headers
Ulrich Herberg | 20 May 2013 22:47

TLS1.2 vs TLS1.0

Hi,

I have not followed this WG, so please forgive me if a similar
question has already been discussed.

I am participating in another SDO on a standard for automated Demand
Response, called OpenADR (www.openadr.org), an application for the
smart grid. The application is basically a web service, exchanging XML
over HTTP over public networks, and using TLS (with RSA and ECDSA /
SHA1 ciphers for TLS 1.0 and SHA2 for TLS1.2). Currently, the draft
allows for TLS1.0 and 1.1, but recommends using 1.2 (and requires
vendors to provide a migration plan in case TLS1.0 is obsoleted) .
TLS1.0 and 1.1 RFCs have been obsoleted by the IETF; but I am not sure
about the best current practice. Is it absolutely discouraged to use
them? The argument in the OpenADR alliance is that many libraries and
programming languages do not support TLS1.2, so they recommend to
start the handshake with 1.2 and then downgrade - if required - to
1.0. I read that NIST disallows SHA1 after 2013; which would also
affect TLS1.0, which does not support SHA2.

What would be your recommendation in this case? Mandate TLS1.2 and
disallow TLS1.0? Or just strongly recommend ("SHOULD") to use TLS1.2
and SHA2 ciphers, and otherwise to use TLS1.0?

Best regards
Ulrich
Permalink | Reply | 10 comments |
headers
Hannes Tschofenig | 14 May 2013 13:18
Picon

TLS Cached Info Status

Hi all, 
 
I thought it would be a good idea to let the group know what the status of the TLS Cached Info draft is (since Rob just asked me a few minutes ago). 
 
You may recall that we had a discussion about the ability to not only cache a single OCSP response (as defined with RFC 6066) but also OCSP responses of intermediate CA certs, which is functionality http://datatracker.ietf.org/doc/draft-ietf-tls-multiple-cert-status-extension/ provides. Rob raised this issue in his review, see http://www.ietf.org/mail-archive/web/tls/current/msg09352.html
 
To me it sounds reasonable to add the requested functionality and the pros & cons had been discussed on the list. 
 
When I met Ekr at the recent NIST workshop we briefly spoke about the TLS Cached Info document and how to progress it. He came up with the idea to use the Firefox telemetry feature to gather some data so that we can estimage the cache hit/miss ratio. With data we would obviously be in a much better position to make an informed decision. 
 
I hope that we get that data soon. If we cannot get it then we have to switch to plan B. 
 
Ciao
Hannes
 
 
_______________________________________________
TLS mailing list
TLS <at> ietf.org
https://www.ietf.org/mailman/listinfo/tls
Permalink | Reply | 0 comments |
headers
Swarupa | 8 May 2013 05:57
Picon

ECC key exchange messages

Hi ,
I am working on an ECC project, so I wanted to check packet capture for ECC key exchange,but when I run s_server with cipher as ECDH_RSA cipher set and try to connect from s_client,I see alert instead of server hello from server. What is the issue. How can I get openssl to use EDCH ciphers.

Thanks and Regards,
Swarupa
_______________________________________________
TLS mailing list
TLS <at> ietf.org
https://www.ietf.org/mailman/listinfo/tls
Permalink | Reply | 1 comment |
headers
=JeffH | 1 May 2013 02:11

comments on draft-balfanz-tls-channelid

[ for best results use a fixed-pitch font ]

Here's some comments on draft-balfanz-tls-channelid, I hope they're helpful.

=JeffH
------

High-level comments:

1. EncryptedExtensions modification to the TLS handshake ought to be split out 
into a separate spec.

2. What are the ramifications if the TLS WG does not adopt an 
EncryptedExtensions mechanism?  I.e., what are the downsides to the "channel id" 
being publicly exposed, i.e., the security ones as well as the privacy 
implications?

3. In my view, this spec defines how a TLS client generates and subsequently 
wields a unique client identifier/key with a particular TLS server over multiple 
TLS connections (in parallel and serially). Thus it is more about creating a 
"security association" between the client and server (eg, see definitions for 
the latter, as well as "channel", in RFC4949). Thus I would not use the term 
"channel" for this mechanism. Also, TLS unto itself is creating a cryptographic 
channel between client and server and thus using the channel term for this mech 
seems ripe for confusion.  This comment implies some re-writing of the 
introduction (I've made some modest suggestions below).  Perhaps "TLS Security 
Association ID" (TLS-SAIDs) ?

4. The lifecycle for the unique client identifier (aka "channel id") ought to be 
more fully discussed/specified in main portion of the spec. Presently it's 
sprinkled in the introduction and the privacy considerations.

5. There would seem to be considerations for applications in terms of reliance 
on the persistence of a given "channel id" and provisions for the "channel id" 
changing or disappearing, e.g. if an app leverages "channel id" to bind 
long-lived app-layer objects (eg cookies) to the TLS client, and these 
implications/issues should be discussed.

6. This mechanism should be compared/contrasted with TLS Channel Binding 
RFC5929. They don't appear to be mutually exclusive on first thought. What are 
the semantics if they are both employed by an application?  For what might one 
employ one or the other or both concurrently?

7. This is a "trust on first use (TOFU)" mechanism. This should be 
mentioned/discussed explicitly.

Detailed comments/questions:

 > Network Working Group                                         D. Balfanz
 > Internet-Draft                                               R. Hamilton
 > Expires: May 12, 2013                                         Google Inc
 >                                                         November 8, 2012
 >
 >
 >                Transport Layer Security (TLS) Channel IDs
 >                      draft-balfanz-tls-channelid-00
 >
 > Abstract
 >
 >    This document describes a Transport Layer Security (TLS) extension
 >    for identifying client machines at the TLS layer without using bearer
 >    tokens.
 >
snip
 >
 > Table of Contents
 >
 >    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
 >    2.  Why not client certificates  . . . . . . . . . . . . . . . . .  4
 >    3.  Requirements Notation  . . . . . . . . . . . . . . . . . . . .  5
 >    4.  Channel ID Extension . . . . . . . . . . . . . . . . . . . . .  6
 >    5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  8
 >    6.  Privacy Considerations . . . . . . . . . . . . . . . . . . . .  9
 >    7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 10
 >    8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 11
 >      8.1.  Normative References . . . . . . . . . . . . . . . . . . . 11
 >      8.2.  Informative References . . . . . . . . . . . . . . . . . . 11
 >    Appendix A.  Acknowledgements  . . . . . . . . . . . . . . . . . . 12
 >    Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 13
 >
snip
 >
 > 1.  Introduction
 >
 >    Many applications on the Internet use _bearer tokens_ to authenticate
 >    clients to servers.  The most prominent example is the HTTP-based
 >    World Wide Web, which overwhelmingly uses HTTP cookies to
 >    authenticate client requests.  Other examples include OpenID or SAML
 >    assertions, and OAuth tokens.  All these have in common that the
 >    _bearer_ of the HTTP cookie or authentication token is granted access
 >    to a protected resource, regardless of the channel over which the
 >    token is presented, or who presented it.
 >
 >    As a result, an adversary that manages to steal a bearer token from a
 >    client can impersonate that client to services that require the
 >    token.
 >
 >    This document describes a light-weight mechanism for establishing a
 >    _cryptographic channel_ between client and server.
                     ^^^^^^^                           ^
                security association        , denoted by an ECC public key.

 >                                                        A server can
                                                          ^
                                                    For example,

 >    choose to bind authentication tokens to this channel, thus rendering
                                                   ^^^^^^^
                                                 association

 >    the theft of authentication tokens fruitless - tokens must be sent
 >    over the channel to which they are bound (i.e., by the client to
 >    which they were issued) or else they will be ignored.

suggest..

   ..tokens bound to the security association will be ignored by the
   if they are not sent by the legitimate client.

 >
 >    This document does not prescribe _how_ authentication tokens are
 >    bound to the underlying channel.  Rather, it prescribes how a client
 >    can establish a long-lived channel with a server.
                                 ^^^^^^^
                            security association

 >                                                         Such a channel
                                                                ^^^^^^^^^
                                                           an association

 >    persists across HTTP requests, TLS connections, and even multiple TLS
 >    sessions, as long as the same client communicates with the same
 >    server.
 >
 >    The basic idea is that the client proves, during the TLS handshake,
 >    possession of a private key.  The corresponding public key becomes
 >    the "Channel ID" that identifies this TLS connection.  Clients should
 >    re-use the same private/public key pair across subsequent TLS
 >    connections to the same server, thus creating TLS connections that
 >    share the same Channel ID.
 >
 >    Using private/public key pairs to define a channel (as opposed to,
 >    say, an HTTP session cookie) has several advantages: One, the
 >    credential establishing the channel (the private key) is never sent
 >    from client to server, thus removing it from the reach of
 >    eavesdroppers in the network.  Two, clients can choose to implement
 >    cryptographic operations in a secure hardware module, which further
 >    removes the private key from the reach of eavesdroppers residing on
 >    the client itself.
 >
snip
 >
 > 2.  Why not client certificates
 >
 >    TLS already supports a means of identifying clients without using
 >    bearer tokens: client certificates.  However, a number of problems
 >    with using client certificates motivated the development of an
 >    alternative.
 >
 >    Most importantly, it's not acceptable for a client identifier to be

what are the threats if a long-term, asymmetric-key-based client identifier is 
sent in the clear during TLS handshake?  Is it mostly a privacy concern?  Or is 
it because of anticipated use cases of binding app-layer info to the TLS layer?

 >    transmitted in the clear and client certificates in TLS are sent
 >    unencrypted.  Although we could also define a change to the TLS state
 >    machine to move the client certificates under encryption, such
 >    changes eliminate most of the benefits of reusing something that's
 >    already defined.
 >
 >    TLS client certificates are also defined to be part of the session
 >    state.  This turns session resumption secrets into equivalent barer
                                                                    ^^^^^
                                                                   bearer
 >    tokens; completely defeating our objectives.

I'm curious here...  RFC5246 Appendix F.1.4. indicates..

    When a connection is established by resuming a session, new
    ClientHello.random and ServerHello.random values are hashed with the
    session's master_secret.  Provided that the master_secret has not
    been compromised and that the secure hash operations used to produce
    the encryption keys and MAC keys are secure, the connection should be
    secure and effectively independent from previous connections.

..so I'm not sure how "session resumption secrets" are "equivalent bearer tokens" ?

 >
 >    Client-certificates typically identify a user, while we seek to
 >    identify machines.  Since they are not, conceptually, mutually
 >    exclusive and as only a single client certificate can be provided in
 >    TLS, we don't want to consume that single slot and eliminate the
 >    possibility of also using existing client certificates.
 >
 >    Client certificates are implemented in TLS as X.509 certificates and
 >    we don't wish to require servers to parse arbitrary ASN.1.  ASN.1 is
 >    a complex encoding that has been the source of several security
 >    vulnerabilities in the past and typical TLS servers can currently
 >    avoid doing ASN.1 parsing.
 >
 >    X.509 certificates always include a signature, which would be a self-
 >    signature in this case.  Calculating and transmitting the self-
 >    signature is a waste of computation and network traffic in our use.
 >    Although we could define a null signature algorithm with an empty
 >    signature, such deviations from X.509 eliminate many of the benefits
 >    of reusing something that is already implemented.
 >
 >    Finally, client certificates trigger significant server-side
 >    processing by default and often need to be stored in their entirety
 >    for the duration of the connection.  Since this design is intended to
 >    be widely used, it allows servers to retain only a cryptographic hash
 >    of the client's public key after the handshake completes.
 >
snip
 >
 > 4.  Channel ID Extension
 >
 >    A new extension type ("channel_id(TBD)") is defined and MAY be
 >    included by the client in its "ClientHello" message.  If, and only
 >    if, the server sees this extension in the "ClientHello", it MAY
 >    choose to echo the extension in its "ServerHello".  In both cases,
 >    the "extension_data" field MUST be empty.
 >
 >    enum {
 >      channel_id(TBD), (65535)
 >    } ExtensionType;
 >
 >    A new handshake message type ("encrypted_extensions(TBD)") is
 >    defined.  If the server included a "channel_id" extension in its
 >    "ServerHello" message, the client MUST verify that the selected
 >    cipher suite is sufficiently strong.  If the cipher suite provides <
 >    80-bits of security, the client MUST abort the handshake with a fatal
 >    "illegal_parameter" alert.  Otherwise, the client MUST send an
 >    "EncryptedExtensions" message after its "ChangeCipherSpec" and before
 >    its "Finished" message.
 >
 >    enum {
 >      encrypted_extensions(TBD), (65535)
 >    } HandshakeType;
 >
 >    Therefore a full handshake with "EncryptedExtensions" has the
 >    following flow (contrast with section 7.3 of RFC 5246 [RFC5246]):
 >
 >    Client                                               Server
 >
 >    ClientHello (ChannelID extension)   -------->
 >                                                    ServerHello
 >                                          (ChannelID extension)
 >                                                   Certificate*
 >                                             ServerKeyExchange*
 >                                            CertificateRequest*
 >                                 <--------      ServerHelloDone
 >    Certificate*
 >    ClientKeyExchange
 >    CertificateVerify*
 >    [ChangeCipherSpec]
 >    EncryptedExtensions
 >    Finished                     -------->
 >                                             [ChangeCipherSpec]
 >                                 <--------             Finished
 >    Application Data             <------->     Application Data
 >
 >    An abbreviated handshake with "EncryptedExtensions" has the following
 >
 >
 >
 > Balfanz & Hamilton        Expires May 12, 2013                  [Page 6]
 > 
 > Internet-Draft               TLS Channel ID                November 2012
 >
 >
 >    flow:
 >
 >    Client                                                Server
 >
 >    ClientHello (ChannelID extension)    -------->
 >                                                    ServerHello
 >                                          (ChannelID extension)
 >                                             [ChangeCipherSpec]
 >                                  <--------            Finished
 >    [ChangeCipherSpec]
 >    EncryptedExtensions
 >    Finished                      -------->
 >    Application Data              <------->    Application Data
 >
 >    The "EncryptedExtensions" message contains a series of "Extension"
 >    structures (see section 7.4.1.4 of RFC 5246 [RFC5246]

the below should be separate section...

 >    If the server included a "channel_id" extension in its "ServerHello"
 >    message, the client MUST include an "Extension" with "extension_type"

suggest..

..the client MUST include, within the EncryptedExtensions message, an 
"Extension" with "extension_type"...

 >    equal to "channel_id(TBD)".  The "extension_data" of which has the
 >    following format:
 >
 >    struct {
 >      opaque x[32];
 >      opaque y[32];
 >      opaque r[32];
 >      opaque s[32];
 >    } ChannelIDExtension;
 >
 >    The contents of each of "x", "y", "r" and "s" is a 32-byte, big-
 >    endian number.  The "x" and "y" fields contain the affine coordinates
 >    of a P-256 [DSS] curve point.

you mean that the "x" and "y" fields (of the ChannelIDExtension struct) contain 
the  affine coordinates of a P-256 [DSS] curve point comprising an ECC public 
key "Q" ?

[ where Q = dG, d = ECC private key, G is the curve base point, and other 
elliptic curve "domain parameters" are as given in [DSS] for curve P-256, and 
the key pair is generated according to appendix B.4 in [DSS] aka FIPS-186-3 ? ]

So Q = (x,y) is the "channel id" per se ?  It should be made explicit.

What's the lifecycle management of this identifier (ie "Q")?  Is the TLS server 
(or the server-side app running on top of it) to remember this identifier?  Is 
it to be mapped to other client-side identifying information eg IP address, user 
data (eg account name), etc ?   Even though this I-D is just specifying the 
identifier and proof-of-possession mechanism (aka "holder of key"), some modest 
discussion of example use cases (beyond the mention of binding to 
"authentication tokens" that appears in the Introduction) would be helpful.

Presumably the TLS client stores this identifier keyed by TLS server domain name 
and re-uses it in future TLS connections to that server (the "storage model" 
needs to be discussed/specified)?  When might a TLS client change an established 
identifier?

(Some mention of these lifecycle items is given in the PrivCons section below)

Is it to be remembered on first use?  Is it to be updated in the server-side 
store upon it changing?  What are this identifier's overall semantics?

 >    The "r" and "s" fields contain an
 >    ECDSA [DSS] signature by the corresponding private key of "TLS
 >    Channel ID signature\x00"

suggest..

   The "r" and "s" fields contain an ECDSA [DSS] signature by the
   corresponding private key over this US-ASCII string (not including
   quotes, and where "\x00" represents an octet containing all zero bits):

       "TLS Channel ID signature\x00"

..although we should probably use ABNF (or the RFC5246 notation) to define this 
string and its concatenation with the handshake message hashes.

 >                            followed by the handshake hash(es) prior to
 >    the "EncryptedExtensions" message.

hashes of both the client-sent and server-sent handshake messages, as seen by 
the client?

 >
 >    Unlike many other TLS extensions, this extension does not establish
 >    properties of the session, only of the connection.  When session
 >    resumption or session tickets [RFC5077] are used, the previous
 >    contents of this extension are irrelevant and only the values in the
 >    new handshake messages are considered.

but presumably the same (long-lived?) TLS client identifier Q = (x,y)  used and 
only (r,s) are different ?

Or are new values for all of {x,y,r,s} calculated?  [ "no" is implied by the 
Introduction and Priv. Cons. ]

 > 5.  Security Considerations
 >
 >    There are four classes of attackers against which we consider our
 >    security guarantees: passive network attackers, active network
 >    attackers, active network attackers with misissued certificates and
 >    attackers in possession of the legitimate server's private key.
 >
 >    First, we wish to guarantee that we don't disclose the Channel ID to
 >    passive or active network attackers.

why?  simply for privacy reasons?

Or is the main concern that the "channel id" will be used by app layers, eg in 
HTTP cookies, in order to bind objects to a particular TLS client-server pair, 
and thus the "channel id" should be protected as a secret?

If the "channel id" is simply included in cookies, and those cookies are leaked 
in the clear (which is not uncommon for a variety of reasons), then the "channel 
id" will potentially be divulged in any case.

Since the channel id is a public key, the server could include some nonce, 
encrypted by the channel id key, in messages to the client, the client could 
decrypt it, then encrypt the nonce with its private key, and include that on 
messages back to the server, which the server could decrypt with the client's 
public key and verify. doing something like that could help keep the channel id 
itself out of these messages and their potentially leaky components (such as 
cookies)

if servers who rely upon the Channel ID always do so with a corresponding 
proof-of-possession of the private key on the part of the TLS client (and they 
perform the requisite checks), then what are the security (as opposed to 
privacy) issues if the Channel ID is observable by others?  I suppose it depends 
on the app-layer use cases employing the "channel id".

 >    We do this by sending a
 >    constant-length Channel ID under encryption.  However, since the
 >    Channel ID may be transmitted before the server's Finished message is
 >    received, it's possible that the server isn't in possession of the
 >    certificate that it presented.

do you mean in possession of the corresponding private key (to the cert it 
presented) ?

 >                                In this situation, an active attacker
 >    could cause a Channel ID to be transmitted under a random key in a
 >    cipher suite of their choosing.  Therefore we limit the permissible
 >    cipher suites to those where decrypting the message is infeasible.

these TLS cipher suites should be explicitly listed.

 >
 >    Even with this limit, an active attacker can cause the Channel ID to
 >    be transmitted in a non-forward-secure manner.  Subsequent disclosure
 >    of the server's private key would allow previously recorded Channel
            ^
        legitimate

 >    IDs to be decrypted.
 >
 >    Second, we wish to guarantee that none of the first three attackers
 >    can terminate/hijack a TLS connection and impersonate a Channel ID
 >    from that connection when connecting to the legitimate server.  We
 >    assume that TLS provides sufficient security to prevent a connection
 >    from being hijacked once established by these attackers.

did you mean to say..

We assume that TLS provides sufficient security to prevent these attackers
from being able to hijack the TLS connection.

..?

 >                                                              An active
 >    attacker with a misissued certificate can successfully terminate the
 >    TLS connection and decrypt the Channel ID.

need a definition and perhaps reference for "mis-issued" cert.

 >                                              However, as the signature
 >    covers the handshake hashes, and therefore the server's certificate,
 >    it wouldn't be accepted by the true server.

this essentially means that a attacker server with a mis-issued certificate 
cannot act as a real-time TLS proxy between the TLS client and legit server, yes?

But otherwise such an attacker could potentially mount an impersonation of the 
legitimate server, yes?

 >
 >    Against an attacker with the legitimate server's private key we can
 >    provide the second guarantee only if the legitimate server uses a
 >    forward-secret cipher suite, otherwise the attacker can hijack the
 >    connection.

here "connection" means the long-lived "security association" between TLS client 
and legit server, yes?

the known forward-secret TLS cipher suites should perhaps be listed in an appendix.

 >
snip
 >
 > 6.  Privacy Considerations
 >
 >    The TLS layer does its part in protecting user privacy by
 >    transmitting the Channel ID public key under encryption.  Higher
 >    levels of the stack must ensure that the same Channel ID is not used
 >    with different servers in such a way as to provide a linkable
 >    identifier.  For example, a user-agent must use different Channel IDs
 >    for communicating with different servers.

There's ostensibly privacy implications worth mentioning in that each distinct 
TLS client stack one wields with a particular TLS server will generate a 
distinct "channel id" (TLS-SAID), even if they are "behind" one IP address from 
the server's perspective.

 >                                                   User-agents must also
 >    ensure that Channel ID state can be reset by the user in the same way
 >    as other identifiers, i.e. cookies.

Yes, because otherwise this becomes a "super cookie" mech.

This implies dependent app-layers will need to be able to handle dynamically 
changing "channel id" (TLS-SAID)s.

 >
 >    However, there are some security concerns that could result in the
 >    disclosure of a client's Channel ID to a network attacker.  This is
 >    covered in the Security Considerations section.
 >
snip
 >
 > 7.  IANA Considerations
 >
 >    This document requires IANA to update its registry of TLS extensions
 >    to assign an entry referred to here as "channel_id".
 >
 >    This document also requires IANA to update its registry of TLS
 >    handshake types to assign an entry referred to here as
 >    "encrypted_extensions".
 >
snip
 >
 > 8.  References
 >
 > 8.1.  Normative References
 >
 >    [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
 >               Requirement Levels", BCP 14, RFC 2119, March 1997.
 >
 >    [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
 >               (TLS) Protocol Version 1.2", RFC 5246, August 2008.
 >
 >    [DSS]      National Institute of Standards and Technology, "FIPS
 >               186-3: Digital Signature Standard".
                                                   ^
                                           Issued June, 2009

 >
 > 8.2.  Informative References
 >
 >    [RFC5077]  Salowey, J., Zhou, H., Eronen, P., and H. Tschofenig,
 >               "Transport Layer Security (TLS) Session Resumption without
 >               Server-Side State", RFC 5077, January 2008.
 >
 >
<snip/>

---
end
Permalink | Reply | 1 comment |
headers
=JeffH | 30 Apr 2013 23:01

Re: whither draft-agl-tls-nextprotoneg? EncryptedExtensions? (was: Update on Origin-Bound Certificates: Now called "Channel ID")

AGL replied..

 > On Sun, Nov 11, 2012 at 8:30 PM, Paul Hoffman <paul.hoffman <at> vpnc.org> wrote:
 >>
 >> Is is possible for you to do a separate Internet-Draft on
 >> EncryptedExtensions, and then point to it from draft-balfanz-tls-channelid?
 >> I ask because there are probably other future extensions that will want to
 >> use that extension...
 >
 > EncryptedExtensions is also used in the NPN. I'd be happy to split it off if
 > the WG were to adopt something that required it.

So whither draft-agl-tls-nextprotoneg (in light of 
draft-ietf-tls-applayerprotoneg)?  Informational?

After perusing both draft-agl-tls-nextprotoneg and draft-balfanz-tls-channelid,
I tend to agree with PaulH that EncryptedExtensions ought to be a stand-alone 
spec that is referenced by TLS extension specs as needed.

HTH,

=JeffH
Permalink | Reply | 2 comments |
headers
Dan Sun | 23 Apr 2013 03:57
Picon

HTTPS vs HTTP Data Increase

Hello,

As more and more applications being migrated over TLS, besides encoding /decoding cost and additional RTT on the network, I am wondering how much additional byte are created roughly by encrypting the clear text over TLS compared to HTTP?

There must be some work already done from this angle but hardly to find it on the web. Could you share some good references or white papers for this KPI?

Sorry to bother you in this mail list. But this is where the most expertise is.

Appreciate your help!

Dan

_______________________________________________
TLS mailing list
TLS <at> ietf.org
https://www.ietf.org/mailman/listinfo/tls
Permalink | Reply | 0 comments |
headers
hammondjohnson | 27 Apr 2013 19:52
Favicon

Biggest Fake Conference in Computer Science

We are researchers from different parts of the world and conducted a study on  
the world’s biggest bogus computer science conference WORLDCOMP 
( http://sites.google.com/site/worlddump1 ) organized by Prof. Hamid Arabnia 
from University of Georgia, USA.

We submitted a fake paper to WORLDCOMP 2011 and again (the same paper 
with a modified title) to WORLDCOMP 2012. This paper had numerous 
fundamental mistakes. Sample statements from that paper include: 

(1). Binary logic is fuzzy logic and vice versa
(2). Pascal developed fuzzy logic
(3). Object oriented languages do not exhibit any polymorphism or inheritance
(4). TCP and IP are synonyms and are part of OSI model 
(5). Distributed systems deal with only one computer
(6). Laptop is an example for a super computer
(7). Operating system is an example for computer hardware

Also, our paper did not express any conceptual meaning.  However, it 
was accepted both the times without any modifications (and without 
any reviews) and we were invited to submit the final paper and a 
payment of $500+ fee to present the paper. We decided to use the 
fee for better purposes than making Prof. Hamid Arabnia (Chairman 
of WORLDCOMP) rich. After that, we received few reminders from 
WORLDCOMP to pay the fee but we never responded. 

We MUST say that you should look at the above website if you have any thoughts 
to submit a paper to WORLDCOMP.  DBLP and other indexing agencies have stopped 
indexing WORLDCOMP’s proceedings since 2011 due to its fakeness. See 
http://www.informatik.uni-trier.de/~ley/db/conf/icai/index.html for of one of the 
conferences of WORLDCOMP and notice that there is no listing after 2010. See Section 2 of
http://sites.google.com/site/dumpconf for comments from well-known researchers 
about WORLDCOMP. 

The status of your WORLDCOMP papers can be changed from scientific
to other (i.e., junk or non-technical) at any time. Better not to have a paper than 
having it in WORLDCOMP and spoil the resume and peace of mind forever!

Our study revealed that WORLDCOMP is a money making business, 
using University of Georgia mask, for Prof. Hamid Arabnia. He is throwing 
out a small chunk of that money (around 20 dollars per paper published 
in WORLDCOMP’s proceedings) to his puppet (Mr. Ashu Solo or A.M.G. Solo) 
who publicizes WORLDCOMP and also defends it at various forums, using 
fake/anonymous names. The puppet uses fake names and defames other conferences
to divert traffic to WORLDCOMP. He also makes anonymous phone calls and tries to 
threaten the critiques of WORLDCOMP (See Item 7 of Section 5 of above website). 
That is, the puppet does all his best to get a maximum number of papers published 
at WORLDCOMP to get more money into his (and Prof. Hamid Arabnia’s) pockets. 

Monte Carlo Resort (the venue of WORLDCOMP for more than 10 years, until 2012) has 
refused to provide the venue for WORLDCOMP’13 because of the fears of their image 
being tarnished due to WORLDCOMP’s fraudulent activities. That is why WORLDCOMP’13 
is taking place at a different resort. WORLDCOMP will not be held after 2013. 

The draft paper submission deadline is over but still there are no committee 
members, no reviewers, and there is no conference Chairman. The only contact 
details available on WORLDCOMP’s website is just an email address! 

Let us make a direct request to Prof. Hamid arabnia: publish all reviews for 
all the papers (after blocking identifiable details) since 2000 conference. Reveal 
the names and affiliations of all the reviewers (for each year) and how many 
papers each reviewer had reviewed on average. We also request him to look at 
the Open Challenge (Section 6) at https://sites.google.com/site/moneycomp1 

Sorry for posting to multiple lists. Spreading the word is the only way to stop 
this bogus conference. Please forward this message to other mailing lists and people. 

We are shocked with Prof. Hamid Arabnia and his puppet’s activities 
http://worldcomp-fake-bogus.blogspot.com   Search Google using the 
keyword worldcomp fake for additional links.

_______________________________________________
TLS mailing list
TLS <at> ietf.org
https://www.ietf.org/mailman/listinfo/tls
Permalink | Reply | 0 comments |
headers
Stephan Friedl (sfriedl | 25 Apr 2013 23:19
Picon
Favicon

New Revision: draft-ietf-tls-applayerprotoneg-01 Posted

We have posted a new revision of draft-ietf-tls-applayerprotoneg-01.  Changes to this version include:

 

1.       Revised Introduction

2.       Addition of HTTP/2 in the references section

3.       Removal of paragraph on hash calculations (in response to WG feedback)

4.       Clean up of some references within the document and reference formats

5.       Addition of Adam Langley from Google as a co-author

6.       Addition of Emile Stephan from France Telecom – Orange as a co-author

 

We are very interested in any review comments or feedback that we can use to further improve the draft.

 

Best Wishes,

 

Stephan Friedl

 

_______________________________________________
TLS mailing list
TLS <at> ietf.org
https://www.ietf.org/mailman/listinfo/tls
Permalink | Reply | 0 comments |
headers
internet-drafts | 25 Apr 2013 23:08
Picon
Favicon

I-D Action: draft-ietf-tls-applayerprotoneg-01.txt


A New Internet-Draft is available from the on-line Internet-Drafts directories.
 This draft is a work item of the Transport Layer Security Working Group of the IETF.

	Title           : Transport Layer Security (TLS) Application Layer Protocol Negotiation Extension
	Author(s)       : Stephan Friedl
                          Andrei Popov
                          Adam Langley
                          Emile Stephan
	Filename        : draft-ietf-tls-applayerprotoneg-01.txt
	Pages           : 8
	Date            : 2013-04-25

Abstract:
   This document describes a Transport Layer Security (TLS) extension
   for application layer protocol negotiation within the TLS handshake.
   For instances in which the TLS connection is established over a well
   known TCP/IP port not associated with the desired application layer
   protocol, this extension allows the application layer to negotiate
   which protocol will be used within the TLS session.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-tls-applayerprotoneg

There's also a htmlized version available at:
http://tools.ietf.org/html/draft-ietf-tls-applayerprotoneg-01

A diff from the previous version is available at:
http://www.ietf.org/rfcdiff?url2=draft-ietf-tls-applayerprotoneg-01

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/
Permalink | Reply | 0 comments |
headers
Sean Turner | 23 Apr 2013 19:16

draft-mcgrew-tls-aes-ccm-ecc

Hi,

I've been asked to shepherd this document.  It's a normative reference 
for the core COAP WG specification.

My question is whether this draft should include an MTI curve or whether 
that should be left up to the application.  I ask because no other EC 
TLS cipher suite picks a curve.

spt
Permalink | Reply | 9 comments |
headers
Sean Turner | 16 Apr 2013 16:06

AD review of draft-ietf-tls-oob-pubkey

I'd like to discuss some of these before issuing an IETF LC.  There's no 
implied importance based on the order.

0) abstract: I'd delete the 2nd paragraph it really sounds like 
marketing.  The third paragraph is also a repeat of what's in the 1st 
paragraph - I'd just delete it.  Finally, need to be clear that you're 
also defining two new TLS extensions:

  This document specifies a new certificate type and two TLS extensions,
  one for the client and one for the server, for exchanging raw
  public keys in Transport Layer Security (TLS) and Datagram Transport
  Layer Security (DTLS) for use with out-of-band public key validation.

1) s1 does a good job of motivating the need for server side keys but 
falls a little short on client keys.  Why does the intro to the bullet 
list mention how the client can get the server's certificate with the 
last bullet also talking about the client's key?  Also, is the paragraph 
after the bullets just an explicit example of the last bullet?

Seems like the first sentence should be:

   Traditionally, TLS client and server public keys ...

and then maybe:

  Alternative methods are available that allow a TLS clients/servers
  to obtain the TLS servers/client public key:

    o  TLS clients can obtain the TLS server public key from a
       DNSSEC secured resource records using DANE [RFC6698].

    o  The TLS client or server public key is obtained from a
       [PKIX] certificate chain from an Lightweight Directory
       Access Protocol (LDAP) [LDAP] server or web page.

    o  The TLS client and server public key is provisioned into
       the operating system firmware image, and updated via
       software updates. For example:

       * Some smart objects use the UDP-based Constrained
         Application Protocol (CoAP) [I-D.ietf-core-coap] to
         interact with a Web server to upload sensor data at
         a regular intervals, such as temperature readings.
         CoAP [I-D.ietf-core-coap] can utilize DTLS for securing
         the client-to-server communication.  As part of the
         manufacturing process, the embeded device may be
         configured with the address and the public key of
         a dedicated CoAP server, as well as a public key for
         the client itself.

2) s1: The last paragraph needs to indicate that this document defines 
two new certificate extensions:

  This document registers a new value to the IANA certificate
  types registry for the support of raw public keys.  It also
  defines two new TLS extensions, "client_certificate_type" and
  "server_certificate_type".

3) I think the introduction needs to make it very clear that without the 
out-of-band binding between the public key and the entity that no 
authentication is actually being performed.  Add something like the 
following to the end of s1:

   The mechanism defined herein only provides authentication when
   an out-of-band mechanism is also used to bind the public key
   to the entity presenting the key.

4) s3: r/raw public key certificates/raw public keys

5) wrt Figure 3 maybe we can just list the ones we know about? And, RFC 
5480 updated 3279 wrt ECDSA public keys so it needs to point there:

   [RFC3279] and [RFC5480] define the following OIDs:

Key Type             | Document                   | OID
---------------------+----------------------------+-------------------
RSA                  | Section 2.3.1 of RFC 3279  | 1.2.840.113549.1.1
.....................|............................|...................
Digital Signature    |                            |
Algorithm (DSS)      | Section 2.3.2 of RFC 3279  | 1.2.840.10040.4.1
.....................|............................|...................
Elliptic Curve       |                            |
Digital Signature    |                            |
Algorithm (ECDSA)    | Section 2.1.1 of RFC 5480  | 1.2.840.10045.2.1
---------------------+----------------------------+-------------------

                  Figure 3: Example Algorithm Identifiers.

and add 5480 as reference.

Grumble: would have listed RSASSA-PSS but it's not supported.

6) And on those references, I think the references for 3279 and 5480 end 
up normative.  All are standards track so no downref issues.

7) s3: I think it's not just an algorithm it sometimes includes 
additional parameters.  Also need to include the AlgorithmIdentifier 
syntax. I think that means some slight tweaking:

  The SubjectPublicKeyInfo structure is defined in Section 4.1 of RFC
  5280 [PKIX] and does not only contain the raw keys, such as the
  public exponent and the modulus of an RSA public key, but also an
  algorithm identifier.  The algorithm identifier can also include
  parameters.  The structure, as shown in Figure 2, is
  encoded in an ASN.1 format and therefore contains length information
  as well.  An example is provided in Appendix A.

    SubjectPublicKeyInfo  ::=  SEQUENCE  {
      algorithm            AlgorithmIdentifier,
      subjectPublicKey     BIT STRING  }

    AlgorithmIdentifier  ::=  SEQUENCE  {
      algorithm               OBJECT IDENTIFIER,
      parameters              ANY DEFINED BY algorithm OPTIONAL  }

               Figure 2: SubjectPublicKeyInfo ASN.1 Structure.

ref:

   [RFC5480]  Turner, S., Brown, D., Yiu, K., Housley, R., and T. Polk,
              "Elliptic Curve Cryptography Subject Public Key
              Information", RFC 5480, March 2009.

8) I'm thinking we need to say DER encoded in the above as well:

   an DER encoded ASN.1 [X.690] format

here's the reference:

    [X.690]    ITU-T Recommendation X.690 (2002) | ISO/IEC 8825-1:2002,
               Information technology - ASN.1 encoding rules:
               Specification of Basic Encoding Rules (BER), Canonical
               Encoding Rules (CER) and Distinguished Encoding Rules
               (DER).

9) s4.1: Are some words missing from the following:

  In order to indicate the support of out-of-band raw public keys,
  clients MUST include the 'client_certificate_type' and
  'server_certificate_type' extensions extended client hello message.

extensions "in an" extended client hello message?

10) s4.2:  Maybe reword this slightly:

OLD:

  If the client indicated the support of raw public keys in the
  'client_certificate_type' extension in the client hello and the
  server is able to provide such raw public key then the TLS server
  MUST place the SubjectPublicKeyInfo structure into the Certificate
  payload.

NEW:

  If the client hello indicates support of raw public keys in the
  'client_certificate_type' extension and the
  server also supports raw public keys then the TLS server
  MUST place the SubjectPublicKeyInfo structure into the Certificate
  payload.

But, a more important question is the meaning of that paragraph above. 
Doesn't that override the "sorted by client preference" from s3?

11) s6: Got some questions about the following:

   This information will be needed to make
   authorization decisions.  Without a secure binding,
   man-in-the-middle attacks may be the consequence.

1st isn't that authentication.  2nd isn't it masquerade attacks?  3rd 
it's not really a may it's more an is likely to be?

12) In s6, it indicates:

   This document assumes that such
   binding can be made out-of-band and we list a few examples in
   Section 1.

This statement begs the question as to whether there needs to be a 
requirement on protocols that use this extension to specify the method 
used to provide the out-of-band binding.  In other words something like:

   Specifications that make use of the extension MUST specify the
   mechanism by which the identity and the public key are bound.
   Otherwise, authentication is not possible.

13) How are we supposed to check whether key is still considered "good"? 
  If you can't that might be okay, but you need to mention that there's 
no mechanism to support this yet or that that also needs to be done 
out-of-band.

14) Are there any other extensions that don't make sense to negotiate if 
raw keys are chosen?  For example, if the the client and server settle 
on raw keys do either of the ocsp stapling extensions make sense anymore?

15) In s7, ask IANA to point the Certificate's Type Registry to this draft.

spt
Permalink | Reply | 14 comments |

Gmane