| < draft-ietf-kitten-tls-channel-bindings-for-tls13-11.txt | draft-ietf-kitten-tls-channel-bindings-for-tls13-12.txt > | |||
|---|---|---|---|---|
| Transport Layer Security S. Whited | Transport Layer Security S. Whited | |||
| Internet-Draft 18 October 2021 | Internet-Draft 25 October 2021 | |||
| Updates: 5801, 5802, 5929, 8446 (if approved) | Updates: 5801, 5802, 5929, 7677, 8446 (if | |||
| approved) | ||||
| Intended status: Standards Track | Intended status: Standards Track | |||
| Expires: 21 April 2022 | Expires: 28 April 2022 | |||
| Channel Bindings for TLS 1.3 | Channel Bindings for TLS 1.3 | |||
| draft-ietf-kitten-tls-channel-bindings-for-tls13-11 | draft-ietf-kitten-tls-channel-bindings-for-tls13-12 | |||
| Abstract | Abstract | |||
| This document defines a channel binding type, tls-exporter, that is | This document defines a channel binding type, tls-exporter, that is | |||
| compatible with TLS 1.3 in accordance with RFC 5056, On Channel | compatible with TLS 1.3 in accordance with RFC 5056, On Channel | |||
| Binding. Furthermore it updates the "default" channel binding to the | Binding. Furthermore it updates the "default" channel binding to the | |||
| new binding for versions of TLS greater than 1.2. This document | new binding for versions of TLS greater than 1.2. This document | |||
| updates RFC5801, RFC5802, RFC5929, and RFC8446. | updates RFC5801, RFC5802, RFC5929, RFC7677, and RFC8446. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 21 April 2022. | This Internet-Draft will expire on 28 April 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2021 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 2, line 12 ¶ | skipping to change at page 2, line 21 ¶ | |||
| as described in Section 4.e of the Trust Legal Provisions and are | as described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Simplified BSD License. | provided without warranty as described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2 | 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 2 | |||
| 2. The 'tls-exporter' Channel Binding Type . . . . . . . . . . . 3 | 2. The 'tls-exporter' Channel Binding Type . . . . . . . . . . . 3 | |||
| 3. TLS 1.3 with SCRAM or GSS-API over SASL . . . . . . . . . . . 3 | 3. TLS 1.3 with SCRAM or GSS-API over SASL . . . . . . . . . . . 3 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 3 | |||
| 4.1. Use with Legacy TLS . . . . . . . . . . . . . . . . . . . 3 | 4.1. Use with Legacy TLS . . . . . . . . . . . . . . . . . . . 4 | |||
| 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 5.1. Registration of Channel Binding Type . . . . . . . . . . 4 | 5.1. Registration of Channel Binding Type . . . . . . . . . . 4 | |||
| 5.2. Registration of Channel Binding TLS Exporter Label . . . 5 | 5.2. Registration of Channel Binding TLS Exporter Label . . . 5 | |||
| 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | 6.1. Normative References . . . . . . . . . . . . . . . . . . 5 | |||
| 6.2. Informative References . . . . . . . . . . . . . . . . . 5 | 6.2. Informative References . . . . . . . . . . . . . . . . . 6 | |||
| Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 1. Introduction | 1. Introduction | |||
| The "tls-unique" channel binding type defined in [RFC5929] was found | The "tls-unique" channel binding type defined in [RFC5929] was found | |||
| to be vulnerable to the "triple handshake vulnerability" | to be vulnerable to the "triple handshake vulnerability" | |||
| [TRIPLE-HANDSHAKE] without the extended master secret extension | [TRIPLE-HANDSHAKE] without the extended master secret extension | |||
| defined in [RFC7627]. While TLS 1.3 uses a complete transcript hash | defined in [RFC7627]. While TLS 1.3 uses a complete transcript hash | |||
| akin to the extended master secret procedures, the safety of channel | akin to the extended master secret procedures, the safety of channel | |||
| bindings with TLS 1.3 was not analyzed as part of the core protocol | bindings with TLS 1.3 was not analyzed as part of the core protocol | |||
| skipping to change at page 3, line 29 ¶ | skipping to change at page 3, line 35 ¶ | |||
| Length: 32 bytes. | Length: 32 bytes. | |||
| This channel binding mechanism is defined only when TLS cipher | This channel binding mechanism is defined only when TLS cipher | |||
| negotiation results in unique master secrets, which is true of TLS | negotiation results in unique master secrets, which is true of TLS | |||
| 1.3 which always behaves as if it were using the extended master | 1.3 which always behaves as if it were using the extended master | |||
| secret fix required by previous versions of TLS (see [RFC8446] | secret fix required by previous versions of TLS (see [RFC8446] | |||
| appendix D). | appendix D). | |||
| 3. TLS 1.3 with SCRAM or GSS-API over SASL | 3. TLS 1.3 with SCRAM or GSS-API over SASL | |||
| SCRAM [RFC5802] and GSS-API over SASL [RFC5801] define "tls-unique" | SCRAM ([RFC5802], and [RFC7677]) and GSS-API over SASL [RFC5801] | |||
| as the default channel binding to use over TLS. As "tls-unique" is | define "tls-unique" as the default channel binding to use over TLS. | |||
| not defined for TLS 1.3 (and greater), this document updates | As "tls-unique" is not defined for TLS 1.3 (and greater), this | |||
| [RFC5801] and [RFC5802] to use "tls-exporter" as the default channel | document updates [RFC5801], [RFC5802], and [RFC7677] to use "tls- | |||
| binding over TLS 1.3 (and greater). | exporter" as the default channel binding over TLS 1.3 (and greater). | |||
| Note that this document does not change the default channel binding | ||||
| for SCRAM mechanisms over TLS 1.2 [RFC5246], which is still "tls- | ||||
| unique". | ||||
| 4. Security Considerations | 4. Security Considerations | |||
| The channel binding type defined in this document is constructed so | The channel binding type defined in this document is constructed so | |||
| that disclosure of the channel binding data does not leak secret | that disclosure of the channel binding data does not leak secret | |||
| information about the TLS channel and does not affect the security of | information about the TLS channel and does not affect the security of | |||
| the TLS channel. | the TLS channel. | |||
| The Security Considerations sections of [RFC5056], [RFC5705], and | The Security Considerations sections of [RFC5056], [RFC5705], and | |||
| [RFC8446] apply to this document. | [RFC8446] apply to this document. | |||
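Review bot: The note added at the end of Section 3 covers only "SCRAM mechanisms over TLS 1.2", while the paragraph it follows changes the default for both SCRAM and GSS-API over SASL [RFC5801]; state explicitly whether the GSS-API over SASL default over TLS 1.2 also remains "tls-unique" so implementers do not have to infer it. Because the Introduction says "tls-unique" is vulnerable to the triple handshake without the extended master secret extension, a pointer from this note to Section 4.1 (Use with Legacy TLS) would help. Separately, "SCRAM ([RFC5802], and [RFC7677])" has a stray comma before "and".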
| skipping to change at page 4, line 33 ¶ | skipping to change at page 4, line 41 ¶ | |||
| Subject: Registration of channel binding tls-exporter | Subject: Registration of channel binding tls-exporter | |||
| Channel binding unique prefix: tls-exporter | Channel binding unique prefix: tls-exporter | |||
| Channel binding type: unique | Channel binding type: unique | |||
| Channel type: TLS [RFC8446] | Channel type: TLS [RFC8446] | |||
| Published specification: draft-ietf-kitten-tls-channel-bindings-for- | Published specification: draft-ietf-kitten-tls-channel-bindings-for- | |||
| tls13-11 | tls13-12 | |||
| Channel binding is secret: no | Channel binding is secret: no | |||
| Description: The EKM value obtained from the current TLS connection. | Description: The EKM value obtained from the current TLS connection. | |||
| Intended usage: COMMON | Intended usage: COMMON | |||
| Person and email address to contact for further information: Sam | Person and email address to contact for further information: Sam | |||
| Whited <sam@samwhited.com>. | Whited <sam@samwhited.com>. | |||
| skipping to change at page 5, line 35 ¶ | skipping to change at page 5, line 41 ¶ | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | [RFC5056] Williams, N., "On the Use of Channel Bindings to Secure | |||
| Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007, | |||
| <https://www.rfc-editor.org/info/rfc5056>. | <https://www.rfc-editor.org/info/rfc5056>. | |||
| [RFC5705] Rescorla, E., "Keying Material Exporters for Transport | [RFC5705] Rescorla, E., "Keying Material Exporters for Transport | |||
| Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705, | Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705, | |||
| March 2010, <https://www.rfc-editor.org/info/rfc5705>. | March 2010, <https://www.rfc-editor.org/info/rfc5705>. | |||
| [RFC7677] Hansen, T., "SCRAM-SHA-256 and SCRAM-SHA-256-PLUS Simple | ||||
| Authentication and Security Layer (SASL) Mechanisms", | ||||
| RFC 7677, DOI 10.17487/RFC7677, November 2015, | ||||
| <https://www.rfc-editor.org/info/rfc7677>. | ||||
| [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC | |||
| 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, | |||
| May 2017, <https://www.rfc-editor.org/info/rfc8174>. | May 2017, <https://www.rfc-editor.org/info/rfc8174>. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, | |||
| <https://www.rfc-editor.org/info/rfc8446>. | <https://www.rfc-editor.org/info/rfc8446>. | |||
| 6.2. Informative References | 6.2. Informative References | |||
| [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | ||||
| (TLS) Protocol Version 1.2", RFC 5246, | ||||
| DOI 10.17487/RFC5246, August 2008, | ||||
| <https://www.rfc-editor.org/info/rfc5246>. | ||||
| [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security | [RFC5801] Josefsson, S. and N. Williams, "Using Generic Security | |||
| Service Application Program Interface (GSS-API) Mechanisms | Service Application Program Interface (GSS-API) Mechanisms | |||
| in Simple Authentication and Security Layer (SASL): The | in Simple Authentication and Security Layer (SASL): The | |||
| GS2 Mechanism Family", RFC 5801, DOI 10.17487/RFC5801, | GS2 Mechanism Family", RFC 5801, DOI 10.17487/RFC5801, | |||
| July 2010, <https://www.rfc-editor.org/info/rfc5801>. | July 2010, <https://www.rfc-editor.org/info/rfc5801>. | |||
| [RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams, | [RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams, | |||
| "Salted Challenge Response Authentication Mechanism | "Salted Challenge Response Authentication Mechanism | |||
| (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, | (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, | |||
| DOI 10.17487/RFC5802, July 2010, | DOI 10.17487/RFC5802, July 2010, | |||
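Review bot: The new [RFC7677] entry sits ahead of the "6.2. Informative References" heading, which makes it normative, while [RFC5801] and [RFC5802], which Section 3 updates in the same sentence, stay under 6.2 as informative. Classify the three updated documents consistently, or say why SCRAM-SHA-256 needs a normative reference when the other two do not.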
| End of changes. 11 change blocks. | ||||
| 14 lines changed or deleted | 28 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/