Re: [websec] Forwarded review of draft-williams-websec-session-continue-prob-00

Nico Williams <nico@cryptonector.com> Thu, 17 January 2013 16:18 UTC

On Mon, Jan 14, 2013 at 17:05, Yoav Nir <ynir@checkpoint.com> wrote:
> I've shown this draft to a co-worker of mine (not on this list), and asked for a review. Here's some comments:
>
> - Overall, this is an interesting problem.

There's been quite a few proposals now to solve it all before we
identified this as worth treating as a problem separate from others:

 - draft-hammer-oauth-v2-mac-token
 - draft-hallambaker-httpintegrity
 - draft-williams-http-rest-auth
 - and several others

There's also been a number of recent mentions of this in the context
of CRIME in the HTTPbis WG list.

> - The document is missing a list of deficiencies with using Cookies

Well, for me CRIME is enough :)  But sure, I'll flesh that out a bit.
FWIW, I was under a hard deadline when I submitted the -00.

> - Section 2.1 says that TLS protects against replay. Really?  How? It doesn't have a protected counter like IPsec.

If you try to replay a handshake it won't work: the server will almost
certainly pick different nonces and, if relevant, DH keys, so the
Finished message exchange will fail.

If you try to replay a TLS record layer message... TLS will detect
that too because of its use of sequence numbers.  See RFC5246, search
for "sequence"; see section 6.2.3 in particular.  Search also for
"replay".  This is also true of DTLS.

If you can neither replay handshakes, entire connections, nor
individual records then it's got replay protection :)

> - Will the resulting protocol support a transition from authenticated session to authenticated session for purposes such as re-authenticating after a specified time, or moving from weak authentication to strong authentication for high-value transactions?

If we can make that work securely, then yes.

> Nit: HTTP is HyperText **Transfer** Protocol, not **Transport**.  This one is already fixed in Nico's repository.

There were some instances of one and some of the other.  It was just
me being sloppy as I hurried to meet a hard deadline.

Thanks!

Nico
--
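
Added example, not part of the original message: a MAC-only sketch of the record-layer sequence number mechanism in RFC 5246 section 6.2.3.1 that the reply above points to, showing why a replayed record fails verification. The key, payloads, and the Sender/Receiver names are constructed for illustration; encryption and padding are omitted, and the length field carries the plaintext length.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23          # ContentType application_data
TLS12 = (3, 3)                 # ProtocolVersion for TLS 1.2


def record_mac(key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    # RFC 5246 6.2.3.1: MAC input is seq_num || type || version || length || fragment.
    header = struct.pack("!QBBBH", seq, ctype, TLS12[0], TLS12[1], len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def seal(self, fragment: bytes) -> bytes:
        mac = record_mac(self.key, self.seq, APPLICATION_DATA, fragment)
        self.seq += 1
        # The sequence number is implicit: it is never placed on the wire.
        return struct.pack("!BBBH", APPLICATION_DATA, *TLS12, len(fragment)) + fragment + mac


class Receiver:
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def open(self, record: bytes) -> bytes:
        ctype, _, _, length = struct.unpack("!BBBH", record[:5])
        fragment, mac = record[5:5 + length], record[5 + length:]
        # The receiver MACs with its own counter, not anything the peer sent.
        expected = record_mac(self.key, self.seq, ctype, fragment)
        if not hmac.compare_digest(mac, expected):
            raise ValueError("bad_record_mac")   # a fatal alert in real TLS
        self.seq += 1
        return fragment


def demo() -> list:
    key = b"\x01" * 32  # constructed MAC key
    tx, rx = Sender(key), Receiver(key)
    first, second = tx.seal(b"GET /balance"), tx.seal(b"POST /transfer")
    results = [rx.open(first), rx.open(second)]
    try:
        rx.open(second)          # replayed record: receiver now expects seq 2
    except ValueError as exc:
        results.append(str(exc))
    return results
```

The same check rejects reordered or dropped records, since any mismatch between the sender's and receiver's counters changes the MAC input.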