Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
draft-ietf-tls-session-hash-06

[Ballot comment]
The last paragraph of Section 4 makes me wonder whether this should "update" 5246.  Basically, while this is an extension (which wouldn't normally use "updates"), it's one that you're proposing as standard behavior, and not really as an extension.

[Ballot discuss]
This is a DISCUSS purely because I want to discuss it; whatever the result is, I will be clearing the DISCUSS, and not delaying the document on this point:  The last paragraph of Section 4 makes me wonder whether this should "update" 5246.  Basically, while this is an extension (which wouldn't normally use "updates"), it's one that you're proposing as standard behavior, and not really as an extension.

[Ballot comment]
Thank you for your work on this and a well-written draft!  The considerations are very thorough, every time I had a question, I was able to find an answer in the draft.  I do think a couple more references could be helpful though.

1. I think it would be good for section 6.4 to note that SSL 3.0 has been deprecated in https://datatracker.ietf.org/doc/draft-ietf-tls-sslv3-diediedie/
It's ahead of this draft in the RFC editor queue.

2. It might be good to have a pointer to the UTA TLS Attack RFC7457 as this attack is described in section 2.11 and there is no reference to a fix.  It would be nice to show that known attacks are being resolved.
https://tools.ietf.org/html/rfc7457#section-2.11

IESG/Authors/WG Chairs:

IANA has reviewed draft-ietf-tls-session-hash-04. Please report any inaccuracies as soon as possible.

IANA's reviewer has the following comments:

IANA understands that, upon approval of this document, there is a single action that must be completed.

In the ExtensionType Values registry under the Transport Layer Security (TLS) Extensions heading at

https://www.iana.org/assignments/tls-extensiontype-values/

the extension code point 23 (0x0017) for the "extended_master_secret" extension will be changed from a temporary assignment to a permanent assignment with a reference pointing to [ RFC-to-be ].

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC:
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension) to Proposed Standard


The IESG has received a request from the Transport Layer Security WG
(tls) to consider the following document:
- 'Transport Layer Security (TLS) Session Hash and Extended Master Secret
  Extension'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2015-04-13. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  The Transport Layer Security (TLS) master secret is not
  cryptographically bound to important session parameters such as the
  server certificate.  Consequently, it is possible for an active
  attacker to set up two sessions, one with a client and another with a
  server, such that the master secrets on the two sessions are the
  same.  Thereafter, any mechanism that relies on the master secret for
  authentication, including session resumption, becomes vulnerable to a
  man-in-the-middle attack, where the attacker can simply forward
  messages back and forth between the client and server.  This
  specification defines a TLS extension that contextually binds the
  master secret to a log of the full handshake that computes it, thus
  preventing such attacks.




The file can be obtained via
http://datatracker.ietf.org/doc/draft-ietf-tls-session-hash/

IESG discussion can be tracked via
http://datatracker.ietf.org/doc/draft-ietf-tls-session-hash/ballot/


No IPR declarations have been submitted directly on this I-D.

ID-NITs says this uses "NOT RECOMMENDED" but that that's not
called out as a term. We'll fix that.

1. Summary

Ever heard of the “triple handshake attack” (https://www.secure-resumption.com/)? If not that’s okay because the draft explains the attack and documents an implemented solution that cryptographically bind the master secret to a log of the full handshake.  This document is bound for standards track (even though the header doesn’t indicate so) because it’s a TLS extension.

Please note this draft applies to all version of TLS prior to 1.3.  TLS 1.3 is going to also going to adopt this work directly into its draft.

Sean Turner is the document shepherd and Stephen Farrell is our über Area Director!

2. Review and Consensus

This document has been reviewed by the WG on the mailing list and has been discussed at numerous TLS meetings (both regularly scheduled IETF meeting and TLS interims).  It not only reflects WG consensus it documents an implemented solution.

3. Intellectual Property

[Confirming this as of 2015-03-13]

The shepherd has confirmed the author's direct, personal knowledge of any IPR related to this document has already been disclosed, in conformance with BCPs 78 and 79.

4. Other Points

DOWNREFs: None.

IANA Considerations: An early IANA code point assignment was made for this registry.  When published IANA will make this permanent.  The instructions for IANA are well documented.