diff options
author | Simon Josefsson <simon@josefsson.org> | 2006-11-22 09:08:22 +0000 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2006-11-22 09:08:22 +0000 |
commit | 76fd441582391cb1f3b1b3460ea588f38affb051 (patch) | |
tree | 0439b4822fcce121f125e5c32625c85e5ba8eeca | |
parent | 7f48ddbe5b8d3692c71839a9f33825747be626f4 (diff) | |
download | gnutls-76fd441582391cb1f3b1b3460ea588f38affb051.tar.gz |
Add.
-rw-r--r-- | doc/protocol/draft-housley-evidence-extns-01.txt | 1176 |
1 files changed, 1176 insertions, 0 deletions
diff --git a/doc/protocol/draft-housley-evidence-extns-01.txt b/doc/protocol/draft-housley-evidence-extns-01.txt new file mode 100644 index 0000000000..639dd0b481 --- /dev/null +++ b/doc/protocol/draft-housley-evidence-extns-01.txt @@ -0,0 +1,1176 @@ + + + + +Internet-Draft M. Brown +November 2006 RedPhone Security +Expires: May 2007 R. Housley + Vigil Security + + + Transport Layer Security (TLS) Evidence Extensions + <draft-housley-evidence-extns-01.txt> + + + +Status of this Memo + + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + +Copyright Notice + + Copyright (C) The Internet Society (2006). All Rights Reserved. + +Abstract + + This document specifies evidence creation extensions to the Transport + Layer Security (TLS) Protocol. Extension types are carried in the + client and server hello message extensions to confirm that both + parties support the protocol features needed to perform evidence + creation. The syntax and semantics of the evidence creation alerts + and messages are described in detail. + + + + + +Brown & Housley [Page 1] + +Internet-Draft November 2006 + + +1. Introduction + + Transport Layer Security (TLS) protocol [TLS1.0][TLS1.1] is being + used in an increasing variety of operational environments, including + ones that were not envisioned when the original design criteria for + TLS were determined. The extensions specified in this document + support evidence creation in environments where the peers in the TLS + session cooperate to create persistent evidence of the TLS-protected + application data. Such evidence may be necessary to meet business + requirements, including regulatory requirements. Also, evidence may + be used in tandem with authorization information to make high + assurance access control and routing decisions in military and + government environments. Evidence created using this extension may + also be used to audit various aspects of the TLS handshake, including + the cipher suite negotiation and the use of other TLS extensions. In + many cases, the evidence does not need to be validated by third + parties; however, in other cases, the evidence might be validated by + third parties. To accommodate all of these situations, the evidence + is generated using a digital signature. Since validation of a + digital signature requires only public information, evidence + generated with this mechanism is suitable for sharing with third + parties. + + When digital certificates are to be employed in evidence creations, + the client must obtain the public key certificate (PKC) for the + server, and the server must obtain the PKC for the client. This is + most easily accomplished by using the PKCs provided in the Handshake + Protocol Certificate messages. Further, both parties SHOULD have an + opportunity to validate the PKC that will be used by the other party + before evidence creation. Again, this is naturally accomplished + using the Handshake Protocol, where the TLS session can be rejected + if the PKC cannot be validated. + + This document describes evidence creation TLS extensions supporting + both TLS 1.0 and TLS 1.1. These extensions observe the conventions + defined for TLS Extensions [TLSEXT]. The extensions are designed to + be backwards compatible, meaning that the protocol alerts and + messages associated with the evidence creation extensions will be + exchanged only if the client indicates support for them in the client + hello message and the server indicates support for them in the server + hello message. + + Clients typically know the context of the TLS session before it is + established. As a result, the client can request the use of the + evidence creation extensions in sessions where they might be needed. + Servers accept extended client hello messages, even if the server + does not support the all of the listed extensions. However, the + server will not indicate support for any extensions that are not + + + +Brown & Housley [Page 2] + +Internet-Draft November 2006 + + + "understood" by the implementation. At the end of the hello message + exchange, the client may reject communications with servers that do + not support the evidence creation extensions, or the client may + accept the situation and proceed, whichever is appropriate. + +1.1. Conventions + + The syntax for the evidence creation messages is defined using the + TLS Presentation Language, which is specified in Section 4 of + [TLS1.0]. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in RFC 2119 [STDWORDS]. + +1.2. Overview + + Figure 1 illustrates the placement of the evidence creation alerts + and messages in the TLS session. The first pair of evidence creation + alerts indicates the beginning of the protected content that will be + covered by the evidence. The first pair of alerts can appear any + place after the TLS Handshake Protocol Finished messages, which + ensures that they are integrity protected. The second pair of + evidence creation alerts indicates the ending of the protected + content that will be covered by the evidence. Immediately after the + reception of the final alert, a pair of Evidence Protocol messages is + exchanged to create the persistent evidence. + + Generating evidence is not compatible with Diffie-Hellman Ephemeral + (DHE) key exchanges. DHE does not permit the same keying material to + be generated for validation of the evidence after the TLS session is + over. Persistent evidence requires the use of a digital signature so + that it can be validated well after the TLS session is over. + + The ClientHello message includes an indication that the evidence + creation messages are supported. The ServerHello message also + includes an indication that the evidence creation messages are + supported. Both the client and the server MUST indicate support for + the evidence protocol alerts and messages; otherwise they MUST NOT be + employed by either the client or the server. + + + + + + + + + + + +Brown & Housley [Page 3] + +Internet-Draft November 2006 + + + Client Server + + ClientHello --------> + ServerHello + Certificate+ + ServerKeyExchange* + CertificateRequest+ + <-------- ServerHelloDone + Certificate+ + ClientKeyExchange + CertificateVerify+ + ChangeCipherSpec + Finished --------> + ChangeCipherSpec + <-------- Finished + Application Data <-------> Application Data + Alert(evidence_start1) --------> + Application Data + <-------- Alert(evidence_start2) + + Application Data <-------> Application Data + Alert(evidence_end1) --------> + Application Data + <-------- Alert(evidence_end2) + EvidenceRequest --------> + <-------- EvidenceResponse + Application Data <-------> Application Data + + * Indicates optional or situation-dependent messages that + are not always sent. + + Indicates messages optional to the TLS handshake that + MUST be sent when using TLS evidence. + + + Figure 1. Example TLS Session with Evidence Creation. + + + + + + + + + + + + + + + + +Brown & Housley [Page 4] + +Internet-Draft November 2006 + + +2. Evidence Extension Types + + The general extension mechanisms enable clients and servers to + negotiate whether to use specific extensions, and how to use specific + extensions. As specified in [TLSEXT], the extension format used in + the extended client hello message and extended server hello message + within the TLS Handshake Protocol is: + + struct { + ExtensionType extension_type; + opaque extension_data<0..2^16-1>; + } Extension; + + The extension_type identifies a particular extension type, and the + extension_data contains information specific to the particular + extension type. + + As specified in [TLSEXT], for all extension types, the extension type + MUST NOT appear in the extended server hello message unless the same + extension type appeared in the preceding client hello message. + Clients MUST abort the handshake if they receive an extension type in + the extended server hello message that they did not request in the + preceding extended client hello message. + + When multiple extensions of different types are present in the + extended client hello message or the extended server hello message, + the extensions can appear in any order, but there MUST NOT be more + than one extension of the same type. + + This document specifies the use of the evidence_creation extension + type. This specification adds one new type to ExtensionType: + + enum { + evidence_creation(TBD), (65535) + } ExtensionType; + + The evidence_creation extension is relevant when a session is + initiated and also for any subsequent session resumption. However, a + client that requests resumption of a session does not know whether + the server has maintained all of the context necessary to accept this + request, and therefore the client SHOULD send an extended client + hello message that includes the evidence_creation extension type. + This indicates that the client requests the server's continued + cooperation in creating evidence. If the server denies the + resumption request, then the evidence_creation extension will be + negotiated normally using the full Handshake protocol. + + Clients MUST include the evidence_creation extension in the extended + + + +Brown & Housley [Page 5] + +Internet-Draft November 2006 + + + client hello message to indicate their desire to send and receive + evidence creation alerts and messages. The extension_data field + indicates the evidence creation algorithms that are supported. The + format is indicated with the EvidenceCreateList type: + + uint16 EvidenceCreateSuite[2]; + + struct { + EvidenceCreateSuite evidence_suites<2..2^16-1>; + } EvidenceCreateList; + + The EvidenceCreateList enumerates the evidence creation algorithms + that are supported by the client. The client MUST order the entries + from most preferred to least preferred, but all of the entries MUST + be acceptable to the client. Values are defined in Appendix A, and + others can be registered in the future. + + Servers that receive an extended client hello message containing the + evidence_creation extension MUST respond with the evidence_creation + extension in the extended server hello message if the server is + willing to send and receive evidence creation alerts and messages. + The evidence_creation extension MUST be omitted from the extended + server hello message if the server is unwilling to send and receive + using one of the evidence creation algorithm suites identified by the + client. The extension_data field indicates the evidence creation + algorithm suite that the server selected from the list provided by + the client. The format is indicated with the EvidenceCreateSuite + type defined above. + +3. Alert Messages + + This document specifies the use of four new alert message + descriptions: the evidence_start1, evidence_start2, evidence_end1, + and evidence_end2. These descriptions are specified in Sections 3.1, + 3.2, 3.3, and 3.4, respectively. The alert descriptions are + presented below in the order they MUST be sent; sending alerts in an + unexpected order results in a fatal error. These descriptions are + always used with the warning alert level. This specification adds + four new types to AlertDescription: + + enum { + evidence_start1(TBD), + evidence_start2(TBD), + evidence_end1(TBD), + evidence_end2(TBD), + evidence_failure(TBD), + (255) + } AlertDescription; + + + +Brown & Housley [Page 6] + +Internet-Draft November 2006 + + +3.1. The evidence_start1 Description + + The client and the server need to synchronize evidence creation. + Either party may indicate the desire to start creating evidence by + sending the evidence_start1 alert. If the other party is ready to + begin creating evidence, then the other party MUST send an + evidence_start2 alert in response to the evidence_start1 alert that + was sent. If the other party is unwilling to begin creating + evidence, the other party MUST respond with fatal + evidence_failure(TBD) alert and terminate the TLS session. + + Evidence may be collected more than once during a TLS session; + however, evidence gathering MUST NOT be nested. That is, a party + sending the a second evidence_start1 alert before evidence_end2 alert + has occurred and the evidence protocol has completed is a protocol + violation. Reception of an evidence_start1 alert that would result + in evidence nesting MUST be responded to with a fatal + evidence_failure(TBD) alert and terminating the TLS session. + + Digital signatures are used in evidence creation. If an + evidence_start1 alert is received before the other party has provided + a valid PKC, then the evidence_start1 alert recipient MUST terminate + the TLS session using a fatal certificate_unknown alert. + +3.2. The evidence_start2 Description + + The evidence_start2 alert is sent in response to the evidence_start1 + alert. By sending the evidence_start2 alert, the sending party + indicates that they are also ready to begin creating evidence. After + this pair of alerts is exchanged, both the client and the server use + the hash function indicated in the extended server hello message to + start computing the evidence. Each party computes two independent + hash values: one for each octet that is written, and one for each + octet that is read. + + Digital signatures are used in evidence creation. If an + evidence_start2 alert is received before the other party has provided + a valid PKC, then the evidence_start2 alert recipient MUST terminate + the TLS session using a fatal certificate_unknown alert. + +3.3. The evidence_end1 Description + + Either party may initiate the closure of an evidence-creating + interval and the exchange of evidence messages by sending the + evidence_end1 alert. Upon sending evidence_end1, the sender MUST not + send any more application data on this connection until the Evidence + Protocol messages are exchanged. + + + + +Brown & Housley [Page 7] + +Internet-Draft November 2006 + + + The evidence_end1 alert sender MAY initiate the Evidence Protocol as + described in Section 4 at any time following this alert. The + evidence_end1 alert sender SHOULD ensure that it has received all + pending application data writes from the other party before + initiating the Evidence Protocol. One way to ensure that all of the + application data has been received it to wait for the receipt of an + evidence_end2 alert. If the Evidence Protocol begins before all of + the application data is available, the result will be a fatal + evidence_failure(TBD) alert when signature verification fails. + +3.4. The evidence_end2 Description + + The evidence_end2 alert is sent in response to the evidence_end1 + alert. The evidence_end1 alert receiver SHOULD complete any pending + writes. The intent is to include any application data that would be + sent in response to application data that was received before the + evidence_end1 alert as part of evidence creation. Once the pending + writes are complete, the evidence_end1 alert receiver sends the + evidence_end2 alert. + + At this point, each party completes the hash value computations. + + The evidence_end2 alert receiver MUST respond by initiating the + Evidence Protocol as described in Section 4, if it has not already + done so. + +3.5. The evidence_failure Description + + The evidence_failure fatal alert is sent to indicate a failure in + evidence creation. During evidence synchronization, this alert + indicates that the sending party is unwilling to begin evidence + creation. During the Evidence Protocol, this alert indicates that + the evidence provided by the other party is not acceptable or cannot + be validated. + +4. Evidence Protocol + + This document specifies an additional TLS Protocol: the Evidence + Protocol. It is used to create persistent evidence of the TLS + session content. This specification adds one new Record layer + ContentType: + + enum { + evidence(TBD), + (255) + } ContentType; + + + + + +Brown & Housley [Page 8] + +Internet-Draft November 2006 + + + Persistence evidence of the TLS session content is produced by the + TLS Evidence Protocol. Evidence messages are supplied to the TLS + Record Layer, where they are encapsulated within one or more + TLSPlaintext structures, which are processed and transmitted as + specified by the current active session state. + + The Evidence Protocol structure follows: + + enum { + request(1), response(2), (255) + } EvidenceMsgType; + + struct { + EvidenceMsgType evidence_msg_type; + uint24 length; /* number of octets in message */ + select (EvidenceMsgType) { + case request: EvidenceRequest; + case response: EvidenceResponse; + } body; + } EvidenceProtocol; + + The Evidence Protocol messages are presented below in the order they + MUST be sent; sending evidence messages in an unexpected order + results in a fatal unexpected_message(10) alert. The EvidenceRequest + message and the EvidenceResponse message are specified in Section 4.2 + and Section 4.3, respectively. Section 4.1 describes structures that + are used in the EvidenceRequest and EvidenceResponse messages. + +4.1. Certificates and Digital Signatures + + The evidence Protocol makes use of the ASN.1Cert definition used + elsewhere in TLS. It is repeated here for convenience. + + opaque ASN.1Cert<1..2^24-1>; + + + + + + + + + + + + + + + + + +Brown & Housley [Page 9] + +Internet-Draft November 2006 + + + The EvidenceSignature definition is very similar to the Signature + definition used elsewhere in TLS. The EvidenceSignature definition + signs hash[hash_size], but the Signature definition used elsewhere in + TLS signs a combination of an md5_hash and a sha_hash. Also, the + EvidenceSignature definition excludes the anonymous case. + + enum { rsa, dsa, ecdsa } EvidenceSignatureAlgorithm; + + select (EvidenceSignatureAlgorithm) + { case rsa: + digitally-signed struct { + opaque hash[hash_size]; + }; + case dsa: + digitally-signed struct { + opaque hash[hash_size]; + }; + case ecdsa: + digitally-signed struct { + opaque hash[hash_size]; + }; + } EvidenceSignature; + + The hash algorithm and the hash_size depend on evidence create + algorithm suite selected by the server in the evidence_creation + extension. + +4.2. EvidenceRequest Message + + The EvidenceRequest message contains the evidence_end1 alert sender's + contribution to the persistent evidence. It employs the evidence + create algorithm suite selected by the server in the + evidence_creation extension in the extended server hello message. + + struct { + Evidence evidence<1..2^16-1>; + ASN.1Cert party1_certificate; + EvidenceSignature party1_signature; + } EvidenceRequest; + + + + + + + + + + + + +Brown & Housley [Page 10] + +Internet-Draft November 2006 + + + struct { + EvidenceCreateSuite evidence_suite; + uint64 gmt_unix_time; + uint64 app_data_sent_offset; + uint64 app_data_received_offset; + opaque handshake_protocol_hash<1..512>; + opaque app_data_sent_hash<1..512>; + opaque app_data_received_hash<1..512>; + } Evidence; + + The elements of the EvidenceRequest structure are described below: + + evidence + Contains an evidence create algorithm identifier, a timestamp, + and three hash values in the Evidence structure as described + below. + + party1_certificate + Contains the X.509 certificate of the signer. While this + certificate was probably exchanged and validated in the + Handshake Protocol, inclusion here makes it clear which + certificate was employed by the signer when the evidence is + validated in the future, possibly by a third party. + + party1_signature + Contains the digital signature computed by the sender of the + evidence_end1 alert using the evidence creation algorithm suite + identified in evidence_create_suite. The hash value is + computed as: + + Hash(evidence) + + The elements of the Evidence structure are described below: + + evidence_suite + Indicates the evidence creation algorithm suite selected by the + server in the evidence_creation extension in the Handshake + Protocol. This value determines the structure of the hash + values and digital signatures. + + gmt_unix_time + Indicates the current date and time according to the local + system clock used by the sender of the evidence_end1 alert. + This time value is intended to represent the moment in time + that evidence_end1 was sent. Unlike other places in the TLS + protocol, a 64-bit value is used to ensure that time values do + not wrap in 2038. + + + + +Brown & Housley [Page 11] + +Internet-Draft November 2006 + + + app_data_sent_offset + Indicates the number of octets that were sent as part of this + TLS session before evidence collection began. + + app_data_received_offset + Indicates the number of octets that were received as part of + this TLS session before evidence collection began. + + handshake_protocol_hash + Compute as: + + Hash(handshake_messages), + + where handshake_messages refers to all Handshake Protocol + messages sent or received, beginning with the most recent + client hello message. If the double handshake mechanism + described in the security considerations of [TLSAUTHZ] is used + to encrypt the Handshake Protocol, the plaintext form of these + messages is used in calculating this hash value. + + Verification of the handshake_protocol_hash is performed using + the plaintext form of the Handshake protocol messages. For + this hash value to be validated at a later time, this + information must be saved as part of the overall evidence. Any + attempt to save this data must ensure that it is not + inappropriately disclosed by employing suitable physical + protection or cryptographic mechanisms that are at least as + strong as the selected TLS ciphersuite. Suitable controls are + discussed further in the Security Considerations; see Section + 6. + + In the case of successful TLS session resumption, the most + recent client hello message will contain a valid + ClientHello.session_id value as well as extensions, and these + extensions may include sensitive data. The TLS Authorization + Extension [AUTHZ] is one example where an extension might + contain sensitive information. Thus, even when session + resumption is employed, the content of the Handshake protocol + messages ought to be protected. + + TLS users should ensure that the content of the Handshake + protocol messages contain sufficient evidence to determine the + intent of the signers, where "signers" are defined as the + subject identities in the exchanged X.509 certificates. + Clients and servers MAY record the protocol messages containing + an expression of the intent of the signers using a suitable TLS + extension [TLSEXT], such as [TLSAUTHZ]. For example, a client + may request access to a resource provided by the server, + + + +Brown & Housley [Page 12] + +Internet-Draft November 2006 + + + provide sufficient authentication and authorization information + grounds to convince the server to grant the requested access, + and receive an affirmative response from the server. A record + of TLS Handshake protocol messages representing this example + may provide a sufficient record of the intent of both the + client and the server. + + app_data_sent_hash + Compute as: + + Hash(sent_application_data), + + where sent_application_data refers to all of the Application + Data messages sent since the most recent evidence_start1 or + evidence start2 alert was sent, and ending with the sending of + the evidence_end1 alert. The alerts are not application data, + and they are not included in the hash computation. + + app_data_received_hash + Compute as: + + Hash(received_application_data), + + where received_application_data refers to all of the + Application Data messages received since the most recent + evidence_start1 or evidence start2 alert was received, and + ending with the receipt of the evidence_end2 alert. The alerts + are not application data, and they are not included in the hash + computation. + +4.3. EvidenceResponse Message + + The EvidenceResponse message contains the complete persistent + evidence. The value is saved by one or both parties as evidence of + the TLS session content identified by the evidence_start1, + evidence_start2, evidence_end1, and evidence_end2 alerts. + + struct { + Evidence evidence<1..2^16-1>; + ASN.1Cert party1_certificate; + EvidenceSignature party1_signature; + ASN.1Cert party2_certificate; + EvidenceSignature party2_signature; + } EvidenceResponse; + + + + + + + +Brown & Housley [Page 13] + +Internet-Draft November 2006 + + + The elements of the EvidenceResponse structure are described below: + + evidence + Contains an evidence create algorithm identifier, a timestamp, + and three hash values in the Evidence structure as described in + section 4.2. The evidence creation algorithm MUST match the + evidence create algorithm suite selected by the server in the + evidence_creation extension in the extended server hello + message. The timestamp MUST be acceptable to the + EvidenceRequest recipient as the same value is provided in the + EvidenceResponse message. The three hash values received in + the EvidenceRequest message MUST match locally computed values + over the same data. Note that the app_data_sent_hash and the + app_data_received_hash values represent the session from the + perspective of the EvidenceRequest originator, and the values + are not swapped to represent the EvidenceRequest recipient + perspective. If any of these conditions is not met, then the + EvidenceResponse message MUST NOT be sent, and the TLS session + MUST be closed immediately after sending a fatal + evidence_failure(TBD) alert. + + party1_certificate + Contains the X.509 certificate of the sender of the + evidence_end1 alert. If this certificate cannot be validated, + then TLS session must be closed immediately after sending one + of the following fatal alerts: bad_certificate(42), + unsupported_certificate(43), certificate_revoked(44), or + certificate_expired(45). These alerts are described in Section + 7.2.2 of [TLS1.1]. + + party1_signature + Contains the digital signature computed by the sender of the + evidence_end1 alert. If this signature cannot be validated, + then TLS session must be closed immediately after sending a + fatal evidence_failure(TBD) alert. + + party2_certificate + Contains the X.509 certificate of the sender of the + evidence_end2 alert. While this certificate was probably + exchanged and validated in the Handshake Protocol, inclusion + here make it clear which certificate was employed by the signer + when the evidence is validated in the future, possibly by a + third party. + + + + + + + + +Brown & Housley [Page 14] + +Internet-Draft November 2006 + + + Party2_signature + Contains the digital signature computed by the sender of the + evidence_end2 alert using the evidence creation algorithm suite + identified in evidence_suite. The hash value is computed as: + + Hash(evidence) + +5. IANA Considerations + + This document defines one TLS extension: evidence_creation(TBD). + This extension type value is assigned from the TLS Extension Type + registry defined in [TLSEXT]. + + This document defines five TLS alert descriptions: the + evidence_start1(TBD), evidence_start2(TBD), evidence_end1(TBD), + evidence_end2(TBD), and evidence_failure(TBD). These alert + descriptions are assigned from the TLS Alert registry defined in + [TLS1.1]. + + This document defines one TLS ContentType: evidence(TBD). This + ContentType value is assigned from the TLS ContentType registry + defined in [TLS1.1]. + + This document establishes a registry for TLS Evidence Protocol + EvidenceMsgType. The first two entries in the registry are + request(1) and response(2). All additional TLS Evidence Protocol + EvidenceMsgType values are assigned by Standards Action as described + in [IANA]. + + This document establishes a registry for Evidence Create Algorithm + suite identifiers. Appendix A lists the initial values for this + registry. Evidence Create Algorithm suite identifier values with the + first byte in the range 0-191 (decimal) inclusive are assigned by + Standards Action as described in [IANA]. Values with the first byte + in the range 192-254 (decimal) are assigned by Specification Required + as described in [IANA]. Values with the first byte 255 (decimal) are + reserved for Private Use as described in [IANA]. + +6. Security Considerations + + This document describes an extension to the TLS protocol, and the + security considerations in [TLS1.1] and [TLSEXT] apply. + Additionally, temporal and storage security considerations are + discussed below. + + + + + + + +Brown & Housley [Page 15] + +Internet-Draft November 2006 + + +6.1. Temporal Considerations + + Generating evidence that covers Application Data values that do not + explicitly or implicitly indicate the point in time at which the + Application Data was transferred over the TLS session might give rise + to replay attacks, post-dating, pre-dating, or other temporal + disputes. To avoid these concerns, the evidence includes an + indication of the date and time. The TLS implementation MUST NOT + attempt to extract date and time values from the Application Data; + doing so is likely to be error prone. Instead, the date and time + SHOULD come from a local clock or a trustworthy time server. Date + and time are provided by one of the parties, and the other party + determines that the date and time value is sufficiently accurate. + + When a more highly trusted time source is needed, the Time-Stamp + Protocol [TSP] can be used to obtain a time-stamp on the evidence + from a trusted third party. + +6.2. Storage Considerations + + Parties that choose to preserve a plaintext record of Application + Data or Handshake Protocol messages for evidence verification at a + later time must ensure must ensure that this data is not + inappropriately disclosed by employing suitable physical protection + or cryptographic mechanisms that are at least as strong as the + selected TLS ciphersuite. + + Suitable physical controls for the protection of Application Data or + Handshake Protocol messages containing keying material or sensitive + data should use removable storage media in conjunction with durable, + locking storage containers. If the removable media is transferred + from one location to another or backup copies are made, secure + handling protections ought to be employed, which might include the + use of insured or bonded couriers. + + A suitable cryptographic mechanism provides confidentiality + protection, since the hash value in the evidence itself provides + integrity protection. One reasonable solution is to encrypt the + Handshake Protocol messages and Application Data messages with a + fresh symmetric encryption key using the same algorithm that was + negotiated for the selected TLS ciphersuite. The key generation + should follow the recommendations in [RANDOM]. Then, the symmetric + key is encrypted for storage with the party's RSA public key or long- + lived key-encryption key. The Cryptographic Message Syntax (CMS) + [CMS] offers a convenient way to keep all of this information + together. + + + + + +Brown & Housley [Page 16] + +Internet-Draft November 2006 + + + An alternative cryptographic mechanism is to save the TLS session + itself. The negotiated TLS ciphersuite was already used to protect + the Application Data messages, and the Handshake Protocol messages + contain the keying material necessary to decrypt them if the party + retains the private keys and/or pre-shared secrets. + +7. References + +7.1. Normative References + + [IANA] Narten, T., and H. Alvestrand, "Guidelines for Writing + an IANA Considerations Section in RFCs", RFC 3434, + October 1998. + + [DSS] Federal Information Processing Standards Publication + (FIPS PUB) 186, Digital Signature Standard, 2000. + + [PKCS1] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5", + RFC 2313, March 1998. + + [PKIX1] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet + Public Key Infrastructure - Certificate and + Certificate Revocation List (CRL) Profile", RFC 3280, + April 2002. + + [TLS1.0] Dierks, T., and C. Allen, "The TLS Protocol, Version 1.0", + RFC 2246, January 1999. + + [TLS1.1] Dierks, T., and E. Rescorla, "The Transport Layer Security + (TLS) Protocol, Version 1.1", RFC 4346, April 2006. + + [TLSEXT] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., + and T. Wright, "Transport Layer Security (TLS) Extensions", + RFC 4366, April 2006. + + [SHA] Federal Information Processing Standards Publication + (FIPS PUB) 180-2, Secure Hash Algorithm, 2002. + + [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [X9.62] X9.62-1998, "Public Key Cryptography For The Financial + Services Industry: The Elliptic Curve Digital + Signature Algorithm (ECDSA)", January 7, 1999. + + + + + + + +Brown & Housley [Page 17] + +Internet-Draft November 2006 + + +7.2. Informative References + + [AUTHZ] Brown, M., and R. Housley, "Transport Layer Security + (TLS) Authorization Extensions", work in progress, + draft-housley-tls-authz-extns. + + [CMS] Housley, R., "Cryptographic Message Syntax (CMS)", + RFC 3852, July 2004. + + [TSP] Adams, C., Cain, P., Pinkas, D., and R. Zuccherato, + "Internet X.509 Public Key Infrastructure: Time-Stamp + Protocol (TSP)", RFC 3161,August 2001. + +8. Acknowledgements + + Thanks to C. Robert Beattie, J.D. and Randy V. Sabett, J.D., CISSP + for their observations and comparisons between the Uniform Electronic + Transactions Act (1999) prepared by the National Conference of + Commissioners on Uniform State Laws versus the American Bar + Association's Digital Signature Guidelines (1996), their observations + regarding the strengths and weaknesses of these two approaches, and + their desire to promote trust and reduce potential for litigation in + online transactions. Their pro bono contribution of time and + expertise deserves recognition. + + This material is based, in part, upon work supported by the United + States Navy Space and Naval Warfare Systems Command under Contract + No. N00039-06-C-0097. + + + + + + + + + + + + + + + + + + + + + + + +Brown & Housley [Page 18] + +Internet-Draft November 2006 + + +Appendix A. Evidence Create Algorithms + + The following values define the EvidenceCreateSuite identifiers used + in the TLS Evidence Extensions. + + An EvidenceCreateSuite defines a cipher specification supported by + TLS Evidence Extensions. A suite identifier names a public key + signature algorithm and an associated one-way hash function. A + registration is named as follows: + + <SignatureAlgorithm>_WITH_<HashFunction> + + These components have the following meaning: + + <SignatureAlgorithm> + Specifies the digital signature algorithm and key length + associated with the algorithm. It is used to digitally sign + the evidence. The "RSA_1024" value indicates the use of the + PKCS#1 v1.5 [PKCS1] digital signature algorithm using a + 1024-bit public key. The "DSS_1024" value indicates the use of + the DSS digital signature algorithm [DSS] with a 1024-bit + public key. The "ECDSA_P384" value indicates the use of the + ECDSA digital signature algorithm [X9.62] using the P-384 named + elliptic curve. + + <HashFunction> + Specifies the one-way hash function used as part of the digital + signature. The "SHA_1", "SHA_224", "SHA_256", "SHA_384", and + "SHA_512" values identify members of the Secure Hash Algorithm + family of one-way- hash functions [SHA]. + + In most cases it will be appropriate to use the same algorithms and + certified public keys that were negotiated in the TLS Handshake + Protocol. The following additional steps are required in order to + employ the digital signature aspects of a TLS CipherSuite to a valid + EvidenceCreateSuite: + + 1) CipherSuites that do not include signature-capable certificates + cannot be used as EvidenceCreateSuite. + + 2) CipherSuites that specify the use of MD5 one-way hash function + should not be used as EvidenceCreateSuite. + + Of course, any aspect of a CipherSuite that deals with symmetric + ciphers and symmetric cipher key lengths is not relevant to the + EvidenceCreateSuite. + + + + + +Brown & Housley [Page 19] + +Internet-Draft November 2006 + + + All public key certificate profiles used in TLS are defined by the + IETF PKIX working group in [PKIX1]. When a key usage extension is + present, then either the digitalSignature bit or the nonRepudiation + bit MUST be set for the public key to be eligible for signing + evidence. If both bits are set, then this requirement is satisfied. + + The following EvidenceCreateSuite definitions are made at this time. + Section 5 specifies the procedures for registering additional + EvidenceCreateSuite definitions. + + EvidenceCreateSuite RSA_1024_WITH_SHA_1 = { 0x00, 0x01 }; + EvidenceCreateSuite RSA_1024_WITH_SHA_256 = { 0x00, 0x02 }; + EvidenceCreateSuite RSA_2048_WITH_SHA_256 = { 0x00, 0x03 }; + + EvidenceCreateSuite DSS_1024_WITH_SHA_1 = { 0x00, 0x11 }; + EvidenceCreateSuite DSS_2048_WITH_SHA_256 = { 0x00, 0x12 }; + + EvidenceCreateSuite ECDSA_P256_WITH_SHA_256 = { 0x00, 0x21 }; + EvidenceCreateSuite ECDSA_P384_WITH_SHA_384 = { 0x00, 0x22 }; + EvidenceCreateSuite ECDSA_P521_WITH_SHA_512 = { 0x00, 0x23 }; + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Brown & Housley [Page 20] + +Internet-Draft November 2006 + + +Author's Address + + Mark Brown + RedPhone Security + 2019 Palace Avenue + Saint Paul, MN 55105 + USA + mark <at> redphonesecurity <dot> com + + Russell Housley + Vigil Security, LLC + 918 Spring Knoll Drive + Herndon, VA 20170 + USA + housley <at> vigilsec <dot> com + +Full Copyright Statement + + Copyright (C) The Internet Society (2006). This document is subject + to the rights, licenses and restrictions contained in BCP 78, and + except as set forth therein, the authors retain all their rights. + + This document and translations of it may be copied and furnished to + others, and derivative works that comment on or otherwise explain it + or assist in its implementation may be prepared, copied, published + and distributed, in whole or in part, without restriction of any + kind, provided that the above copyright notice and this paragraph are + included on all such copies and derivative works. However, this + + document itself may not be modified in any way, such as by removing + the copyright notice or references to the Internet Society or other + Internet organizations, except as needed for the purpose of + developing Internet standards in which case the procedures for + copyrights defined in the Internet Standards process must be + followed, or as required to translate it into languages other than + English. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + + + + + + +Brown & Housley [Page 21] |