Re: [TLS] PR for new negotiation syntax

[Ilari Liusvaara]

On Wed, Aug 03, 2016 at 08:30:22AM -0700, Eric Rescorla wrote:
> Folks,
> 
> As promised, I've written a PR that describes the new negotiation
> syntax we discussed in Berlin. I also have prototype implementation of
> this in NSS and it's quite a bit cleaner than the previous negotiation
> design. I think that others have found the same thing.

Yup, looks much cleaner.
 
> https://github.com/tlswg/tls13-spec/pull/559
>
> IMPORTANT: This new negotiation syntax allows for two modes that were
> not previously available with TLS 1.3: PSK and PSK-(EC)DHE with
> server-side signatures. This construction should be safe with
> resumption-PSK (this is why we introduced the resumption_ctx design),
> but as noted in Antoine's recent message [0], this is not safe with
> non-resumption PSK with the all-zeroes resumption context that we now
> use with external PSKs. I have an action item to fix that, so just
> keep that in the back of your head as you review this PR.

The idea is to essentially use "resumption master secret" as PSK
and then to derive the two subkeys off that on handshake, right?


Also I noticed that now there is no indication on if the group
indication in HRR is valid or not (pure-PSK). Dirty hack would be
to grab some reserved value (FF01?) for "I don't need any more
groups" (which isn't the same as "no group"). Or perhaps one could
stick it into extension[1].


Also, now that there are signatures even with 0-RTT, one should recheck
the 0-RTT extension checking logic (the original logic is now invalid,
but I think conclusions[2] for free certificate case are still valid).

However, if the thing does not use free certificates (in which case
the logic should absolutely be specified, or one WILL get massive
interop problems!) the conclusions definitely are not valid..


[1] One design would be to move group to extensions, rename
'extensions' to something like 'problems'. Then require 'problems' to
be non-empty and require clients to abort if they see problem types
they don't recognize (but problem types don't need to be advertized).


[2] The original conclusions were that out of extensions, only
server_name and application_layer_protocol_negotiation matter.



-Ilari

___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

[TLS] PR for new negotiation syntax

[Eric Rescorla]

Folks,

As promised, I've written a PR that describes the new negotiation
syntax we discussed in Berlin. I also have prototype implementation of
this in NSS and it's quite a bit cleaner than the previous negotiation
design. I think that others have found the same thing.

https://github.com/tlswg/tls13-spec/pull/559


IMPORTANT: This new negotiation syntax allows for two modes that were
not previously available with TLS 1.3: PSK and PSK-(EC)DHE with
server-side signatures. This construction should be safe with
resumption-PSK (this is why we introduced the resumption_ctx design),
but as noted in Antoine's recent message [0], this is not safe with
non-resumption PSK with the all-zeroes resumption context that we now
use with external PSKs. I have an action item to fix that, so just
keep that in the back of your head as you review this PR.

Comments welcome.

-Ekr

[0] https://www.ietf.org/mail-archive/web/tls/current/msg20637.html
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Re: [TLS] Keeping TLS extension points working

[David Benjamin]

On Wed, Aug 3, 2016 at 8:52 AM Raja ashok  wrote:

> Hi David & Steven,
>
>
>
> Here our intension is to find out buggy server which implemented a cipher
> suite support with wrong value other than specified in RFC.
>
> -  If that wrong value usage in that buggy server collides with
> any real cipher suite on the period of deployment means, the bug would have
> identified immediately with some other non buggy client.
>
> -  If that wrong value is in the range of unspecified value, then
> that bug thrives and it will come out only after several years when IANA
> assigns that value to some new cipher suite.
>
As ecosystem problems go, this is very tame one. I don't think the
complexity cost of a retry (which is not compatible with existing servers
anyway) far outweighs the ecosystem costs of that particular bug.

Should an implementation, say, copy-and-paste the wrong value for some
cipher suite and use an unallocated one then, yes, if widespread we will
have difficulties using cipher suite value. But then we can simply pick a
different one and document that that value has been lost.

Moreover, making all values into GREASE values will not catch this bug. The
probability of hitting this wrong value randomly is around 1/2^16 which is
well in the noise. Flaky failures won't do any good to prevent bugs.

In contrast, intolerance to *anything* unknown is a huge problem for
deployment. Then we simply can't deploy new things. (At least not without
fallbacks and such which have security consequences, among other problems.)

In this case, can you please tell me why we decided only few values as
> GREASE value {0x0A0A, 0x1A1A, ..}. Whether chrome browser has found a real
> buggy web server which supports these values ?
>
Ultimately the values need to get reserved so people don't try to use them
for real ones. I picked a small-ish number so that people maintaining the
registries would not become too unhappy at me. :-)

Chrome has yet to ship code which does this. I figured I ought to write
something up and send it to this list before squatting on quite so many
values in the registry. For the moment, this idea is merely a spec.

David

Regards,
>
> R Ashok
> --
>
> Raja Ashok VK
> 华为技术有限公司 Huawei Technologies Co., Ltd.
> [image: image001.jpg]
>
> Phone:
> Fax:
> Mobile:
> Email:
> Huawei Technologies Co., Ltd.
> Bangalore, India
> http://www.huawei.com
>
> --
>
> 本邮件及其附件含有华为公司的保密信息，仅限于发送给上面地址中列出的个人或群组。禁
> 止任何其他人以任何形式使用（包括但不限于全部或部分地泄露、复制、或散发）本邮件中
> 的信息。如果您错收了本邮件，请您立即电话或邮件通知发件人并删除本邮件！
> This e-mail and its attachments contain confidential information from
> HUAWEI, which
> is intended only for the person or entity whose address is listed above.
> Any use of the
> information contained herein in any way (including, but not limited to,
> total or partial
> disclosure, reproduction, or dissemination) by persons other than the
> intended
> recipient(s) is prohibited. If you receive this e-mail in error, please
> notify the sender by
> phone or email immediately and delete it!
>
> *From:* David Benjamin [mailto:david...@chromium.org]
> *Sent:* 02 August 2016 19:30
> *To:* Steven Valdez; Raja ashok; tls@ietf.org
> *Subject:* Re: [TLS] Keeping TLS extension points working
>
>
>
> To expand on that a little, since it seems comments (a) and (b) are really
> the same one:
>
>
>
> The purpose of having an explicitly reserved list (b) is precisely so we
> do not have to do a second handshake (a). The purpose here is to ensure we
> exercise the little-used codepaths, not introduce new ones. This is
> intended to be an extremely minimal mechanism. Clients add a tiny bit of
> code to their ClientHello and no server code changes at all. (Note that
> every MUST in the document is just reiterating what TLS already requires.)
>
>
>
> David
>
>
>
> On Tue, Aug 2, 2016 at 9:47 AM Steven Valdez  wrote:
>
> a) It seems like if an implementation has updated to be able to handle a
> specific GREASE alert, it should be able to handle not sending an invalid
> cipher suite. In general, its probably cleaner for the connection to
> fatally shutdown and then restart if the server is behaving that poorly.
> Servers that are sending back non-existent ciphers are also potentially
> broken in other ways, and I don't know whether a client should trust that
> it can reset any handshake state correctly if it were to try doing a
> "warning" alert.
>
>
>
> b) The reasoning behind having an explicit list is so that implementations
> don't send a value that ends up being defined as some other valid value.
> Otherwise its possible that some implementations will update to include
> GREASE values, but they might not update immediately upon new values being
> assigned by IANA, which means that there will be periods of times that some
> clients might send "fake" values that collide with real values, confusing
> the peer implementation into believing 

Re: [TLS] Keeping TLS extension points working

[Raja ashok]

Hi David & Steven,

Here our intension is to find out buggy server which implemented a cipher suite 
support with wrong value other than specified in RFC.

-  If that wrong value usage in that buggy server collides with any 
real cipher suite on the period of deployment means, the bug would have 
identified immediately with some other non buggy client.

-  If that wrong value is in the range of unspecified value, then that 
bug thrives and it will come out only after several years when IANA assigns 
that value to some new cipher suite.

In this case, can you please tell me why we decided only few values as GREASE 
value {0x0A0A, 0x1A1A, ..}. Whether chrome browser has found a real buggy web 
server which supports these values ?

Regards,
R Ashok

Raja Ashok VK
华为技术有限公司 Huawei Technologies Co., Ltd.
[Company_logo]

Phone:
Fax:
Mobile:
Email:
Huawei Technologies Co., Ltd.
Bangalore, India
http://www.huawei.com

本邮件及其附件含有华为公司的保密信息，仅限于发送给上面地址中列出的个人或群组。禁
止任何其他人以任何形式使用（包括但不限于全部或部分地泄露、复制、或散发）本邮件中
的信息。如果您错收了本邮件，请您立即电话或邮件通知发件人并删除本邮件！
This e-mail and its attachments contain confidential information from HUAWEI, 
which
is intended only for the person or entity whose address is listed above. Any 
use of the
information contained herein in any way (including, but not limited to, total 
or partial
disclosure, reproduction, or dissemination) by persons other than the intended
recipient(s) is prohibited. If you receive this e-mail in error, please notify 
the sender by
phone or email immediately and delete it!
From: David Benjamin [mailto:david...@chromium.org]
Sent: 02 August 2016 19:30
To: Steven Valdez; Raja ashok; tls@ietf.org
Subject: Re: [TLS] Keeping TLS extension points working

To expand on that a little, since it seems comments (a) and (b) are really the 
same one:

The purpose of having an explicitly reserved list (b) is precisely so we do not 
have to do a second handshake (a). The purpose here is to ensure we exercise 
the little-used codepaths, not introduce new ones. This is intended to be an 
extremely minimal mechanism. Clients add a tiny bit of code to their 
ClientHello and no server code changes at all. (Note that every MUST in the 
document is just reiterating what TLS already requires.)

David

On Tue, Aug 2, 2016 at 9:47 AM Steven Valdez 
> wrote:
a) It seems like if an implementation has updated to be able to handle a 
specific GREASE alert, it should be able to handle not sending an invalid 
cipher suite. In general, its probably cleaner for the connection to fatally 
shutdown and then restart if the server is behaving that poorly. Servers that 
are sending back non-existent ciphers are also potentially broken in other 
ways, and I don't know whether a client should trust that it can reset any 
handshake state correctly if it were to try doing a "warning" alert.

b) The reasoning behind having an explicit list is so that implementations 
don't send a value that ends up being defined as some other valid value. 
Otherwise its possible that some implementations will update to include GREASE 
values, but they might not update immediately upon new values being assigned by 
IANA, which means that there will be periods of times that some clients might 
send "fake" values that collide with real values, confusing the peer 
implementation into believing they actually support something that they don't 
and resulting in more intolerance issues between outdated GREASE clients and 
newly updated servers, with this intolerance being firmly the GREASE clients 
fault. The hardcoded list gets around this by making sure GREASE never overlaps 
with an actual value, though at the trade-off that badly designed 
implementations could choose to just hard-code ignore the GREASE codepoints.

On Tue, Aug 2, 2016 at 2:59 AM Raja ashok 
> wrote:
Hi Benjamin,

I have gone through the GREASE mechanism which you proposed in your new draft. 
It’s really a nice idea for finding a buggy server before it thrives.

I am having few doubts on this, which are listed below.

a)  What should be the behaviour of client incase if a buggy server 
responded for a GREASE value ?

-  Consider a client sends a GREASE cipher value at first place and 
followed by valid cipher suites, in its client hello.

-  If a buggy server selects that cipher then it will response server 
hello with that GREASE cipher value. At this case if client sends FATAL alert 
then both side TLS and TCP needs to be closed and client needs to recreate a 
new TCP connection, and then restart TLS handshake without GREASE cipher value.

-  Instead of this we can make client to send warning alert (with new 
TLS alert code GREASE_CIPHER_VALUE_SELECTED(111)) and restart TLS handshake by 
sending client hello again.

-  If a server receives this new warning, then it