Re: [TLS] Deprecating tls-unique for TLS 1.3
Andrei Popov <Andrei.Popov@microsoft.com> Wed, 04 November 2015 08:43 UTC
Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F0B0D1AC3CD for <tls@ietfa.amsl.com>; Wed, 4 Nov 2015 00:43:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gq_ec4Z4PHjO for <tls@ietfa.amsl.com>; Wed, 4 Nov 2015 00:43:37 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0754.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:754]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CBA31A92BC for <tls@ietf.org>; Wed, 4 Nov 2015 00:43:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=m/74IoS+rWo5g0DVzXm5AxV+TAgrLgFTH+jZdZt5smw=; b=Eud8xM38Jf+WeBM6mJOdjSOpvYmGKtklSbnyVBpW3yMfb1oAJgYm9WX2q47VqKcKptsMFfsN8jRLEuWFGusOr/QaJm8bEK3ILNZXn0SkTtshyGqRnO/6lOoKGqWHmWMPYxVRTuCp3Qy8piPDEuYanbg+nWJ78fQwd2R+E/8JyME=
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1395.namprd03.prod.outlook.com (10.163.81.141) with Microsoft SMTP Server (TLS) id 15.1.312.18; Wed, 4 Nov 2015 08:43:18 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0312.014; Wed, 4 Nov 2015 08:43:18 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>, Martin Thomson <martin.thomson@gmail.com>
Thread-Topic: [TLS] Deprecating tls-unique for TLS 1.3
Thread-Index: AQHRFqZDUwDvKAI6N0ymNo51TIx4056LH5qAgABLDwCAAAGQgIAABOiAgAAZkxA=
Date: Wed, 04 Nov 2015 08:43:17 +0000
Message-ID: <BLUPR03MB13966EE3EF73BBF0689A00BE8C2A0@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <F7D995DF-98C9-4093-AA6A-8EA251E7274C@isode.com> <CABcZeBMbQyePbr8TQe8SuT5dLDcOoS8Ni6BjnBpKFtwqboMk1g@mail.gmail.com> <5639A8D8.1060400@isode.com> <CABkgnnXatS440EJJCijzjjt2WArWGUhpXXzWxZnyOFkT62xuNw@mail.gmail.com> <5639AE45.2030909@isode.com>
In-Reply-To: <5639AE45.2030909@isode.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [118.243.125.71]
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1395; 5:L4eL4iNlCllI2Hq5dO3C5b/9eZg0a+AT39qCsZqqDnsc9thaTl+YMfDEZq6hBnDJQ4FxXmETZsCH/IFZyF/gK+JK9iQizKX5is2RpXwPSxviB+DRO028BN8Ii5QBxUVi7u0HeJdmzpdzLyVjQ/EmmQ==; 24:JARONdL3r3GCtJHqnsXMfvyWAqmlkLM2VkAwmM3QBToKIU6ueZowyI0WqG/ZxVLMoIERk/wQPxpSI/9cztPVprUnkrEwjFCV+l5oDyOPeio=; 20:pVMBJLFYm9rbzP70xzUti6fuivJTN8MKz/0UsyxQWRObCviyRz34vypX4mpK16LuUCJjoesUCG7q6gemFYn+Kg==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1395;
x-microsoft-antispam-prvs: <BLUPR03MB139523DCE44E8A9E560564438C2A0@BLUPR03MB1395.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(189930954265078);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(520078)(8121501046)(5005006)(10201501046)(3002001)(61426024)(61427024); SRVR:BLUPR03MB1395; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1395;
x-forefront-prvs: 0750463DC9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(189002)(199003)(24454002)(13464003)(479174004)(50944005)(86612001)(102836002)(2950100001)(2900100001)(15975445007)(8990500004)(5005710100001)(5004730100002)(10400500002)(92566002)(40100003)(5007970100001)(81156007)(189998001)(11100500001)(74316001)(5008740100001)(77096005)(10290500002)(122556002)(5001960100002)(86362001)(5002640100001)(575784001)(33656002)(66066001)(99286002)(97736004)(106356001)(106116001)(101416001)(105586002)(54356999)(10090500001)(76176999)(50986999)(87936001)(93886004)(19580395003)(5003600100002)(19580405001)(76576001)(5001770100001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1395; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Nov 2015 08:43:17.7693 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1395
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/rxVgbWDKGeVM4vOgDN9FhDJ3-3A>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Deprecating tls-unique for TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 08:43:41 -0000
I agree with Alexey that we can't just start returning the new, longer, tls-unique from the same API call. So perhaps the simplest fix is to update RFC 5929 to say that tls-unique is deprecated and EKM should be used instead, with certain recommended parameters. This does mean that any protocols that rely on tls-unique will need to negotiate a new revision. Cheers, Andrei -----Original Message----- From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Alexey Melnikov Sent: Wednesday, November 4, 2015 4:06 PM To: Martin Thomson <martin.thomson@gmail.com> Cc: tls@ietf.org Subject: Re: [TLS] Deprecating tls-unique for TLS 1.3 On 04/11/2015 15:48, Martin Thomson wrote: > What is wrong with getTlsUnique2() or getBetterTlsUnique() ? That would be fine, but see below. > It's not a drop-in replacement, If it is not a drop in replacement, it should have a different name. Channel bindings are referenced by names in various protocols (and some implementations can support more than one channel binding type), in particular in SASL SCRAM and SASL GS2. > but it indicates that the app understands the change. Otherwise, we > might have to signal this in TLS 1.2 proper. > 1.3 can just be fixed. My point are: 1) "tls-unique" is defined in TLS version-independent way, so it is currently defined for TLS 1.3 (as long as TLS 1.3 still uses Finished messages). 2) It would be much better to implement a single recommended TLS channel binding that works for both TLS 1.2 and TLS 1.3 3) We can't redefine how tls-unique works for TLS 1.2 without breaking existing implementations (I can explain this in more details, if needed). All of these made me think that defining a new channel binding that works for both TLS 1.2 and TLS 1.3 would be a better option. > On 4 November 2015 at 15:42, Alexey Melnikov <alexey.melnikov@isode.com> wrote: >> On 04/11/2015 11:13, Eric Rescorla wrote: >>> Can you expand on this a bit? Perhaps propose some text. >> >> So, tls-unique is defined in RFC 5929 as: >> >> Description: The first TLS Finished message sent (note: the Finished >> struct, not the TLS record layer message containing it) in the most >> recent TLS handshake of the TLS connection being bound to (note: TLS >> connection, not session, so that the channel binding is specific to >> each connection regardless of whether session resumption is used). >> If TLS renegotiation takes place before the channel binding >> operation, then the first TLS Finished message sent of the latest/ >> inner-most TLS connection is used. Note that for full TLS >> handshakes, the first Finished message is sent by the client, while >> for abbreviated TLS handshakes (session resumption), the first >> Finished message is sent by the server. >> >> This is currently independent of the version of TLS used. This is >> also broken for TLS 1.2 due to the triple handshake vulnerability. >> >> I don't think we can just redefine this for TLS 1.3 and expect this >> to work, because APIs for getting this information out of TLS >> libraries are going to be different if Exporters are used. >> Also, if "tls-unique" is redefined, an old implementation of >> "tls-unique" would be unable to talk to a new implementation. For >> example if one end is IMAP client using SCRAM or GS2 against IMAP >> server implementing the same. >> >> I think there is desire to fix this for both TLS 1.2 and 1.3. I think >> the best way would be to take Simon's draft-josefsson-sasl-tls-cb-03 >> (Channel Bindings for TLS based on the PRF) and update it for TLS >> 1.3. I think conceptually what Simon did is very similar to what was >> proposed in the TLS meeting today. >> >> >>> -Ekr >>> >>> >>> On Wed, Nov 4, 2015 at 11:12 AM, Alexey Melnikov >>> <alexey.melnikov@isode.com <mailto:alexey.melnikov@isode.com>> wrote: >>> >>> Just to clarify, I think it is fine to define TLS 1.3 replacement >>> for tls-unique using Exporters. But I suggest for interoperability >>> this should be defined as a new channel binding with a new name, as >>> opposed to just redefining tls-unique. >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww. >> ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cAndrei.Popov%40mic >> rosoft.com%7c5848f661843a4a6bdf2f08d2e4e676db%7c72f988bf86f141af91ab2 >> d7cd011db47%7c1&sdata=eo0A63TBIz1CdZKzpBRb9o2A7y1CW12IEtXPltbiohY%3d _______________________________________________ TLS mailing list TLS@ietf.org https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cAndrei.Popov%40microsoft.com%7c5848f661843a4a6bdf2f08d2e4e676db%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=eo0A63TBIz1CdZKzpBRb9o2A7y1CW12IEtXPltbiohY%3d
- [TLS] Deprecating tls-unique for TLS 1.3 Alexey Melnikov
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Eric Rescorla
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Yoav Nir
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Martin Thomson
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Alexey Melnikov
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Martin Thomson
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Alexey Melnikov
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Karthikeyan Bhargavan
- Re: [TLS] Deprecating tls-unique for TLS 1.3 Andrei Popov