IETF Logo Mail Archive

[TLS] TLS 1.3 Authentication and Integrity only Cipher Suites

Ben Smyth <research@bensmyth.com> Thu, 04 February 2021 14:22 UTC

Return-Path: <research@bensmyth.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E6A03A15BB for <tls@ietfa.amsl.com>; Thu, 4 Feb 2021 06:22:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bensmyth.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s8dCO14G9W2s for <tls@ietfa.amsl.com>; Thu, 4 Feb 2021 06:22:47 -0800 (PST)
Received: from 7.smtp.34sp.com (7.smtp.34sp.com [IPv6:2a00:1ee0:2:5::2eb7:8ed]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F162E3A1524 for <tls@ietf.org>; Thu, 4 Feb 2021 06:22:42 -0800 (PST)
Received: from smtpauth5.mailarray.34sp.com (lvs5.34sp.com [46.183.13.73]) by 7.smtp.34sp.com (Postfix) with ESMTPS id A62F942B237 for <tls@ietf.org>; Thu, 4 Feb 2021 14:22:25 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bensmyth.com; s=dkim; t=1612448545; bh=PtaZ8brj1Y+Vnf89ke8YhWp7p4GLrmDUuxm5+ZHTMEU=; h=Reply-To:From:Date:Subject:To:Cc; b=c2PXKuk6pHw+Wz6/BCv5Tf9908hsyLH23TQdTWjNCbc/bxencgWcaU0hlnLbqelHN zGeIiHOh6zSY4MxOIlFQ7coSsfe/zGyT2Zc66jFKAbPjdj6I2yI4gLrvyxJK+/ZTtS RBj7SiFX4OLVS9rePPXS7ILA4i2ys9asLX9gnXKU=
Received: from mail-vs1-f42.google.com ([209.85.217.42]:43639) by smtpauth5.mailarray.34sp.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from <research@bensmyth.com>) id 1l7fWb-0002sL-Hz for tls@ietf.org; Thu, 04 Feb 2021 14:22:25 +0000
Received: by mail-vs1-f42.google.com with SMTP id q23so1841878vsg.4 for <tls@ietf.org>; Thu, 04 Feb 2021 06:22:25 -0800 (PST)
X-Gm-Message-State: AOAM532wnuFZrPVHGVPyjrzdqTuuNjhYicvAgA/370j40sHaTr/F+f/P pSzFndkL5OrTDSsVG1iWD0jFKB3Cc2w6syr9nLY=
X-Google-Smtp-Source: ABdhPJy7FCIY6inL6Oyse8Bkmf+icWEE02DsrPP4XWiWzrydOJqLukgXE7hY8wPuhnTG2rY2Owy+G/lxfV4negMfUwo=
X-Received: by 2002:a67:2283:: with SMTP id i125mr5112450vsi.21.1612448544130; Thu, 04 Feb 2021 06:22:24 -0800 (PST)
MIME-Version: 1.0
Reply-To: research@bensmyth.com
From: Ben Smyth <research@bensmyth.com>
Date: Thu, 04 Feb 2021 15:21:57 +0100
X-Gmail-Original-Message-ID: <CA+_8xu03uCNW+TAgbkL2f0pfredw21Kam5c6UdAGbdQE6a+d_w@mail.gmail.com>
Message-ID: <CA+_8xu03uCNW+TAgbkL2f0pfredw21Kam5c6UdAGbdQE6a+d_w@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b108fe05ba836e6c"
X-Authenticated-As: f594447444afb5e8e542d6cd3ee989c5ad593da02deb40a8d61181d2a2c508bd
X-OriginalSMTPIP: 209.85.217.42
X-34spcom-MailScanner-Information: Please contact the ISP for more information
X-34spcom-MailScanner-ID: A62F942B237.A6E00
X-34spcom-MailScanner: Found to be clean
X-34spcom-MailScanner-SpamCheck: not spam, SpamAssassin (score=-10.1, required 6.5, autolearn=disabled, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00, SPF_PASS -0.00, X34P_ALREADY_MARKED_SPAM 1.00, X34SP_ALLOW_GMAIL_EVEN_IF_BLACKLISTED -10.00, X34SP_OVERRIDE -1.00)
X-34spcom-MailScanner-From: research@bensmyth.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xGf79l_CNcIOmmNtXZlP8w9K2-c>
Subject: [TLS] TLS 1.3 Authentication and Integrity only Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2021 14:22:58 -0000

Internet-Draft "TLS 1.3 Authentication and Integrity only Cipher Suites" (
https://tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-08)
highlights TLS use cases with authentication and integrity needs, without
any need for confidentiality. The draft promotes mutual authentication, but
this seems unnecessary, as I'll discuss. I'm also unclear why
certificate-based authentication is mandated, as I'll also discuss. Let me
first summarise application scenarios.

The need to couple authentication and integrity seems clear: Neither makes
sense without the other. (There's little sense in authenticating an
interlocutor, without knowing whether they are communicating thereafter.)
Equally, the case for dropping confidentiality seems clear: Some
applications, including use cases given, simply do not require
confidentiality. (It's worth noting that traffic analysis can anyhow defeat
confidentiality, albeit, I'm unsure of the specifics.)

The need for mutual authentication is unclear to me and seemingly
unsubstantiated
by use cases. For example, in the weather reporting use case, only the
weather reporter need authenticate, a node seeking the report need not.
Although some use cases may require mutual authentication, others seemingly
do not. Given that unilateral authentication reduces computational and
communication burden, whilst eradicating a class of private keys, can the
draft be generalised to permit unilateral or mutual authentication?

Actually, as it stands, the draft does not appear to provide mutual
authentication, since TLS only provides unilateral authentication of a
server by default. To ensure mutual authentication, the draft must mandate
a server sending a CertificateRequest message, and a client responding with
Certificate and CertificateVerify messages (rather than merely a
Certificate message that does not contain a certificate). (For PSK-based
key exchange, a client must include extension post_handshake_auth in their
ClientHello message and a server must send a CertificateRequest after the
handshake completes, but this mode isn't currently supported by the draft.)

The draft mandates that "PSK data MUST NOT be sent in the handshake [due to
the lack of confidentiality]," yet a standard ClientHello message sends PSK
data (listing pre-shared key identifiers and key exchange modes for each)
in the clear, as does a standard ServerHello message (a server-selected
identifier is included). It's only a standard EncryptedExtensions message
that protects handshake data, yet I can't find any PSK data that would be
protected. Is PSK-based authentication viable?

(I suspect a server could even securely issue a NewSessionTicket message,
since such messages don't contain any particularly sensitive information,
perhaps with the exception of the ticket_nonce, but even that shouldn't be
sensitive, given that it merely ensures distinct pre-shared keys. That
said, I haven't thought through the details.)

I appreciate the work by Nancy and Jack on this draft, which covers useful
application scenarios beyond the scope of the TLS 1.3 specification.


Best regards,

Ben

v2.23.0 | Report a Bug | By Email