Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Martin Rex]

Watson Ladd wrote:
>Martin Rex  wrote:
>>
>> The suggestion to accept a recognized TLSv1.2 cipher suite code point
>> as an alternative indicator for the highest client-supported protocol
>> version is not really a "mechanism".  It's efficient (with 0-bytes on
>> the wire), intuitive and extremely backwards-compatible (will not upset
>> old servers, neither version-intolerant as the Win2008/2012 servers,
>> nor extension-intolerant servers.
> 
> It's a substantial change made after WG last call. That alone makes it
> improper. If you want to get WG consensus for such a change, go ahead.
> But don't try making this in the dead of night.

The proposed small addition of when the TLS cipher suites can be negotiated
is clearly *NOT* a change, and certainly not substantial.

Implementors that want to completely ignore this small addition
can do so and will remain fully compliant, they will not have to
change a single line of code.

For those implementing the proposed addition there will be two
very desirable effects:

  1) make more TLS handshakes succeed

  2) make more TLS handshakes use TLS protocol version TLSv1.2 rather
 than TLSv1.1 or TLSv1.0

come at an extremely low cost, and this addition has ZERO downsides.
The IETF is about promoting interoperability.

You seem to have a problem with either or both of the above outcomes,
but I fail to understand which and why.


> 
>> It's worse -- there are still TLS servers out there which choke on
>> TLS extensions (and TLS server which choke on extension ordering).
> 
> TLS 1.2 demands extensions work. Sending a TLS 1.2 hello without
> extensions is going to make it impossible to implement many features
> TLS 1.2 security relies on.

Actually, it does not.  TLSv1.2 works just fine without TLS extension,
although there are a few implementations in the installed base which
got this wrong.  rfc5246 appendix E.2 shows that TLSv1.2 interop with
extension-less ClientHellos was desired and assumed to be possible.
Some implementors got it wrong.



> 
>> It seems that there are others facing the same issue:
>>
>> https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows
>>
>> and defer enabling to explicit customer opt-in.
>>
>>
>> Really, a very compatible and extremely robust and useful approach would
>> be to allow implied client protocol version indication through presence of
>> TLSv1.2-only cipher suite codepoints and this would allow large parts
>> of the installed base to quickly start using TLSv1.2--without breaking
>> existing usage scenarios and without the hazzle for users having to opt-in
>> and test stuff.
> 
> The people who have these problems are not "large parts" of the
> install base. They are large parts of *your* install base. Don't
> confuse these two.

The above WinHTTP issue alone applies to Win7, which is about 50% of
the installed base of Desktops PCs.

Refering to ~50% of the installed base as "large parts" seems OK to me. YMMV.


-Martin

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Watson Ladd]

On Tue, May 30, 2017 at 1:03 PM, Martin Rex  wrote:
> Eric Rescorla wrote:
>> On Tue, May 23, 2017 at 9:34 PM, Martin Rex  wrote:
>>>
>>> This change _still_ prohibits the server from negotiating these algorithms
>>> with TLSv1.1 and below.
>>>
>>> Could you elaborate a little on where and why you see a problem with this?
>>>
>>
>> For starters, TLS 1.3 has already designed a completely independent
>> mechanism for doing version negotiation outside of ClientHello.version,
>> so doing another seems pretty odd. In any case, it's not something you
>> do between IETF-LC and IESG approval.
>
> The suggestion to accept a recognized TLSv1.2 cipher suite code point
> as an alternative indicator for the highest client-supported protocol
> version is not really a "mechanism".  It's efficient (with 0-bytes on
> the wire), intuitive and extremely backwards-compatible (will not upset
> old servers, neither version-intolerant as the Win2008/2012 servers,
> nor extension-intolerant servers.

It's a substantial change made after WG last call. That alone makes it
improper. If you want to get WG consensus for such a change, go ahead.
But don't try making this in the dead of night.

>
>
>>
>>> As this changes tries to explain, had such a text been used for all
>>> TLSv1.2 AEAD cipher suite code points, then browsers would have never
>>> needed any "downgrade dance" fallbacks, POODLE would have never
>>> existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid
>>> would not been needed, either.
>>
>> I'm not sure this is true, because there were also servers which did
>> not understand extensions.
>
>
> It's worse -- there are still TLS servers out there which choke on
> TLS extensions (and TLS server which choke on extension ordering).

TLS 1.2 demands extensions work. Sending a TLS 1.2 hello without
extensions is going to make it impossible to implement many features
TLS 1.2 security relies on.

>
> Sending TLS extensions is therefore a negotiation scheme that we
> can not ship as patch into the installed base, because we *KNOW*
> that it will break a few existing usage scenarios.  Stuff that needs
> TLS extensions is therefore an opt-in only scheme -- and even when
> making it opt-in, we may have to additonally provide a TLS extension
> exclusion list of hostnames.
>
> It seems that there are others facing the same issue:
>
> https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows
>
> and defer enabling to explicit customer opt-in.
>
>
> Really, a very compatible and extremely robust and useful approach would
> be to allow implied client protocol version indication through presence of
> TLSv1.2-only cipher suite codepoints and this would allow large parts
> of the installed base to quickly start using TLSv1.2--without breaking
> existing usage scenarios and without the hazzle for users having to opt-in
> and test stuff.

The people who have these problems are not "large parts" of the
install base. They are large parts of *your* install base. Don't
confuse these two.

>
>
> -Martin
>
> ___
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Martin Rex]

Eric Rescorla wrote:
> On Tue, May 23, 2017 at 9:34 PM, Martin Rex  wrote:
>>
>> This change _still_ prohibits the server from negotiating these algorithms
>> with TLSv1.1 and below.
>>
>> Could you elaborate a little on where and why you see a problem with this?
>>
> 
> For starters, TLS 1.3 has already designed a completely independent
> mechanism for doing version negotiation outside of ClientHello.version,
> so doing another seems pretty odd. In any case, it's not something you
> do between IETF-LC and IESG approval.

The suggestion to accept a recognized TLSv1.2 cipher suite code point
as an alternative indicator for the highest client-supported protocol
version is not really a "mechanism".  It's efficient (with 0-bytes on
the wire), intuitive and extremely backwards-compatible (will not upset
old servers, neither version-intolerant as the Win2008/2012 servers,
nor extension-intolerant servers.


> 
>> As this changes tries to explain, had such a text been used for all
>> TLSv1.2 AEAD cipher suite code points, then browsers would have never
>> needed any "downgrade dance" fallbacks, POODLE would have never
>> existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid
>> would not been needed, either.
> 
> I'm not sure this is true, because there were also servers which did
> not understand extensions.


It's worse -- there are still TLS servers out there which choke on
TLS extensions (and TLS server which choke on extension ordering).

Sending TLS extensions is therefore a negotiation scheme that we
can not ship as patch into the installed base, because we *KNOW*
that it will break a few existing usage scenarios.  Stuff that needs
TLS extensions is therefore an opt-in only scheme -- and even when
making it opt-in, we may have to additonally provide a TLS extension
exclusion list of hostnames.

It seems that there are others facing the same issue:

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1.1-and-tls-1.2-as-a-default-secure-protocols-in-winhttp-in-windows

and defer enabling to explicit customer opt-in.


Really, a very compatible and extremely robust and useful approach would
be to allow implied client protocol version indication through presence of
TLSv1.2-only cipher suite codepoints and this would allow large parts
of the installed base to quickly start using TLSv1.2--without breaking
existing usage scenarios and without the hazzle for users having to opt-in
and test stuff.


-Martin

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Daniel Migault]

 Hi,

Please find the version the secretariat just published. I believe all
comments have been addressed. Thank you all for the reviews!

Yours,

Daniel



-Original Message-
From: internet-dra...@ietf.org [mailto:internet-dra...@ietf.org]
Sent: Thursday, May 25, 2017 9:32 AM
To: John Mattsson ; Daniel Migault

Subject: New Version Notification for draft-ietf-tls-ecdhe-psk-aead-05.txt





A new version of I-D, draft-ietf-tls-ecdhe-psk-aead-05.txt

has been successfully submitted by Daniel Migault and posted to the IETF
repository.



Name:  draft-ietf-tls-ecdhe-psk-aead

Revision:  05

Title:  ECDHE_PSK with AES-GCM and AES-CCM Cipher
Suites for Transport Layer Security (TLS) Protocol version 1.2

Document date:   2017-05-24

Group:  tls

Pages:   7

URL:
https://www.ietf.org/internet-drafts/draft-ietf-tls-ecdhe-psk-aead-05.txt

Status:
https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/

Htmlized:   https://tools.ietf.org/html/draft-ietf-tls-ecdhe-psk-aead-05

Htmlized:
https://datatracker.ietf.org/doc/html/draft-ietf-tls-ecdhe-psk-aead-05

Diff:
https://www.ietf.org/rfcdiff?url2=draft-ietf-tls-ecdhe-psk-aead-05



Abstract:

   This document defines several new cipher suites for the Transport

   Layer Security (TLS) protocol version 1.2.  The cipher suites are all

   based on the Ephemeral Elliptic Curve Diffie-Hellman with Pre-Shared

   Key (ECDHE_PSK) key exchange together with the Authenticated

   Encryption with Associated Data (AEAD) algorithms AES-GCM and AES-

   CCM.  PSK provides light and efficient authentication, ECDHE provides

   forward secrecy, and AES-GCM and AES-CCM provides encryption and

   integrity protection.










Please note that it may take a couple of minutes from the time of
submission until the htmlized version and diff are available at
tools.ietf.org.



The IETF Secretariat

On Wed, May 24, 2017 at 6:29 PM, Martin Thomson 
wrote:

> On 25 May 2017 at 07:43, Daniel Migault 
> wrote:
> > From your response I understand you do not request changes.
>
>
> I am requesting changes. Just say that
> TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 uses AEAD_AES_128_GCM, and so
> forth.  It's not hard to be explicit.
>
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Martin Thomson]

On 25 May 2017 at 07:43, Daniel Migault  wrote:
> From your response I understand you do not request changes.


I am requesting changes. Just say that
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 uses AEAD_AES_128_GCM, and so
forth.  It's not hard to be explicit.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Daniel Migault]

>From your response I understand you do not request changes.
Yours,
Daniel

On Wed, May 24, 2017 at 4:24 PM, Martin Thomson 
wrote:

> On 25 May 2017 at 07:14, Joseph Salowey  wrote:
> > [Joe] It seems that a reasonable interpretation of the text is that the
> AEAD
> > constructs will pair with the cipher suite that share the same name.  Do
> you
> > still think we need to provide an explicit mapping between the two?
>
>
> Reasonable, sure, even obvious.  I've learned that reasonable doesn't
> work always.  Note that the order that the AEADs are listed doesn't
> match the order of the cipher suites.
>
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Martin Thomson]

On 25 May 2017 at 07:14, Joseph Salowey  wrote:
> [Joe] It seems that a reasonable interpretation of the text is that the AEAD
> constructs will pair with the cipher suite that share the same name.  Do you
> still think we need to provide an explicit mapping between the two?


Reasonable, sure, even obvious.  I've learned that reasonable doesn't
work always.  Note that the order that the AEADs are listed doesn't
match the order of the cipher suites.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Joseph Salowey]

On Wed, May 24, 2017 at 1:13 PM, Martin Thomson 
wrote:

> On 25 May 2017 at 00:04, Daniel Migault 
> wrote:
>
> > B) It is not true as TLS1.3 enables these cipher suites to be negotiated
> > with TLS1.3.
>
> You can't negotiate the new suites with 1.3, but you can offer them in
> case the server picks 1.2.
>
> Joe's proposal fixes this and other errors.
>
>
> >> You don't anywhere state that TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
> >> means to use AEAD_AES_128_GCM (and the same for the other
> >> ciphersuites).  I mention this because the order in which the AEAD
> >> algorithms are mentioned is different to the order of the ciphersuites
> >> in the list.
> >>
> >
> > Unless I miss your comment, I believe the section 3 already addresses
> it. If
> > not please let me knoe what text you would like to see.
> >
> > """
> > 3.  ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites
> >
> >The cipher suites defined in this document are based on the AES-GCM
> >and AES-CCM Authenticated Encryption with Associated Data (AEAD)
> >algorithms AEAD_AES_128_GCM, AEAD_AES_256_GCM and AEAD_AES_128_CCM
> >defined in [RFC5116], and AEAD_AES_128_CCM_8 defined in [RFC6655].
> >
> > """
>
> You miss my comment.  This does not prevent someone from deciding that
> TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 should use AEAD_AES_128_CCM_8.
>

[Joe] It seems that a reasonable interpretation of the text is that the
AEAD constructs will pair with the cipher suite that share the same name.
Do you still think we need to provide an explicit mapping between the two?
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Martin Thomson]

On 25 May 2017 at 00:04, Daniel Migault  wrote:

> B) It is not true as TLS1.3 enables these cipher suites to be negotiated
> with TLS1.3.

You can't negotiate the new suites with 1.3, but you can offer them in
case the server picks 1.2.

Joe's proposal fixes this and other errors.


>> You don't anywhere state that TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
>> means to use AEAD_AES_128_GCM (and the same for the other
>> ciphersuites).  I mention this because the order in which the AEAD
>> algorithms are mentioned is different to the order of the ciphersuites
>> in the list.
>>
>
> Unless I miss your comment, I believe the section 3 already addresses it. If
> not please let me knoe what text you would like to see.
>
> """
> 3.  ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites
>
>The cipher suites defined in this document are based on the AES-GCM
>and AES-CCM Authenticated Encryption with Associated Data (AEAD)
>algorithms AEAD_AES_128_GCM, AEAD_AES_256_GCM and AEAD_AES_128_CCM
>defined in [RFC5116], and AEAD_AES_128_CCM_8 defined in [RFC6655].
>
> """

You miss my comment.  This does not prevent someone from deciding that
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 should use AEAD_AES_128_CCM_8.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Daniel Migault]

Hi,

Thank Joe for the clarification. I removed section 4 and instead have the
following section 3. This is the version 06.

I will post it as soon as the datatracker allows me to submit a new
version, so please let me know if that address all concerns.

Yours,
Daniel

3.  ECDHE_PSK with AES-GCM and AES-CCM Cipher Suites

   The cipher suites defined in this document are based on the AES-GCM
   and AES-CCM Authenticated Encryption with Associated Data (AEAD)
   algorithms AEAD_AES_128_GCM, AEAD_AES_256_GCM and AEAD_AES_128_CCM
   defined in [RFC5116], and AEAD_AES_128_CCM_8 defined in [RFC6655].

   Messages and premaster secret construction in this document are
   defined in [RFC5489].  The ServerKeyExchange and ClientKeyExchange
   messages are used and the premaster secret is computed as for the
   ECDHE_PSK key exchange.  The elliptic curve parameters used in in the
   Diffie-Hellman parameters are negotiated using extensions defined in
   [I-D.ietf-tls-rfc4492bis].

   For TLS 1.2, the following cipher suites are defined:

   TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256   = {0xTBD,0xTBD};
   TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384   = {0xTBD,0xTBD};
   TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 = {0xTBD,0xTBD};
   TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256   = {0xTBD,0xTBD};

   The assigned code points can only be used for TLS 1.2.

   The cipher suites defined in this document MUST NOT be negotiated for
   any version of (D)TLS other than TLS 1.2.  Servers MUST NOT select
   one of these cipher suites when selecting TLS version other than TLS
   1.2.  A client MUST treat the selection of these cipher suites in
   combination with a different version of TLS as an error and generate
   a fatal 'illegal_parameter' TLS alert.

   Cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
   TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are used to
   support equivalent functionality in TLS 1.3 [I-D.ietf-tls-tls13].



On Wed, May 24, 2017 at 11:03 AM, Joseph Salowey  wrote:

> Hi Daniel,
>
> Thanks for putting this revision together.  The original text in draft 4
> went beyond the scope of what should be in the document (I was too hasty in
> my review of the document and discussion on the list).   Your current
> proposal is an improvement, but it still discusses behavior that could
> either conflict with other documents or discusses behavior that is not in
> scope.
>
> My suggestion is to replace section 4 with the following paragraph (I
> think this is similar to what Martin suggests):
>
> "The cipher suites defined in this document MUST NOT be negotiated for any
> version of (D)TLS other than TLS 1.2.  Servers MUST NOT select one of these
> cipher suites when selecting TLS version other than TLS 1.2.  A client MUST
> treat the selection of these cipher suites in combination with a different
> version of TLS as an error and generate a fatal 'illegal_parameter' TLS
> alert."
>
> I think it would also be OK to add the following to point readers to
> equivalent ciphers in 1.3.  Here is some suggested text that could go in
> the revised section 4:
>
> "Cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
> TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are used to support
> equivalent functionality in TLS 1.3 [TLS 1.3]."
>
> Thanks,
>
> Joe
>
>
> On Wed, May 24, 2017 at 7:04 AM, Daniel Migault <
> daniel.miga...@ericsson.com> wrote:
>
>> Hi Martin,
>>
>> Thank you for your review. Some comment were about text in the
>> applicability section. I think I agree with you that this section details
>> and clarifies  the following sentence of the previous section:  """ The
>> assigned code points can only be used for TLS 1.2.""". Most of the text of
>> this section has been added in order to address comments, thus in order to
>> make this section helpful for many readers, I prefer to keep most of the
>> text you mentioned as not useful.
>>
>> Please see inline for more detail responses and let me know if that
>> address your comments.
>>
>> Yours,
>> Daniel
>>
>> On Wed, May 24, 2017 at 12:09 AM, Martin Thomson <
>> martin.thom...@gmail.com> wrote:
>>
>>> Hi Daniel,
>>>
>>> This removes the offending text.
>>>
>>> This is incorrect:
>>>
>>> > Clients MUST NOT offer one of these cipher suites with a (D)TLS
>>> version that differs from TLS 1.2.
>>>
>>> It should be possible to offer these when attempting to negotiate TLS
>>> 1.3.  The server simply cannot negotiate these cipher suites if it
>>> chooses to use 1.3.  I'd remove that sentence (and the one following
>>> it, since it's redundant with the first sentence of the paragraph).
>>>
>>> My understanding is that you suggest to remove "Clients MUST NOT offer
>> one ..." for the following reasons:
>>
>> A) it is redundant with the first sentence of the paragraph: "The cipher
>> suites defined in this document MUST NOT be negotiated ...".  This sentence
>> clarifies on the client side what "MUST NOT be negotiated" means, and the
>> same is 

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Joseph Salowey]

Hi Daniel,

Thanks for putting this revision together.  The original text in draft 4
went beyond the scope of what should be in the document (I was too hasty in
my review of the document and discussion on the list).   Your current
proposal is an improvement, but it still discusses behavior that could
either conflict with other documents or discusses behavior that is not in
scope.

My suggestion is to replace section 4 with the following paragraph (I think
this is similar to what Martin suggests):

"The cipher suites defined in this document MUST NOT be negotiated for any
version of (D)TLS other than TLS 1.2.  Servers MUST NOT select one of these
cipher suites when selecting TLS version other than TLS 1.2.  A client MUST
treat the selection of these cipher suites in combination with a different
version of TLS as an error and generate a fatal 'illegal_parameter' TLS
alert."

I think it would also be OK to add the following to point readers to
equivalent ciphers in 1.3.  Here is some suggested text that could go in
the revised section 4:

"Cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are used to support
equivalent functionality in TLS 1.3 [TLS 1.3]."

Thanks,

Joe


On Wed, May 24, 2017 at 7:04 AM, Daniel Migault  wrote:

> Hi Martin,
>
> Thank you for your review. Some comment were about text in the
> applicability section. I think I agree with you that this section details
> and clarifies  the following sentence of the previous section:  """ The
> assigned code points can only be used for TLS 1.2.""". Most of the text of
> this section has been added in order to address comments, thus in order to
> make this section helpful for many readers, I prefer to keep most of the
> text you mentioned as not useful.
>
> Please see inline for more detail responses and let me know if that
> address your comments.
>
> Yours,
> Daniel
>
> On Wed, May 24, 2017 at 12:09 AM, Martin Thomson  > wrote:
>
>> Hi Daniel,
>>
>> This removes the offending text.
>>
>> This is incorrect:
>>
>> > Clients MUST NOT offer one of these cipher suites with a (D)TLS version
>> that differs from TLS 1.2.
>>
>> It should be possible to offer these when attempting to negotiate TLS
>> 1.3.  The server simply cannot negotiate these cipher suites if it
>> chooses to use 1.3.  I'd remove that sentence (and the one following
>> it, since it's redundant with the first sentence of the paragraph).
>>
>> My understanding is that you suggest to remove "Clients MUST NOT offer
> one ..." for the following reasons:
>
> A) it is redundant with the first sentence of the paragraph: "The cipher
> suites defined in this document MUST NOT be negotiated ...".  This sentence
> clarifies on the client side what "MUST NOT be negotiated" means, and the
> same is done for the server side. If we provide clarification for the
> server side, I would prefer to keep a clarification for the client side as
> well.
>
> B) It is not true as TLS1.3 enables these cipher suites to be negotiated
> with TLS1.3. In the text cipher suites stands for the cipher suites code
> points of the IANA registry.  Maybe we can have a better wording. However I
> believe the next paragraph clarifies that TLS1.3 negotiates these ciphers
> suites in a different way. Would the following wording address your
> comment. If so I will update the section to remove the confusion.
>
> "Clients MUST NOT offer one of the cipher suites code points defined in
> the document with a (D)TLS version that differs from TLS 1.2."
>
> The text in question is:
> """
>The cipher suites defined in this document MUST NOT be negotiated for
>any version of (D)TLS other than TLS 1.2.  Clients MUST NOT offer one
>of these cipher suites with a (D)TLS version that differs from TLS
>1.2.  Servers MUST NOT select one of these cipher suites with a TLS
>version that differs from TLS 1.2.  A client MUST treat the selection
>of these cipher suites in combination with a version of TLS as an
>error and generate a fatal 'illegal_parameter' TLS alert.
>
> """
>
>
>> As others have noted, the paragraph about TLS 1.3 isn't helpful and
>> should be removed.
>>
>>
> Suggestion to remove TLS1.3 related text was to clarify that the cipher
> suites were only defined for TLS1.2. Unless I missed something we have
> removed most of the text that could cause confusion. On the other hand,
> TLS1.3 has been designed, and we also have received comments to position
> the defined cipher suites toward TLS1.3 as we do fro TLS1.0 and TLS1.1.
> This is the intent of the remaining text mentioning TLS1.3.
>
> In the applicable version section, the text for TLS1.3 is intended to
> clarify why the cipher suites are restricted to TLS1.2. I believe this is
> useful for readers not so familiar with TLS1.3 that may not be aware of how
> TLS1.3 negotiate ciphers. My personal opinion is that it might be better to
> 

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Daniel Migault]

Hi Martin,

Thank you for your review. Some comment were about text in the
applicability section. I think I agree with you that this section details
and clarifies  the following sentence of the previous section:  """ The
assigned code points can only be used for TLS 1.2.""". Most of the text of
this section has been added in order to address comments, thus in order to
make this section helpful for many readers, I prefer to keep most of the
text you mentioned as not useful.

Please see inline for more detail responses and let me know if that address
your comments.

Yours,
Daniel

On Wed, May 24, 2017 at 12:09 AM, Martin Thomson 
wrote:

> Hi Daniel,
>
> This removes the offending text.
>
> This is incorrect:
>
> > Clients MUST NOT offer one of these cipher suites with a (D)TLS version
> that differs from TLS 1.2.
>
> It should be possible to offer these when attempting to negotiate TLS
> 1.3.  The server simply cannot negotiate these cipher suites if it
> chooses to use 1.3.  I'd remove that sentence (and the one following
> it, since it's redundant with the first sentence of the paragraph).
>
> My understanding is that you suggest to remove "Clients MUST NOT offer one
..." for the following reasons:

A) it is redundant with the first sentence of the paragraph: "The cipher
suites defined in this document MUST NOT be negotiated ...".  This sentence
clarifies on the client side what "MUST NOT be negotiated" means, and the
same is done for the server side. If we provide clarification for the
server side, I would prefer to keep a clarification for the client side as
well.

B) It is not true as TLS1.3 enables these cipher suites to be negotiated
with TLS1.3. In the text cipher suites stands for the cipher suites code
points of the IANA registry.  Maybe we can have a better wording. However I
believe the next paragraph clarifies that TLS1.3 negotiates these ciphers
suites in a different way. Would the following wording address your
comment. If so I will update the section to remove the confusion.

"Clients MUST NOT offer one of the cipher suites code points defined in the
document with a (D)TLS version that differs from TLS 1.2."

The text in question is:
"""
   The cipher suites defined in this document MUST NOT be negotiated for
   any version of (D)TLS other than TLS 1.2.  Clients MUST NOT offer one
   of these cipher suites with a (D)TLS version that differs from TLS
   1.2.  Servers MUST NOT select one of these cipher suites with a TLS
   version that differs from TLS 1.2.  A client MUST treat the selection
   of these cipher suites in combination with a version of TLS as an
   error and generate a fatal 'illegal_parameter' TLS alert.

"""


> As others have noted, the paragraph about TLS 1.3 isn't helpful and
> should be removed.
>
>
Suggestion to remove TLS1.3 related text was to clarify that the cipher
suites were only defined for TLS1.2. Unless I missed something we have
removed most of the text that could cause confusion. On the other hand,
TLS1.3 has been designed, and we also have received comments to position
the defined cipher suites toward TLS1.3 as we do fro TLS1.0 and TLS1.1.
This is the intent of the remaining text mentioning TLS1.3.

In the applicable version section, the text for TLS1.3 is intended to
clarify why the cipher suites are restricted to TLS1.2. I believe this is
useful for readers not so familiar with TLS1.3 that may not be aware of how
TLS1.3 negotiate ciphers. My personal opinion is that it might be better to
have it explicit rather than implicit, and I would prefer to keep the text
below:

"""
   TLS version 1.3 and later negotiate these features in a different
   manner.  Unlike TLS 1.2, TLS 1.3 separates authentication and cipher
   suite negotiation [I-D.ietf-tls-tls13] Section 1.2.  TLS 1.3 supports
   PSK with ECDHE key exchange and the cipher suites
   TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
   TLS_AES_128_CCM_8_SHA256 and TLS_AES_128_CCM_SHA256 are part of the
   specification.  As a result, TLS 1.3 and higher versions, negotiate
   and support these cipher suites in a different way.

"""




> This:
>
> > In addition, it is worth noting that TLS 1.0 [RFC2246] and TLS 1.2
> [RFC4346] split the pre-master into two  parts.  The PRF results from
> mixing the two pseudorandom streams with distinct hash functions (MD5 and
> SHA-1) by exclusive-ORing them together.
>
> You mean TLS 1.1 rather than 1.2.  But as with the former paragraph,
> talking about the limitations of TLS versions that you explicitly
> don't support isn't useful.  Remove this paragraph also.
>
>
Yes that is TLS1.1. I updated it. I believe the text is useful as it
provides a clear justification on why it should not be used on TLS version
lower than 1.2. More specifically, previous version do not support AEAD,
but this may not prevent someone using AEAD with these versions. The reason
provided is not AEAD related but PSK related. I believe it is useful to
explicitly justify 

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Martin Thomson]

Hi Daniel,

This removes the offending text.

This is incorrect:

> Clients MUST NOT offer one of these cipher suites with a (D)TLS version that 
> differs from TLS 1.2.

It should be possible to offer these when attempting to negotiate TLS
1.3.  The server simply cannot negotiate these cipher suites if it
chooses to use 1.3.  I'd remove that sentence (and the one following
it, since it's redundant with the first sentence of the paragraph).

As others have noted, the paragraph about TLS 1.3 isn't helpful and
should be removed.

This:

> In addition, it is worth noting that TLS 1.0 [RFC2246] and TLS 1.2 [RFC4346] 
> split the pre-master into two  parts.  The PRF results from mixing the two 
> pseudorandom streams with distinct hash functions (MD5 and SHA-1) by 
> exclusive-ORing them together.

You mean TLS 1.1 rather than 1.2.  But as with the former paragraph,
talking about the limitations of TLS versions that you explicitly
don't support isn't useful.  Remove this paragraph also.

Nits:
s/pre-master(| secret)/premaster secret/g

You don't anywhere state that TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256
means to use AEAD_AES_128_GCM (and the same for the other
ciphersuites).  I mention this because the order in which the AEAD
algorithms are mentioned is different to the order of the ciphersuites
in the list.



On 24 May 2017 at 12:37, Daniel Migault  wrote:
> re-sending with the version 05 but removing the diff to be under the 100 KB
> limit.
> Yours,
> Daniel
>
> On Tue, May 23, 2017 at 9:28 PM, Daniel Migault
>  wrote:
>>
>> Hi Eric,
>>
>> Thank you for the feed backs. The version 05 contains all text changes you
>> agreed. In addition, the text explaining dictionary/brute force has been
>> removed and replace by a reference to 4279. The recommendation regarding to
>> all PSK ciphers has been limited to the one of the document.  Please see
>> inline for more details.
>>
>> For some reasons I am not able to validate the submission of version 05. I
>> have attached the diff with version 04 as well as the locally generated
>> version 05.
>>
>> Yours,
>> Daniel
>>
>> On Tue, May 23, 2017 at 7:40 PM, Eric Rescorla  wrote:
>>>
>>>
>>>
>>> On Wed, May 24, 2017 at 6:00 AM, Daniel Migault
>>>  wrote:

 Hi Eric,

 Thank you for your reviews. Please see my responses inline. If you agree
 with the text I will update the draft.

 Yours,
 Daniel

 On Mon, May 22, 2017 at 10:11 PM, Eric Rescorla  wrote:
>
> Eric Rescorla has entered the following ballot position for
> draft-ietf-tls-ecdhe-psk-aead-04: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to
> https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/
>
>
>
> --
> DISCUSS:
> --
>
> The following text appears to have been added in -04
>
>A server receiving a ClientHello and a client_version indicating
>(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from
>this document in ClientHello.cipher_suites can safely assume that
> the
>client supports TLS 1.2 and is willing to use it.  The server MUST
>NOT negotiate these cipher suites with TLS protocol versions earlier
>than TLS 1.2.  Not requiring clients to indicate their support for
>TLS 1.2 cipher suites exclusively through ClientHello.client_hello
>improves the interoperability in the installed base and use of TLS
>1.2 AEAD cipher suites without upsetting the installed base of
>version-intolerant TLS servers, results in more TLS handshakes
>succeeding and obviates fallback mechanisms.
>
> This is a major technical change from -03, which, AFAIK, prohibited
> the server from negotiating these algorithms with TLS 1.1 and below
> and maintained the usual TLS version 1.2 negotiation rules.
>
> This is a very material technical change. I don't consider it wise,
> but in any case it would absolutely need WG consensus, which I
> don't believe that it has given the recent introduction.


 I agree that the text is a technical change, and that it may not be
 appropriated to do so now. The reason I included it was that it was conform
 to the previous text, but I agree that implicit assumption of version 1.2
 may need some 

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Daniel Migault]

re-sending with the version 05 but removing the diff to be under the 100 KB
limit.
Yours,
Daniel

On Tue, May 23, 2017 at 9:28 PM, Daniel Migault  wrote:

> Hi Eric,
>
> Thank you for the feed backs. The version 05 contains all text changes you
> agreed. In addition, the text explaining dictionary/brute force has been
> removed and replace by a reference to 4279. The recommendation regarding to
> all PSK ciphers has been limited to the one of the document.  Please see
> inline for more details.
>
> For some reasons I am not able to validate the submission of version 05. I
> have attached the diff with version 04 as well as the locally generated
> version 05.
>
> Yours,
> Daniel
>
> On Tue, May 23, 2017 at 7:40 PM, Eric Rescorla  wrote:
>
>>
>>
>> On Wed, May 24, 2017 at 6:00 AM, Daniel Migault <
>> daniel.miga...@ericsson.com> wrote:
>>
>>> Hi Eric,
>>>
>>> Thank you for your reviews. Please see my responses inline. If you agree
>>> with the text I will update the draft.
>>>
>>> Yours,
>>> Daniel
>>>
>>> On Mon, May 22, 2017 at 10:11 PM, Eric Rescorla  wrote:
>>>
 Eric Rescorla has entered the following ballot position for
 draft-ietf-tls-ecdhe-psk-aead-04: Discuss

 When responding, please keep the subject line intact and reply to all
 email addresses included in the To and CC lines. (Feel free to cut this
 introductory paragraph, however.)


 Please refer to https://www.ietf.org/iesg/stat
 ement/discuss-criteria.html
 for more information about IESG DISCUSS and COMMENT positions.


 The document, along with other ballot positions, can be found here:
 https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/



 --
 DISCUSS:
 --

 The following text appears to have been added in -04

A server receiving a ClientHello and a client_version indicating
(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from
this document in ClientHello.cipher_suites can safely assume that
 the
client supports TLS 1.2 and is willing to use it.  The server MUST
NOT negotiate these cipher suites with TLS protocol versions earlier
than TLS 1.2.  Not requiring clients to indicate their support for
TLS 1.2 cipher suites exclusively through ClientHello.client_hello
improves the interoperability in the installed base and use of TLS
1.2 AEAD cipher suites without upsetting the installed base of
version-intolerant TLS servers, results in more TLS handshakes
succeeding and obviates fallback mechanisms.

 This is a major technical change from -03, which, AFAIK, prohibited
 the server from negotiating these algorithms with TLS 1.1 and below
 and maintained the usual TLS version 1.2 negotiation rules.

 This is a very material technical change. I don't consider it wise,
 but in any case it would absolutely need WG consensus, which I
 don't believe that it has given the recent introduction.

>>>
>>> I agree that the text is a technical change, and that it may not be
>>> appropriated to do so now. The reason I included it was that it was conform
>>> to the previous text, but I agree that implicit assumption of version 1.2
>>> may need some additional discussion especially regarding RFC5246 Appendix
>>> E. Unless you prefer further discussion I assume the text below address
>>> your concern.
>>>
>>> The cipher suites defined in this document MUST NOT be negotiated for
>>> any version of (D)TLS other than TLS 1.2. Clients MUST NOT offer one of
>>> these cipher suites with a (D)TLS version that differs from TLS 1.2.
>>> Servers MUST NOT select one of these cipher suites with a TLS version that
>>> differs from TLS 1.2. A client MUST treat the selection of these cipher
>>> suites in combination with a version of TLS as an error and generate a
>>> fatal 'illegal_parameter' TLS alert. 
>>>
>>
>> Yes, this seems fine
>>
>>
>> The discussion of dictionary attacks here seems inferior to that
 in 4279. In particular, you only need to actively attack one
 connection to capture the data you need for a brute force attack
 despite the text there referring to trying "different keys".
 Please correct that.

 I believe the text below address your concern:
>>>
>>> OLD:
>>> Use of Pre-Shared Keys of limited entropy may allow an active
>>> attacker attempts to connect to the server and try different keys.
>>> For example, limited entropy may be provided by using a short PSK in
>>> which
>>> case an attacker may perform a brute-force attack. Another example
>>> includes the use of a PSK  chosen by a human which thus may be exposed to
>>> dictionary attacks.
>>>
>>> NEW:
>>> Pre-Shared Keys security relies on 

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Daniel Migault]

Hi Eric,

Thank you for your reviews. Please see my responses inline. If you agree
with the text I will update the draft.

Yours,
Daniel

On Mon, May 22, 2017 at 10:11 PM, Eric Rescorla  wrote:

> Eric Rescorla has entered the following ballot position for
> draft-ietf-tls-ecdhe-psk-aead-04: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/
>
>
>
> --
> DISCUSS:
> --
>
> The following text appears to have been added in -04
>
>A server receiving a ClientHello and a client_version indicating
>(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from
>this document in ClientHello.cipher_suites can safely assume that
> the
>client supports TLS 1.2 and is willing to use it.  The server MUST
>NOT negotiate these cipher suites with TLS protocol versions earlier
>than TLS 1.2.  Not requiring clients to indicate their support for
>TLS 1.2 cipher suites exclusively through ClientHello.client_hello
>improves the interoperability in the installed base and use of TLS
>1.2 AEAD cipher suites without upsetting the installed base of
>version-intolerant TLS servers, results in more TLS handshakes
>succeeding and obviates fallback mechanisms.
>
> This is a major technical change from -03, which, AFAIK, prohibited
> the server from negotiating these algorithms with TLS 1.1 and below
> and maintained the usual TLS version 1.2 negotiation rules.
>
> This is a very material technical change. I don't consider it wise,
> but in any case it would absolutely need WG consensus, which I
> don't believe that it has given the recent introduction.
>

I agree that the text is a technical change, and that it may not be
appropriated to do so now. The reason I included it was that it was conform
to the previous text, but I agree that implicit assumption of version 1.2
may need some additional discussion especially regarding RFC5246 Appendix
E. Unless you prefer further discussion I assume the text below address
your concern.

The cipher suites defined in this document MUST NOT be negotiated for
any version of (D)TLS other than TLS 1.2. Clients MUST NOT offer one of
these cipher suites with a (D)TLS version that differs from TLS 1.2.
Servers MUST NOT select one of these cipher suites with a TLS version that
differs from TLS 1.2. A client MUST treat the selection of these cipher
suites in combination with a version of TLS as an error and generate a
fatal 'illegal_parameter' TLS alert. 

>
> The discussion of dictionary attacks here seems inferior to that
> in 4279. In particular, you only need to actively attack one
> connection to capture the data you need for a brute force attack
> despite the text there referring to trying "different keys".
> Please correct that.
>
> I believe the text below address your concern:

OLD:
Use of Pre-Shared Keys of limited entropy may allow an active
attacker attempts to connect to the server and try different keys.
For example, limited entropy may be provided by using a short PSK in which
case an attacker may perform a brute-force attack. Another example
includes the use of a PSK  chosen by a human which thus may be exposed to
dictionary attacks.

NEW:
Pre-Shared Keys security relies on its associated entropy, and it is
RECOMMENDED to follow  to ensure the PSK has enough
entropy. Possible reasons for low entropy includes PSK chosen by humans or
PSK of small length as well as using random generators with limited
entropy. 

PSK of limited entropy may allow an attacker to test different PSK
values against a valid output such as master secret or any output derived
from it. In this document, the master secret is generated using the PSK as
well as the ECDHE shared secret. The use of ECDHE limits the possibilities
of passive eavesdropping attackers, as the ECDHE shared secret is not
expected to be derived from the observed ECDH parameters. As a result,
passive eavesdropping is unlikely to happen, and the collection of all
necessary material relies on an active attack.
An active attacker may collect the necessary material by setting a TLS
session as a client with the legitimate server. One PSK is tested for each
session, and a match occurs when key exchange succeeds. On the other hand,
an active attacker may also consider gathering the necessary information
for offline computation. One way consists in getting a legitimate client to
establish a connection with the attacker. It is also assumed 

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Eric Rescorla]

On Tue, May 23, 2017 at 9:34 PM, Martin Rex  wrote:

> Eric Rescorla wrote:
> > draft-ietf-tls-ecdhe-psk-aead-04: Discuss
> >
> > --
> > DISCUSS:
> > --
> >
> > The following text appears to have been added in -04
> >
> >A server receiving a ClientHello and a client_version indicating
> >(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from
> >this document in ClientHello.cipher_suites can safely assume that
> > the
> >client supports TLS 1.2 and is willing to use it.  The server MUST
> >NOT negotiate these cipher suites with TLS protocol versions earlier
> >than TLS 1.2.  Not requiring clients to indicate their support for
> >TLS 1.2 cipher suites exclusively through ClientHello.client_hello
> >improves the interoperability in the installed base and use of TLS
> >1.2 AEAD cipher suites without upsetting the installed base of
> >version-intolerant TLS servers, results in more TLS handshakes
> >succeeding and obviates fallback mechanisms.
> >
> > This is a major technical change from -03, which, AFAIK, prohibited
> > the server from negotiating these algorithms with TLS 1.1 and below
> > and maintained the usual TLS version 1.2 negotiation rules.
>
> This change _still_ prohibits the server from negotiating these algorithms
> with TLSv1.1 and below.



> Could you elaborate a little on where and why you see a problem with this?
>

For starters, TLS 1.3 has already designed a completely independent
mechanism for doing version negotiation outside of ClientHello.version,
so doing another seems pretty odd. In any case, it's not something you
do between IETF-LC and IESG approval.


As this changes tries to explain, had such a text been used for all
> TLSv1.2 AEAD cipher suite code points, then browsers would have never
> needed any "downgrade dance" fallbacks, POODLE would have never
> existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid
> would not been needed, either.
>

I'm not sure this is true, because there were also servers which did
not understand extensions.

-Ekr


> -Martin
>
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Martin Rex]

It seems I had a typo in the new text.

Martin Rex wrote:
> Eric Rescorla wrote:
>> draft-ietf-tls-ecdhe-psk-aead-04: Discuss
>> 
>> --
>> DISCUSS:
>> --
>> 
>> The following text appears to have been added in -04
>> 
>>A server receiving a ClientHello and a client_version indicating
>>(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from
>>this document in ClientHello.cipher_suites can safely assume that
>> the
>>client supports TLS 1.2 and is willing to use it.  The server MUST
>>NOT negotiate these cipher suites with TLS protocol versions earlier
>>than TLS 1.2.  Not requiring clients to indicate their support for
>>TLS 1.2 cipher suites exclusively through ClientHello.client_hello

That line should say
 through ClientHello.client_version

>>improves the interoperability in the installed base and use of TLS
>>1.2 AEAD cipher suites without upsetting the installed base of
>>version-intolerant TLS servers, results in more TLS handshakes
>>succeeding and obviates fallback mechanisms.
>> 
>> This is a major technical change from -03, which, AFAIK, prohibited
>> the server from negotiating these algorithms with TLS 1.1 and below
>> and maintained the usual TLS version 1.2 negotiation rules.
> 
> This change _still_ prohibits the server from negotiating these algorithms
> with TLSv1.1 and below.
> 
> Could you elaborate a little on where and why you see a problem with this?
> 
> As this change tries to explain, had such a text been used for all
> TLSv1.2 AEAD cipher suite code points, then browsers would have never
> needed any "downgrade dance" fallbacks, POODLE would have never
> existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid
> would not have been needed, either.

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Martin Rex]

Eric Rescorla wrote:
> draft-ietf-tls-ecdhe-psk-aead-04: Discuss
> 
> --
> DISCUSS:
> --
> 
> The following text appears to have been added in -04
> 
>A server receiving a ClientHello and a client_version indicating
>(3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from
>this document in ClientHello.cipher_suites can safely assume that
> the
>client supports TLS 1.2 and is willing to use it.  The server MUST
>NOT negotiate these cipher suites with TLS protocol versions earlier
>than TLS 1.2.  Not requiring clients to indicate their support for
>TLS 1.2 cipher suites exclusively through ClientHello.client_hello
>improves the interoperability in the installed base and use of TLS
>1.2 AEAD cipher suites without upsetting the installed base of
>version-intolerant TLS servers, results in more TLS handshakes
>succeeding and obviates fallback mechanisms.
> 
> This is a major technical change from -03, which, AFAIK, prohibited
> the server from negotiating these algorithms with TLS 1.1 and below
> and maintained the usual TLS version 1.2 negotiation rules.

This change _still_ prohibits the server from negotiating these algorithms
with TLSv1.1 and below.

Could you elaborate a little on where and why you see a problem with this?

As this changes tries to explain, had such a text been used for all
TLSv1.2 AEAD cipher suite code points, then browsers would have never
needed any "downgrade dance" fallbacks, POODLE would have never
existed as a browser problem, and the TLS_FALLBACK_SCSV band-aid
would not been needed, either.

-Martin

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

[TLS] Eric Rescorla's Discuss on draft-ietf-tls-ecdhe-psk-aead-04: (with DISCUSS and COMMENT)

[Eric Rescorla]

Eric Rescorla has entered the following ballot position for
draft-ietf-tls-ecdhe-psk-aead-04: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-tls-ecdhe-psk-aead/



--
DISCUSS:
--

The following text appears to have been added in -04

   A server receiving a ClientHello and a client_version indicating
   (3,1) "TLS 1.0" or (3,2) "TLS 1.1" and any of the cipher suites from
   this document in ClientHello.cipher_suites can safely assume that
the
   client supports TLS 1.2 and is willing to use it.  The server MUST
   NOT negotiate these cipher suites with TLS protocol versions earlier
   than TLS 1.2.  Not requiring clients to indicate their support for
   TLS 1.2 cipher suites exclusively through ClientHello.client_hello
   improves the interoperability in the installed base and use of TLS
   1.2 AEAD cipher suites without upsetting the installed base of
   version-intolerant TLS servers, results in more TLS handshakes
   succeeding and obviates fallback mechanisms.

This is a major technical change from -03, which, AFAIK, prohibited
the server from negotiating these algorithms with TLS 1.1 and below
and maintained the usual TLS version 1.2 negotiation rules.

This is a very material technical change. I don't consider it wise,
but in any case it would absolutely need WG consensus, which I
don't believe that it has given the recent introduction.

The discussion of dictionary attacks here seems inferior to that
in 4279. In particular, you only need to actively attack one
connection to capture the data you need for a brute force attack
despite the text there referring to trying "different keys".
Please correct that.


--
COMMENT:
--

The citations to TLS 1.3 still seem pretty muddled. I think you
should just stop referencing and discussing 1.3.

S 2.
I'm not sure that the discussion of the PRF is helpful here in
mandating the non-use of these cipher suites with TLS 1.1 and
below.


___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls