LURK | D. Migault |
Internet-Draft | Ericsson |
Intended status: Standards Track | I. Boureanu |
Expires: January 3, 2019 | University of Surrey |
July 02, 2018 |
LURK Extension version 1 for (D)TLS 1.2 Authentication
draft-mglt-lurk-tls12-01
This document describes the LURK Extension 'tls12' which enables interactions between a LURK Client and a LURK Server in a context of authentication with (D)TLS 1.2.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 3, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
This document describes the LURK Extension for TLS 1.2 so the LURK Server can implement a Cryptographic Service in a TLS 1.2 [RFC5246] and DTLS 1.2 [RFC6347] context.
More specifically, the LURK Server will be in charge of performing the cryptographic operations associated to the private key of the TLS Server, while other aspects of the termination of the TLS session is handled by other services in the same administrative domain or in a different administrative domain. Most Cryptographic Operations are related to the TLS authentication and the current document limits the Cryptographic Operations to the following authentication methods: RSA and ECDHE_RSA defined in [RFC5246], [RFC6347] as well as ECDHE_ECDSA defined in [I-D.ietf-tls-rfc4492bis].
A more detailed description of some use cases foreseen in a TLS context can be found in [I-D.mglt-lurk-tls-use-cases].
HTTPS delegation has been the main concern of the Content Delivery Networks Interconnection (cdni) Working Group and several mechanisms have been designed to delegate the load from an upstream entity to a downstream entity. Entities can be of different nature and may designated differently according to the context. Typically designations includes Content Owner, CDN Provider, Domain Name Owner for example. [I-D.fieau-cdni-https-delegation] provides a details comparison of the various mechanisms applies to the CDN Interconnection, and the remaining of this section positions these mechanisms at a very high level view.
STAR [I-D.ietf-acme-star], [I-D.sheffer-acme-star-request] describes a methods where the domain name owner or the content owner orchestrates the refreshing process between a CA and the CDN (terminating the TLS session). The CDN refreshes regularly and automatically its certificates using [I-D.ietf-acme-acme], which allows the use of short term certificates.
Delegated credentials [I-D.rescorla-tls-subcerts] consists having a certificate that enables the servers to generates some "delegated credentials".
STAR and "delegated credentials" both require some changes performed by the CA - new certificate type for the delegated credentials and new interfaces for the delegated and delegating entity for STAR. In both case the TLS Client authenticates the delegated entity. While STAR does not require changes on the TLS Client, the "delegated credential" solution does. In both cases, the delegation is controlled by limiting in time (7 days), which is also the limit of use of a stolen key or a rogue server. Such delegation provides a high scalability of the architecture and prevents additional delays when a TLS session is established.
The LURK Architecture [I-D.mglt-lurk-lurk] and the LURK Extension 'tls12' do not proceed to the delegation of the HTTPS delegation by delegating the entire TLS termination. Instead, the TLS termination is split into sub services, for example one associated to the networking part and one associated to the cryptographic operation. While micro services associated to the networking part are delegated, the micro service associated to the cryptographic operation may not be delegated. As a result, LURK Architecture is focused on the protection of the Cryptographic Material and prevents leakage of the Cryptographic Material for example by avoiding node exposed to the Internet to host the Cryptographic Material. In addition, LURK provides means to instantaneously suspend the delegation with a suspicious node. On the other hand the LURK Extension 'tls12' introduces some latency, and is not as scalable as STAR or delegated credential solutions.
The LURK Extension 'tls12' is seen as a complementary to the STAR and "delegated credentials". The LURK Extension 'tls12' is a backend solution that does not require any modifications from TLS Client or the CA. It is also aimed at protecting the Cryptographic Material.
<IB: a comparison should be made here, i.e., STAR/"delegated credentials" vs LURK>
LURK may also be deployed within an administrative domain in order to to provide a more controlled deployment of TLS Servers.
This document re-uses the terminology defined in [I-D.mglt-lurk-lurk].
LURK / TLS 1.2 is a LURK Extension that introduces a new designation "tls12". This document assumes that Extension is defined with designation set to "tls12" and version set to 1. The LURK Extension extends the LURKHeader structure defined in [I-D.mglt-lurk-lurk] as follows:
enum { tls12 (1), (255) } Designation; enum { capabilities (0), ping (1), rsa_master (2), rsa_extended_master (3), ecdhe (4), (255) }TLS12Type; enum { // generic values reserved or aligned with the // LURK Protocol request (0), success (1), undefined_error (2), invalid_payload_format (3), // code points for rsa authentication invalid_key_id_type (4), invalid_key_id (5), invalid_tls_random (6), invalid_prf (7), invalid_encrypted_premaster (8), invalid_finished (9) //code points for ecdhe authentication invalid_ec_type (10), invalid_ec_curve (11), invalid_poo_prf (12), invalid_poo (13), (255) }TLS12Status struct { Designation designation = "tls12"; int8 version = 1; } Extension; struct { Extension extension; select( Extension ){ case ("tls12", 1): TLS12Type; } type; select( Extension ){ case ("tls12", 1): TLS12Status; } status; uint64 id; unint32 length; } LURKHeader;
An exchange of type "rsa_master" or "rsa_master_with_poh" enables the LURK Client to delegate the RSA Key Exchange and authentication as defined in [RFC5246]. The LURK Server returns the master secret.
"rsa_master" provides the necessary parameters and details to generate the master secret, as well as to hinder replaying of old handshake messages by a corrupt LURK Client. I.e., some attestation of message-freshness is acquired by the LURK Server.
In addition, the"rsa_master_with_poh" provides a proof of handshake (PoH). The proof of handshake consists in providing the Finished message of the TLS Client to the LURK Server, so that latter can perform more checks that in the "rsa_master" mode. Notably, herein, the LURK Server also checks that the LURK request is performed in a context of a TLS handshake.
While "rsa_master" and "rsa_master_with_poh" exchange have respectively different requests, the response is the same. The motivation for having different type is that the parameters provided to the LURK Server are provided using different format. "rsa_master" provides them explicitly, while "rsa_master_with_poh" provides them via handshake messages.
A rsa_master request payload has the following structure:
enum { sha256_32 (0), (255) }KeyPairIdType; struct { KeyPairIdType type; opaque data; // length defined by the type } KeyPairID; enum{ sha256 (0), (255) } PFSAlgorithm struct { KeyPairID key_id; PFSAlgorithm freshness_funct; Random client_random; // see RFC5246 section 7.4.1.2 Random server_random; EncryptedPreMasterSecret pre_master; // see RFC5246 section 7.4.7.1 // Length depends on the key. } } TLS12RSAMasterRequestPayload;
server_random: the random value associated to the TLS Server as defined in [RFC5246] Section 7.4.1.2.
EncryptedPreMasterSecret : The encrypted master secret as defined in [RFC5246] Section 7.4.7.1.
A rsa_master_with_poh request payload has the following structure:
struct { KeyPairID key_id; PFSAlgorithm freshness_funct; opaque handshake_messages<2...2^16-2> // see RFC5246 section 7.4.9 Finished finished } TLS12RSAMasterWithPoHRequestPayload;
key_id, freshness_funct are defined above
This document defines a mechanism which uses a function called freshness_funct, to prevent an attacker to send a request to the LURK Server in such a way that the said attacker can obtain back the mastersecret for an old handshake. In other words, the use of this function helps prevent a forward-secrecy attack on an old TLS session, where the attack would make use that session's handshake-data observed by the adversary.
This design achieves PFS with freshness_funct being a collision-resistant hash function (CHRF). By CRHF, we mean a one-way hash function (OWHF) which also has collision resistance; the latter means that it is computationally infeasible to find any two inputs x1 and x2 such that freshness_funct(x1) = freshness_funct(x2). By one-way hash function (OWHF) we mean, as standard, a hash function freshness_funct that satisfies preimage resistance and 2nd-preimage resistance. That is, given a hash value y, it is computationally infeasible to find an x such that freshness_funct(x) = y, and respectively– given a value x1 and its hash freshness_funct(x1), it is computationally infeasible to find another x2 such that freshness_funct(x2) = freshness_funct(x1).
For the concrete use of our freshness_funct funtions, let S be a fresh, randomly picked value generated by the LURK Client. The value of server_random in the TLS exchange is then equal to freshness_funct(S), i.e., server_random=freshness_funct(S). Between the TLS Client and the LURK Server only server-random is exchanged. The LURK Client sends S to the Key Server, in the query. Note that the latter SHOULD happen over a secure channel.
A man-in-the-middle attacker observing the (plaintext) TLS handshake between a TLS Client and the LURK Client does not see S, but only server_random. The preimage resistance guaranted by the freshness_funct makes it such that this man-in-the-middle cannot retrieve S out of the observed server-random. As such, this man-in-the-middle attacker cannot query the S corresponding to an (old) observed handshake to the Key Server. Moreover, the collision resistance guaranteed by the freshness_funct makes it such that if the aforementioned man-in-the-middle cannot find S' such that freshness_funct(S)=freshness_funct(S').
As discussed in Section 9, PFS may be achieved in other ways (i.e., not using a CRHF and the aforementioned exchanges but other cryptographic primitives and other exchanges). These may offer better computational efficiency. These may be standardized in future versions of the LURK extension "tls12.
The server_random MUST follow the structure of [RFC5246] section 7.4.1.2, which carries the gmt_unix_time in the first four bytes. So, the ServerHello.random of the TLS exchange is derived from the server_random of the LURK exchange as defined below:
gmt_unix_time = server_random[0..3]; ServerHello.random = freshness_funct( server_random + "tls12 pfs" ); ServerHello.random[0..3] = gmt_unix_time;
The operation MUST be performed by the LURK Server as well as the TLS Server, upon receiving the master secret or the signature of the ecdhe_params from the LURK Client.
The "rsa_master" response payload contains the master secret and has the following structure:
struct { opaque master[0..47]; } TLS12RSAMasterResponsePayload;
A LURK Client initiates an rsa_master or an rsa_master_with_poh exchange in order to retrieve the master secret. The LURK exchange happens on the TLS Server side (Edge Server). Upon receipt of the master_secret the Edge Server generates the session keys and finish the TLS key exchange protocol.
A LURK Client MAY use the rsa_master_with_poh to provide the LURK Server evidences that the LURK exchange is performed in the context of a TLS handshake. The Proof of TLS Hanshake (POH) helps the LURK Server to audit the context associated to the query.
The LURK Client MUST ensure that the transmitted values for server_random is S such as server_random = freshness_funct( S ).
Upon receipt of a rsa_master or a rsa_master_with_poh request, the LURK Server proceeds according to the following steps:
A exchange of type "rsa_extended_master" enables the LURK Client to delegate the RSA Key Exchange and authentication. The LURK Server returns the extended master secret as defined in [RFC7627].
The "rsa_extended_master" request has the following structure:
enum { sha256 (0), (255) } PRFAlgorithm enum { null(0), sha256_128(1), sha256_256(2), (255) }POOPRF struct { KeyPairID key_id PFSAlgorithm freshness_funct // see RFC5246 section 6.1 opaque handshake_messages<2...2^16-2> // see RFC7627 section 4 }TLS12ExtendedMasterRSARequestPayload;
The "rsa_extended_master_with_poh" request has the following structure:
struct { KeyPairID key_id PFSAlgorithm freshness_funct // see RFC5246 section 6.1 opaque handshake_messages<2...2^16-2> // see RFC5246 section 7.4.9 Finished finished } }TLS12ExtendedMasterRSAWithPoHRequestPayload;
rsa_extended_master response payload has a similar structure as the rsa_master response payload Section 4.2.
The LURK Client proceeds as described in {{sec-rsa-master-clt}. The main difference is that the necessary element to generate the master secret are included in the handshake and or not provided separately.
The LURK Server proceeds as described in Section 4.4 except that the generation of the extended master is processed as described in [RFC7627].
A exchange of type "ecdhe" enables the LURK Client to delegate the ECDHE_RSA [RFC5246] or the ECDHE_ECDSA [I-D.ietf-tls-rfc4492bis] authentication.
The "ecdhe" request payload has the following structure:
enum { null(0), sha256_128(1), sha256_256(2), (255) }POOPRF struct { POOPRF poo_prf; select( poo_prf) { case ( "null" ): case ( "sha256_128" or "sha256_256" ): ECPoint rG; //I-D.ietf-tls-rfc4492bis section 5.4 ECPoint tG; } } TLS12POOParams; struct { KeyPairID key_id; PRFAlgorithm freshness_funct; Random client_random; // see RFC5246 section 7.4.1.2 Random server_random; SignatureAndHashAlgorithm sig_and_hash //RFC 5246 section 4.7 ServerECDHParams ecdhe_params; // I-D.ietf-tls-rfc4492bis section 5.4 POOParams poo_params; } TLS12ECDHERequestPayload;
The proof of ownership consists in the LURK Client proving the knowledge of the private random b, while not disclosing b.
c MUST NOT be under the control of the LURK Client. To achieve that goal, c is generated as described below:
c = poo_prf ( base + ecdhe_params + "tls12 poo")
The LURK Client computes t = cb + r and sends rG, tG, in poo_params and bG in the ecdhe_params
The LURK Server computes c(bG) + rG and compares the output with tG. The equality proves the ownership of b by the LURK Client.
Note r and c may be treated as "very short-term secrets" but MUST remain non-predictable. It is RECOMMENDED to use a length equivalent to the expected level of security, that is 128 bit length (resp. 256 bit length) for a 128 (resp 256) bit security level. Given b, we RECOMMEND r and c to be at least half the size of b.
The "ecdhe" response payload has the following structure:
struct { Signature signed_params; // I-D.ietf-tls-rfc4492bis section 5.4 } TLS12ECDHEResponsePayload;
The LURK Client builds the base as described in Section 4.1. The LURK Client computes c, t, rG and tG as described in Section 6.1.
Upon receiving the response payload, the LURK Client MAY check the signature. If the signature does not match an error SHOULD be reported.
Upon receiving an ecdhe request, the LURK Server proceeds as follows:
Error are expected to provide the LURK Client an indication of the cause that resulted in the error. When an error occurs the LURK Server MAY ignore the request, or provide more generic error codes such as "undefined_error" or "invalid_format".
A exchange of type "capabilities" enables the LURK Client to be informed of the supported operations performed by the LURK Server. The supported parameters are provided on a per type basis.
A LURK "capabilities" request has no payload.
The "capabilities" response payload lists for each supported type, the supported certificates, the supported signatures and hash associated. The "capabilities" payload has the following structure:
struct { KeyPairID key_id_type_list<0..255>; PFSAlgorithmList freshness_funct_list<0..255> OptionList option_list<0..255> Certificate certificate_list } TLS12RSACapability; struct { TLS12RSACapability rsa_cap; SignatureAndHashAlgorithm sig_and_hash_list<0..255> NameCurve ecdsa_curves_list<0..255>; NameCurve ecdhe_curves_list<0..255> POOPRF poo_prf_list<0..255> } TLS12ECDHECapability; struct { uint32 length; TLS12Type type Select( type ) { case rsa_master : TLS12RSACapability, case rsa_extended_master : TLS12RSACapability, case ecdhe : TLS12ECDHECapability } capability ; } TLS12Capability struct { TLS12Capability capability_list; opaque state<32>; } TLS12CapabilitiesResponsePayload;
The LURK Client performs a capability request in order to determine the possible operations.
The LURK Client is expected to keep the state value to be able to detect a change in the LURK Server configuration when an error occurs.
Upon receiving a capabilities request, the LURK Extension MUST return the capabilities payload associated to a "success" status to the LURK Server. These information are then forwarded by the LURK Server to the LURK Client.
A exchange of type "ping" enables the LURK Client to check the reachability in a context of the defined LURK Extension.
A "ping" request has no payload.
A "ping" response has no payload.
The LURK Client sends a "ping" request to test the reachability of the LURK Server. The reachability is performed for the tls12 LURK Extension.
Upon receiving a ping request, the LURK Extension MUST return the ping response associated with a "success" status to the LURK Server. These information are then forwarded by the LURK Server to the LURK Client.
The security considerations defined in [I-D.mglt-lurk-lurk] applies to the LURK Extension "tls12" defined in this document.
Anti-replay mechanisms rely in part on the security of channel between the LURK Client and the LURK Server. As such the channel between the LURK Client and the LURK Server MUST be ensuring confidentiality and integrity. More specifically, the exchanges between the LURK Client and the LURK Server MUST be an encrypted with authentication encryption, and the two parties had previously mutually authenticated.
The LURK Extension "tls12" is expected to have response smaller that the request or at least not significantly larger, which makes "tls12" relatively robust to amplification attacks. This is especially matters when LURK is using UDP. The use of an authenticated channel reduces also the risk of amplification attacks even when UDP is being used.
The LURK Client and the LURK Server use time in their way to generate the server_random. Care MUST be taken so the LURK Client and LURK Server remain synchronized.
The rsa_master and rsa_extended_master returns the master_secret instead of the premaster. The additional hashing operation necessary to generate the master secret is expected to improve the protection of the RSA private key against cryptographic analysis based on the observation of a set of clear text and corresponding encrypted text.
The standard TLS1.2 is robust against Bleichenbacher attack as it provides no means to detect if the error comes from a TLS version mismatch or from the premaster format. This properties remain with LURK, and so LURK does not present vulnerabilities toward Bleichenbacher attack, and cannot be used as a decryption oracle.
A passive attacker observing the ecdhe exchange may collect a sufficient amount of clear text and corresponding signature to perform a cryptographic analysis or to reuse the signature for other purposes. As a result, it remains important to encrypt the ecdhe exchange between the LURK Client and the LURK Server. Note that this vulnerability is present in TLS 1.2 as a TLS Client can accumulate these data as well. The difference with LURK is by listening the LURK Server, the accumulation is achieved for all TLS Clients.
As previously mentioned, the LURK Server may be used as signing oracle for the specific string:
SHA(ClientHello.random + ServerHello.random + ServerKeyExchange.params);
More specifically, the ECDHE_RSA and ECDHE_DSA mechanisms does not associate the signature to a TLS1.2 context. As a result, an attacker could re-used the signature in another context.
The attack may operate by collecting a large collection of clear text and their corresponding signature. When the attacker want to provide a signature, it checks in its database, a match occurs between the two contents to be signed. The probability of a collision increases with number of available hashes. The attack is related the pre-image and collision resistance properties of the hash function.
The attacker may also given a clear text to be signed, generate a collision such that a collision occurs which provides is related to the second pre-image and collision resistance property of the hash function.
The surface of attack is limited by:
This document uses sha256 as the freshness_funct, in order to achieve PFS Section 4.1.1 as described above. By construction of the server_random, of the output of freshness_funct we will keep only the last 28 bytes. The PFS property is in place as long as this truncated version of freshness_funct can be considered a CRHF and that the 28 bytes of randomness carried by the server_random are sufficient. Otherwise, the mechanism described in this document will not be considered as safe.
Details on the truncation will be added. Alternatively, we could use a hash function like SHA3 (or, more explicitly SHAKE) which considers variable output length as part of its design. The SHAKE functions allow arbitrary output lengths and the PFS-input S can be of arbitrary length too. However, for SHAKE128-d, if the truncated output is of length d as low as 224 bits (28 bytes), then one only gets 224/2=112 bits security w.r.t. collision-resistance, > 112 bits w.r.t. preimage resistance and 112 bits security w.r.t. second preimage resistance.
One reason why we have the hash-based solution to is to reduce communication costs between the LURK Client and the LURK Server, whilst still getting more than some security w.r.t. a MiM corrupting a LURK Client and then attempting a PFS attack.
But, if we disregard the overhaed on communication costs, we can consider other mechanisms not based on CRHF for attaining PFS security. See I and II below.
I. For example, as freshness_funct, one can use an instance of a pseudo random function (PRF), keyed on a key K that the LURK Server already shares with the LURK Client. I.e., server_random=freshness_funct(S;K). In this case, the mechanisms to achieve PFS are as follows: 1. The LURK Client and the LURK Server run a key-establishment protocol before every LURK session to establish such a new key K for every LURK session. Alternatively, the export this key of the key-establishment run to secure the channel. The time-to-live of K is one session only. 2. The LURK Server generates the value S on its side and send the server_random to the LURK Client. 3. The LURK Client uses this server_random with the TLS Client 4. The LURK Server checks the correctness of the use of the said server_random when the query for the master_secret is made, with the messages forwarded therein;
II. In fact, since the channel between the LURK Client and the LURK Server MUST be encrypted by default, all for 2 steps in point I above can be combined into 1 step (without the need of a specially executed key-establishment): a. the LURK Server sends the server_random to the LURK Client. b. the LURK Client uses this server_random with the TLS Client c. the LURK Server checks the correctness of the use of the said server_random when the query for the master_secret is made, with the messages forwarded therein;
Yet, option I and option II are more expensive on the communication than the version achieving PFS with a hash function. I.e., in I and II, the LURK Server needs to be involved on the first part of the TLS handshake to produce the S or server_random for the LURK Client. However, note that the LURK Client no longer queries S, hence the risk of a man-in-the-middle querying an old S is eliminated by design.
Option II above is akin to what "Content delivery over TLS: a cryptographic analysis of keyless SSL," by K. Bhargavan, I. Boureanu, P. A. Fouque, C. Onete and B. Richard at 2017 IEEE European Symposium on Security and Privacy (EuroS&P), Paris, 2017, pp. 1-16, suggested in order to amend (forward-secrecy) attacks on Keyless SSL.
The requested information is defined in [I-D.mglt-lurk-lurk].
LURK Extension Designation: tls12 LURK Extension Reference: [RFD-TBD] LURK Extension Description: RSA, ECDHE_RSA and ECDHE_ECDSA for (D)TLS 1.2.
LURK tls12 Extension Status Value Description Reference --------------------------------------------------- 0 - 1 Reserved [RFC-TBD-LURK] 2 undefined_error [RFC-TBD] 3 invalid_payload_format [RFC-TBD] 4 invalid_key_id_type [RFC-TBD] 5 invalid_key_id [RFC-TBD] 6 invalid_tls_random [RFC-TBD] 7 invalid_prf [RFC-TBD] 8 invalid_encrypted_premaster [RFC-TBD] 9 invalid_finished [RFC-TBD] 10 invalid_ec_type [RFC-TBD] 11 invalid_ec_curve [RFC-TBD] 12 invalid_poo_prf [RFC-TBD] 13 invalid_poo [RFC-TBD] 14 - 255 UNASSIGNED LURK tls12 Extension Type Value Description Reference ---------------------------------------------- 0 capabilities [RFC-TBD] 1 ping [RFC-TBD] 2 rsa_master [RFC-TBD] 2 rsa_master_with_poh [RFC-TBD] 3 rsa_extended_master [RFC-TBD] 3 rsa_extended_master_with_poh [RFC-TBD] 4 ecdhe [RFC-TBD] 16 - 255 UNASSIGNED
We would like to thank for their very useful feed backs: Yaron Sheffer, Yoav Nir, Stephen Farrell, Eric Burger, Thomas Fossati, Eric Rescorla Mat Naslung, Rich Salz. Many ideas in this document are from [I-D.erb-lurk-rsalg].
We would also like to thank those that have supported LURK or raised interesting discussions. This includes among others Robert Skog, Hans Spaak, Salvatore Loreto, John Mattsson, Alexei Tumarkin, Yaron Sheffer, Richard Brunner, Stephane Dault, Dan Kahn Gillmor, Joe Hildebrand, Kelsey Cairns.
## LURK Exchange for TLS RSA Master Secret
TLS Client Edge Server Key Server ClientHello server_version client_random cipher_suite TLS_RSA_*, ... --------> S = server_random server_random = freshness_funct( S ) ServerHello tls_version server_random Cipher_suite=TLS_RSA Certificate RSA Public Key ServerHelloDone <-------- ClientKeyExchange EncryptedPremasterSecret [ChangeCipherSpec] Finished --------> TLS12 Request Header TLS12MasterRSARequestPayload key_id client_random S freshness_funct EncryptedPremasterSecret --------> server_random = freshness_funct( S ) master_secret = PRF(\ pre_master_secret + \ "master secret" +\ client_random +\ server_random)[0..47]; TLS12 Response Header TLS12MasterResponsePayload master <-------- [ChangeCipherSpec] Finished <-------- Application Data <-------> Application Data
TLS Client Edge Server Key Server ClientHello tls_version cipher_suite TLS_RSA_*, ... Extension 0x0017 --------> ServerHello edge_server_version cipher_suite=TLS_RSA Extension 0x0017 Certificate RSA Public Key ServerHelloDone <-------- ClientKeyExchange EncryptedPremasterSecret [ChangeCipherSpec] Finished --------> TLS12 Request Header TLS12ExtendedMasterRSAInputPayload key_id tls_version master_prf session_hash EncryptedPreMasterSecret --------> 1. Computing Master Secret master_secret = master_prf( pre_master_secret +\ "extended master secret" +\ session_hash)[0..47] TLS12 Response Header TLS12MasterPayload master <-------- [ChangeCipherSpec] Finished <-------- Application Data <-------> Application Data
TLS Client Edge Server Key Server ClientHello tls_version client_random cipher_suite TLS_ECDHE_ECDSA_*, TLS_ECDHE_RSA_*, ... Extension Supported EC, Supported Point Format --------> S = server_random server_random = freshness_funct( S ) TLS12 Request Header TLS12ECDHEInputPayload key_id client_random S ecdhe_params --------> server_random = freshness_funct( S ) signature = ECDSA( client_random +\ server_random + ecdhe_params ) TLS12 Response Header TLS12DigitallySignedPayloads signature <-------- ServerHello tls_version server_random Cipher_suite=TLS_ECDHE_ECDSA Extension Supported EC, Supported Point Format Certificate ECDSA Public Key ServerKeyExchange ecdhe_params signature ServerHelloDone <-------- ClientKeyExchange [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] Finished <-------- Application Data <-------> Application Data
[I-D.erb-lurk-rsalg] | Erb, S. and R. Salz, "A PFS-preserving protocol for LURK", Internet-Draft draft-erb-lurk-rsalg-01, May 2016. |
[I-D.fieau-cdni-https-delegation] | Fieau, F., Emile, S. and S. Mishra, "HTTPS delegation in CDNI", Internet-Draft draft-fieau-cdni-https-delegation-02, July 2017. |
[I-D.ietf-acme-acme] | Barnes, R., Hoffman-Andrews, J., McCarney, D. and J. Kasten, "Automatic Certificate Management Environment (ACME)", Internet-Draft draft-ietf-acme-acme-12, April 2018. |
[I-D.ietf-acme-star] | Sheffer, Y., Lopez, D., Dios, O., Pastor, A. and T. Fossati, "Support for Short-Term, Automatically-Renewed (STAR) Certificates in Automated Certificate Management Environment (ACME)", Internet-Draft draft-ietf-acme-star-03, March 2018. |
[I-D.ietf-tls-tls13] | Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", Internet-Draft draft-ietf-tls-tls13-28, March 2018. |
[I-D.mglt-lurk-lurk] | Migault, D., "LURK Protocol version 1", Internet-Draft draft-mglt-lurk-lurk-00, February 2018. |
[I-D.mglt-lurk-tls-use-cases] | Migault, D., Ma, K., Salz, R., Mishra, S. and O. Dios, "LURK TLS/DTLS Use Cases", Internet-Draft draft-mglt-lurk-tls-use-cases-02, June 2016. |
[I-D.rescorla-tls-subcerts] | Barnes, R., Iyengar, S., Sullivan, N. and E. Rescorla, "Delegated Credentials for TLS", Internet-Draft draft-rescorla-tls-subcerts-02, October 2017. |
[I-D.sheffer-acme-star-request] | Sheffer, Y., Lopez, D., Dios, O., Pastor, A. and T. Fossati, "Generating Certificate Requests for Short-Term, Automatically-Renewed (STAR) Certificates", Internet-Draft draft-sheffer-acme-star-request-02, June 2018. |