idnits 2.17.1 

draft-ietf-tls-exported-authenticator-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 98: '...d to send the authenticator SHOULD use...'
     RFC 2119 keyword, line 126: '...not use the TLS PRF MUST define a hash...'
     RFC 2119 keyword, line 129: '... 1.2, the master secret MUST have been...'
     RFC 2119 keyword, line 138: '...st_context which SHOULD be unique for ...'
     RFC 2119 keyword, line 140: '...   protocol and SHOULD be non-zero len...'
     (8 more instances...)


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (June 20, 2017) is 2502 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-28) exists of
     draft-ietf-tls-tls13-20

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SIGMAC'


     Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	TLS                                                          N. Sullivan
3	Internet-Draft                                           Cloudflare Inc.
4	Intended status: Standards Track                           June 20, 2017
5	Expires: December 22, 2017

7	                     Exported Authenticators in TLS
8	                draft-ietf-tls-exported-authenticator-02

10	Abstract

12	   This document describes a mechanism in Transport Layer Security (TLS)
13	   to provide an exportable proof of ownership of a certificate that can
14	   be transmitted out of band and verified by the other party.

16	Status of This Memo

18	   This Internet-Draft is submitted in full conformance with the
19	   provisions of BCP 78 and BCP 79.

21	   Internet-Drafts are working documents of the Internet Engineering
22	   Task Force (IETF).  Note that other groups may also distribute
23	   working documents as Internet-Drafts.  The list of current Internet-
24	   Drafts is at http://datatracker.ietf.org/drafts/current/.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at any
28	   time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   This Internet-Draft will expire on December 22, 2017.

33	Copyright Notice

35	   Copyright (c) 2017 IETF Trust and the persons identified as the
36	   document authors.  All rights reserved.

38	   This document is subject to BCP 78 and the IETF Trust's Legal
39	   Provisions Relating to IETF Documents
40	   (http://trustee.ietf.org/license-info) in effect on the date of
41	   publication of this document.  Please review these documents
42	   carefully, as they describe your rights and restrictions with respect
43	   to this document.  Code Components extracted from this document must
44	   include Simplified BSD License text as described in Section 4.e of
45	   the Trust Legal Provisions and are provided without warranty as
46	   described in the Simplified BSD License.

48	Table of Contents

50	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
51	   2.  Authenticator . . . . . . . . . . . . . . . . . . . . . . . .   3
52	   3.  API considerations  . . . . . . . . . . . . . . . . . . . . .   4
53	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
54	   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
55	   6.  Normative References  . . . . . . . . . . . . . . . . . . . .   6
56	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6

58	1.  Introduction

60	   This document provides a way to authenticate one party of a Transport
61	   Layer Security (TLS) communication to another using a certificate
62	   after the session has been established.  This allows both the client
63	   and server to prove ownership of additional identities at any time
64	   after the handshake has completed.  This proof of authentication can
65	   be exported and transmitted out of band from one party to be
66	   validated by the other party.

68	   This mechanism provides two advantages over the authentication that
69	   TLS natively provides:

71	   multiple identities -  Endpoints that are authoritative for multiple
72	      identities - but do not have a single certificate that includes
73	      all of the identities - can authenticate with those identities
74	      over a single connection.

76	   spontaneous authentication -  Endpoints can authenticate after a
77	      connection is established, in response to events in a higher-layer
78	      protocol, as well as integrating more context.

80	   This document intends to replace much of the functionality of
81	   renegotiation in previous versions of TLS.  It has the advantages
82	   over renegotiation of not requiring additional on-the-wire changes
83	   during a connection.  For simplicity, only TLS 1.2 and later are
84	   supported.

86	   Post-handshake authentication is defined in TLS 1.3, but it has the
87	   disadvantage of requiring additional state to be stored in the TLS
88	   state machine and it composes poorly with multiplexed connection
89	   protocols like HTTP/2.  It is also only available for client
90	   authentication.  This mechanism is intended to be used as part of a
91	   replacement for post-handshake authentication in applications.

93	2.  Authenticator

95	   The authenticator is a structured message that can be exported from
96	   either party of a TLS connection.  It can be transmitted to the other
97	   party of the TLS connection at the application layer.  The
98	   application layer protocol used to send the authenticator SHOULD use
99	   TLS as its underlying transport.

101	   An authenticator message can be constructed by either the client or
102	   the server given an established TLS connection, a certificate, and a
103	   corresponding private key.  This authenticator uses the message
104	   structures from section 4.4. of [I-D.ietf-tls-tls13], but different
105	   parameters.  Also, unlike the Certificate and CertificateRequest
106	   messages in TLS 1.3, the messages described in this draft are not
107	   encrypted with a handshake key.

109	   Each authenticator is computed using a Handshake Context and Finished
110	   MAC Key derived from the TLS session.  The Handshake Context is and
111	   Finished MAC Key are dependent on whether the authenticator is
112	   created by the client or the server.

114	   o  The Handshake Context is an [RFC5705] (for TLS 1.2) or
115	      [I-D.ietf-tls-tls13] (for TLS 1.3) exporter value derived using
116	      the label "EXPORTER-client authenticator handshake context" or
117	      "EXPORTER-server authenticator handshake context", depending on
118	      the sender, and length 64 bytes.  The context_value is absent
119	      (length zero).

121	   o  The Finished MAC Key is an exporter value derived using the label
122	      "EXPORTER-server authenticator finished key" or "EXPORTER-client
123	      authenticator finished key", depending on the sender.  The length
124	      of this key is equal to the length of the output of the hash
125	      function selected in TLS for the pseudorandom function (PRF);
126	      cipher suites that do not use the TLS PRF MUST define a hash
127	      function that can be used for this purpose or they cannot be used.

129	   If the connection is TLS 1.2, the master secret MUST have been
130	   computed with the extended master secret [RFC7627] to avoid key
131	   synchronization attacks.

133	   Certificate  The certificate to be used for authentication and any
134	      supporting certificates in the chain.  This structure is defined
135	      in [I-D.ietf-tls-tls13] section 4.4.2.

137	   The certificate message contains an opaque string called
138	   certificate_request_context which SHOULD be unique for a given
139	   connection.  Its format is be defined by the application layer
140	   protocol and SHOULD be non-zero length.  For example, it may be a
141	   sequence number used by the higher-level protocol during the
142	   transport of the authenticator to the other party.  Using a unique
143	   and unpredictable value ties the authenticator to a given context,
144	   allowing the application to prevent authenticators from being
145	   replayed or precomputed by an attacker with temporary access to a
146	   private key.

148	   CertificateVerify  A signature over the value Hash(Handshake
149	      Context || Certificate)

151	   This is described in section 4.2.3. of [I-D.ietf-tls-tls13].  The
152	   signature scheme MUST be a valid signature scheme for TLS 1.3.  This
153	   excludes all RSASSA-PKCS1-v1_5 algorithms and ECDSA algorithms that
154	   are not supported in TLS 1.3.  For servers, this signature scheme
155	   must match one of the signature and hash algorithms advertised in the
156	   signature_algorithms extension of the ClientHello.

158	   Finished  A HMAC over the value Hash(Handshake Context ||
159	      Certificate || CertificateVerify) using the hash function from the
160	      handshake and the Finished MAC Key as a key.

162	   The certificates used in the Certificate message MUST conform to the
163	   requirements of a Certificate message in the version of TLS
164	   negotiated.  This is described in section 4.2.3. of
165	   [I-D.ietf-tls-tls13] and sections 7.4.2. and 7.4.6. of [RFC5246].
166	   Alternative certificate formats such as [RFC7250] Raw Public Keys are
167	   not supported.

169	   The exported authenticator message is the concatenation of messages:
170	   Certificate || CertificateVerify || Finished

172	   A given exported authenticator can be validated by checking the
173	   validity of the CertificateVerify message and recomputing the
174	   Finished message to see it it matches.  If the underlying connection
175	   is TLS 1.3, CertificateVerify messages with an RSASSA-PKCS1-v1_5
176	   algorithm as its SignatureScheme MUST be rejected.

178	3.  API considerations

180	   The creation and validation of exported authenticators SHOULD be
181	   implemented inside TLS library even if it is possible to implement it
182	   at the application layer.  TLS implementations supporting the use of
183	   exported authenticators MUST provide application programming
184	   interfaces by which clients and servers may request and verify
185	   exported authenticator messages.

187	   Given an established connection, the application SHOULD be able to
188	   call an "authenticate" API which takes as input:

190	   o  certificate_request_context (from 1 to 255 bytes)

192	   o  valid certificate chain for the connection and associated
193	      extensions (OCSP, SCT, etc.)

195	   o  signer (either the private key associated with the certificate, or
196	      interface to perform private key operation)

198	   o  signature scheme

200	   The API returns the exported authentiator as output.

202	   Given an established connection and an exported authenticator
203	   message, the application SHOULD be able to call a "validate" API that
204	   takes an exported authenticator as an input.  If the Finished and
205	   CertificateVerify messages verify correctly, the API returns the
206	   following as output:

208	   o  certificate chain and extensions

210	   o  certificate_request_context

212	   In order for the application layer to be able to choose the
213	   certificates and signature schemes to use when constructing an
214	   authenticator, a TLS server SHOULD expose an API that returns the
215	   content of the signature_algorithms extension of client's ClientHello
216	   message.

218	4.  Security Considerations

220	   The Certificate/Verify/Finished pattern intentionally looks like the
221	   TLS 1.3 pattern which now has been analyzed several times.  In the
222	   case where the client presents an authenticator to a server, [SIGMAC]
223	   presents a relevant framework for analysis.

225	   Authenticators are independent and unidirectional.  There is no
226	   explicit state change inside TLS when an authenticator is either
227	   created or validated.

229	   o  This property makes it difficult to formally prove that a server
230	      is jointly authoritative over multiple certificates, rather than
231	      individually authoritative over each.

233	   o  There is no indication in the TLS layer about which point in time
234	      an authenticator was computed.  Any feedback about the time of
235	      creation or validation of the authenticator should be tracked as
236	      part of the application layer semantics if required.

238	5.  Acknowledgements

240	   Comments on this proposal were provided by Martin Thomson.
241	   Suggestions for the security considerations section were provided by
242	   Karthikeyan Bhargavan.

244	6.  Normative References

246	   [I-D.ietf-tls-tls13]
247	              Rescorla, E., "The Transport Layer Security (TLS) Protocol
248	              Version 1.3", draft-ietf-tls-tls13-20 (work in progress),
249	              April 2017.

251	   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
252	              (TLS) Protocol Version 1.2", RFC 5246,
253	              DOI 10.17487/RFC5246, August 2008,
254	              <http://www.rfc-editor.org/info/rfc5246>.

256	   [RFC5705]  Rescorla, E., "Keying Material Exporters for Transport
257	              Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705,
258	              March 2010, <http://www.rfc-editor.org/info/rfc5705>.

260	   [RFC7250]  Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
261	              Weiler, S., and T. Kivinen, "Using Raw Public Keys in
262	              Transport Layer Security (TLS) and Datagram Transport
263	              Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
264	              June 2014, <http://www.rfc-editor.org/info/rfc7250>.

266	   [RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
267	              Langley, A., and M. Ray, "Transport Layer Security (TLS)
268	              Session Hash and Extended Master Secret Extension",
269	              RFC 7627, DOI 10.17487/RFC7627, September 2015,
270	              <http://www.rfc-editor.org/info/rfc7627>.

272	   [SIGMAC]   Krawczyk, H., "A Unilateral-to-Mutual Authentication
273	              Compiler for Key Exchange (with Applications to Client
274	              Authentication in TLS 1.3)", 2016,
275	              <https://eprint.iacr.org/2016/711.pdf>.

277	Author's Address

279	   Nick Sullivan
280	   Cloudflare Inc.

282	   Email: nick@cloudflare.com