Re: [TLS] comments on draft-balfanz-tls-channelid
Adam Langley <agl@google.com> Tue, 14 May 2013 20:57 UTC
Return-Path: <agl@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8451921F8FED for <tls@ietfa.amsl.com>; Tue, 14 May 2013 13:57:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QuPO9f5aMX0B for <tls@ietfa.amsl.com>; Tue, 14 May 2013 13:57:24 -0700 (PDT)
Received: from mail-gh0-f180.google.com (mail-gh0-f180.google.com [209.85.160.180]) by ietfa.amsl.com (Postfix) with ESMTP id 332FD21F8FEB for <tls@ietf.org>; Tue, 14 May 2013 13:57:23 -0700 (PDT)
Received: by mail-gh0-f180.google.com with SMTP id f18so202476ghb.39 for <tls@ietf.org>; Tue, 14 May 2013 13:57:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type; bh=lGhoBwLZdc8imoy8LIvZbtvw0ubLyBNMXABWUJTz+Tw=; b=cD564rrnx5AvvJQNAy/D+86hShg/do5h+v19ZPtQTu4oKR+QPk+tinOjtrNq/pzP63 xL+vL9JV0mPzy9e0mReWiJJTaMyBe6n9Dz7qQyLtii2SGSGTRb2dZVpyjRSZi0CQDbj+ xtCvlELQbUJ2WLX20KlzAP73rbGE1ayuc6Oo7idr8z5CvNfjK2QFWAeVll77jhcVS75X AMLNvLyKdx5uSJCPnEMU9RKTrLAtg2UMiNfhJ8/61ghaqQnfdOdsu2IeeGTfmfAFfQY4 AqpwsTXtVwPRjCvKnAz4oqv268aDHXy/H3a//okQt6zlCJck5Gn7pOkDS67s+2Jk1Jg/ creA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:cc:content-type:x-gm-message-state; bh=lGhoBwLZdc8imoy8LIvZbtvw0ubLyBNMXABWUJTz+Tw=; b=IKJxxSv40F2HANWkihPFRRkCFQs5cJQHIjSFX+ukXflif+PnQJIniK8SU6Ghbn6EIz JcbnmH3RHCedo4zn0uiy0r7a+4Uvm+YMhViSe+YqmB1m5D5NDsKmR2drPTdkWmX0D6YY ItviU1GB0VZqLb8D8ntNcKnZZ+6B3cCZmfqRVP0aSaJxDq1h5q7sPEyaXco9O3iGD/ej TqOe4IWvqCnKR8SDtPT+ILzgF8etSF3F5/brsbdwCEnRXy9PLMZoS5jODd1fG+LDLF+x RKgMyeITPTPou1Y0XaTL3Fgz3DQtsjb5MkEqRTlcJYZtZefYjBfS8/gldIbY/K1vrB2q kS6A==
MIME-Version: 1.0
X-Received: by 10.236.135.206 with SMTP id u54mr5695513yhi.31.1368565043538; Tue, 14 May 2013 13:57:23 -0700 (PDT)
Received: by 10.231.162.202 with HTTP; Tue, 14 May 2013 13:57:23 -0700 (PDT)
In-Reply-To: <51805DA9.8000606@KingsMountain.com>
References: <51805DA9.8000606@KingsMountain.com>
Date: Tue, 14 May 2013 16:57:23 -0400
Message-ID: <CAL9PXLxs6GbxhGveJWXVoSfYH00P5TnvaG25nD5CPx-0S8t=kw@mail.gmail.com>
From: Adam Langley <agl@google.com>
To: =JeffH <Jeff.Hodges@kingsmountain.com>
Content-Type: text/plain; charset="UTF-8"
X-Gm-Message-State: ALoCoQlgopfGNqX93TcNn7cA19dcnXPV47DSVZdJp/1pR+ngUFIZFB2KKzVgp8yAejZ7lBu3G75XIx0xrWqLM5OnEaemrdHgzaPtfk+4WIF/qo+aM/JdiUDXgPRAtclu7XRwIxj4iI8A4+csb5cV18x2xGvnAalJPYeqk6PzIlCAnrh597/HOLdEUQ3UOuyyOhlDvdNCUgBT
Cc: IETF TLS WG <tls@ietf.org>
Subject: Re: [TLS] comments on draft-balfanz-tls-channelid
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 May 2013 20:57:29 -0000
Thanks! I can answer a few of the techincal questions. I'll leave your comments on the wording and such to Dirk. > 2. What are the ramifications if the TLS WG does not adopt an > EncryptedExtensions mechanism? I.e., what are the downsides to the "channel > id" being publicly exposed, i.e., the security ones as well as the privacy > implications? It would mean that clients send, in the clear, a unique identifier for each eTLD+1. This would allow TLS connections to be deanonymised etc. > 6. This mechanism should be compared/contrasted with TLS Channel Binding > RFC5929. They don't appear to be mutually exclusive on first thought. What > are the semantics if they are both employed by an application? For what > might one employ one or the other or both concurrently? They are certainly related. Something like ChannelIDs could be implemented at the application layer by signing channel binding values. I think channel bindings were designed to provide exactly this, but to the application. > what are the threats if a long-term, asymmetric-key-based client identifier > is sent in the clear during TLS handshake? Is it mostly a privacy concern? > Or is it because of anticipated use cases of binding app-layer info to the > TLS layer? I think it's primarily a privacy concern. > ..so I'm not sure how "session resumption secrets" are "equivalent bearer > tokens" ? The session resumption information is sufficient to authenticate with a given client certificate. That is, if the client certificate is in a hardware token and signs a TLS handshake, then by stealing the session resumption information (from either end of the connection), an attacker steals something equivalent to the client-cert private key in some sense. > you mean that the "x" and "y" fields (of the ChannelIDExtension struct) > contain the affine coordinates of a P-256 [DSS] curve point comprising an > ECC public key "Q" ? Yes. > hashes of both the client-sent and server-sent handshake messages, as seen > by the client? Yes. > but presumably the same (long-lived?) TLS client identifier Q = (x,y) used > and only (r,s) are different ? It's certainly expected that the client would use the same public key (i.e. (x, y) pair), yes. > why? simply for privacy reasons? Yes. > Or is the main concern that the "channel id" will be used by app layers, eg > in HTTP cookies, in order to bind objects to a particular TLS client-server > pair, and thus the "channel id" should be protected as a secret? No, the Channel ID isn't a security secret. We wouldn't want to broadcast it for privacy reasons but, since one has to prove possession of the private key in order to use it, just the public key isn't sensitive. >> We do this by sending a >> constant-length Channel ID under encryption. However, since the >> Channel ID may be transmitted before the server's Finished message is >> received, it's possible that the server isn't in possession of the >> certificate that it presented. > > do you mean in possession of the corresponding private key (to the cert it > presented) ? Yes. > We assume that TLS provides sufficient security to prevent these attackers > from being able to hijack the TLS connection. Yes. >> However, as the signature >> covers the handshake hashes, and therefore the server's certificate, >> it wouldn't be accepted by the true server. > > this essentially means that a attacker server with a mis-issued certificate > cannot act as a real-time TLS proxy between the TLS client and legit server, > yes? > > But otherwise such an attacker could potentially mount an impersonation of > the legitimate server, yes? Yes, but the worry is that the attacker could impersonate the /client/, not the server. >> Against an attacker with the legitimate server's private key we can >> provide the second guarantee only if the legitimate server uses a >> forward-secret cipher suite, otherwise the attacker can hijack the >> connection. > > > here "connection" means the long-lived "security association" between TLS > client and legit server, yes? I think connection means connection in this case. The attacker could derive the session resumption information, but I don't think that helps them any more than simply hijacking the connection. Cheers AGL