diff options
Diffstat (limited to 'doc/protocol/draft-funk-tls-inner-application-extension-00.txt')
-rw-r--r-- | doc/protocol/draft-funk-tls-inner-application-extension-00.txt | 1947 |
1 files changed, 0 insertions, 1947 deletions
diff --git a/doc/protocol/draft-funk-tls-inner-application-extension-00.txt b/doc/protocol/draft-funk-tls-inner-application-extension-00.txt deleted file mode 100644 index d9c056db79..0000000000 --- a/doc/protocol/draft-funk-tls-inner-application-extension-00.txt +++ /dev/null @@ -1,1947 +0,0 @@ - - - - - -TLS Working Group Paul Funk -Internet-Draft Funk Software, Inc. -Category: Standards Track Simon Blake-Wilson -<draft-funk-tls-inner-application-extension-00.txt> Basic Commerce & - Industries, Inc. - Ned Smith - Intel Corp. - Hannes Tschofenig - Siemens AG - October 2004 - - - - TLS Inner Application Extension - (TLS/IA) - - - -Status of this Memo - - This document is an Internet-Draft and is subject to all provisions - of section 3 of RFC 3667. By submitting this Internet-Draft, each - author represents that any applicable patent or other IPR claims of - which he or she is aware have been or will be disclosed, and any of - which he or she become aware will be disclosed, in accordance with - RFC 3668. - - Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. - - Internet-Drafts are draft documents valid for a maximum of six - months and may be updated, replaced, or obsoleted by other documents - at any time. It is inappropriate to use Internet-Drafts as - reference material or to cite them other than as "work in progress." - - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - - -Copyright Notice - - Copyright (C) The Internet Society (2001 - 2004). All Rights - Reserved. - -Abstract - -Internet-Draft October 2004 - - - This document defines a new TLS extension called "Inner - Application". When TLS is used with the Inner Application extension - (TLS/IA), additional messages are exchanged during the TLS - handshake, each of which is an encrypted sequence of Attribute- - Value-Pairs (AVPs) from the RADIUS/Diameter namespace. Hence, the - AVPs defined in RADIUS and Diameter have the same meaning in TLS/AI; - that is, each attribute code point refers to the same logical - attribute in any of these protocols. Arbitrary "applications" may be - implemented using the AVP exchange. Possible applications include - EAP or other forms of user authentication, client integrity - checking, provisioning of additional tunnels, and the like. Use of - the RADIUS/Diameter namespace provides natural compatibility between - TLS/IA applications and widely deployed AAA infrastructures. - - It is anticipated that TLS/IA will be used with and without - subsequent protected data communication within the tunnel - established by the handshake. For example, TLS/IA may be used to - secure an HTTP data connection, allowing more robust password-based - user authentication to occur within the TLS handshake than would - otherwise be possible using mechanisms available in HTTP. TLS/IA may - also be used for its handshake portion alone; for example, EAP- - TTLSv1 encapsulates a TLS/IA handshake in EAP as a means to mutually - authenticate a client and server and establish keys for a separate - data connection. - -Table of Contents - -1 Introduction......................................................3 -1.1 A Bit of History..............................................4 -1.2 Handshake-Only vs. Full TLS Usage.............................5 -2 The InnerApplication Extension to TLS.............................5 -2.1 TLS/IA Overview...............................................6 -2.2 Message Exchange..............................................8 -2.3 Master Key Permutation........................................8 -2.3.1 Application Session Key Material.........................10 -2.4 Session Resumption...........................................11 -2.5 Error Termination............................................12 -2.6 Computing Verification Data..................................12 -2.7 TLS/IA Messages..............................................14 -2.8 Negotiating the Inner Application Extension..................14 -2.8.1 ClientInnerApplication...................................14 -2.8.2 ServerInnerApplication...................................15 -2.9 The PhaseFinished Handshake Message..........................16 -2.10 The ApplicationPayload Handshake Message.....................16 -2.11 The InnerApplicationFailure Alert............................16 -3 Encapsulation of AVPs within ApplicationPayload Messages.........16 -3.1 AVP Format...................................................17 -3.2 AVP Sequences................................................18 -3.3 Guidelines for Maximum Compatibility with AAA Servers........18 -4 Tunneled Authentication within Application Phases................19 -4.1 Implicit challenge...........................................19 - - - -Paul Funk expires April 2005 [Page 2] - -Internet-Draft October 2004 - - -4.2 Tunneled Authentication Protocols............................20 -4.2.1 EAP ......................................................20 -4.2.2 CHAP .....................................................21 -4.2.3 MS-CHAP..................................................22 -4.2.4 MS-CHAP-V2...............................................22 -4.2.5 PAP ......................................................24 -4.3 Performing Multiple Authentications..........................24 -5 Example Message Sequences........................................25 -5.1 Full Initial Handshake with Intermediate and Final Application -Phases 25 -5.2 Resumed Session with Single Application Phase................26 -5.3 Resumed Session with No Application Phase....................27 -6 Security Considerations..........................................27 -7 References.......................................................30 -7.1 Normative References.........................................30 -7.2 Informative References.......................................31 -8 Authors' Addresses...............................................31 -9 Intellectual Property Statement..................................32 - - -1 Introduction - - This specification defines the TLS "Inner Application" extension. - The term "TLS/IA" refers to the TLS protocol when used with the - Inner Application extension. - - In TLS/IA, the TLS handshake is extended to allow an arbitrary - exchange of information between client and server within a protected - tunnel established during the handshake but prior to its completion. - The initial phase of the TLS handshake is virtually identical to - that of a standard TLS handshake; subsequent phases are conducted - under the confidentiality and integrity protection afforded by that - initial phase. - - The primary motivation for providing such communication is to allow - robust user authentication to occur as part of the handshake, in - particular, user authentication that is based on password - credentials, which is best conducted under the protection of an - encrypted tunnel to preclude dictionary attack by eavesdroppers. For - example, Extensible Authentication Protocol (EAP) may be used to - authenticate using any of a wide variety of methods as part of the - TLS handshake. The multi-phase approach of TLS/IA, in which a strong - authentication, typically based on a server certificate, is used to - protected a password-based authentication, distinguishes it from - other TLS variants that rely entirely on a pre-shared key or - password for security; for example [TLS-PSK]. - - The protected exchange accommodates any type of client-server - application, not just authentication, though authentication may - often be the prerequisite that allows other applications to proceed. - For example, TLS/IA may be used to set up HTTP connections, - - - -Paul Funk expires April 2005 [Page 3] - -Internet-Draft October 2004 - - - establish IPsec security associations (as an alternative to IKE), - obtain credentials for single sign-on, provide for client integrity - verification, and so on. - - The new messages that are exchanged between client and server are - encoded as sequences of Attribute-Value-Pairs (AVPs) from the - RADIUS/Diameter namespace. Use of the RADIUS/Diameter namespace - provides natural compatibility between TLS/IA applications and - widely deployed AAA infrastructures. This namespace is extensible, - allowing new AVPs and, thus, new applications to be defined as - needed, either by standards bodies or by vendors wishing to define - proprietary applications. - -1.1 A Bit of History - - The TLS protocol has its roots in the Netscape SSL protocol, which - was originally intended to secure HTTP. It provides either one-way - or mutual authentication of client and server based on certificates. - In its most typical use in HTTP, the client authenticates the server - based on the server's certificate and establishes a tunnel through - which HTTP traffic is passed. - - For the server to authenticate the client within the TLS handshake, - the client must have its own certificate. In cases where the client - must be authenticated without a certificate, HTTP, not TLS, - mechanisms would have to be employed. For example, HTTP headers have - been defined to perform user authentications. However, these - mechanisms are primitive compared to other mechanisms, most notably - EAP, that have been defined for contexts other than HTTP. - Furthermore, any mechanisms defined for HTTP cannot be utilized when - TLS is used to protect non-HTTP traffic. - - The TLS protocol has also found an important use in authentication - for network access, originally within PPP for dial-up access and - later for wireless and wired 802.1X access. Several EAP types have - been defined that utilize TLS to perform mutual client-server - authentication. The first to appear, EAP-TLS, uses the TLS handshake - to authenticate both client and server based on the certificate of - each. - - Subsequent protocols, such EAP-TTLSv0 and EAP-PEAP, utilize the TLS - handshake to allow the client to authenticate the server based on - the latter's certificate, then utilize the tunnel established by the - TLS handshake to perform user authentication, typically based on - password credentials. Such protocols are called "tunneled" EAP - protocols. The authentication mechanism used inside the tunnel may - itself be EAP, and the tunnel may also be used to convey additional - information between client and server. - - TLS/IA is in effect a merger of the two types of TLS usage described - above, based on the recognition that tunneled authentication would - - - -Paul Funk expires April 2005 [Page 4] - -Internet-Draft October 2004 - - - be useful in other contexts besides EAP. However, the tunneled - protocols mentioned above are not directly compatible with a more - generic use of TLS, because they utilize the tunneled data portion - of TLS, thus precluding its use for other purposes such as carrying - HTTP traffic. - - The TLS/IA solution to this problem is to fold the tunneled - authentication into the TLS handshake itself, making the data - portion of the TLS exchange available for HTTP or any other protocol - or connection that needs to be secured. - -1.2 Handshake-Only vs. Full TLS Usage - - It is anticipated that TLS/IA will be used with and without - subsequent protected data communication within the tunnel - established by the handshake. - - For example, TLS/IA may be used to secure an HTTP data connection, - allowing more robust password-based user authentication to occur - within the TLS handshake than would otherwise be possible using - mechanisms available in HTTP. - - TLS/IA may also be used for its handshake portion alone. For - example, EAP-TTLSv1 encapsulates a TLS/IA handshake in EAP as a - means to mutually authenticate a client and server and establish - keys for a separate data connection; no subsequent data portion is - required. Another example might be use of TLS/IA directly over TCP - to provide a user with credentials for single sign-on. - -2 The InnerApplication Extension to TLS - - The InnerApplication extension to TLS follows the guidelines of RFC - 3546. The client proposes use of this extension by including a - ClientInnerApplication message in its ClientHello handshake message, - and the server confirms its use by including a - ServerInnerApplication message in its ServerHello handshake message. - - Two new handshake messages are defined for use in TLS/IA: - - - The PhaseFinished message. This message is similar to the - standard TLS Finished message; it allows the TLS/IA handshake to - operate in phases, with message and key confirmation occurring at - the end of each phase. - - - The ApplicationPayload message. This message is used to carry AVP - (Attribute-Value Pair) sequences within the TLS/IA handshake, in - support of client-server applications such as authentication. - - A new alert code is also defined for use in TLS/IA: - - - The InnerApplicationFailure alert. This error alert allows either - - - -Paul Funk expires April 2005 [Page 5] - -Internet-Draft October 2004 - - - party to terminate the handshake due to a failure in an - application implemented via AVP sequences carried in - ApplicationPayload messages. - -2.1 TLS/IA Overview - - In TLS/IA, the handshake is divided into phases. The first phase, - called the "initial phase", is a standard TLS handshake; it is - followed by zero or more "application phases". The last phase is - called the "final phase"; this will be an application phase if a - such a phase is present, otherwise the standard TLS handshake is - both the initial and final phase. Any application phases between the - initial and final phase are called "intermediate phases". - - A typical handshake consists of an initial phase and a final phase, - with no intermediate phases. Intermediate phases are only necessary - if interim confirmation key material generated during an application - phase is desired. - - Each application phase consists of ApplicationPayload handshake - messages exchanged by client and server to implement applications - such as authentication, plus concluding messages for cryptographic - confirmation. - - All application phases are encrypted. A new master secret and cipher - spec are negotiated at the conclusion of each phase, to be applied - in the subsequent phase. The master secret and cipher spec - negotiated at the conclusion of the final phase are applied to the - data exchange following the handshake. - - All phases prior to the final phase use PhaseFinished rather than - Finished as the concluding message. The final phase concludes with - the Finished message. - - Application phases may be omitted entirely only when session - resumption is used, provided both client and server agree that no - application phase is required. The client indicates in its - ClientHello whether it is willing to omit application phases in a - resumed session. - - In each application phase, the client sends the first - ApplicationPayload message. ApplicationPayload messages are then - traded one at a time between client and server, until the server - concludes the phase by sending, in response to an ApplicationPayload - message from the client, a ChangeCipherSpec and PhaseFinished - sequence to conclude an intermediate phase, or a ChangeCipherSpec - and Finished sequence to conclude the final phase. The client then - responds with its own ChangeCipherSpec and PhaseFinished sequence, - or ChangeCipherSpec and Finished sequence. - - - - - -Paul Funk expires April 2005 [Page 6] - -Internet-Draft October 2004 - - - Note that the server MUST NOT send a ChangeCipherSpec plus Finished - or PhaseFinished message immediately after sending an - ApplicationPayload message. It must allow the client to send an - ApplicationPayload message prior to concluding the phase. Thus, - within any application phase, there will be one more - ApplicationPayload message sent by the client than sent by the - server. - - The server determines which type of concluding message is used, - either PhaseFinished or Finished, and the client MUST echo the same - type of concluding message. Each PhaseFinished or Finished message - provides cryptographic confirmation of the integrity of all - handshake messages and keys generated from the start of the - handshake through the current phase. - - Each ApplicationPayload message contains opaque data interpreted as - an AVP (Attribute-Value Pair) sequence. Each AVP in the sequence - contains a typed data element. The exchanged AVPs allow client and - server to implement "applications" within a secure tunnel. An - application may be any procedure that someone may usefully define. A - typical application might be authentication; for example, the server - may authenticate the client based on password credentials using EAP. - Other possible applications include distribution of keys, validating - client integrity, setting up IPsec parameters, setting up SSL VPNs, - and so on. - - The TLS master secret undergoes multiple permutations until a final - master secret is computed at the end of the entire handshake. Each - phase of the handshake results in a new master secret; the master - secret for each phase is confirmed by the PhaseFinished or Finished - message exchange that concludes that phase. - - The initial master secret is computed during the initial phase of - the handshake, using the standard TLS-defined procedure. This - initial master secret is confirmed via the first exchange of - ChangeCipherSpec and PhaseFinished messages, or, in the case of a - resumed session with no subsequence application phase, the exchange - of ChangeCipherSpec and Finished messages. - - Each subsequent master secret for an application phase is computed - using a PRF based on the current master secret, then mixing into the - result any session key material generated during authentications - during that phase. Each party computes a new master secret prior to - the conclusion of each application phase, and uses that new master - secret is to compute fresh keying material (that is, a TLS - "key_block", consisting of client and server MAC secrets, write keys - and IVs). The new master secret and keying material become part of - the pending read and write connection states. Following standard TLS - procedures, these connection states become current states upon - sending or receiving ChangeCipherSpec, and are confirmed via the - PhaseFinished or Finished message. - - - -Paul Funk expires April 2005 [Page 7] - -Internet-Draft October 2004 - - - The final master secret, computed during the final handshake phase - and confirmed by an exchange of ChangeCipherSpec and Finished - messages, becomes the actual TLS master secret that defines the - session. This final master secret is the surviving master secret, - and each prior master secrets SHOULD be discarded when a new - connection state is instantiated. The final master secret is used - for session resumption, as well as for any session key derivation - that protocols defined over TLS may require. - -2.2 Message Exchange - - Each intermediate handshake phase consists of ApplicationPayload - messages sent alternately by client and server, and a concluding - exchange of {ChangeCipherSpec, PhaseFinished} messages. The first - and last ApplicationPayload message in each intermediate phase is - sent by the client; the first {ChangeCipherSpec, PhaseFinished} - message sequence is sent by the server. Thus the client begins the - exchange with an ApplicationPayload message and the server - determines when to conclude it by sending {ChangeCipherSpec, - PhaseFinished}. When it receives the server's {ChangeCipherSpec, - PhaseFinished} messages, the client sends its own {ChangeCipherSpec, - PhaseFinished} messages, followed by an ApplicationPayload message - to begin the next handshake phase. - - The final handshake proceeds in the same manner as the intermediate - handshake, except that the Finished message is used rather than the - PhaseFinished message, and the client does not send an - ApplicationPayload message for the next phase because there is no - next phase. - - At the start of each application handshake phase, the server MUST - wait for the client's opening ApplicationPayload message before it - sends its own ApplicationPayload message to the client. The client - MAY NOT initiate conclusion of an application handshake phase by - sending the first {ChangeCipherSpec, PhaseFinished} or - {ChangeCipherSpec, Finished message} sequence; it MUST allow the - server to initiate the conclusion of the phase. - -2.3 Master Key Permutation - - Each permutation of the master secret from one phase to the next - begins with the calculation of a preliminary 48 octet vector - (pre_vector) based on the current master secret: - - pre_vector = PRF(SecurityParameters.master_secret, - "inner application preliminary vector", - SecurityParameters.server_random + - SecurityParameters.client_random) [0..48]; - - Session key material generated by applications during the current - application phase are mixed into the preliminary vector by - - - -Paul Funk expires April 2005 [Page 8] - -Internet-Draft October 2004 - - - arithmetically adding each session key to it to compute the new - master secret. The preliminary vector is treated as a 48-octet - integer in big-endian order; that is, the first octet is of the - highest significance. Each session key is also treated as a big- - endian integer of whatever size it happens to be. Arithmetic carry - past the most significant octet is discarded; that is, the addition - is performed modulo 2 ^ 384. - - Thus, the logical procedure for computing the next master secret - (which may also be a convenient implementation procedure) is as - follows: - - 1 At the start of each application handshake phase, use the current - master secret to compute pre_vector for the next master secret. - - 2 Each time session key material is generated from an - authentication or other exchange, arithmetically add that session - key material to pre_vector. - - 3 At the conclusion of the application handshake phase, copy the - current contents of pre_vector (which now includes addition of - all session key material) into the master secret, prior to - computing verify_data. - - Note that the master secret is the only element of the TLS - SecurityParameters that is permuted from phase to phase. The - client_random, server_random, bulk_cipher_algorithm, mac_algorithm, - etc. remain constant throughout all phases of the handshake. - - The purpose of using a PRF to compute a preliminary vector is to - ensure that, even in the absence of session keys, the master secret - is cryptographically distinct in each phase of the handshake. - - The purpose of adding session keys into the preliminary vector is to - ensure that the same client entity that negotiated the original - master secret also negotiated the inner authentication(s). In the - absence of such mixing of keys generated from the standard TLS - handshake with keys generated from inner authentication, it is - possible for a hostile agent to mount a man-in-the-middle attack, - acting as server to an unsuspecting client to induce it to perform - an authentication with it, which it can then pass through the TLS - tunnel to allow it to pose as that client. - - An application phase may include no authentications that produce a - session key, may include one such authentication, or may include - several. Arithmetic addition was chosen as the mixing method because - it is commutative, that is, it does not depend on the order of - operations. This allows multiple authentications to proceed - concurrently if desired, without having to synchronize the order of - master secret updates between client and server. - - - - -Paul Funk expires April 2005 [Page 9] - -Internet-Draft October 2004 - - - Addition was chosen rather than XOR in order to avoid what is - probably a highly unlikely problem; namely, that two separate - authentications produce the same session key, which, if XORed, would - mutually cancel. This might occur, for example, if two instances of - an authentication method were to be applied against different forms - of a user identity that turn out in a some cases to devolve to the - same identity. - - Finally, it was decided that a more complex mixing mechanism for - session key material, such as hashing, besides not being - commutative, would not provide any additional security, due to the - pseudo-random character of the preliminary vector and the powerful - PRF function which is applied to create derivative secrets. - -2.3.1 Application Session Key Material - - Many authentication protocols used today generate session keys that - are bound to the authentication. Such keying material is normally - intended for use in a subsequent data connection for encryption and - validation. For example, EAP-TLS, MS-CHAP-V2 and its alter ego EAP- - MS-CHAP-V2 each generate session keys. - - Session keying material generated during an application phase MUST - be used to permute the TLS/IA master secret between one phase and - the next, and MUST NOT be used for any other purpose. Permuting the - master secret based on session keying material is necessary to - preclude man-in-the-middle attacks, in which an unsuspecting client - is induced to perform an authentication outside a tunnel with an - attacker posing as a server; the attacker can then introduce the - authentication protocol into a tunnel such as provided by TLS/IA, - fooling an authentic server into believing that the attacker is the - authentic user. - - By mixing keying material generated during application phase - authentication into the master secret, such attacks are thwarted, - since only a single client identity could both authenticate - successfully and have derived the session keying material. Note that - the keying material generated during authentication must be - cryptographically related to the authentication and not derivable - from data exchanged during authentication in order for the keying - material to be useful in thwarting such attacks. - - In addition, the fact that the master secret cryptographically - incorporates keying material from application phase authentications - provides additional protection when the master secret is used as a - basis for generating additional keys for use outside of the TLS - exchange. If the master secret did not include keying material from - inner authentications, an eavesdropper who somehow knew the server's - private key could, in an RSA-based handshake, determine the master - secret and hence would be able to compute the additional keys that - are based on it. When inner authentication keying material is - - - -Paul Funk expires April 2005 [Page 10] - -Internet-Draft October 2004 - - - incorporated into the master secret, such an attack becomes - impossible. - - The RECOMMENDED amount of keying material to mix into the master - secret is 32 octets. Up to 48 octets MAY be used. - - Each authentication protocol may define how the keying material it - generates is mapped to an octet sequence of some length for the - purpose of TLS/IA mixing. However, for protocols which do not - specify this (including the multitude of protocols that pre-date - TLS/IA) the following rules are defined. The first rule that applies - SHALL be the method for determining keying material: - - - If the authentication protocol maps its keying material to the - RADIUS attributes MS-MPPE-Recv-Key and MS-MPPE-Send-Key - [RFC2548], then the keying material for those attributes are - concatenated (with MS-MPPE-Recv-Key first), the concatenated - sequence is truncated to 32 octets if longer, and the result is - used as keying material. (Note that this rule applies to MS-CHAP- - V2 and EAP-MS-CHAP-V2.) - - - If the authentication protocol uses a pseudo-random function to - generate keying material, that function is used to generate 32 - octets for use as keying material. - -2.4 Session Resumption - - A TLS/IA initial handshake phase may be resumed using standard - mechanisms defined in RFC 2246. When the initial handshake phase is - resumed, client and server may not deem it necessary to exchange - AVPs in one or more additional application phases, as the resumption - itself may provide all the security needed. - - The client indicates within the InnerApplication extension whether - it requires AVP exchange when session resumption occurs. If it - indicates that it does not, then the server may at its option omit - subsequent application phases and complete the resumed handshake in - a single phase. - - Note that RFC 3546 specifically states that when session resumption - is used, the server MUST ignore any extensions in the ClientHello. - However, it is not possible to comply with this requirement for the - Inner Application extension, since even in a resumed session it may - be necessary to include application phases, and whether they must be - included is negotiated in the extension message itself. Therefore, - the RFC 3546 provision is specifically overridden for the single - case of the Inner Application extension, which is considered an - exception to this rule. - - - - - - -Paul Funk expires April 2005 [Page 11] - -Internet-Draft October 2004 - - -2.5 Error Termination - - The TLS/IA handshake may be terminated by either party sending a - fatal alert, following standard TLS procedures. - -2.6 Computing Verification Data - - In standard TLS, the "verify_data" vector of the Finished message is - computed as follows: - - PRF(master_secret, finished_label, MD5(handshake_messages) + - SHA-1(handshake_messages)) [0..11]; - - This allows both parties to confirm the master secret as well as the - integrity of all handshake messages that have been exchanged. - - In TLS/IA, verify_data for the initial handshake phase is computed - in exactly the same manner. - - In the subsequent application phases, a slight variation of this - formula is used. The data that is hashed is the hash of the - handshake messages computed in the previous phase plus all handshake - messages that have been exchanged since that previous hash was - computed. Thus, for each application phase, the MD5 hash input to - the PRF is a hash of the MD5 hash computed in the previous phase - concatenated with all subsequent handshake messages through the - current phase; the SHA-1 hash is computed in the same way, but using - the SHA-1 hash computed for the previous phase. - - Also, the master secret used in the PRF computation in each - application phase is the new master secret generated at the - conclusion of that phase. - - For clarity, this is best expressed in formal notation. - - Let phases be numbered from 0, where phase 0 is the initial phase. - - Let: - - Secret[n] be the master secret determined at the conclusion of - phase n. - - Messages[n] be the additional handshake messages exchanged since - the hashes were computed in phase n - 1, where n > 0; or all - handshake messages exchanged to date starting from ClientHello, - where n = 0. - - MD5[n] be the MD5 hash of handshake message material for phase n. - - SHA-1[n] be the SHA-1 hash of handshake message material for - phase n. - - - -Paul Funk expires April 2005 [Page 12] - -Internet-Draft October 2004 - - - PRF[n] be the verify_data generated via PRF in phase n. - - Hash computations for phase 0 are as follows: - - MD5[0] = MD5(Messages[0]) - - SHA-1[0] = SHA-1(Messages[0]) - - Hash computations for phase i, where i > 0 (i.e. application phases) - are as follows: - - MD5[i] = MD5(MD5[i-1] + Messages[i]) - - SHA-1[i] = SHA-1(SHA-1[i-1] + Messages[i]) - - The PRF computation to generate verify_data for any phase i - (including i = 0) is as follows: - - PRF[i] = PRF(Secret[i], finished_label, MD5[i] + SHA-1[i]) - [0..11] - - Note that for phase 0, the PRF computation is identical to the - standard TLS computation. Variations to the algorithm occur only in - application phases, in the use of new master secrets and the - inclusion of hashes of previous handshake messages as input to the - hashing algorithms. - - During an application phase, the handshake messages input to the - hashing algorithm include all handshake messages exchanged since the - last PRF computation was performed. This will always include either - one or two PhaseFinished messages from the previous phase. To see - why, assume that in the previous phase the client issued its - PhaseFinished message first, and the server's PhaseFinished message - in response thus included the client's PhaseFinished message. This - means that the server has not yet fed its PhaseFinished message into - the PRF, and the client has fed neither its own PhaseFinished - message nor the server's PhaseFinished response message into the - PRF. Therefore these messages from the previous phase must be fed - into the PhaseFinished messages along with handshake messages from - the current phase into the PRF that validates the current phase. - - Note that the only handshake messages that appear in an application - phase are InnerApplication messages and Finished or Phase Finished - messages. ChangeCipherSpec messages are not handshake messages and - are therefore never included in the hash computations. - - Note also that for TLS/IA, just as for standard TLS, client and - server include a somewhat different set of handshake messages in - hash computations. Therefore, both client and server must compute - two PRFs for each handshake phase: one to include the verify_data - - - - -Paul Funk expires April 2005 [Page 13] - -Internet-Draft October 2004 - - - that it transmits, and one to use to check the verify_data received - from the other party. - -2.7 TLS/IA Messages - - All specifications of TLS/IA messages follow the usage defined in - RFC 2246. - - TLS/IA defines a new TLS extension, two new handshake messages, and - a new alert code. The new types and codes are (decimal): - - - "InnerApplication" extension type: 37703 - - - "PhaseFinished" type: 78 - - - "ApplicationPayload" type: 79 - - - "InnerApplicationFailure" code: 208 - - [Note: I have not checked these types yet against types defined in - RFCs or drafts. pf] - -2.8 Negotiating the Inner Application Extension - - Use of the InnerApplication extension follows RFC 3546. The client - proposes use of this extension by including the - ClientInnerApplication message in the client_hello_extension_list of - the extended ClientHello. If this message is included in the - ClientHello, the server MAY accept the proposal by including the - ServerInnerApplication message in the server_hello_extension_list of - the extended ServerHello. If use of this extension is either not - proposed by the client or not confirmed by the server, the - variations to the TLS handshake described here MUST NOT be used. - -2.8.1 ClientInnerApplication - - When the client wishes to propose use of the Inner Application - extension, it must include ClientInnerApplication in the - "extension_data" vector in the Extension structure in its extended - ClientHello message, where: - - enum { - not_required(0), required(1), (255) - } AppPhaseOnResumption; - - struct { - AppPhaseOnResumption app_phase_on_resumption; - } ClientInnerApplication; - - The AppPhaseOnResumption enumeration allow client and server to - negotiate an abbreviated, single-phase handshake when session - - - -Paul Funk expires April 2005 [Page 14] - -Internet-Draft October 2004 - - - resumption is employed. If the server is able to resume a previous - session, and if the client sets app_phase_on_resumption to - not_required, then the server MAY conclude the initial handshake - phase with a Finished message, thus completing the handshake in a - single phase. If the client sets app_phase_on_resumption to - required, then the server MUST conclude the initial handshake phase - with PhaseFinished, thus allowing one or more subsequent application - phases to follow the initial handshake phase. - - The value of app_phase_on_resumption applies to the current - handshake only. For example, it is possible for - app_phase_on_resumption to have different values in two handshakes - that are both resumed from the same original TLS session. - - Note that the server may initiate one or more application phases - even if the client sets app_phase_on_resumption to not_required, as - the server itself may have reason to proceed with one or more - application phases. - - Note also that if session resumption does not occur, the - app_phase_on_resumption variable is ignored, the server MUST - conclude the initial phase with a PhaseFinished message and one or - more application phases MUST follow the initial handshake phase. - -2.8.2 ServerInnerApplication - - When the server wishes to confirm use of the Inner Application - extension that has been proposed by the client, it must include - ServerInnerApplication in the "extension_data" vector in the - Extension structure in its extended ServerHello message, where: - - struct { - } ServerInnerApplication; - - Note that the ServerInnerApplication message contains no data; - however, it's presence is required to confirm use of the Inner - Application extension when proposed by the client. - - If the client set app_phase_on_resumption to not_required and the - server agrees and will not initiate an application phase, the server - MUST NOT include ServerInnerApplication in its ServerHello and it - must conclude the initial (and only) handshake phase with the - Finished message. If, the server includes ServerInnerApplication, it - MUST conclude the initial handshake phase with PhaseFinished, - indicating that one or more application phases will follow the - initial handshake phase. - - - - - - - - -Paul Funk expires April 2005 [Page 15] - -Internet-Draft October 2004 - - -2.9 The PhaseFinished Handshake Message - - The PhaseFinished message concludes all handshake phases prior to - the final handshake phase. It MUST be immediately preceded by a - ChangeCipherSpec message. It is defined as follows: - - struct { - opaque verify_data[12]; - } PhaseFinished; - -2.10 The ApplicationPayload Handshake Message - - The ApplicationPayload message carries an AVP sequence during an - application handshake phase. It is defined as follows: - - struct { - opaque avps[Handshake.length]; - } ApplicationPayload; - - where Handshake.length is the 24-bit length field in the - encapsulating Handshake message. - - Note that the "avps" element has its length defined in square - bracket rather than angle bracket notation, implying a fixed rather - than variable length vector. This avoids the having the length of - the AVP sequence specified redundantly both in the encapsulating - Handshake message and as a length prefix in the avps element itself. - -2.11 The InnerApplicationFailure Alert - - An InnerApplicationFailure error alert may be sent by either party - during an application phase. This indicates that the sending party - considers the negotiation to have failed due to an application - carried in the AVP sequences, for example, a failed authentication. - - The AlertLevel for an InnerApplicationFailure alert MUST be set to - "fatal". - - Note that other alerts are possible during an application phase; for - example, decrypt_error. The InnerApplicationFailure alert relates - specifically to the failure of an application implemented via AVP - sequences; for example, failure of an EAP or other authentication - method, or information passed within the AVP sequence that is found - unsatisfactory. - -3 Encapsulation of AVPs within ApplicationPayload Messages - - During application phases of the TLS handshake, information is - exchanged between client and server through the use of attribute- - value pairs (AVPs). This data is encrypted using the then-current - cipher state established during the preceding handshake phase. - - - -Paul Funk expires April 2005 [Page 16] - -Internet-Draft October 2004 - - - The AVP format chosen for TLS/IA is compatible with the Diameter AVP - format. This does not in any way represent a requirement that - Diameter be supported by any of the devices or servers participating - in the TLS/IA conversation, whether directly as client or server or - indirectly as a backend authenticator. Use of this format is merely - a convenience. Diameter is a superset of RADIUS and includes the - RADIUS attribute namespace by definition, though it does not limit - the size of an AVP as does RADIUS. RADIUS, in turn, is a widely - deployed AAA protocol and attribute definitions exist for all - commonly used password authentication protocols, including EAP. - - Thus, Diameter is not considered normative except as specified in - this document. Specifically, the AVP Codes used in TLS/IA are - semantically equivalent to those defined for Diameter, and, by - extension, RADIUS. - - Use of the RADIUS/Diameter namespace allows a TLS/IA server to - easily translate between AVPs it uses to communicate with clients - and the protocol requirements of AAA servers that are widely - deployed. Plus, it provides a well-understood mechanism to allow - vendors to extend that namespace for their particular requirements. - -3.1 AVP Format - - The format of an AVP is shown below. All items are in network, or - big-endian, order; that is, they have most significant octet first. - - 0 1 2 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | AVP Code | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - |V M r r r r r r| AVP Length | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Vendor-ID (opt) | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | Data ... - +-+-+-+-+-+-+-+-+ - - AVP Code - - The AVP Code is four octets and, combined with the Vendor-ID - field if present, identifies the attribute uniquely. The first - 256 AVP numbers represent attributes defined in RADIUS. AVP - numbers 256 and above are defined in Diameter. - - AVP Flags - - The AVP Flags field is one octet, and provides the receiver with - information necessary to interpret the AVP. - - - - -Paul Funk expires April 2005 [Page 17] - -Internet-Draft October 2004 - - - The 'V' (Vendor-Specific) bit indicates whether the optional - Vendor-ID field is present. When set to 1, the Vendor-ID field is - present and the AVP Code is interpreted according to the - namespace defined by the vendor indicated in the Vendor-ID field. - - The 'M' (Mandatory) bit indicates whether support of the AVP is - required. If this bit is set to 0, this indicates that the AVP - may be safely ignored if the receiving party does not understand - or support it. If set to 1, this indicates that the receiving - party must fail the negotiation if it does not understand the - AVP; for a server, this would imply returning EAP-Failure, for a - client, this would imply abandoning the negotiation. - - The 'r' (reserved) bits are unused and must be set to 0. - - AVP Length - - The AVP Length field is three octets, and indicates the length of - this AVP including the AVP Code, AVP Length, AVP Flags, Vendor-ID - (if present) and Data. - - Vendor-ID - - The Vendor-ID field is present if and only if the 'V' bit is set - in the AVP Flags field. It is four octets, and contains the - vendor's IANA-assigned "SMI Network Management Private Enterprise - Codes" [RFC1700] value. Vendors defining their own AVPs must - maintain a consistent namespace for use of those AVPs within - RADIUS, Diameter and TLS/IA. - - A Vendor-ID value of zero is semantically equivalent to absence - of the Vendor-ID field altogether. - -3.2 AVP Sequences - - Data encapsulated within the TLS Record Layer must consist entirely - of a sequence of zero or more AVPs. Each AVP must begin on a 4-octet - boundary relative to the first AVP in the sequence. If an AVP is not - a multiple of 4 octets, it must be padded with 0s to the next 4- - octet boundary. - - Note that the AVP Length does not include the padding. - -3.3 Guidelines for Maximum Compatibility with AAA Servers - - When maximum compatibility with AAA servers is desired, the - following guidelines for AVP usage are suggested: - - - Non-vendor-specific AVPs should be selected from the set of - attributes defined for RADIUS; that is, attributes with codes - less than 256. This provides compatibility with both RADIUS and - - - -Paul Funk expires April 2005 [Page 18] - -Internet-Draft October 2004 - - - Diameter. - - - Vendor-specific AVPs should be defined in terms of RADIUS. - Vendor-specific RADIUS attributes translate to Diameter - automatically; the reverse is not true. RADIUS vendor-specific - attributes use RADIUS attribute 26 and include vendor ID, vendor- - specific attribute code and length; see [RFC2865] for details. - -4 Tunneled Authentication within Application Phases - - TLS/IA permits user authentication information to be tunneled within - an application phase between client and server, protecting the - security of the authentication information against active and - passive attack. - - Any type of password or other authentication may be tunneled. Also, - multiple tunneled authentications may be performed. Normally, - tunneled authentication is used when the client has not been issued - a certificate and the TLS handshake provides only one-way - authentication of the server to the client; however, in certain - cases it may be desired to perform certificate authentication of the - client during the initial handshake phase as well as tunneled user - authentication in a subsequent application phase. - - This section establishes rules for using common authentication - mechanisms within TLS/IA. Any new authentication mechanism should in - general be covered by these rules if it is defined as an EAP type. - Authentication mechanisms whose use within TLS/IA is not covered - within this specification may require separate standardization, - preferably within the standard that describes the authentication - mechanism in question. - -4.1 Implicit challenge - - Certain authentication protocols that use a challenge/response - mechanism rely on challenge material that is not generated by the - authentication server, and therefore require special handling. - - In PPP protocols such CHAP, MS-CHAP and MS-CHAP-V2, for example, the - Network Access Server (NAS) issues a challenge to the client, the - client then hashes the challenge with the password and forwards the - response to the NAS. The NAS then forwards both challenge and - response to a AAA server. But because the AAA server did not itself - generate the challenge, such protocols are susceptible to replay - attack. - - If the client were able to create both challenge and response, - anyone able to observe a CHAP or MS-CHAP exchange could pose as that - user by replaying that challenge and response into a TLS/IA - conversation. - - - - -Paul Funk expires April 2005 [Page 19] - -Internet-Draft October 2004 - - - To make these protocols secure in TLS/IA, it is necessary to provide - a mechanism to produce a challenge that the client cannot control or - predict. - - When a challenge-based authentication mechanism is used, both client - and server use the TLS PRF function to generate as many octets as - are required for the challenge, using the constant string "inner - application challenge", based on the then-current master secret and - random values established during the initial handshake phase: - - IA_challenge = PRF(SecurityParameters.master_secret, - "inner application challenge", - SecurityParameters.server_random + - SecurityParameters.client_random); - -4.2 Tunneled Authentication Protocols - - This section describes the rules for tunneling specific - authentication protocols within TLS/IA. - - For each protocol, the RADIUS RFC that defines the relevant - attribute formats is cited. Note that these attributes are - encapsulated as described in section 3.1; that is, as Diameter - attributes, not as RADIUS attributes. In other words, the AVP Code, - Length, Flags and optional Vendor-ID are formatted as described in - section 3.1, while the Data is formatted as described by the cited - RADIUS RFC. - - All tunneled authentication protocols except EAP must be initiated - by the client in the first ApplicationPayload message of an - application phase. EAP may be initiated by the client in the first - ApplicationPayload message of an application phase; it may also be - initiated by the server in any ApplicationPayload message. - - The authentication protocols described below may be performed - directly by the TLS/IA server or may be forwarded to a backend AAA - server. For authentication protocols that generate session keys, the - backend server must return those session keys to the TLS/IA server - in order to allow the protocol to succeed within TLS/IA. RADIUS or - Diameter servers are suitable backend AAA servers for this purpose. - RADIUS servers typically return session keys in MS-MPPE-Recv-Key and - MS-MPPE-Send-Key attributes [RFC2548]; Diameter servers return - session keys in the EAP-Master-Session-Key AVP [AAA-EAP]. - -4.2.1 EAP - - EAP is described in [RFC3784]; RADIUS attribute formats are - described in [RFC3579]. - - - - - - -Paul Funk expires April 2005 [Page 20] - -Internet-Draft October 2004 - - - When EAP is the tunneled authentication protocol, each tunneled EAP - packet between the client and server is encapsulated in an EAP- - Message AVP. - - Either client or server may initiate EAP. - - The client is the first to transmit within any application phase, - and it may include an EAP-Response/Identity AVP in its - ApplicationPayload message to begin an EAP conversation. - Alternatively, if the client does not initiate EAP the server may, - by including an EAP-Request/Identity AVP in its ApplicationPayload - message. - - The client's EAP-Response/Identity provides the actual username; the - privacy of the user's identity is now guaranteed by the TLS - encryption. This username must be a Network Access Identifier (NAI) - [RFC2486]; that is, it must be in the following format: - - username@realm - - The @realm portion is optional, and is used to allow the server to - forward the EAP message sequence to the appropriate server in the - AAA infrastructure when necessary. - - The EAP authentication between client and server proceeds normally, - as described in [RFC3784]. However, upon completion the server does - not send an EAP-Success or EAP-Failure AVP. Instead, the server - signals success when it concludes the application phase by issuing a - Finished or PhaseFinished message, or it signals failure by issuing - an InnerApplicationFailure alert. - - Note that the client may also issue an InnerApplicationFailure - alert, for example, when authentication of the server fails in a - method providing mutual authentication. - -4.2.2 CHAP - - The CHAP algorithm is described in [RFC1994]; RADIUS attribute - formats are described in [RFC2865]. - - Both client and server generate 17 octets of challenge material, - using the constant string "inner application challenge" as described - above. These octets are used as follows: - - CHAP-Challenge [16 octets] - CHAP Identifier [1 octet] - - The client initiates CHAP by including User-Name, CHAP-Challenge and - CHAP-Password AVPs in the first ApplicationPayload message in any - application phase. The CHAP-Challenge value is taken from the - challenge material. The CHAP-Password consists of CHAP Identifier, - - - -Paul Funk expires April 2005 [Page 21] - -Internet-Draft October 2004 - - - taken from the challenge material; and CHAP response, computed - according to the CHAP algorithm. - - Upon receipt of these AVPs from the client, the server must verify - that the value of the CHAP-Challenge AVP and the value of the CHAP - Identifier in the CHAP-Password AVP are equal to the values - generated as challenge material. If either item does not match - exactly, the server must reject the client. Otherwise, it validates - the CHAP-Challenge to determine the result of the authentication. - -4.2.3 MS-CHAP - - The MS-CHAP algorithm is described in [RFC2433]; RADIUS attribute - formats are described in [RFC2548]. - - Both client and server generate 9 octets of challenge material, - using the constant string "inner application challenge" as described - above. These octets are used as follows: - - MS-CHAP-Challenge [8 octets] - Ident [1 octet] - - The client initiates MS-CHAP by including User-Name, MS-CHAP- - Challenge and MS-CHAP-Response AVPs in the first ApplicationPayload - message in any application phase. The MS-CHAP-Challenge value is - taken from the challenge material. The MS-CHAP-Response consists of - Ident, taken from the challenge material; Flags, set according the - client preferences; and LM-Response and NT-Response, computed - according to the MS-CHAP algorithm. - - Upon receipt of these AVPs from the client, the server must verify - that the value of the MS-CHAP-Challenge AVP and the value of the - Ident in the client's MS-CHAP-Response AVP are equal to the values - generated as challenge material. If either item does not match - exactly, the server must reject the client. Otherwise, it validates - the MS-CHAP-Challenge to determine the result of the authentication. - -4.2.4 MS-CHAP-V2 - - The MS-CHAP-V2 algorithm is described in [RFC2759]; RADIUS attribute - formats are described in [RFC2548]. - - Both client and server generate 17 octets of challenge material, - using the constant string "inner application challenge" as described - above. These octets are used as follows: - - MS-CHAP-Challenge [16 octets] - Ident [1 octet] - - The client initiates MS-CHAP-V2 by including User-Name, MS-CHAP- - Challenge and MS-CHAP2-Response AVPs in the first ApplicationPayload - - - -Paul Funk expires April 2005 [Page 22] - -Internet-Draft October 2004 - - - message in any application phase. The MS-CHAP-Challenge value is - taken from the challenge material. The MS-CHAP2-Response consists of - Ident, taken from the challenge material; Flags, set to 0; Peer- - Challenge, set to a random value; and Response, computed according - to the MS-CHAP-V2 algorithm. - - Upon receipt of these AVPs from the client, the server must verify - that the value of the MS-CHAP-Challenge AVP and the value of the - Ident in the client's MS-CHAP2-Response AVP are equal to the values - generated as challenge material. If either item does not match - exactly, the server must reject the client. Otherwise, it validates - the MS-CHAP2-Challenge. - - If the MS-CHAP2-Challenge received from the client is correct, the - server tunnels the MS-CHAP2-Success AVP to the client. - - Upon receipt of the MS-CHAP2-Success AVP, the client is able to - authenticate the server. In its next InnerApplicationPayload message - to the server, the client does not include any MS-CHAP-V2 AVPs. - (This may result in an empty InnerApplicationPayload if no other - AVPs need to be sent.) - - If the MS-CHAP2-Challenge received from the client is not correct, - the server tunnels an MS-CHAP2-Error AVP to the client. This AVP - contains a new Ident and a string with additional information such - as error reason and whether a retry is allowed. If the error reason - is an expired password and a retry is allowed, the client may - proceed to change the user's password. If the error reason is not an - expired password or if the client does not wish to change the user's - password, it issues an InnerApplicationFailure alert. - - If the client does wish to change the password, it tunnels MS-CHAP- - NT-Enc-PW, MS-CHAP2-CPW, and MS-CHAP-Challenge AVPs to the server. - The MS-CHAP2-CPW AVP is derived from the new Ident and Challenge - received in the MS-CHAP2-Error AVP. The MS-CHAP-Challenge AVP simply - echoes the new Challenge. - - Upon receipt of these AVPs from the client, the server must verify - that the value of the MS-CHAP-Challenge AVP and the value of the - Ident in the client's MS-CHAP2-CPW AVP match the values it sent in - the MS-CHAP2-Error AVP. If either item does not match exactly, the - server must reject the client. Otherwise, it validates the MS-CHAP2- - CPW AVP. - - If the MS-CHAP2-CPW AVP received from the client is correct, and the - server is able to change the user's password, the server tunnels the - MS-CHAP2-Success AVP to the client and the negotiation proceeds as - described above. - - - - - - -Paul Funk expires April 2005 [Page 23] - -Internet-Draft October 2004 - - - Note that additional AVPs associated with MS-CHAP-V2 may be sent by - the server; for example, MS-CHAP-Domain. The server must tunnel such - authentication-related AVPs along with the MS-CHAP2-Success. - -4.2.5 PAP - - PAP RADIUS attribute formats are described in [RFC2865]. - - The client initiates PAP by including User-Name and User-Password - AVPs in the first ApplicationPayload message in any application - phase. - - In RADIUS, User-Password is padded with nulls to a multiple of 16 - octets, then encrypted using a shared secret and other packet - information. - - A TLS/IA, however, does not RADIUS-encrypt the password since all - application phase data is already encrypted. The client SHOULD, - however, null-pad the password to a multiple of 16 octets, to - obfuscate its length. - - Upon receipt of these AVPs from the client, the server may be able - to decide whether to authenticate the client immediately, or it may - need to challenge the client for more information. - - If the server wishes to issue a challenge to the client, it MUST - tunnel the Reply-Message AVP to the client; this AVP normally - contains a challenge prompt of some kind. It may also tunnel - additional AVPs if necessary, such the Prompt AVP. Upon receipt of - the Reply-Message AVPs, the client tunnels User-Name and User- - Password AVPs again, with the User-Password AVP containing new - information in response to the challenge. This process continues - until the server determines the authentication has succeeded or - failed. - -4.3 Performing Multiple Authentications - - In some cases, it is desirable to perform multiple user - authentications. For example, a AAA/H may want first to authenticate - the user by password, then by token card. - - The server may perform any number of additional user authentications - using EAP, simply by issuing a EAP-Request with a new protocol type - once the previous authentication has completed.. - - For example, a server wishing to perform MD5-Challenge followed by - Generic Token Card would first issue an EAP-Request/MD5-Challenge - AVP and receive a response. If the response is satisfactory, it - would then issue EAP-Request/Generic Token Card AVP and receive a - response. If that response were also satisfactory, it would consider - the user authenticated. - - - -Paul Funk expires April 2005 [Page 24] - -Internet-Draft October 2004 - - -5 Example Message Sequences - - This section presents a variety of possible TLS/IA message - sequences. These examples do not attempt to exhaustively depict all - possible scenarios. - - Parentheses indicate optional TLS messages. Brackets indicate - optional message exchanges. Ellipsis (. . .) indicates optional - repetition of preceding messages. - -5.1 Full Initial Handshake with Intermediate and Final Application -Phases - - The diagram below depicts a full initial handshake phase followed by - two application phases. - - Note that the client concludes the intermediate phase and starts the - final phase in an uninterrupted sequence of three messages: - ChangeCipherSpec and PhaseFinished belong to the intermediate phase, - and ApplicationPayload belongs to the final phase. - - Client Server - ------ ------ - - *** Initial Phase: - ClientHello --------> - ServerHello - (Certificate) - ServerKeyExchange - (CertificateRequest) - <-------- ServerHelloDone - (Certificate) - ClientKeyExchange - (CertificateVerify) - ChangeCipherSpec - PhaseFinished --------> - ChangeCipherSpec - <-------- PhaseFinished - - *** Intermediate Phase: - ApplicationPayload --------> - - [ - <-------- ApplicationPayload - - ApplicationPayload --------> - - ... - ] - ChangeCipherSpec - <-------- PhaseFinished - - - -Paul Funk expires April 2005 [Page 25] - -Internet-Draft October 2004 - - - ChangeCipherSpec - PhaseFinished - *** Final Phase: - ApplicationPayload --------> - - [ - <-------- ApplicationPayload - - ApplicationPayload --------> - - ... - ] - <-------- ChangeCipherSpec - Finished - ChangeCipherSpec - Finished --------> - -5.2 Resumed Session with Single Application Phase - - The diagram below depicts a resumed session followed by a single - application phase. - - Note that the client concludes the initial phase and starts the - final phase in an uninterrupted sequence of three messages: - ChangeCipherSpec and PhaseFinished belong to the initial phase, and - ApplicationPayload belongs to the final phase. - - Client Server - ------ ------ - - *** Initial Phase: - ClientHello --------> - ServerHello - ChangeCipherSpec - <-------- PhaseFinished - ChangeCipherSpec - PhaseFinished - *** Final Phase: - ApplicationPayload --------> - - [ - <-------- ApplicationPayload - - ApplicationPayload --------> - - ... - ] - <-------- ChangeCipherSpec - Finished - ChangeCipherSpec - Finished --------> - - - -Paul Funk expires April 2005 [Page 26] - -Internet-Draft October 2004 - - - -5.3 Resumed Session with No Application Phase - - The diagram below depicts a resumed session without any subsequent - application phase. This will occur if the client indicates in its - ClientInnerApplication message that no application phase is required - and the server concurs. - - Note that this message sequence is identical to that of a standard - TLS resumed session. - - Client Server - ------ ------ - - *** Initial/Final Phase: - ClientHello --------> - ServerHello - ChangeCipherSpec - <-------- Finished - ChangeCipherSpec - Finished - -6 Security Considerations - - This document introduces a new TLS extension called "Inner - Application". When TLS is used with the Inner Application extension - (TLS/IA), additional messages are exchanged during the TLS - handshake. Hence a number of security issues need to be taken into - consideration. Since the security heavily depends on the information - (called "applications") which are exchanged between the TLS client - and the TLS server as part of the TLS/IA extension we try to - classify them into two categories: The first category considers the - case where the exchange results in the generation of keying - material. This is, for example, the case with many EAP methods. EAP - is one of the envisioned main "applications". The second category - focuses on cases where no session key is generated. The security - treatment of the latter category is discouraged since it is - vulnerability to man-in-the-middle attacks if the two sessions - cannot be bound to each other as shown in [MITM]. - - Subsequently, we investigate a number of security issues: - - - Architecture and Trust Model - - For many of the use cases in this document we assume that three - functional entities participate in the protocol exchange: TLS - client, TLS server and a AAA infrastructure (typically consisting - of a AAA server and possibly a AAA broker). The protocol exchange - described in this document takes place between the TLS client and - the TLS server. The interaction between the AAA client (which - corresponds to the TLS server) and the AAA server is described in - - - -Paul Funk expires April 2005 [Page 27] - -Internet-Draft October 2004 - - - the respective AAA protocol documents and therefore outside the - scope of this document. The trust model behind this architecture - with respect to the authentication, authorization, session key - establishment and key transport within the AAA infrastructure is - discussed in [KEYING]. - - - Authentication - - This document assumes that the TLS server is authenticated to the - TLS client as part of the authentication procedure of the initial - TLS Handshake. This approach is similar to the one chosen with - the EAP support in IKEv2 (see [IKEv2]). Typically, public key - based server authentication is used for this purpose. More - interesting is the client authentication property whereby - information exchanged as part of the Inner Application is used to - authenticate (or authorize) the client. For example, if EAP is - used as an inner application then EAP methods are used to perform - authentication and key agreement between the EAP peer (most - likely the TLS client) and the EAP server (i.e., AAA server). - - - Authorization - - Throughout this document it is assumed that the TLS server can be - authorized by the TLS client as a legitimate server as part of - the authentication procedure of the initial TLS Handshake. The - entity acting as TLS client can be authorized either by the TLS - server or by the AAA server (if the authorization decision is - offloaded). Typically, the authenticated identity is used to - compute the authorization decision but credential-based - authorization mechanisms may be used as well. - - - Man-in-the-Middle Attack - - Man-in-the-middle attacks have become a concern with tunneled - authentication protocols because of the discovered - vulnerabilities (see [MITM]) of a missing cryptographic binding - between the independent protocol sessions. This document also - proposes a tunneling protocol, namely individual inner - application sessions are tunneled within a previously executed - session. The first protocol session in this exchange is the - initial TLS Handshake. To avoid man-in-the-middle attacks a - number of sections address how to establish such a cryptographic - binding (see Section 2.3 and 2.6). - - - User Identity Confidentiality - - The TLS/IA extension allows splitting the authentication of the - TLS server from the TLS client into two separate sessions. As one - of the advantages, this provides active user identity - confidentiality since the TLS client is able to authenticate the - TLS server and to establish a unilateral authenticated and - - - -Paul Funk expires April 2005 [Page 28] - -Internet-Draft October 2004 - - - confidentiality-protected channel prior to starting the client- - side authentication. - - - Session Key Establishment - - TLS [RFC2246] defines how session key material produced during - the TLS Handshake is generated with the help of a pseudo-random - function to expand it to keying material of the desired length - for later usage in the TLS Record Layer. Section 2.3 gives some - guidelines with regard to the master key generation. Since the - TLS/IA extension supports multiple exchanges whereby each phase - concludes with a generated keying material. In addition to the - keying material established as part of TLS itself, most inner - applications will produce their keying material. For example, - keying material established as part of an EAP method must be - carried from the AAA server to the AAA client. Details are - subject to the specific AAA protocol (for example, EAP usage in - Diameter [AAA-EAP]. - - - Denial of Service Attacks - - This document does not modify the initial TLS Handshake and as - such, does not introduce new vulnerabilities with regard to DoS - attacks. Since the TLS/IA extension allows to postpone the - client-side authentication to a later stage in the protocol - phase. As such, it allows malicious TLS clients to initiate a - number of exchanges while remaining anonymous. As a consequence, - state at the server is allocated and computational efforts are - required at the server side. Since the TLS client cannot be - stateless this is not strictly a DoS attack. - - - Confidentiality Protection and Dictionary Attack Resistance - - Similar to the user identity confidentiality property the usage - of the TLS/IA extension allows to establish a unilateral - authenticated tunnel which is confidentiality protected. This - tunnel protects the inner application information elements to be - protected against active adversaries and therefore provides - resistance against dictionary attacks when password-based - authentication protocols are used inside the tunnel. In general, - information exchanged inside the tunnel experiences - confidentiality protection. - - - Downgrading Attacks - - This document defines a new extension. The TLS client and the TLS - server indicate the capability to support the TLS/IA extension as - part of the client_hello_extension_list and the - server_hello_extension_list payload. More details can be found in - Section 2.8. To avoid downgrading attacks whereby an adversary - - - - -Paul Funk expires April 2005 [Page 29] - -Internet-Draft October 2004 - - - removes a capability from the list is avoided by the usage of the - Finish or PhaseFinished message as described in Section 2.6. - -7 References - -7.1 Normative References - - [RFC1700] Reynolds, J., and J. Postel, "Assigned Numbers", RFC - 1700, October 1994. - - [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication - Protocol (CHAP)", RFC 1994, August 1996. - - [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate - Requirement Levels", RFC 2119, March 1997. - - [RFC2246] Dierks, T., and C. Allen, "The TLS Protocol Version - 1.0", RFC 2246, November 1998. - - [RFC2433] Zorn, G., and S. Cobb, "Microsoft PPP CHAP Extensions", - RFC 2433, October 1998. - - [RFC2486] Aboba, B., and M. Beadles, "The Network Access - Identifier", RFC 2486, January 1999. - - [RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes", - RFC 2548, March 1999. - - [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", - RFC 2759, January 2000. - - [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, - "Remote Authentication Dial In User Service (RADIUS)", - RFC 2865, June 2000. - - [RFC3546] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, - J., and T. Wright, "Transport Layer Security (TLS) - Extensions", RFC 3546, June 2003. - - [RFC3579] Aboba, B., and P.Calhoun, "RADIUS (Remote Authentication - Dial In User Service) Support For Extensible - Authentication Protocol (EAP)", RFC 3579, September - 2003. - - [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J. - Arkko, "Diameter Base Protocol", RFC 3588, July 2003. - - [RFC3784] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and - H. Levkowetz, "PPP Extensible Authentication Protocol - (EAP)", RFC 3784, June 2004. - - - - -Paul Funk expires April 2005 [Page 30] - -Internet-Draft October 2004 - - - -7.2 Informative References - - [RFC1661] Simpson, W. (Editor), "The Point-to-Point Protocol - (PPP)", STD 51, RFC 1661, July 1994. - - [RFC2716] Aboba, B., and D. Simon, "PPP EAP TLS Authentication - Protocol", RFC 2716, October 1999. - - [EAP-TTLS] Funk, P., and S. Blake-Wilson, " EAP Tunneled TLS - Authentication Protocol (EAP-TTLS)", draft-ietf-pppext- - eap-ttls-05.txt, July 2004. - - [EAP-PEAP] Palekar, A., Simon, D., Salowey, J., Zhou, H., Zorn, G., - and S. Josefsson, "Protected EAP Protocol (PEAP) Version - 2", draft-josefsson-pppext-eap-tls-eap-08.txt, July - 2004. - - [TLS-PSK] Eronen, P., and H. Tschofenig, "Pre-Shared Key - Ciphersuites for Transport Layer Security (TLS)", draft- - ietf-tls-psk-01.txt, August 2004. - - [802.1X] IEEE Standards for Local and Metropolitan Area Networks: - Port based Network Access Control, IEEE Std 802.1X-2001, - June 2001. - - [MITM] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle - in Tunneled Authentication", - http://www.saunalahti.fi/~asokan/research/mitm.html, - Nokia Research Center, Finland, October 24 2002. - - [KEYING] Aboba, B., Simon, D., Arkko, J. and H. Levkowetz, "EAP - Key Management Framework", draft-ietf-eap-keying-01.txt - (work in progress), October 2003. - - [IKEv2] C.Kaufman, "Internet Key Exchange (IKEv2) Protocol", - draft-ietf-ipsec-ikev2-16.txt (work in progress), - September 2004. - - [AAA-EAP] Eronen, P., Hiller, T. and G. Zorn, "Diameter Exntesible - Authentication Protocol (EAP) Application", draft-ietf- - aaa-eap-03.txt (work in progress), October 2003. - -8 Authors' Addresses - - Questions about this memo can be directed to: - - Paul Funk - Funk Software, Inc. - 222 Third Street - Cambridge, MA 02142 - - - -Paul Funk expires April 2005 [Page 31] - -Internet-Draft October 2004 - - - USA - Phone: +1 617 497-6339 - E-mail: paul@funk.com - - Simon Blake-Wilson - Basic Commerce & Industries, Inc. - 96 Spadina Ave, Unit 606 - Toronto, Ontario M5V 2J6 - Canada - Phone: +1 416 214-5961 - E-mail: sblakewilson@bcisse.com - - Ned Smith - Intel Corporation - MS: JF1-229 - 2111 N.E. 25th Ave. - Hillsboro, OR 97124 - Phone: +1 503 264-2692 - E-mail: ned.smith@intel.com - - Hannes Tschofenig - Siemens - Otto-Hahn-Ring 6 - Munich, Bayern 81739\ - Germany - Phone: +49 89 636 40390 - E-mail: Hannes.Tschofenig@siemens.com - -9 Intellectual Property Statement - - The IETF takes no position regarding the validity or scope of any - Intellectual Property Rights or other rights that might be claimed - to pertain to the implementation or use of the technology described - in this document or the extent to which any license under such - rights might or might not be available; nor does it represent that - it has made any independent effort to identify any such rights. - Information on the procedures with respect to rights in RFC - documents can be found in BCP 78 and BCP 79. - - Copies of IPR disclosures made to the IETF Secretariat and any - assurances of licenses to be made available, or the result of an - attempt made to obtain a general license or permission for the use - of such proprietary rights by implementers or users of this - specification can be obtained from the IETF on-line IPR repository - at http://www.ietf.org/ipr. - - The IETF invites any interested party to bring to its attention any - copyrights, patents or patent applications, or other proprietary - rights that may cover technology that may be required to implement - this standard. Please address the information to the IETF at ietf- - ipr@ietf.org. - - - -Paul Funk expires April 2005 [Page 32] - -Internet-Draft October 2004 - - -Disclaimer of Validity - - This document and the information contained herein are provided on - an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE - REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE - INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR - IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF - THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED - WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. - -Copyright Statement - - Copyright (C) The Internet Society (2001 - 2004). This document is - subject to the rights, licenses and restrictions contained in BCP - 78, and except as set forth therein, the authors retain all their - rights. - -Acknowledgment - - Funding for the RFC Editor function is currently provided by the - Internet Society. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Paul Funk expires April 2005 [Page 33] - - - |