idnits 2.17.1 

draft-sullivan-tls-exported-authenticator-01.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section
     2.2 of https://www.ietf.org/id-info/checklist for how to handle the case
     when there are no actions for IANA.)

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords. 

     RFC 2119 keyword, line 120: '... 1.2, the master secret MUST have been...'
     RFC 2119 keyword, line 128: '...st_context which MUST be unique for a ...'
     RFC 2119 keyword, line 130: '...   protocol and MUST be non-zero lengt...'
     RFC 2119 keyword, line 141: '...ertificate message MUST conform to the...'
     RFC 2119 keyword, line 152: '...   MUST provide application programmin...'


  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (March 13, 2017) is 2600 days in the past.  Is this
     intentional?


  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-28) exists of
     draft-ietf-tls-tls13-19

  ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446)

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SIGMAC'


     Summary: 3 errors (**), 0 flaws (~~), 2 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------


2	TLS                                                          N. Sullivan
3	Internet-Draft                                           Cloudflare Inc.
4	Intended status: Standards Track                          March 13, 2017
5	Expires: September 14, 2017

7	                     Exported Authenticators in TLS
8	              draft-sullivan-tls-exported-authenticator-01

10	Abstract

12	   This document describes a mechanism in Transport Layer Security (TLS)
13	   to provide an exportable proof of ownership of a certificate that can
14	   be transmitted out of band and verified by the other party.

16	Status of This Memo

18	   This Internet-Draft is submitted in full conformance with the
19	   provisions of BCP 78 and BCP 79.

21	   Internet-Drafts are working documents of the Internet Engineering
22	   Task Force (IETF).  Note that other groups may also distribute
23	   working documents as Internet-Drafts.  The list of current Internet-
24	   Drafts is at http://datatracker.ietf.org/drafts/current/.

26	   Internet-Drafts are draft documents valid for a maximum of six months
27	   and may be updated, replaced, or obsoleted by other documents at any
28	   time.  It is inappropriate to use Internet-Drafts as reference
29	   material or to cite them other than as "work in progress."

31	   This Internet-Draft will expire on September 14, 2017.

33	Copyright Notice

35	   Copyright (c) 2017 IETF Trust and the persons identified as the
36	   document authors.  All rights reserved.

38	   This document is subject to BCP 78 and the IETF Trust's Legal
39	   Provisions Relating to IETF Documents
40	   (http://trustee.ietf.org/license-info) in effect on the date of
41	   publication of this document.  Please review these documents
42	   carefully, as they describe your rights and restrictions with respect
43	   to this document.  Code Components extracted from this document must
44	   include Simplified BSD License text as described in Section 4.e of
45	   the Trust Legal Provisions and are provided without warranty as
46	   described in the Simplified BSD License.

48	Table of Contents

50	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
51	   2.  Authenticator . . . . . . . . . . . . . . . . . . . . . . . .   2
52	   3.  API considerations  . . . . . . . . . . . . . . . . . . . . .   4
53	   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   4
54	   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   5
55	   6.  Normative References  . . . . . . . . . . . . . . . . . . . .   5
56	   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6

58	1.  Introduction

60	   This document provides a way to authenticate one party of a Transport
61	   Layer Security (TLS) communication to another using a certificate
62	   after the session has been established.  This allows both the client
63	   and server to prove ownership of additional identities at any time
64	   after the handshake has completed.  This proof of authentication can
65	   be exported and transmitted out of band from one party to be
66	   validated by the other party.

68	   This mechanism is useful in the following situations:

70	   o  servers that are authoritative for multiple domains the same
71	      connection but do not have a certificate that is simultaneously
72	      authoritative for all of them

74	   o  servers that have resources that require client authentication to
75	      access and need to request client authentication after the
76	      connection has started

78	   o  clients that want to assert ownership over an identity to a server
79	      after a connection has been established

81	   This document intends to replace much of the functionality of
82	   renegotiation in previous versions of TLS.  It has the advantages
83	   over renegotiation of not requiring additional on-the-wire changes
84	   during a connection.  For simplicity, only TLS 1.2 and later are
85	   supported.

87	2.  Authenticator

89	   The authenticator is a structured message that can be exported from
90	   either party of a TLS connection.  It can be sent out-of-band to the
91	   other party of a TLS connection to be validated.

93	   An authenticator message can be constructed by either the client or
94	   the server given an established TLS connection, a certificate, and a
95	   corresponding private key.  This authenticator uses the message
96	   structures from section 4.4. of [I-D.ietf-tls-tls13], but different
97	   parameters.  Also, unlike the Certificate and CertificateRequest
98	   messages in TLS 1.3, the messages described in this draft are not
99	   encryped with a handshake key.

101	   Each Authenticator is computed using a Handshake Context and Finished
102	   MAC Key derived from the TLS session.  The Handshake Context is
103	   identical for both parties of the TLS connection, the Finished MAC
104	   Key is dependent on whether the Authenticator is created by the
105	   client or the server.

107	   o  The Handshake Context is an [RFC5705] (for TLS 1.2) or
108	      [I-D.ietf-tls-tls13] exporter value derived using the label
109	      "authenticator handshake context" and length 64 bytes.

111	   o  The Finished MAC Key is an exporter value derived using the label
112	      "server authenticator finished key" or "client authenticator
113	      finished key", depending on the sender.  The length of this key is
114	      equal to the length of the output of the hash function negotiated
115	      in TLS.  For TLS 1.3, it's the hash algorithm of the cipher suite.
116	      For TLS 1.2, it's the hash algorithm selected for the PRF for AEAD
117	      ciphers, or the hash algorithm used as the HMAC in non-AEAD
118	      ciphers.

120	   If the connection is TLS 1.2, the master secret MUST have been
121	   computed with the extended master secret [RFC7627] to avoid key
122	   synchronization attacks.

124	   Certificate  The certificate to be used for authentication and any
125	      supporting certificates in the chain.

127	   The certificate message contains an opaque string called
128	   certificate_request_context which MUST be unique for a given
129	   connection.  Its format should be defined by the application layer
130	   protocol and MUST be non-zero length.  For example, it may be a
131	   randomly chosen identifier used by the higher-level protocol during
132	   the transport of the Authenticator to the other party.

134	   CertificateVerify  A signature over the value Hash(Handshake
135	      Context || Certificate)

137	   Finished  A HMAC over the value Hash(Handshake Context ||
138	      Certificate || CertificateVerify) using the hash function from the
139	      handshake and the Finished MAC Key as a key.

141	   The certificates used in the Certificate message MUST conform to the
142	   requirements of a Certificate message in the version of TLS
143	   negotiated.  This is described in section 4.2.3. of
144	   [I-D.ietf-tls-tls13] and sections 7.4.2. and 7.4.6. of [RFC5246].

146	   The exported authenticator message is the concatenation of messages:
147	   Certificate || CertificateVerify || Finished

149	3.  API considerations

151	   TLS implementations supporting the use of exported authenticators
152	   MUST provide application programming interfaces by which clients and
153	   servers may request and verify exported authenticator messages.

155	   Given an established connection, the application should be able to
156	   obtain an authenticator by providing the following:

158	   o  certificate_request_context (from 1 to 255 bytes)

160	   o  valid certificate chain for the connection and associated
161	      extensions (OCSP, SCT, etc.)

163	   o  signer (either the private key associated with the certificate, or
164	      interface to perform private key operation)

166	   Given an established connection and an exported authenticator
167	   message, the application should be able to provide the authenticator
168	   to the connection.  If the Finished and CertificateVerify messages
169	   verify, the TLS library should return the following:

171	   o  certificate chain and extensions

173	   o  certificate_request_context

175	   In order for the application layer to communicate which certificates
176	   it will accept, an API should be exposed that returns an array of TLS
177	   1.3 SignatureScheme objects that corresponds to the signature
178	   algorithms that the library is willing to validate in an exported
179	   authenticator message.

181	4.  Security Considerations

183	   The Certificate/Verify/Finished pattern intentionally looks like the
184	   TLS 1.3 pattern which now has been analyzed several times.  In the
185	   case where the client presents an authenticator to a server, [SIGMAC]
186	   presents a relevant framework for analysis.

188	   From a formal security perspective, one drawback of this mechanism is
189	   that there is no explicit signaling mechanism for one party to
190	   acknowledge an Authenticator to the party who computed it.  Nothing
191	   about the state of the connection is changed when a new Authenticator
192	   is exported, and the Handshake Context of the TLS connection is
193	   unchanged after creating or validating an authenticator.  This
194	   property makes it difficult to formally prove that a server is
195	   jointly authoritative over multiple certificates, rather than
196	   individually authoritative on each certificate.

198	   Another result of the unidirectional nature of Authenticator messages
199	   is that the view of which certificates the other party is
200	   authoritative over does not reside in the TLS state machine.  Not
201	   knowing when the exported authenticator was created or validated at
202	   the TLS layer also means that assumptions about when the other party
203	   is considered authoritative can not be determined purely from where
204	   in the in the TLS record layer it was sent.  A valid authenticator
205	   can be created at any time during the connection.  If it matters to
206	   the application whether or not an authenticator was acknowledged
207	   before or after a particular piece of data, it should be tracked as
208	   part of the application layer semantics.

210	5.  Acknowledgements

212	   Comments on this proposal were provided by Martin Thomson.
213	   Suggestions for the security considerations section were provided by
214	   Karthikeyan Bhargavan.

216	6.  Normative References

218	   [I-D.ietf-tls-tls13]
219	              Rescorla, E., "The Transport Layer Security (TLS) Protocol
220	              Version 1.3", draft-ietf-tls-tls13-19 (work in progress),
221	              March 2017.

223	   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
224	              (TLS) Protocol Version 1.2", RFC 5246,
225	              DOI 10.17487/RFC5246, August 2008,
226	              <http://www.rfc-editor.org/info/rfc5246>.

228	   [RFC5705]  Rescorla, E., "Keying Material Exporters for Transport
229	              Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705,
230	              March 2010, <http://www.rfc-editor.org/info/rfc5705>.

232	   [RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
233	              Langley, A., and M. Ray, "Transport Layer Security (TLS)
234	              Session Hash and Extended Master Secret Extension",
235	              RFC 7627, DOI 10.17487/RFC7627, September 2015,
236	              <http://www.rfc-editor.org/info/rfc7627>.

238	   [SIGMAC]   Krawczyk, H., "A Unilateral-to-Mutual Authentication
239	              Compiler for Key Exchange (with Applications to Client
240	              Authentication in TLS 1.3)", 2016,
241	              <https://eprint.iacr.org/2016/711.pdf>.

243	Author's Address

245	   Nick Sullivan
246	   Cloudflare Inc.

248	   Email: nick@cloudflare.com