[TLS] TLS 1.3 Authentication and Integrity only Cipher Suites
Ben Smyth <research@bensmyth.com> Thu, 04 February 2021 14:22 UTC
Return-Path: <research@bensmyth.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E6A03A15BB for <tls@ietfa.amsl.com>; Thu, 4 Feb 2021 06:22:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bensmyth.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s8dCO14G9W2s for <tls@ietfa.amsl.com>; Thu, 4 Feb 2021 06:22:47 -0800 (PST)
Received: from 7.smtp.34sp.com (7.smtp.34sp.com [IPv6:2a00:1ee0:2:5::2eb7:8ed]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F162E3A1524 for <tls@ietf.org>; Thu, 4 Feb 2021 06:22:42 -0800 (PST)
Received: from smtpauth5.mailarray.34sp.com (lvs5.34sp.com [46.183.13.73]) by 7.smtp.34sp.com (Postfix) with ESMTPS id A62F942B237 for <tls@ietf.org>; Thu, 4 Feb 2021 14:22:25 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bensmyth.com; s=dkim; t=1612448545; bh=PtaZ8brj1Y+Vnf89ke8YhWp7p4GLrmDUuxm5+ZHTMEU=; h=Reply-To:From:Date:Subject:To:Cc; b=c2PXKuk6pHw+Wz6/BCv5Tf9908hsyLH23TQdTWjNCbc/bxencgWcaU0hlnLbqelHN zGeIiHOh6zSY4MxOIlFQ7coSsfe/zGyT2Zc66jFKAbPjdj6I2yI4gLrvyxJK+/ZTtS RBj7SiFX4OLVS9rePPXS7ILA4i2ys9asLX9gnXKU=
Received: from mail-vs1-f42.google.com ([209.85.217.42]:43639) by smtpauth5.mailarray.34sp.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from <research@bensmyth.com>) id 1l7fWb-0002sL-Hz for tls@ietf.org; Thu, 04 Feb 2021 14:22:25 +0000
Received: by mail-vs1-f42.google.com with SMTP id q23so1841878vsg.4 for <tls@ietf.org>; Thu, 04 Feb 2021 06:22:25 -0800 (PST)
X-Gm-Message-State: AOAM532wnuFZrPVHGVPyjrzdqTuuNjhYicvAgA/370j40sHaTr/F+f/P pSzFndkL5OrTDSsVG1iWD0jFKB3Cc2w6syr9nLY=
X-Google-Smtp-Source: ABdhPJy7FCIY6inL6Oyse8Bkmf+icWEE02DsrPP4XWiWzrydOJqLukgXE7hY8wPuhnTG2rY2Owy+G/lxfV4negMfUwo=
X-Received: by 2002:a67:2283:: with SMTP id i125mr5112450vsi.21.1612448544130; Thu, 04 Feb 2021 06:22:24 -0800 (PST)
MIME-Version: 1.0
Reply-To: research@bensmyth.com
From: Ben Smyth <research@bensmyth.com>
Date: Thu, 04 Feb 2021 15:21:57 +0100
X-Gmail-Original-Message-ID: <CA+_8xu03uCNW+TAgbkL2f0pfredw21Kam5c6UdAGbdQE6a+d_w@mail.gmail.com>
Message-ID: <CA+_8xu03uCNW+TAgbkL2f0pfredw21Kam5c6UdAGbdQE6a+d_w@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b108fe05ba836e6c"
X-Authenticated-As: f594447444afb5e8e542d6cd3ee989c5ad593da02deb40a8d61181d2a2c508bd
X-OriginalSMTPIP: 209.85.217.42
X-34spcom-MailScanner-Information: Please contact the ISP for more information
X-34spcom-MailScanner-ID: A62F942B237.A6E00
X-34spcom-MailScanner: Found to be clean
X-34spcom-MailScanner-SpamCheck: not spam, SpamAssassin (score=-10.1, required 6.5, autolearn=disabled, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00, SPF_PASS -0.00, X34P_ALREADY_MARKED_SPAM 1.00, X34SP_ALLOW_GMAIL_EVEN_IF_BLACKLISTED -10.00, X34SP_OVERRIDE -1.00)
X-34spcom-MailScanner-From: research@bensmyth.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xGf79l_CNcIOmmNtXZlP8w9K2-c>
Subject: [TLS] TLS 1.3 Authentication and Integrity only Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2021 14:22:58 -0000
Internet-Draft "TLS 1.3 Authentication and Integrity only Cipher Suites" ( https://tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-08) highlights TLS use cases with authentication and integrity needs, without any need for confidentiality. The draft promotes mutual authentication, but this seems unnecessary, as I'll discuss. I'm also unclear why certificate-based authentication is mandated, as I'll also discuss. Let me first summarise application scenarios. The need to couple authentication and integrity seems clear: Neither makes sense without the other. (There's little sense in authenticating an interlocutor, without knowing whether they are communicating thereafter.) Equally, the case for dropping confidentiality seems clear: Some applications, including use cases given, simply do not require confidentiality. (It's worth noting that traffic analysis can anyhow defeat confidentiality, albeit, I'm unsure of the specifics.) The need for mutual authentication is unclear to me and seemingly unsubstantiated by use cases. For example, in the weather reporting use case, only the weather reporter need authenticate, a node seeking the report need not. Although some use cases may require mutual authentication, others seemingly do not. Given that unilateral authentication reduces computational and communication burden, whilst eradicating a class of private keys, can the draft be generalised to permit unilateral or mutual authentication? Actually, as it stands, the draft does not appear to provide mutual authentication, since TLS only provides unilateral authentication of a server by default. To ensure mutual authentication, the draft must mandate a server sending a CertificateRequest message, and a client responding with Certificate and CertificateVerify messages (rather than merely a Certificate message that does not contain a certificate). (For PSK-based key exchange, a client must include extension post_handshake_auth in their ClientHello message and a server must send a CertificateRequest after the handshake completes, but this mode isn't currently supported by the draft.) The draft mandates that "PSK data MUST NOT be sent in the handshake [due to the lack of confidentiality]," yet a standard ClientHello message sends PSK data (listing pre-shared key identifiers and key exchange modes for each) in the clear, as does a standard ServerHello message (a server-selected identifier is included). It's only a standard EncryptedExtensions message that protects handshake data, yet I can't find any PSK data that would be protected. Is PSK-based authentication viable? (I suspect a server could even securely issue a NewSessionTicket message, since such messages don't contain any particularly sensitive information, perhaps with the exception of the ticket_nonce, but even that shouldn't be sensitive, given that it merely ensures distinct pre-shared keys. That said, I haven't thought through the details.) I appreciate the work by Nancy and Jack on this draft, which covers useful application scenarios beyond the scope of the TLS 1.3 specification. Best regards, Ben
- [TLS] TLS 1.3 Authentication and Integrity only C… Ben Smyth
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Ben Schwartz
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Peter Gutmann
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Ben Schwartz
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… John Mattsson
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Stephen Farrell
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Salz, Rich
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Stephen Farrell
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Rob Sayre
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Salz, Rich
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Viktor Dukhovni
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Stephen Farrell
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Benjamin Kaduk
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… John Mattsson
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Bill Frantz
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Ira McDonald
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Eric Rescorla
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Eric Rescorla
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Eric Rescorla
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… Jack Visoky
- Re: [TLS] EXTERNAL: TLS 1.3 Authentication and In… John Mattsson