZSPEDVNaTdd/zhy beqEdN188F0nuWFMlIepXjUaFDzEA63uPU+RX2i8pvFE3qInzo8nlHtVXywJlW4mwU61 bL9m67RqMf1wMLK1Bp7gWCi2MxUSXnEqbqMQt9NZPF6yiOeUbALkLrn6w9Xn9ur+guOG rfUA==
X-Gm-Message-State: AOAM531YdnS+W8M/ivXO21aQM1ApS6ASfGdyKTaXIVg8hZylsTxeYpM8 tuGydhq88yLcFAlMEel6RrFn0Go14u+t8ZaTtlrOWE++71Q=
X-Google-Smtp-Source: ABdhPJz+tC1XglOugWD8ltr1PEnkVTtYONpdauMjyivIRXb5qxb63TdmyBQJUoNyFR6Uez2PGbFA02KWrkVuQB7JNSA=
X-Received: by 2002:a6b:be86:: with SMTP id o128mr15895493iof.111.1612808518776; Mon, 08 Feb 2021 10:21:58 -0800 (PST)
MIME-Version: 1.0
References: <CA+_8xu03uCNW+TAgbkL2f0pfredw21Kam5c6UdAGbdQE6a+d_w@mail.gmail.com> <DM5PR2201MB1643A9CE6A15BC5C5B8FA4B399B29@DM5PR2201MB1643.namprd22.prod.outlook.com>
In-Reply-To: <DM5PR2201MB1643A9CE6A15BC5C5B8FA4B399B29@DM5PR2201MB1643.namprd22.prod.outlook.com>
From: Ben Schwartz <bemasc@google.com>
Date: Mon, 08 Feb 2021 13:21:47 -0500
Message-ID: <CAHbrMsA5wyaAfsHrOjQmw89KhZAQCvut4aw=temu5d+TOsby4Q@mail.gmail.com>
To: Jack Visoky <jmvisoky=40ra.rockwell.com@dmarc.ietf.org>
Cc: "research@bensmyth.com" <research@bensmyth.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="000000000000df2e3f05bad73e6c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/pe6Bf9TekJJBQmoA2a_2kLhrd-0>
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 18:22:02 -0000

If you are updating the text, I would recommend removing the claim about
performance.  In general, the ciphersuites specified in the text are likely
to be slower than popular AEAD ciphersuites like AES-GCM.

On Fri, Feb 5, 2021 at 5:38 PM Jack Visoky <jmvisoky=
40ra.rockwell.com@dmarc.ietf.org> wrote:

> Hi Ben,
>
>
>
> Thanks for the feedback, I think you have some good insights. I agree that
> there are cases where mutual authentication is not required, we’ll update
> to reflect that. Same for PSKs, on thinking about this there doesn’t seem
> to be a good reason why PSKs cannot be used. We’ll make some updates to the
> draft and post them.
>
>
>
> Thanks!
>
>
>
> --Jack
>
>
>
>
>
> *From:* Ben Smyth <research@bensmyth.com>
> *Sent:* Thursday, February 4, 2021 9:22 AM
> *To:* <tls@ietf.org> <tls@ietf.org>
> *Cc:* ncamwing@cisco.com; Jack Visoky <jmvisoky@ra.rockwell.com>
> *Subject:* EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher
> Suites
>
>
>
> [Use caution with links & attachments]
>
>
>
> Internet-Draft "TLS 1.3 Authentication and Integrity only Cipher Suites" (
> https://tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-08
> <https://urldefense.com/v3/__https:/tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-08__;!!JhrIYaSK6lFZ!4VGEXZ1YyVlF7PaLHd9fzg61-tgLBvP9317XM7khFlKZVYOSILmLuTHQR6G95fWDR-k2$>)
> highlights TLS use cases with authentication and integrity needs, without
> any need for confidentiality. The draft promotes mutual authentication, but
> this seems unnecessary, as I'll discuss. I'm also unclear why
> certificate-based authentication is mandated, as I'll also discuss. Let me
> first summarise application scenarios.
>
>
>
> The need to couple authentication and integrity seems clear: Neither makes
> sense without the other. (There's little sense in authenticating an
> interlocutor, without knowing whether they are communicating thereafter.)
> Equally, the case for dropping confidentiality seems clear: Some
> applications, including use cases given, simply do not require
> confidentiality. (It's worth noting that traffic analysis can anyhow defeat
> confidentiality, albeit, I'm unsure of the specifics.)
>
>
>
> The need for mutual authentication is unclear to me and seemingly
> unsubstantiated by use cases. For example, in the weather reporting use
> case, only the weather reporter need authenticate, a node seeking the
> report need not. Although some use cases may require mutual authentication,
> others seemingly do not. Given that unilateral authentication reduces
> computational and communication burden, whilst eradicating a class of
> private keys, can the draft be generalised to permit unilateral or mutual
> authentication?
>
>
>
> Actually, as it stands, the draft does not appear to provide mutual
> authentication, since TLS only provides unilateral authentication of a
> server by default. To ensure mutual authentication, the draft must mandate
> a server sending a CertificateRequest message, and a client responding with
> Certificate and CertificateVerify messages (rather than merely a
> Certificate message that does not contain a certificate). (For PSK-based
> key exchange, a client must include extension post_handshake_auth in their
> ClientHello message and a server must send a CertificateRequest after the
> handshake completes, but this mode isn't currently supported by the draft.)
>
>
>
> The draft mandates that "PSK data MUST NOT be sent in the handshake [due
> to the lack of confidentiality]," yet a standard ClientHello message sends
> PSK data (listing pre-shared key identifiers and key exchange modes for
> each) in the clear, as does a standard ServerHello message (a
> server-selected identifier is included). It's only a standard
> EncryptedExtensions message that protects handshake data, yet I can't find
> any PSK data that would be protected. Is PSK-based authentication viable?
>
>
>
> (I suspect a server could even securely issue a NewSessionTicket message,
> since such messages don't contain any particularly sensitive information,
> perhaps with the exception of the ticket_nonce, but even that shouldn't be
> sensitive, given that it merely ensures distinct pre-shared keys. That
> said, I haven't thought through the details.)
>
>
>
> I appreciate the work by Nancy and Jack on this draft, which covers useful
> application scenarios beyond the scope of the TLS 1.3 specification.
>
>
>
>
>
> Best regards,
>
>
>
> Ben
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email