TLS Working Group P. Gutmann Internet-Draft University of Auckland Intended status: Standards Track March 18, 2016 Expires: September 19, 2016 TLS 1.2 Long-term Support Profile draft-gutmann-tls-lts-01 Abstract This document specifies a profile of TLS 1.2 for long-term support, one that represents what's already deployed for TLS 1.2 but with the security holes and bugs fixed. This represents a stable, known-good profile that can be deployed now to systems that can't roll out patches every month or two when the next attack on TLS is published. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 19, 2016. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Gutmann Expires September 19, 2016 [Page 1] Internet-Draft TLS-LTS March 2016 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Conventions Used in This Document . . . . . . . . . . . . 3 2. TLS-LTS . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.1. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 3 3. The TLS-LTS Profile . . . . . . . . . . . . . . . . . . . . . 3 3.1. Encryption/Authentication . . . . . . . . . . . . . . . . 3 3.2. Message Formats . . . . . . . . . . . . . . . . . . . . . 5 3.3. Miscellaneous . . . . . . . . . . . . . . . . . . . . . . 5 3.4. Implementation Issues . . . . . . . . . . . . . . . . . . 6 3.5. Rationale . . . . . . . . . . . . . . . . . . . . . . . . 7 4. Security Considerations . . . . . . . . . . . . . . . . . . . 7 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 7.1. Normative References . . . . . . . . . . . . . . . . . . 8 7.2. Informative References . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction TLS [2] and DTLS [4], by nature of their enormous complexity and the inclusion of large amounts of legacy material, contain numerous security issues that have been known to be a problem for many years and that keep coming up again and again in attacks (there are simply too many of these to provide references for, and in any case more will have been published by the time you read this). This document presents a minimal, known-good profile of mechanisms that defend against all currently-known weaknesses in TLS, that would have defended against them ten years ago, and that have a good chance of defending against them ten years from now, providing the long-term stability that's required by many systems in the field. In particular it takes inspiration from numerous published analyses of TLS [8] [9] [10] [11] [12] [13] [14] [15] [16] along with two decades of implementation and deployment experience to select a standard interoperable feature set that provides the best chance of long-term stability and resistance to attack. This is intended for use in systems that need to run in a fixed configuration for a long time after they're deployed, with little or no ability to roll out patches every month or two when the next attack on TLS is published. Unlike the full TLS 1.2, TLS-LTS is not meant to be all things to all people. It represents a fixed, safe solution that's appropriate for users who require a simple, secure, and long-term stable means of getting data from A to B. This represents the majority of the non- Gutmann Expires September 19, 2016 [Page 2] Internet-Draft TLS-LTS March 2016 browser use of TLS, particularly in the embedded systems that are most in need of a long-term stable protocol profile. 1.1. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [1]. 2. TLS-LTS The use of TLS-LTS is negotiated via TLS/DTLS extensions as defined in TLS Extensions [3]. On connecting, the client includes the tls_lts extension in its client_hello if it wishes to use the TLS-LTS profile. If the server is capable of meeting this requirement, it responds with an tls_lts in its server_hello. The "extension_type" value for this extension SHALL be TBD (0xTBD) and the "extension_data" field of this extension SHALL be empty. The client and server MUST NOT use the TLS-LTS profile unless both sides have successfully exchanged tls_lts extensions. 2.1. Rationale The use of extensions precludes use with SSL 3.0, but then it's likely that anything still using this nearly two decades-old protocol will be vulnerable to any number of other attacks anyway, so there seems little point in bending over backwards to accomodate SSL 3.0. 3. The TLS-LTS Profile The TLS-LTS profile specifies a few simple restrictions on TLS options and parameters to limit the protocol to a known-good subset. Since this makes explicit various parameter choices that otherwise need to be negotiated through the use of a slew of TLS extensions, the use of these extensions is made optional when two TLS-LTS conformant implementations are communicating with each other. If a TLS-LTS implementation needs to communicate with a non-TLS-LTS implementation, it SHOULD still include all of the extensions that are mentioned below. 3.1. Encryption/Authentication TLS-LTS restricts the more or less unlimited TLS 1.2 with its more than three hundred cipher suites, over forty ECC parameter sets, and zoo of supplementary algorithms, parameters, and parameter formats, to just two, one traditional one with DHE + AES-CBC + HMAC-SHA-256 + RSA-SHA-256/PSK and one ECC one with ECDHE-P256 + AES-GCM + HMAC- SHA-256 + ECDSA-P256-SHA-256/PSK with uncompressed points: Gutmann Expires September 19, 2016 [Page 3] Internet-Draft TLS-LTS March 2016 o TLS-LTS implementations MUST support TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_PSK_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256. As the use of SHA-256 with RSA or ECDSA is implicit in TLS-LTS, there is no need to signal it via the signature_algorithms extension. In addition the almost universally-ignored requirement that all certificates provided by the server must be signed by the algorithm(s) specified in the signature_algorithms extension is removed both implicitly by not sending the extension and explicitly by removing this requirement. As the use of P256 with uncompressed points is implicit in TLS- LTS, there is no need to signal it via the elliptic_curves and ec_point_formats extensions. [Question: There's a gap in the suites with TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 missing, although it's present for all manner of non-AES ciphers, should we specify TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 or fill the current hole with TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256?]. TLS-LTS only permits encrypt-then-MAC, not MAC-then-encrypt, fixing 20 years of attacks on this mechanism: o TLS-LTS implementations MUST implement encrypt-then-MAC [5] rather than the earlier MAC-then-encrypt. As the use of encrypt-then-MAC is implicit in TLS-LTS, there is no need to signal it via the encrypt_then_mac extension. TLS-LTS drops the IPsec cargo-cult MAC truncation, which serves no obvious purpose and leads to security concerns: o TLS-LTS implementations MUST use full-length MAC values (for example 256 bits for SHA-256). In particular MAC values MUST NOT be truncated to 96 bits/12 bytes, removing the verify_data_length constraint in the Finished message. TLS-LTS recommends that implementations take measures to protect against side-channel attacks: o Implementations SHOULD take steps to protect against timing attacks, for example by using constant-time implementations of algorithms and by using blinding for non-randomised algorithms like RSA. o Implementations SHOULD take steps to protect against fault attacks, in particular for the extremely brittle ECC algorithms whose typical failure mode if a fault occurs is to leak the Gutmann Expires September 19, 2016 [Page 4] Internet-Draft TLS-LTS March 2016 private key. One simple countermeasure is to use the public key to verify any signatures generated before they are sent over the wire. [Question: Should the PRF be replaced with HKDF? There's no pressing need for this, but it could be part of the general cleanup]. 3.2. Message Formats TLS-LTS sends the full set of DH parameters, X9.42/FIPS 186 style, not p and g only, PKCS #3 style. This allows verification of the DH parameters, which the current format doesn't allow: o TLS-LTS implementations MUST send the DH domain parameters as { p, g, q } rather than { p, g }. This makes the ServerDHParams field: struct { opaque dh_p<1..2^16-1>; opaque dh_g<1..2^16-1>; opaque dh_q<1..2^16-1>; opaque dh_Ys<1..2^16-1>; } ServerDHParams; /* Ephemeral DH parameters */ The domain parameters MUST be verified as specified in FIPS 186 [6]. TLS-LTS adds a hash of the domain parameters into the master secret to protect against the use of manipulated curves/domain parameters: o TLS-LTS implementations MUST include a SHA-256 hash of the EDH or ECDH parameters in the master secret computation by concatenating the hash to the pre_master_secret value. In the case of EDH, the value that's hashed is the ServerDHParams structure. In the case of ECDH the value that's hashed is the ServerECDHParams structure. This means that the master_secret computation becomes: master_secret = PRF(pre_master_secret || param_hash, "master secret", ClientHello.random + ServerHello.random) [0..47]; 3.3. Miscellaneous TLS-LTS drops the need to send the current time in the random data, which serves no obvious purpose and leaks the client/server's time to attackers: Gutmann Expires September 19, 2016 [Page 5] Internet-Draft TLS-LTS March 2016 o TLS-LTS implementations SHOULD NOT include the time in the Client/ ServerHello random data. The data SHOULD consists entirely of random bytes. TLS-LTS drops compression and rehandshake, which have led to a number of attacks: o TLS-LTS implementations MUST NOT implement compression or rehandshake. 3.4. Implementation Issues TLS-LTS requires that RSA signature verification be done as encode- then-compare, which fixes all known padding-manipulation issues: o TLS-LTS implementations MUST verify RSA signatures by using encode-then-compare as described in PKCS #1 [7], meaning that they encode the expected signature result and perform a constant-time compare against the recovered signature data. The constant-time compare isn't strictly necessary for security in this case, but it's generally good hygiene and is explicitly required when comparing secret data values: o All operations on crypto- or security-related values SHOULD be performed in a manner that's as timing-independent as possible. For example compares of MAC values such as those used in the Finished message and data packets SHOULD be performed using a constant-time memcmp() or equivalent so as not to leak timing data to an attacker. The TLS protocol has historically and somewhat arbitrarily been described as a state machine, which has led to a number of implementation flaws when state transitions weren't very carefully considered and enforced. A more logical means of representing the protocol is as a ladder diagram, which hardcodes the transitions into the diagram and removes the need to juggle a large amount of state: o Implementations SHOULD consider representing/implementing the protocol as a ladder diagram rather than a state machine, since the state-diagram form has led to a number of implementation errors in the past which are avoided through the use of the ladder diagram form. Gutmann Expires September 19, 2016 [Page 6] Internet-Draft TLS-LTS March 2016 3.5. Rationale A question that may be asked at this point is, why not use TLS 1.3 instead of creating a secure profile of TLS 1.2? The reason is that TLS 1.3 rolls back the 20 years of experience that we have with all the things that can go wrong in TLS and starts again from scratch with an almost entirely new protocol based on bleeding-edge/ experimental ideas, mechanisms, and algorithms. When SSLv3 was introduced, it used ideas that were 10-20 years old (DH, RSA, DES, and so on were all long-established algorithms, only SHA-1 was relatively new). These were mature algorithms with large amounts of of research published on them, and yet we're still fixing issues with them 20 years later (the DH algorithm was published in 1976, SSLv3 dates from 1996, and the latest DH issue, Logjam, dates from 2015. With TLS 1.3 we currently have zero implementation and deployment experience, which means that we're likely to have another 10-20 years of patching holes and fixing protocol and implementation problems ahead of us. It's for this reason that this profile uses the decades of experience we have with SSL and TLS to simplify TLS 1.2 into a known-good subset that leverages about 15 years of analysis and 20 years of implementation experience, rather than betting on what's almost an entirely new protocol based on bleeding-edge/experimental ideas, mechanisms, and algorithms. The intent is to create a long- term stable protocol profile that can be deployed once, not deployed and then patched, updated, and fixed constantly for the lifetime of the equipment that it's used with. 4. Security Considerations This document defines a minimal, known-good subset of TLS 1.2 that attempts to address all known weaknesses in the protocol, mostly by simply removing known-insecure mechanisms but also by updating the ones that remain to take advantage of many years of security research and implementation experience. 5. IANA Considerations IANA has added the extension code point TBD (0xTBD) for the tls_lts extension to the TLS ExtensionType values registry as specified in TLS [2]. 6. Acknowledgements The author would like to thank the members of the TLS mailing list for their feedback on this document. Gutmann Expires September 19, 2016 [Page 7] Internet-Draft TLS-LTS March 2016 7. References 7.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. [3] Eastlake 3rd, D., "Transport Layer Security (TLS) Extensions", RFC 6066, January 2011. [4] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, January 2012. [5] Gutmann, P., "Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", RFC 7366, September 2014. [6] "Digital Signature Standard (DSS)", FIPS 186, July 2013. [7] Jonsson, J. and B. Kaliski, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1", RFC 3447, February 2003. 7.2. Informative References [8] Bhargavan, K., Fournet, C., Kohlweiss, M., Pironti, A., Strub, P., and S. Zanella-Beguelin, "Proving the TLS handshake secure (as is)", Springer-Verlag LNCS 8617, August 2014. [9] Brzuska, C., Fischlin, M., Smart, N., Warinschi, B., and S. Williams, "Less is more: relaxed yet compatible security notions for key exchange", IACR ePrint archive 2012/242, April 2012. [10] Dowling, B. and D. Stebila, "Modelling ciphersuite and version negotiation in the TLS protocol", Springer-Verlag LNCS 9144, June 2015. [11] Firing, T., "Analysis of the Transport Layer Security protocol", June 2010. [12] Gajek, S., Manulis, M., Pereira, O., Sadeghi, A., and J. Schwenk, "Universally Composable Security Analysis of TLS", Springer-Verlag LNCS 5324, November 2008. Gutmann Expires September 19, 2016 [Page 8] Internet-Draft TLS-LTS March 2016 [13] Jager, T., Kohlar, F., Schaege, S., and J. Schwenk, "On the security of TLS-DHE in the standard model", Springer- Verlag LNCS 7417, August 2012. [14] Giesen, F., Kohlar, F., and D. Stebila, "On the security of TLS renegotiation", ACM CCS 2013, November 2013. [15] Meyer, C. and J. Schwenk, "Lessons Learned From Previous SSL/TLS Attacks - A Brief Chronology Of Attacks And Weaknesses", Cryptology ePrint Archive 2013/049, January 2013. [16] Krawczyk, H., Paterson, K., and H. Wee, "On the security of the TLS protocol", Springer-Verlag LNCS 8042, August 2013. [17] Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks", RFC 7507, April 2015. Author's Address Peter Gutmann University of Auckland Department of Computer Science University of Auckland New Zealand Email: pgut001@cs.auckland.ac.nz Gutmann Expires September 19, 2016 [Page 9]