| < draft-ietf-kitten-tls-channel-bindings-for-tls13-09.txt | draft-ietf-kitten-tls-channel-bindings-for-tls13-10.txt > | |||
|---|---|---|---|---|
| Transport Layer Security S. Whited | Transport Layer Security S. Whited | |||
| Internet-Draft 1 October 2021 | Internet-Draft 15 October 2021 | |||
| Updates: 5801, 5802, 5929, 8446 (if approved) | Updates: 5801, 5802, 5929, 8446 (if approved) | |||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 4 April 2022 | Expires: 18 April 2022 | |||
| Channel Bindings for TLS 1.3 | Channel Bindings for TLS 1.3 | |||
| draft-ietf-kitten-tls-channel-bindings-for-tls13-09 | draft-ietf-kitten-tls-channel-bindings-for-tls13-10 | |||
| Abstract | Abstract | |||
| This document defines a channel binding type, tls-exporter, that is | This document defines a channel binding type, tls-exporter, that is | |||
| compatible with TLS 1.3 in accordance with RFC 5056, On Channel | compatible with TLS 1.3 in accordance with RFC 5056, On Channel | |||
| Binding. Furthermore it updates the "default" channel binding to the | Binding. Furthermore it updates the "default" channel binding to the | |||
| new binding for versions of TLS greater than 1.2. This document | new binding for versions of TLS greater than 1.2. This document | |||
| updates RFC5801, RFC5802, RFC5929, and RFC8446. | updates RFC5801, RFC5802, RFC5929, and RFC8446. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 4 April 2022. | This Internet-Draft will expire on 18 April 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Simplified BSD License text | extracted from this document must include Simplified BSD License text | |||
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2 | 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2 | |||
| 2. The 'tls-exporter' Channel Binding Type . . . . . . . . . . . 3 | 2. The 'tls-exporter' Channel Binding Type . . . . . . . . . . . 3 | |||
| 3. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | 3. TLS 1.3 with SCRAM or GSS-API over SASL . . . . . . . . . . . 3 | |||
| 3.1. Use with Legacy TLS . . . . . . . . . . . . . . . . . . . 3 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | |||
| 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 4.1. Use with Legacy TLS . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.1. Registration of Channel Binding Type . . . . . . . . . . 4 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.2. Registration of Channel Binding TLS Exporter Label . . . 4 | 5.1. Registration of Channel Binding Type . . . . . . . . . . 4 | |||
| 5. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 5.2. Registration of Channel Binding TLS Exporter Label . . . 5 | |||
| 5.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 5.2. Informative References . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 5 | ||||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| The "unique" channel binding types defined in [RFC5929] were found to | The "tls-unique" channel binding type defined in [RFC5929] was found | |||
| be vulnerable to the "triple handshake vulnerability" | to be vulnerable to the "triple handshake vulnerability" | |||
| [TRIPLE-HANDSHAKE] without the extended master secret extension | [TRIPLE-HANDSHAKE] without the extended master secret extension | |||
| defined in [RFC7627]. While TLS 1.3 uses a complete transcript hash | defined in [RFC7627]. While TLS 1.3 uses a complete transcript hash | |||
| akin to the extended master secret procedures, the safety of channel | akin to the extended master secret procedures, the safety of channel | |||
| bindings with TLS 1.3 was not analyzed as part of the core protocol | bindings with TLS 1.3 was not analyzed as part of the core protocol | |||
| work, and so the specification of channel bindings for TLS 1.3 was | work, and so the specification of channel bindings for TLS 1.3 was | |||
| deferred. [RFC8446] section C.5 notes the lack of channel bindings | deferred. [RFC8446] section C.5 notes the lack of channel bindings | |||
| for TLS 1.3; as this document defines such channel bindings, it | for TLS 1.3; as this document defines such channel bindings, it | |||
| updates [RFC8446] to note that this gap has been filled. | updates [RFC8446] to note that this gap has been filled. | |||
| Furthermore, this document updates [RFC5929] by adding an additional | Furthermore, this document updates [RFC5929] by adding an additional | |||
| unique channel binding type that replaces some usage of "tls-unique". | unique channel binding type, "tls-exporter", that replaces some usage | |||
| of "tls-unique". | ||||
| 1.1. Conventions and Terminology | 1.1. Conventions and Terminology | |||
| Throughout this document the acronym "EKM" is used to refer to | Throughout this document the acronym "EKM" is used to refer to | |||
| Exported Keying Material as defined in [RFC5705]. | Exported Keying Material as defined in [RFC5705]. | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119] [RFC8174] when, and only when, they appear in all | 14 [RFC2119] [RFC8174] when, and only when, they appear in all | |||
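Review bot: In the last paragraph of the Introduction, 'replaces some usage of "tls-unique"' still does not say which usage, even though this revision adds Section 3, "TLS 1.3 with SCRAM or GSS-API over SASL" (see the updated Table of Contents), to cover exactly that. Suggest pointing at it, for example: 'that replaces "tls-unique" as the default channel binding over TLS 1.3 and greater (see Section 3)'.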
| skipping to change at page 3, line 17 ¶ | skipping to change at page 3, line 17 ¶ | |||
| Channel binding mechanisms are not useful until TLS implementations | Channel binding mechanisms are not useful until TLS implementations | |||
| expose the required data. To facilitate this, "tls-exporter" uses | expose the required data. To facilitate this, "tls-exporter" uses | |||
| exported keying material (EKM) which is already widely exposed by TLS | exported keying material (EKM) which is already widely exposed by TLS | |||
| implementations. The EKM is obtained using the keying material | implementations. The EKM is obtained using the keying material | |||
| exporters for TLS as defined in [RFC5705] and [RFC8446] section 7.5 | exporters for TLS as defined in [RFC5705] and [RFC8446] section 7.5 | |||
| by supplying the following inputs: | by supplying the following inputs: | |||
| Label: The ASCII string "EXPORTER-Channel-Binding" with no | Label: The ASCII string "EXPORTER-Channel-Binding" with no | |||
| terminating NUL. | terminating NUL. | |||
| Context value: Empty context value. | Context value: Zero-length string. | |||
| Length: 32 bytes. | Length: 32 bytes. | |||
| This channel binding mechanism is defined only when TLS cipher | ||||
| negotiation results in unique master secrets, which is true of TLS | ||||
| 1.3 when renegotiation is disabled. | ||||
| 3. TLS 1.3 with SCRAM or GSS-API over SASL | ||||
| SCRAM [RFC5802] and GSS-API over SASL [RFC5801] define "tls-unique" | SCRAM [RFC5802] and GSS-API over SASL [RFC5801] define "tls-unique" | |||
| as the default channel binding to use over TLS. As "tls-unique" is | as the default channel binding to use over TLS. As "tls-unique" is | |||
| not defined for TLS 1.3 (and greater), this document updates | not defined for TLS 1.3 (and greater), this document updates | |||
| [RFC5801] and [RFC5802] to use "tls-exporter" as the default channel | [RFC5801] and [RFC5802] to use "tls-exporter" as the default channel | |||
| binding over TLS 1.3 (and greater). | binding over TLS 1.3 (and greater). | |||
| 3. Security Considerations | 4. Security Considerations | |||
| The channel binding type defined in this document is constructed so | The channel binding type defined in this document is constructed so | |||
| that disclosure of the channel binding data does not leak secret | that disclosure of the channel binding data does not leak secret | |||
| information about the TLS channel and does not affect the security of | information about the TLS channel and does not affect the security of | |||
| the TLS channel. Implementations MUST NOT use the channel binding to | the TLS channel. | |||
| protect secret information. | ||||
| The Security Considerations sections of [RFC5056], [RFC5705], and | The Security Considerations sections of [RFC5056], [RFC5705], and | |||
| [RFC8446] apply to this document. | [RFC8446] apply to this document. | |||
| 3.1. Use with Legacy TLS | 4.1. Use with Legacy TLS | |||
| While it is possible to use this channel binding mechanism with TLS | While it is possible to use this channel binding mechanism with TLS | |||
| versions below 1.3, extra precaution must be taken to ensure that the | versions below 1.3, extra precaution must be taken to ensure that the | |||
| chosen cipher suites always result in unique master secrets. For | chosen cipher suites always result in unique master secrets. For | |||
| more information see [RFC7627] and the Security Considerations | more information see [RFC7627] and the Security Considerations | |||
| section of [RFC5705]. | section of [RFC5705]. | |||
| When TLS renegotiation is enabled on a connection the "tls-exporter" | When TLS renegotiation is enabled on a connection the "tls-exporter" | |||
| channel binding type is not defined for that connection and | channel binding type is not defined for that connection and | |||
| implementations MUST NOT support it. | implementations MUST NOT support it. | |||
| In general, users wishing to take advantage of channel binding should | In general, users wishing to take advantage of channel binding should | |||
| upgrade to TLS 1.3 or later. | upgrade to TLS 1.3 or later. | |||
| The derived data MUST NOT be used for any purpose other than channel | The derived data MUST NOT be used for any purpose other than channel | |||
| bindings as described in [RFC5056]. | bindings as described in [RFC5056]. In particular, implementations | |||
| MUST NOT use channel binding as a secret key to protect privileged | ||||
| information. | ||||
| 4. IANA Considerations | 5. IANA Considerations | |||
| 4.1. Registration of Channel Binding Type | 5.1. Registration of Channel Binding Type | |||
| This document adds the following registration in the "Channel-Binding | This document adds the following registration in the "Channel-Binding | |||
| Types" registry: | Types" registry: | |||
| Subject: Registration of channel binding tls-exporter | Subject: Registration of channel binding tls-exporter | |||
| Channel binding unique prefix: tls-exporter | Channel binding unique prefix: tls-exporter | |||
| Channel binding type: unique | Channel binding type: unique | |||
| Channel type: TLS [RFC8446] | Channel type: TLS [RFC8446] | |||
| Published specification: draft-ietf-kitten-tls-channel-bindings-for- | Published specification: draft-ietf-kitten-tls-channel-bindings-for- | |||
| tls13-09 | tls13-10 | |||
| Channel binding is secret: no | Channel binding is secret: no | |||
| Description: The EKM value obtained from the current TLS connection. | Description: The EKM value obtained from the current TLS connection. | |||
| Intended usage: COMMON | Intended usage: COMMON | |||
| Person and email address to contact for further information: Sam | Person and email address to contact for further information: Sam | |||
| Whited <sam@samwhited.com>. | Whited <sam@samwhited.com>. | |||
| Owner/Change controller name and email address: IESG. | Owner/Change controller name and email address: IESG. | |||
| Expert reviewer name and contact information: IETF KITTEN or TLS WG | Expert reviewer name and contact information: IETF KITTEN or TLS WG | |||
| (kitten@ietf.org or tls@ietf.org, failing that, ietf@ietf.org). | (kitten@ietf.org or tls@ietf.org, failing that, ietf@ietf.org). | |||
| Note: See the published specification for advice on the | Note: See the published specification for advice on the | |||
| applicability of this channel binding type. | applicability of this channel binding type. | |||
| 4.2. Registration of Channel Binding TLS Exporter Label | 5.2. Registration of Channel Binding TLS Exporter Label | |||
| This document adds the following registration in the "TLS Exporter | This document adds the following registration in the "TLS Exporter | |||
| Labels" registry: | Labels" registry: | |||
| Value: EXPORTER-Channel-Binding | Value: EXPORTER-Channel-Binding | |||
| DTLS-OK: Y | DTLS-OK: Y | |||
| Recommended: Y | Recommended: Y | |||
| Reference: This document | Reference: This document | |||
| 5. References | 6. References | |||
| 5.1. Normative References | 6.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | |||
| Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | |||
| <https://www.rfc-editor.org/info/rfc5056>. | <https://www.rfc-editor.org/info/rfc5056>. | |||
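Review bot: The requirement that implementations MUST NOT use the channel binding to protect secret information was dropped from the general Security Considerations text and re-added, reworded, at the end of Section 4.1 "Use with Legacy TLS". It applies equally to TLS 1.3, so it should stay in Section 4 proper, where a reader who skips the legacy subsection will still see it. The rewording also shifts the scope from "protect secret information" to "use channel binding as a secret key to protect privileged information"; if that narrowing is intended, writing "channel binding data" would match the first paragraph of Section 4. Two smaller points in Section 2: "which is true of TLS 1.3 when renegotiation is disabled" implies renegotiation can be enabled in TLS 1.3, which [RFC8446] does not provide for, so consider "which is always true of TLS 1.3". Also, Section 4.1 permits legacy TLS, where [RFC5705] gives different exporter output for an absent context and a zero-length one, so "Zero-length string" should state that the context is present with length zero.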
| skipping to change at page 5, line 31 ¶ | skipping to change at page 5, line 43 ¶ | |||
| March 2010, <https://www.rfc-editor.org/info/rfc5705>. | March 2010, <https://www.rfc-editor.org/info/rfc5705>. | |||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| 5.2. Informative References | 6.2. Informative References | |||
| [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security | [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security | |||
| Service Application Program Interface (GSS-API) Mechanisms | Service Application Program Interface (GSS-API) Mechanisms | |||
| in Simple Authentication and Security Layer (SASL): The | in Simple Authentication and Security Layer (SASL): The | |||
| GS2 Mechanism Family", RFC 5801, DOI 10.17487/RFC5801, | GS2 Mechanism Family", RFC 5801, DOI 10.17487/RFC5801, | |||
| July 2010, <https://www.rfc-editor.org/info/rfc5801>. | July 2010, <https://www.rfc-editor.org/info/rfc5801>. | |||
| [RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams, | [RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams, | |||
| "Salted Challenge Response Authentication Mechanism | "Salted Challenge Response Authentication Mechanism | |||
| (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, | (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, | |||
| End of changes. 21 change blocks. | ||||
| 28 lines changed or deleted | 38 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||