TCPING | E. Rescorla |
Internet-Draft | Mozilla |
Intended status: Standards Track | November 2, 2015 |
Expires: May 5, 2016 |
Using TLS to Protect TCP Streams
draft-ietf-tcpinc-use-tls-00
This document defines the use of TLS [RFC5246] with the TCP-ENO option [I-D.bittau-tcpinc-tcpeno].
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 5, 2016.
Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH The source for this draft is maintained in GitHub. Suggested changes should be submitted as pull requests at https://github.com/ekr/tcpinc-tls. Instructions are on that page as well.
The TCPINC WG is chartered to define protocols to provide ubiquitous, transparent security for TCP connections. The WG is specifying The TCP Encryption Negotiation Option (TCP-ENO) [I-D.bittau-tcpinc-tcpeno] which allows for negotiation of encryption at the TCP layer. This document describes a binding of TLS [RFC5246] to TCP-ENO as what ENO calls an “encryption spec”, thus allowing TCP-ENO to negotiate TLS.
The basic idea behind this draft is simple. The SYN and SYN/ACK messages carry the TCP-ENO options indicating the willingness to do TLS. If both sides want to do TLS, then a TLS handshake is started and once that completes, the data is TLS protected prior to being sent over TCP. Otherwise, the application data is sent as usual.
Client Server SYN + TCP-ENO [TLS]-> <- SYN/ACK + TCP-ENO [TLS] ACK + TCP-ENO -> <---------------- TLS Handshake ---------------> <--------- Application Data over TLS ---------->
Figure 1
Client Server SYN + TCP-ENO [TLS] -> <- SYN/ACK ACK -> <--------- Application Data over TCP ---------->
Figure 2: Fall back to TCP
If use of TLS is negotiated, the data sent over TCP simply is TLS data in compliance with TLS 1.2 [RFC5246] or TLS 1.3 [I-D.ietf-tls-tls13].
Once the TLS handshake has completed, all application data SHALL be sent over that negotiated TLS channel. Application data MUST NOT be sent prior to the TLS handshake.
If the TLS handshake fails, the endpoint MUST tear down the TCP connection and MUST NOT send plaintext data over the connection.
TCP-ENO suboption with cs value set to [TBD]. Specifically, this means that the SYN contains a 1-byte suboption indicating support for this specification.
bit 7 6 5 4 3 2 1 0 +---+---+---+---+---+---+---+---+ | 0 | TBD | +---+---+---+---+---+---+---+---+
[[OPEN ISSUE: It would be nice to indicate the desire to have 0-RTT, but that would require a variable length suboption, which seems perhaps excessive. Maybe that’s the right answer anyway.]]
The SYN/ACK can be in one of two forms:
The ACK simply contains the bare TCP-ENO suboption.
TCP-ENO Section 4.1 defines a session ID feature (not to be confused with TLS Session IDs). When the protocol in use is TLS, the session ID is computed via a TLS Exporter [RFC5705] using the Exporter Label [[TBD]] and without a context value (the TCP-ENO transcript is incorporated via the TCPENOTranscript extension).
Because TLS security is provided in the TCP transport stream rather than at the segment level, the FIN is not an authenticated indicator of end of data. Instead implementations following this specification MUST send a TLS close_notify alert prior to sending a FIN and MUST raise an error if a FIN or RST is receive prior to receiving a close_notify.
The TLS Profile defined in this document is intended to be a compromise between two separate use cases. For the straight TCPINC use case of ubiquitous transport encryption, we desire that implementations solely implement TLS 1.3 [I-D.ietf-tls-tls13] or greater. However, we also want to allow the use of TCP-ENO as a signal for applications to do out-of-band negotiation of TLS, and those applications are likely to already have support for TLS 1.2 [RFC5246]. In order to accomodate both cases, we specify a wire encoding that allows for negotiation of multiple TLS versions (Section 3.1) but encourage implementations to implement only TLS 1.3. Implementations which also implement TLS 1.2 MUST implement the profile described in Section 4.2
TLS 1.3 is the preferred version of TLS for this specification. In order to facilitate implementation, this section provides a non-normative description of the parts of TLS 1.3 which are relevant to TCPINC and defines a normative baseline of algorithms and modes which MUST be supported. Other modes, cipher suites, key exchange algorithms, certificate formats as defined in [I-D.ietf-tls-tls13] MAY also be used and that document remains the normative reference for TLS 1.3. Bracketed references (e.g., [S. 1.2.3.4] refer to the corresponding section in that document.) In order to match TLS terminology, we use the term “client” to indicate the TCP-ENO “A” role (See [I-D.bittau-tcpinc-tcpeno]; Section 3.1) and “server” to indicate the “B” role.
TLS 1.3 as used in TCPINC supports two handshake modes, both based on Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange.
In both case, the server is expected to have an Elliptic-Curve Digital Signature Algorithm (ECDSA) signing key which may either be a freshly-generated key or a long-term key (allowing Trust-On-First-Use (TOFU) style applications). The key need not be associated with any certificate and can simply be a bare key.
Full TLS 1.3 includes support for additional modes based on pre-shared keys, but TCPINC implementations MAY opt to omit them. Implementations MUST implement the 1-RTT mode and SHOULD implement the 0-RTT mode.
Client Server ClientHello + ClientKeyShare + TCPENOTranscript -------> ServerHello ServerKeyShare {EncryptedExtensions} {ServerConfiguration*} {Certificate} {CertificateVerify} <-------- {Finished} <-------- [Application Data] {Finished} --------> [Application Data] <-------> [Application Data] * Indicates optional or situation-dependent messages that are not always sent. {} Indicates messages protected using keys derived from the ephemeral secret. [] Indicates messages protected using keys derived from the master secret.
Figure 3: Message flow for full TLS Handshake
Note: Although these diagrams indicate a message called “Certificate”, this message MAY either contain a bare public key or an X.509 certificate (this is intended to support the out-of-band use case indicated above). Implementations MUST support bare public keys and MAY support X.509 certificates.
In order to initiate the TLS handshake, the client sends a “ClientHello” message [S. 6.3.1.1].
struct { ProtocolVersion client_version = { 3, 4 }; /* TLS v1.3 */ Random random; uint8 session_id_len_RESERVED; /* Must be zero */ CipherSuite cipher_suites<2..2^16-2>; uint8 compression_methods_len_RESERVED; /* Must be zero */ Extension extensions<0..2^16-1>; } ClientHello;
The fields listed here have the following meanings:
extensions contains a set of extension fields. The client MUST include the following extensions:
The client MUST also include a ServerCertTypeExtension containing type “Raw Public Key” [RFC7250], indicating its willingness to accept a raw public key rather than an X.509 certificate in the server’s Certificate message.
The client MUST include a TCPENOTranscript extension containing the TCP-ENO options that were used to negotiate ENO.
TCPENOTranscript TLS Extension is used to carry the TCP ENO negotiation transcript. The body of the extension simply includes the TCP-ENO negotiation transcript as defined in TCP-ENO Section 3.4.
This serves two purposes:
The server MUST validate that the TCPENOTranscript extension matches the transcript. If not, it MUST fail the handshake with a fatal “handshake_failure” exception.
Upon receiving the client’s ClientHello, the server selects a ciphersuite and ECDHE group out of the lists provided by the client in the cipher_suites list and the NamedGroup extension. If the client supplied an appropriate ClientKeyShare for that group, then the server responds with a ServerHello (see Section 4.1.2.3). Otherwise, it replies with a HelloRetryRequest (Section 4.1.3), indicating that the client needs to re-send the ClientHello with an appropriate key share; because all TCPINC implementations are required to support P-256, this should not happen unless P-256 is deprecated by a subsequent specification.
The server responds to the client’s first flight with a sequence of messages:
Once the server has sent the Finished message, it can immediately generate the application traffic keys and start sending application traffic to the client.
Upon receiving the server’s first flight, the client proceeds as follows:
Finally, the client sends a Finished message which contains a MAC over the handshake transcript (except for the server’s Finished). [[TODO: In the upcoming draft of TLS 1.3, the client’s Finished will likely include the server’s Finished.]] Once the client has transmitted the Finished, it can begin sending encrypted traffic to the server.
The server reads the client’s Finished message and verifies the MAC. If the MAC does not verify, the client terminates the handshake with an alert.
Because there are a small number of recommended groups, the ClientKeyShare will generally contain a key share for a group that the server supports. However, it is possible that the client will not send such a key share, but there may be another group that the client and server jointly support. In that case, the server MUST send a HelloRetryRequest indicating the desired group:
struct { ProtocolVersion server_version; CipherSuite cipher_suite; NamedGroup selected_group; Extension extensions<0..2^16-1>; } HelloRetryRequest;
In response to the HelloRetryRequest the client re-sends its ClientHello but with the addition of the group indicated in “selected_group”.
TLS 1.3 allows the server to send its first application data message to the client immediately upon receiving the client’s first handshake message (which the client can send upon receiving the server’s SYN/ACK). However, in the basic handshake, the client is required to wait for the server’s first flight before it can send to the server. TLS 1.3 also includes a “Zero-RTT” feature which allows the client to send data on its first flight to the server.
In order to enable this feature, in an initial handshake the server sends a ServerConfiguration message which contains the server’s semi-static (EC)DH key which can be used for a future handshake:
struct { opaque configuration_id<1..2^16-1>; uint32 expiration_date; NamedGroup group; opaque server_key<1..2^16-1>; EarlyDataType early_data_type; ConfigurationExtension extensions<0..2^16-1>; } ServerConfiguration;
The group and server_key fields contain the server’s (EC)DH key and the early_data_type field is used to indicate what data can be sent in zero-RTT. Because client authentication is forbidden in TCPINC-uses of TLS 1.3 (see Section 4.3), the only valid value here is “early_data”, indicating that the client can send data in 0-RTT.
In a future connection, a client MAY send 0-RTT data only if the following three conditions obtain:
In this case, the client sends an EarlyDataIndication extension in its ClientHello and can start sending data immediately, as shown below.
Client Server ClientHello + ClientKeyShare + EarlyDataIndication + TCPENOTranscript (EncryptedExtensions) (Application Data) --------> ServerHello + EarlyDataIndication ServerKeyShare {EncryptedExtensions} {ServerConfiguration*} {Certificate} {CertificateVerify} <-------- {Finished} <-------- [Application Data] {Finished} --------> [Application Data] <-------> [Application Data] () Indicates messages protected using keys derived from the static secret.
Figure 4: Message flow for a zero round trip handshake
IMPORTANT NOTE: TLS 1.3 Zero-RTT does not provide PFS and therefore MUST only be used when explicitly configured.
Note: TLS 1.3 Zero-RTT data is inherently replayable (see the note in [I-D.ietf-tls-tls13] Section 6.2.2). However, because the client and server have already exchanged data in the TCP handshake, this data can be used to provide anti-replay for a 0-RTT mode TLS handshake via the TCPENOTranscript extension.
TLS 1.3 derives its traffic keys from two input keying material values:
Ephemeral Secret (ES): A secret which is derived from ClientKeyShare and ServerKeyShare.
Static Secret (SS): A secret which which is derived from ClientKeyShare and either ServerKeyShare (in the 1-RTT case) or the public key in the ServerConfiguration (in the 0-RTT case).
The handshake is encrypted under keys derived from ES. The ordinary traffic keys are derived from the combination of ES and SS. The 0-RTT traffic keys are derived solely from ES and therefore have limited forward security. All key derivation is done using the HKDF key-derivation algorithm [RFC5869].
Once the TLS handshake has completed, all data is protected as a series of TLS Records.
struct { ContentType opaque_type = application_data(23); /* see fragment.type */ ProtocolVersion record_version = { 3, 1 }; /* TLS v1.x */ uint16 length; aead-ciphered struct { opaque content[TLSPlaintext.length]; ContentType type; uint8 zeros[length_of_padding]; } fragment; } TLSCiphertext;
Each record is encrypted with an Authenticated Encryption with Additional Data (AEAD) cipher with the following parameters:
The record data MAY BE padded with zeros to the right. Because the content type byte value is always non-zero, the padding is removed by removing bytes from the right until a non-zero byte is encountered.
Implementations MUST implement and require the TLS Extended Master Secret Extension [I-D.ietf-tls-session-hash] and MUST NOT negotiate versions of TLS prior to TLS 1.2. Implementations MUST NOT negotiate non-AEAD cipher suites and MUST use only PFS cipher suites with a key of at least 2048 bits (finite field) or 256 bites (elliptic curve). TLS 1.2 implementations MUST NOT initiate renegotiation and MUST respond to renegotiation with a fatal “no_renegotiation” alert.
When TLS is used with TCPINC, a number of TLS features MUST NOT be used, including:
These features have only minimal advantage in this context and interfere with offering a reduced profile.
Implementations of this specification MUST implement the following cipher suite:
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
These cipher suites MUST support both digital signatures and key exchange with secp256r1 (NIST P-256) and SHOULD support key agrement with X25519 [I-D.irtf-cfrg-curves].
Implementations of this specification SHOULD implement the following cipher suites:
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
The basic operational mode defined by TCP-TLS protects only the application layer content, but not the TCP segment metadata. Upon receiving a packet, implementations MUST first check the TCP checksum and discard corrupt packets without presenting them to TLS. If the TCP checksum passes but TLS integrity fails, the connection MUST be torn down.
Thus, TCP-TLS provides automatic security for the content, but not protection against DoS-style attacks. For instance, attackers will be able to inject RST packets, bogus application segments, etc., regardless of whether TLS authentication is used. Because the application data is TLS protected, this will not result in the application receiving bogus data, but it will constitute a DoS on the connection.
This attack could be countered by using TCP-TLS in combination with TCP-AO [RFC5925], using Application-Layer Protocol Negotiation (ALPN) [RFC7301] to negotiate the use of AO. [[OPEN ISSUE: Is this something we want? Maybe in a separate specification.]]
Needed here:
There are two primary implementation options for TCP-TLS:
The former option obviously achieves easier deployment for applications, which don’t have to do anything, but is more effort for kernel developers and requires a wider interface to the kernel to configure the TLS stack. The latter option is inherently more flexible but does not provide as immediate transparent deployment. It is also possible for systems to offer both options.
If use of TLS is negotiated, the data sent over TCP simply is TLS data in compliance with [RFC5246]. Thus it is extremely likely to pass through NATs, firewalls, etc. The only kind of middlebox that is likely to cause a problem is one which does protocol enforcement that blocks TLS on arbitrary (non-443) ports but also passes unknown TCP options. Although no doubt such devices do exist, because this is a common scenario, a client machine should be able to probe to determine if it is behind such a device relatively readily.
IANA [shall register/has registered] the TCP-ENO suboption XX for TCP-TLS.
IANA [shall register/has registered] the ALPN code point “tcpao” to indicate the use of TCP-TLS with TCP-AO.
The mechanisms in this document are inherently vulnerable to active attack because an attacker can remove the TCP-TLS option, thus downgrading you to ordinary TCP. Even when TCP-AO is used, all that is being provided is continuity of authentication from the initial handshake. If some sort of external authentication mechanism was provided or certificates are used, then you might get some protection against active attack.
Once the TCP-TLS option has been negotiated, then the connection is resistant to active data injection attacks. If TCP-AO is not used, then injected packets appear as bogus data at the TLS layer and will result in MAC errors followed by a fatal alert. The result is that while data integrity is provided, the connection is not resistant to DoS attacks intended to terminate it.
If TCP-AO is used, then any bogus packets injected by an attacker will be rejected by the TCP-AO integrity check and therefore will never reach the TLS layer. Thus, in this case, the connection is also resistant to DoS attacks, provided that endpoints require integrity protection for RST packets. If endpoints accept unauthenticated RST, then no DoS protection is provided.
[I-D.bittau-tcp-crypt] | Bittau, A., Boneh, D., Hamburg, M., Handley, M., Mazieres, D. and Q. Slack, "Cryptographic protection of TCP Streams (tcpcrypt)", Internet-Draft draft-bittau-tcp-crypt-04, February 2014. |
[I-D.ietf-tls-falsestart] | Langley, A., Modadugu, N. and B. Moeller, "Transport Layer Security (TLS) False Start", Internet-Draft draft-ietf-tls-falsestart-01, November 2015. |
[RFC5929] | Altman, J., Williams, N. and L. Zhu, "Channel Bindings for TLS", RFC 5929, DOI 10.17487/RFC5929, July 2010. |
[RFC6919] | Barnes, R., Kent, S. and E. Rescorla, "Further Key Words for Use in RFCs to Indicate Requirement Levels", RFC 6919, DOI 10.17487/RFC6919, April 2013. |
[RFC7301] | Friedl, S., Popov, A., Langley, A. and E. Stephan, "Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, July 2014. |