idnits 2.17.1 

draft-davidben-tls13-pkcs1-00.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (July 29, 2019) is 1732 days in the past.  Is this
     intentional?


  Checking references for intended status: Experimental
  ----------------------------------------------------------------------------

     No issues found here.

     Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 1 comment (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	tls                                                          D. Benjamin
3	Internet-Draft                                                Google LLC
4	Intended status: Experimental                              July 29, 2019
5	Expires: January 30, 2020

7	            Legacy RSASSA-PKCS1-v1_5 codepoints for TLS 1.3
8	                     draft-davidben-tls13-pkcs1-00

10	Abstract

12	   This document allocates code points for the use of RSASSA-PKCS1-v1_5
13	   with client certificates in TLS 1.3.

15	Status of This Memo

17	   This Internet-Draft is submitted in full conformance with the
18	   provisions of BCP 78 and BCP 79.

20	   Internet-Drafts are working documents of the Internet Engineering
21	   Task Force (IETF).  Note that other groups may also distribute
22	   working documents as Internet-Drafts.  The list of current Internet-
23	   Drafts is at https://datatracker.ietf.org/drafts/current/.

25	   Internet-Drafts are draft documents valid for a maximum of six months
26	   and may be updated, replaced, or obsoleted by other documents at any
27	   time.  It is inappropriate to use Internet-Drafts as reference
28	   material or to cite them other than as "work in progress."

30	   This Internet-Draft will expire on January 30, 2020.

32	Copyright Notice

34	   Copyright (c) 2019 IETF Trust and the persons identified as the
35	   document authors.  All rights reserved.

37	   This document is subject to BCP 78 and the IETF Trust's Legal
38	   Provisions Relating to IETF Documents
39	   (https://trustee.ietf.org/license-info) in effect on the date of
40	   publication of this document.  Please review these documents
41	   carefully, as they describe your rights and restrictions with respect
42	   to this document.  Code Components extracted from this document must
43	   include Simplified BSD License text as described in Section 4.e of
44	   the Trust Legal Provisions and are provided without warranty as
45	   described in the Simplified BSD License.

47	Table of Contents

49	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
50	   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   2
51	   3.  PKCS#1 v1.5 SignatureScheme Types . . . . . . . . . . . . . .   2
52	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
53	   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
54	   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   4
55	     6.1.  Normative References  . . . . . . . . . . . . . . . . . .   4
56	     6.2.  Informative References  . . . . . . . . . . . . . . . . .   5
57	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   5

59	1.  Introduction

61	   TLS 1.3 [RFC8446] removed support for RSASSA-PKCS1-v1_5 [RFC8017] in
62	   CertificateVerify messages in favor of RSASSA-PSS.  While RSASSA-PSS
63	   is a long-established signature algorithm, some legacy hardware
64	   cryptographic devices lack support for it.  Due to performance
65	   requirements, such devices are uncommon in TLS servers, but are
66	   sometimes used by TLS clients for client certificates.  Moreover, TLS
67	   negotiates the protocol version before client certificates, so this
68	   limitation can further impact adjacent connections that do not use
69	   affected keys.

71	   This document allocates code points to use these legacy keys with
72	   client certificates in TLS 1.3.

74	2.  Conventions and Definitions

76	   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
77	   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
78	   "OPTIONAL" in this document are to be interpreted as described in BCP
79	   14 [RFC2119] [RFC8174] when, and only when, they appear in all
80	   capitals, as shown here.

82	3.  PKCS#1 v1.5 SignatureScheme Types

84	   The following SignatureScheme values are defined for use with TLS
85	   1.3.

87	       enum {
88	           rsa_pkcs1_sha256_legacy(TBD1),
89	           rsa_pkcs1_sha384_legacy(TBD2),
90	           rsa_pkcs1_sha512_legacy(TBD3),
91	       } SignatureScheme;

93	   The above code points indicate a signature algorithm using RSASSA-
94	   PKCS1-v1_5 [RFC8017] with the corresponding hash algorithm as defined
95	   in [SHS].  They are only defined for signatures in the client
96	   CertificateVerify message and are not defined for use in other
97	   contexts.  In particular, servers intending to advertise support for
98	   RSASSA-PKCS1-v1_5 signatures in the certificates themselves should
99	   use the rsa_pkcs1_* constants defined in [RFC8446].

101	   Clients MUST NOT advertise these values in the "signature_algorithms"
102	   extension of the ClientHello.  They MUST NOT accept these values in
103	   the server CertificateVerify message.

105	   Servers that wish to support clients authenticating with legacy
106	   RSASSA-PKCS1-v1_5-only keys MAY send these values in the
107	   "signature_algorithms" extension of the CertificateRequest message
108	   and accept them in the client CertificateVerify message.  Clients
109	   with such legacy keys MAY negotiate the use of these signature
110	   algorithms if offered by the server.  Clients SHOULD NOT negotiate
111	   them with keys that support RSASSA-PSS.

113	4.  Security Considerations

115	   Prior to this document, legacy RSA keys would prevent client
116	   certificate deployments from adopting TLS 1.3.  The new code points
117	   allow such deployments to upgrade without replacing the keys.  TLS
118	   1.3 fixes a privacy flaw [PRIVACY] with client certificates, so
119	   upgrading is a particular benefit to these deployments.

121	   Additionally, TLS negotiates protocol versions before client
122	   certificates.  When sending a ClientHello, a TLS-1.3-capable client
123	   cannot determine if the server will request a legacy key.  It may
124	   then offer TLS 1.3, to upgrade connections to other servers.  A TLS-
125	   1.3-capable server that requests client certificates cannot then
126	   distinguish such a client from one with modern keys.  It may then
127	   negotiate TLS 1.3 and send a CertificateRequest.  The connection
128	   would then fail due to the legacy key, when it previously succeeded
129	   at TLS 1.2.

131	   To recover from this failure, one side must globally disable TLS 1.3
132	   or the client must implement an external fallback.  Disabling TLS 1.3
133	   impacts connections that would otherwise be unaffected by this issue,
134	   while external fallbacks break TLS's security analysis and may
135	   introduce vulnerabilities [POODLE].  The new code points reduce the
136	   pressure on implementations to select one of these mitigations.

138	   However, the new code points also reduce the pressure on
139	   implementations to migrate to RSASSA-PSS.  The above considerations
140	   do not apply to server keys, so these new code points are forbidden
141	   for use with server certificates.  RSASSA-PSS continues to be
142	   required for TLS 1.3 servers using RSA keys.

144	   Finally, when implemented incorrectly, RSASSA-PKCS1-v1_5 admits
145	   signature forgeries [MFSA201473].  Implementations producing or
146	   verifying signatures with these algorithms MUST implement RSASSA-
147	   PKCS1-v1_5 as specified in section 8.2 of [RFC8017].  In particular,
148	   clients MUST include the mandatory NULL parameter in the DigestInfo
149	   structure and produce a valid DER [X690] encoding.  Servers MUST
150	   reject signatures which do not meet these requirements.

152	5.  IANA Considerations

154	   IANA is requested to create the following entries in the TLS
155	   SignatureScheme registry, defined in [RFC8446].  The "Recommended"
156	   column should be set to "N", and the "Reference" column should be set
157	   to this document.

159	                    +-------+-------------------------+
160	                    | Value | Description             |
161	                    +-------+-------------------------+
162	                    | TBD1  | rsa_pkcs1_sha256_legacy |
163	                    |       |                         |
164	                    | TBD2  | rsa_pkcs1_sha384_legacy |
165	                    |       |                         |
166	                    | TBD3  | rsa_pkcs1_sha512_legacy |
167	                    +-------+-------------------------+

169	6.  References

171	6.1.  Normative References

173	   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
174	              Requirement Levels", BCP 14, RFC 2119,
175	              DOI 10.17487/RFC2119, March 1997,
176	              <https://www.rfc-editor.org/info/rfc2119>.

178	   [RFC8017]  Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
179	              "PKCS #1: RSA Cryptography Specifications Version 2.2",
180	              RFC 8017, DOI 10.17487/RFC8017, November 2016,
181	              <https://www.rfc-editor.org/info/rfc8017>.

183	   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
184	              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
185	              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

187	   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
188	              Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
189	              <https://www.rfc-editor.org/info/rfc8446>.

191	   [SHS]      Dang, Q., "Secure Hash Standard", National Institute of
192	              Standards and Technology report,
193	              DOI 10.6028/nist.fips.180-4, July 2015.

195	   [X690]     ITU-T, "Information technology - ASN.1 encoding Rules:
196	              Specification of Basic Encoding Rules (BER), Canonical
197	              Encoding Rules (CER) and Distinguished Encoding Rules
198	              (DER)", ISO/IEC 8825-1:2002, 2002.

200	6.2.  Informative References

202	   [MFSA201473]
203	              Delignat-Lavaud, A., "RSA Signature Forgery in NSS",
204	              September 2014, <https://www.mozilla.org/en-
205	              US/security/advisories/mfsa2014-73/>.

207	   [POODLE]   Moeller, B., "This POODLE bites: exploiting the SSL 3.0
208	              fallback", October 2014,
209	              <https://security.googleblog.com/2014/10/
210	              this-poodle-bites-exploiting-ssl-30.html>.

212	   [PRIVACY]  Wachs, M., Scheitle, Q., and G. Carle, "Push away your
213	              privacy: Precise user tracking based on TLS client
214	              certificate authentication", 2017 Network Traffic
215	              Measurement and Analysis Conference (TMA),
216	              DOI 10.23919/tma.2017.8002897, June 2017.

218	Author's Address

220	   David Benjamin
221	   Google LLC

223	   Email: davidben@google.com