headers
Magnus Nyström | 2 Oct 2006 11:51

Follow-up to comments on draft-linn-otp-tls-00

All,

I would like to follow-up on some of the comments that John and I have 
received in the past and also received during the TLS session at the 66th 
IETF in Montreal. Firstly, I'd like to thank all the reviewers; we really 
appreciate you taking the time.

Whether to layer on TLS-PSK or not
----------------------------------
Several reviewers have suggested that it would be architecturally
better if new ciphersuites would be defined rather than attempting to
profile/extend TLS-PSK. There seems to be a few reasons why the
current approach has not been seen as optimal:

a) The term "key exchange" in TLS relates to the whole handshake as
opposed to the actual cryptographic key exchange (Pasi Eronen). Since
we're modifying the handshake (new extensions, new alerts, ...) it
should follow that this is a new key exchange and hence should define
a new ciphersuite (or -suites).

b) Interpretation of certain data (e.g. the psk_identity field) will
vary depending on whether "ordinary" TLS-PSK is performed or not; this
is undesirable as servers will need to be prepared to interpret (and
act upon) this field based on information in the Hello exchanges (Eric
Rescorla).

I don't quite understand a) above. I don't see that RFC4346 says that the
key exchange defines the whole handshake. But even if this is the case,
what about some of the extensions defined in RFC 4366, e.g. the
truncated_hmac one? It seems to me that that extension also modifies the
(Continue reading)

Permalink | Reply | 1 comment |
headers
Pasi.Eronen | 3 Oct 2006 13:00
Picon

RE: Follow-up to comments on draft-linn-otp-tls-00

Magnus Nyström wrote:
> On b) above, I agree that this is undesirable. One way forward that I
> can see - besides defining new ciphersuites - would be to introduce
> (and require use of, when doing a handshake based on OTPs) a new
> extension, along the lines of (obviously the syntax needs to be
> corrected):
> 
>        OTPHandshakeParams otp_handshake_params<0..2^16-1>;>
>        struct {
>            OTPAlgorithm otp_algorithm;
>            ChallengeData challenge_data<0..>;
>            HardeningData hardening_data<0..>;
>            KeyIdentifier key_identifier<0..>;
>            UserIdentifier user_identifier<0..>;
>        } OTPHandshakeParams;
> 
> This approach would allow not only signaling of the intent of basing
> the exchange on OTPs, but also to negotiate the actual OTP algorithm
> as well as related parameters. I note that the above should also take
> away the need to change the meaning of the psk_identity field,
> something we anyway have been recommended not to do.
> 
> What I'd like to ask is if this mandatory "signaling" of OTP use would
> be enough to resolve the concerns raised about the layering on top of
> the TLS-PSK ciphersuites?

It would solve the "coexistence with ordinary TLS-PSK" concern, but the
motivation of this layering still puzzles me... it would make sense
if defining a new ciphersuite was extremely hard and unpleasant thing 
that should be done only if no other option is possible... but to
(Continue reading)

Permalink | Reply | 0 comments |
headers
Olga Kornievskaia | 3 Oct 2006 17:33
Picon
Favicon

[67th IETF] SPKM3 BOF announcement

We would like to announce the following BOF for the 67th IETF meeting.

BOF name:  NFSv4 and Low Infrastructure Public Key Based GSS Security 
Mechanisms
Area: Security Area
Chair: Jeffrey Hutzelman

If this topic is of interest to you please email your questions and 
concerns to the mail list (spkm <at> ietf.org).

Problem Statement:

    The NFSv4 protocol has a need for low infrastructure PKI based GSS 
security mechanism(s) that provide for the creation of a secure channel 
using mutual authentication where    
    1) both user and server authenticate with public key certificates
    2) server authenticates with public key certificates, and the user 
authenticates with a username and password.

Current State:
    RFC3530 "Network File System (NFS) version 4 Protocol" mandates the 
use of RFC2847 "LIPKEY - A Low Infrastructure Public Key Mechanism Using 
SPKM". While RFC2847 fulfills the requirements of the problem
statement, there are areas where RFC2847 is outdated and/or 
underspecified. Futhermore, RFC2847 both replaces and refers to portions 
of RFC2025 "The Simple Public-Key GSS-API Mechanism (SPKM)" and is 
confusing to implementers. None the less, there are two implementations 
(Hummingbird and Linux) based upon RFC2847. 
draft-adamson-rfc2847-bis-01.txt, an update of RFC2847, is intended to 
address RFC2847 shortcomings and provide a complete specification that
(Continue reading)

Permalink | Reply | 0 comments |
headers
Peter Williams | 4 Oct 2006 20:16
Picon
Favicon
Gravatar

RE: Follow-up to comments on draft-linn-otp-tls-00



I see no reason why  TLS ciphers/ciphersuites should not facilitate key exchange or key derivation based on traditional key stream lookups (e.g. an OTP algorithm). This is really no different architecturally to the use of UKMs, in NSA/DoD processes for govt-grade TLS ciphersuites, to vary the the mac/enc TEKs formulated by asymmetric processes byuser/bytime. Whereas a modern UKM modifies the process of TEK key derivation  by moderating the asymmetric process generating the DerivedSessionToken, OTP streams could alternatively moderate external-time-synced tek generation(s) that do specifically to NOT rely on asymmetric algorithms.
 
I've already seen this happen in the TLS-like handshakes used in the OASIS ws-* family, when handling equivalent session token generation processes.  I.e. time synced key derivation processes influencing the TEKs in the derivedSessionToken resulting from a SSL-like handshake based on prior _symmetric_ key distribution to endpoints, only. The linking of external time to the keys protecting security contexts of course impacts the evidentiary value of PDUs. This is arguably far more valuable in internal, (sub)layer 7 security contexts (the ssl-like xml handshake's flowing over ws-reliablemessaging or X.400 RTS in Nato nets), than layer 4 contexts (https/ssl flows over tcp on the public Internet). 



> Date: Mon, 2 Oct 2006 11:51:23 +0200
> From: magnus <at> rsasecurity.com
> To: tls <at> ietf.org
> CC:
> Subject: [TLS] Follow-up to comments on draft-linn-otp-tls-00
>
> All,
>
> I would like to follow-up on some of the comments that John and I have 
> received in the past and also received during the TLS session at the 66th 
> IETF in Montreal. Firstly, I'd like to thank all the reviewers; we really 
> appreciate you taking the time.
>
> Whether to layer on TLS-PSK or not
> ----------------------------------
> Several reviewers have suggested that it would be architecturally
> better if new ciphersuites would be defined rather than attempting to
> profile/extend TLS-PSK. There seems to be a few reasons why the
> current approach has not been seen as optimal:
>
> a) The term "key exchange" in TLS relates to the whole handshake as
> opposed to the actual cryptographic key exchange (Pasi Eronen). Since
> we're modifying the handshake (new extensions, new alerts, ...) it
> should follow that this is a new key exchange and hence should define
> a new ciphersuite (or -suites).
>
> b) Interpretation of certain data (e.g. the psk_identity field) will
> vary depending on whether "ordinary" TLS-PSK is performed or not; this
> is undesirable as servers will need to be prepared to interpret (and
> act upon) this field based on information in the Hello exchanges (Eric
> Rescorla).
>
> I don't quite understand a) above. I don't see that RFC4346 says that the
> key exchange defines the whole handshake. But even if this is the case,
> what about some of the extensions defined in RFC 4366, e.g. the
> truncated_hmac one? It seems to me that that extension also modifies the
> behavior of the parties, without introducing new ciphersuites?
>
> On b) above, I agree that this is undesirable. One way forward that I
> can see - besides defining new ciphersuites - would be to introduce
> (and require use of, when doing a handshake based on OTPs) a new
> extension, along the lines of (obviously the syntax needs to be
> corrected):
>
>        OTPHandshakeParams otp_handshake_params<0..2^16-1>;>
>        struct {
>            OTPAlgorithm otp_algorithm;
>            ChallengeData challenge_data<0..>;
>            HardeningData hardening_data<0..>;
>            KeyIdentifier key_identifier<0..>;
>            UserIdentifier user_identifier<0..>;
>        } OTPHandshakeParams;
>
> This approach would allow not only signaling of the intent of basing
> the exchange on OTPs, but also to negotiate the actual OTP algorithm
> as well as related parameters. I note that the above should also take
> away the need to change the meaning of the psk_identity field,
> something we anyway have been recommended not to do.
>
> What I'd like to ask is if this mandatory "signaling" of OTP use would
> be enough to resolve the concerns raised about the layering on top of
> the TLS-PSK ciphersuites?
>
> The strength of OTPs as a basis for TLS session keys
> ----------------------------------------------------
> There was a discussion about this in Montreal and I just want to
> clarify:
>
> A typical OTP is 6 - 8 decimal digits long, although alphanumerical OTPs 
> are also in use. In addition, some OTP systems employ centralized PINs, 
> meaning that the user provides a PIN in conjunction with the OTP. 
> Typically this would therefore give in the order of 33 - 40 bits of 
> entropy.  Through hardening, one can increase the resistance. For example, 
> hardening by iterative hashes, as suggested in the current draft, could 
> complicate an attack as follows: With 100,000 iterations, the work load of 
> the attacker will be about 17 bits more, in effect adding about 17 bits of 
> strength (admittedly at a cost for the legit parties). For the example 
> above, this would mean 50 - 57 bits of "entropy". Clearly this is less 
> than even the 80-bit level offered through use of RSA 1024-bit keys, and I 
> agree we could make this fact explicit (e.g. through some detailed 
> examples) in the document and also add a recommendation to use the D-H-PSK 
> (with normal caveats about MITM) or RSA-PSK variants in these situations. 
> But I would not want to disallow the "direct" variant, for example since 
> some connected OTP tokens may be able to emit considerably longer OTPs 
> when in connected mode, and therefore would not need D-H (or the use of a 
> PKI with RSA). (Longer OTPs in connected mode do not need to degrade the 
> user experience since the user in these cases only enters the PIN, the OTP 
> is programmatically retrieved. Long OTPs also eliminate or at least reduce 
> the need for "hardening").
>
> -- Magnus
>
>
> _______________________________________________
> TLS mailing list
> TLS <at> lists.ietf.org
> https://www1.ietf.org/mailman/listinfo/tls


Share your special moments by uploading 500 photos per month to Windows Live Spaces Share it! 
_______________________________________________
TLS mailing list
TLS <at> lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Permalink | Reply | 0 comments |
headers
Internet-Drafts | 5 Oct 2006 00:50
Picon
Favicon

I-D ACTION:draft-ietf-tls-psk-null-02.txt

A New Internet-Draft is available from the on-line Internet-Drafts 
directories.
This draft is a work item of the Transport Layer Security Working Group of the IETF.

	Title		: Pre-Shared Key Cipher Suites with NULL Encryption for Transport Layer Security (TLS)
	Author(s)	: U. Blumenthal, P. Goel
	Filename	: draft-ietf-tls-psk-null-02.txt
	Pages		: 5
	Date		: 2006-10-4
	
This document specifies authentication-only cipher suites for the 
   Pre-Shared Key based Transport Layer Security (TLS) protocol to 
   support null encryption. These cipher suites are useful for countries 
   and places with cryptography-related restrictions.

A URL for this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-tls-psk-null-02.txt

To remove yourself from the I-D Announcement list, send a message to 
i-d-announce-request <at> ietf.org with the word unsubscribe in the body of 
the message. 
You can also visit https://www1.ietf.org/mailman/listinfo/I-D-announce 
to change your subscription settings.

Internet-Drafts are also available by anonymous FTP. Login with the 
username "anonymous" and a password of your e-mail address. After 
logging in, type "cd internet-drafts" and then 
"get draft-ietf-tls-psk-null-02.txt".

A list of Internet-Drafts directories can be found in
http://www.ietf.org/shadow.html 
or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

Internet-Drafts can also be obtained by e-mail.

Send a message to:
	mailserv <at> ietf.org.
In the body type:
	"FILE /internet-drafts/draft-ietf-tls-psk-null-02.txt".
	
NOTE:	The mail server at ietf.org can return the document in
	MIME-encoded form by using the "mpack" utility.  To use this
	feature, insert the command "ENCODING mime" before the "FILE"
	command.  To decode the response(s), you will need "munpack" or
	a MIME-compliant mail reader.  Different MIME-compliant mail readers
	exhibit different behavior, especially when dealing with
	"multipart" MIME messages (i.e. documents which have been split
	up into multiple messages), so check your local documentation on
	how to manipulate these messages.

Below is the data which will enable a MIME compliant mail reader
implementation to automatically retrieve the ASCII version of the
Internet-Draft.
Attachment: message/external-body, 136 bytes
Attachment (draft-ietf-tls-psk-null-02.txt): message/external-body, 69 bytes
_______________________________________________
TLS mailing list
TLS <at> lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Permalink | Reply | 0 comments |
headers
The IESG | 5 Oct 2006 20:51
Picon
Favicon

Last Call: 'Pre-Shared Key Cipher Suites with NULL Encryption for Transport Layer Security (TLS)' to Proposed Standard (draft-ietf-tls-psk-null)

The IESG has received a request from the Transport Layer Security WG to 
consider the following document:

- 'Pre-Shared Key Cipher Suites with NULL Encryption for
   Transport Layer Security (TLS)'
   <draft-ietf-tls-psk-null-02.txt> as a Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action.  The IESG is especially interested in
feedback about this document being published as a Standards Track
RFC or an Informational RFC.  The TLS WG as asked for publication as
a Standards Track RFC, and the IESG would like to know if you think
this is the correct course of action or if you think it is more
appropriate to publish as an Informational RFC.  Please send any
comments to the iesg <at> ietf.org or ietf <at> ietf.org mailing lists by
2006-10-19.

The file can be obtained via
http://www.ietf.org/internet-drafts/draft-ietf-tls-psk-null-02.txt
Permalink | Reply | 1 comment |
headers
Peter Gutmann | 17 Oct 2006 08:57
Picon
Picon
Picon
Favicon

Re: PRF in TLS 1.2

David Hopwood <david.nospam.hopwood <at> blueyonder.co.uk> writes:

>I don't see what the motivation is for changing the PRF at all.
>
>Sure, it's an inelegant construction, but that's not important.

What he said :-).

(Apologies for the time-warp reply, I've been travelling with no net access).

Peter.
Permalink | Reply | 5 comments |
headers
Eric Rescorla | 17 Oct 2006 21:38

Open issue: Record Version Numbers

Yngve Petterson has pointed out [0] that there is some confusion
in how to interpret what version numbers ought to appear in
the ClientHello record in TLS handshakes. The issue is that
there are two numbers:

- the record version number
- the client hello version number

The text is quite clear that the second of these should be the
highest version you support. However, the text for the secodn
reads:

   "TLS clients who wish
   to negotiate with SSL 3.0 servers should send client hello messages
   using the SSL 3.0 record format and client hello structure, sending
   {3, 1} for the version field to note that they support TLS 1.0".	

I read this text as saying that if you are a client who supports TLS 1.0
and SSLv3, you should in general send the following values:

- record version number           {3, 0} (SSLv3)
- client hello version number     {3, 1} (TLSv1)

If the server decides to accept TLS 1.0, it should respond with the
following values:

- record version number           {3, 1} (TLSv1)
- client hello version number     {3, 1} (TLSv1)

Pettersen reports that in some cases this causes errors because servers
(inexplicably) use the record version in the negotiation.  However, I
think at the end of the day, that's a clear implementation error
and the spec should just clarify that the above behavior is what's
expected.

Comments?

-Ekr

[0] draft-ietf-pettersen-tls-interop-experience-00 (soon to
    be a TLS-WG draft but not published that way yet).
Permalink | Reply | 36 comments |
headers
Eric Rescorla | 17 Oct 2006 21:45

Open Issue: verify_data processing

Stipulating for the moment that we intend to replace the PRF,
we're left with the issue of how to compute the verify_data.
Currently, the verify_data is computed as:    

           PRF(master_secret, finished_label, MD5(handshake_messages) +
           SHA-1(handshake_messages)) [0..11];

If you're not using MD5 for your PRF, it doesn't make sense to use
it here either. This leaves us with two possibilities:

1. PRF the handshake_messages directly.
2. Hash them first.

The argument for hashing them first is that it avoids having
to store them (2-5k) for the entire handshake. It also will
accomodate PRFs which won't take unlimited size data.

The argument against is that it puts the security of the 
handshake on an unkeyed hash rather than a MAC (since 
you only need to mount a 2nd preimage attack on the hash
and then you have 2nd preimage on MAC(K,hash).).

My preference here would be to move to PRF(messages) and
if new PRFs can't cope with that then they can specify
a hash reduction of their own. Recall that the PRF needs
to be able to deal with fairly large data anyway since
the PMS + randoms could easily be 300+ bytes...

Comments? 

-Ekr

P.S. Please don't use this thread to say you don't want to
replace the PRF at all. The only question here is what we
do if *do* replace the PRF.
Permalink | Reply | 10 comments |
headers
Eric Rescorla | 17 Oct 2006 23:24

Re: Open issue: Record Version Numbers

Eric Rescorla <ekr <at> networkresonance.com> writes:

> Yngve Petterson has pointed out [0] that there is some confusion
> in how to interpret what version numbers ought to appear in
> the ClientHello record in TLS handshakes. The issue is that
> there are two numbers:
>
> - the record version number
> - the client hello version number
>
> The text is quite clear that the second of these should be the
> highest version you support. However, the text for the secodn
> reads:

I had it pointed out to me in private that these are contradictory.
This should read:

  The text is quite clear that the second of these should be the
  highest version you support. However, the text for the first
  reads:

>    "TLS clients who wish
>    to negotiate with SSL 3.0 servers should send client hello messages
>    using the SSL 3.0 record format and client hello structure, sending
>    {3, 1} for the version field to note that they support TLS 1.0".	
>
> I read this text as saying that if you are a client who supports TLS 1.0
> and SSLv3, you should in general send the following values:
>
> - record version number           {3, 0} (SSLv3)
> - client hello version number     {3, 1} (TLSv1)
>
> If the server decides to accept TLS 1.0, it should respond with the
> following values:
>
> - record version number           {3, 1} (TLSv1)
> - client hello version number     {3, 1} (TLSv1)
>
> Pettersen reports that in some cases this causes errors because servers
> (inexplicably) use the record version in the negotiation.  However, I
> think at the end of the day, that's a clear implementation error
> and the spec should just clarify that the above behavior is what's
> expected.

-Ekr
Permalink | Reply | 35 comments |

Gmane