summaryrefslogtreecommitdiff
path: root/doc/protocol/draft-funk-tls-inner-application-extension-01.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/protocol/draft-funk-tls-inner-application-extension-01.txt')
-rw-r--r--doc/protocol/draft-funk-tls-inner-application-extension-01.txt1885
1 files changed, 0 insertions, 1885 deletions
diff --git a/doc/protocol/draft-funk-tls-inner-application-extension-01.txt b/doc/protocol/draft-funk-tls-inner-application-extension-01.txt
deleted file mode 100644
index 39404fc40c..0000000000
--- a/doc/protocol/draft-funk-tls-inner-application-extension-01.txt
+++ /dev/null
@@ -1,1885 +0,0 @@
-
-
-
-
-TLS Working Group Paul Funk
-Internet-Draft Funk Software, Inc.
-Category: Standards Track Simon Blake-Wilson
-<draft-funk-tls-inner-application-extension-01.txt> Basic Commerce &
- Industries, Inc.
- Ned Smith
- Intel Corp.
- Hannes Tschofenig
- Siemens AG
- Thomas Hardjono
- VeriSign Inc.
- February 2005
-
-
-
- TLS Inner Application Extension
- (TLS/IA)
-
-
-
-Status of this Memo
-
- This document is an Internet-Draft and is subject to all provisions
- of section 3 of RFC 3667. By submitting this Internet-Draft, each
- author represents that any applicable patent or other IPR claims of
- which he or she is aware have been or will be disclosed, and any of
- which he or she become aware will be disclosed, in accordance with
- RFC 3668.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six
- months and may be updated, replaced, or obsoleted by other documents
- at any time. It is inappropriate to use Internet-Drafts as
- reference material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2001 - 2005). All Rights
- Reserved.
-
-Abstract
-
-Internet-Draft February 2005
-
-
- This document defines a new TLS extension called "Inner
- Application". When TLS is used with the Inner Application extension
- (TLS/IA), additional messages are exchanged after completion of the
- TLS handshake, in effect providing an extended handshake prior to
- the start of upper layer data communications. Each TLS/IA message
- contains an encrypted sequence of Attribute-Value-Pairs (AVPs) from
- the RADIUS/Diameter namespace. Hence, the AVPs defined in RADIUS and
- Diameter have the same meaning in TLS/AI; that is, each attribute
- code point refers to the same logical attribute in any of these
- protocols. Arbitrary "applications" may be implemented using the AVP
- exchange. Possible applications include EAP or other forms of user
- authentication, client integrity checking, provisioning of
- additional tunnels, and the like. Use of the RADIUS/Diameter
- namespace provides natural compatibility between TLS/IA applications
- and widely deployed AAA infrastructures.
-
- It is anticipated that TLS/IA will be used with and without
- subsequent protected data communication within the tunnel
- established by the handshake. For example, TLS/IA may be used to
- secure an HTTP data connection, allowing more robust password-based
- user authentication to occur than would otherwise be possible using
- mechanisms available in HTTP. TLS/IA may also be used for its
- handshake portion alone; for example, EAP-TTLSv1 encapsulates a
- TLS/IA handshake in EAP as a means to mutually authenticate a client
- and server and establish keys for a separate data connection.
-
-Table of Contents
-
-1 Introduction................................................... 3
-1.1 A Bit of History .......................................... .. 4
-1.2 TLS With or Without Upper Layer Data Communications.......... 5
-2 The Inner Application Extension to TLS......................... 5
-2.1 TLS/IA Overview.............................................. 7
-2.2 Message Exchange ............................................ 8
-2.3 Inner Secret................................................. 9
-2.3.1 Computing the Inner Secret................................. 9
-2.3.2 Exporting the Final Inner Secret........................... 10
-2.3.3 Application Session Key Material........................... 10
-2.4 Session Resumption........................................... 12
-2.5 Error Termination............................................ 12
-2.6 Negotiating the Inner Application Extension.................. 12
-2.7 InnerApplication Protocol.................................... 13
-2.7.1 InnerApplicationExtension.................................. 13
-2.7.2 InnerApplication Message................................... 14
-2.7.3 IntermediatePhaseFinished and FinalPhaseFinished Messages.. 14
-2.7.4 The ApplicationPayload Message ............................ 15
-2.8 Alerts....................................................... 15
-3 Encapsulation of AVPs within ApplicationPayload Messages....... 16
-3.1 AVP Format................................................... 16
-3.2 AVP Sequences................................................ 17
-3.3 Guidelines for Maximum Compatibility with AAA Servers........ 18
-
-
-
-Paul Funk expires August 2005 [Page 2]
-
-Internet-Draft February 2005
-
-
-4 Tunneled Authentication within Application Phases ............. 18
-4.1 Implicit challenge........................................... 18
-4.2 Tunneled Authentication Protocols............................ 19
-4.2.1 EAP........................................................ 20
-4.2.2 CHAP....................................................... 20
-4.2.3 MS-CHAP.................................................... 21
-4.2.4 MS-CHAP-V2................................................. 21
-4.2.5 PAP........................................................ 23
-4.3 Performing Multiple Authentications.......................... 23
-5 Example Message Sequences...................................... 24
-5.1 Full Initial Handshake with Multiple Application Phases ..... 24
-5.2 Resumed Session with Single Application Phase................ 25
-5.3 Resumed Session with No Application Phase.................... 26
-6 Security Considerations........................................ 26
-7 References .................................................... 29
-7.1 Normative References......................................... 29
-7.2 Informative References....................................... 30
-8 Authors' Addresses ........................................... 30
-9 Intellectual Property Statement............................... 31
-
-
-1 Introduction
-
- This specification defines the TLS "Inner Application" extension.
- The term "TLS/IA" refers to the TLS protocol when used with the
- Inner Application extension.
-
- In TLS/IA, the setup portion of TLS is extended to allow an
- arbitrary exchange of information between client and server within a
- protected tunnel established during the TLS handshake and prior to
- the start of upper layer TLS data communications. The TLS handshake
- itself is unchanged; the subsequent Inner Application exchange is
- conducted under the confidentiality and integrity protection
- afforded by the TLS handshake.
-
- The primary motivation for providing such communication is to allow
- robust user authentication to occur as part of an "extended"
- handshake, in particular, user authentication that is based on
- password credentials, which is best conducted under the protection
- of an encrypted tunnel to preclude dictionary attack by
- eavesdroppers. For example, Extensible Authentication Protocol (EAP)
- may be used to authenticate using any of a wide variety of methods
- as part of this extended handshake. The multi-layer approach of
- TLS/IA, in which a strong authentication, typically based on a
- server certificate, is used to protect a password-based
- authentication, distinguishes it from other TLS variants that rely
- entirely on a pre-shared key or password for security; for example
- [TLS-PSK].
-
- The protected exchange accommodates any type of client-server
- application, not just authentication, though authentication may
-
-
-
-Paul Funk expires August 2005 [Page 3]
-
-Internet-Draft February 2005
-
-
- often be the prerequisite that allows other applications to proceed.
- For example, TLS/IA may be used to set up HTTP connections,
- establish IPsec security associations (as an alternative to IKE),
- obtain credentials for single sign-on, provide for client integrity
- verification, and so on.
-
- The new messages that are exchanged between client and server are
- encoded as sequences of Attribute-Value-Pairs (AVPs) from the
- RADIUS/Diameter namespace. Use of the RADIUS/Diameter namespace
- provides natural compatibility between TLS/IA applications and
- widely deployed AAA infrastructures. This namespace is extensible,
- allowing new AVPs and, thus, new applications to be defined as
- needed, either by standards bodies or by vendors wishing to define
- proprietary applications.
-
- The TLS/IA exchange comprises one or more "phases", each of which
- consists of an arbitrary number of AVP exchanges followed by a
- confirmation exchange. Authentications occurring in any phase must
- be confirmed prior to continuing to the next phase. This allows
- applications to implement security dependencies in which particular
- assurances are required prior to exchange of additional information.
-
-1.1 A Bit of History
-
- The TLS protocol has its roots in the Netscape SSL protocol, which
- was originally intended to secure HTTP. It provides either one-way
- or mutual authentication of client and server based on certificates.
- In its most typical use in HTTP, the client authenticates the server
- based on the server's certificate and establishes a tunnel through
- which HTTP traffic is passed.
-
- For the server to authenticate the client within the TLS handshake,
- the client must have its own certificate. In cases where the client
- must be authenticated without a certificate, HTTP, not TLS,
- mechanisms would have to be employed. For example, HTTP headers have
- been defined to perform user authentications. However, these
- mechanisms are primitive compared to other mechanisms, most notably
- EAP, that have been defined for contexts other than HTTP.
- Furthermore, any mechanisms defined for HTTP cannot be utilized when
- TLS is used to protect non-HTTP traffic.
-
- The TLS protocol has also found an important use in authentication
- for network access, originally within PPP for dial-up access and
- later for wireless and wired 802.1X access. Several EAP types have
- been defined that utilize TLS to perform mutual client-server
- authentication. The first to appear, EAP-TLS, uses the TLS handshake
- to authenticate both client and server based on the certificate of
- each.
-
- Subsequent protocols, such EAP-TTLSv0 and EAP-PEAP, utilize the TLS
- handshake to allow the client to authenticate the server based on
-
-
-
-Paul Funk expires August 2005 [Page 4]
-
-Internet-Draft February 2005
-
-
- the latter's certificate, then utilize the tunnel established by the
- TLS handshake to perform user authentication, typically based on
- password credentials. Such protocols are called "tunneled" EAP
- protocols. The authentication mechanism used inside the tunnel may
- itself be EAP, and the tunnel may also be used to convey additional
- information between client and server.
-
- TLS/IA is in effect a merger of the two types of TLS usage described
- above, based on the recognition that tunneled authentication would
- be useful in other contexts besides EAP. However, the tunneled
- protocols mentioned above are not directly compatible with a more
- generic use of TLS, because they utilize the tunneled data portion
- of TLS, thus precluding its use for other purposes such as carrying
- HTTP traffic.
-
- The TLS/IA solution to this problem is to insert an additional
- message exchange between the TLS handshake and the subsequent data
- communications phase, carried in a new record type distinct from the
- record type that carries upper layer data. Thus, the data portion of
- the TLS exchange becomes available for HTTP or any other protocol or
- connection that needs to be secured.
-
-1.2 TLS With or Without Upper Layer Data Communications
-
- It is anticipated that TLS/IA will be used with and without
- subsequent protected data communication within the tunnel
- established by the handshake.
-
- For example, TLS/IA may be used to secure an HTTP data connection,
- allowing more robust password-based user authentication to occur
- within the TLS/IA extended handshake than would otherwise be
- possible using mechanisms available in HTTP.
-
- TLS/IA may also be used for its handshake portion alone. For
- example, EAP-TTLSv1 encapsulates a TLS/IA extended handshake in EAP
- as a means to mutually authenticate a client and server and
- establish keys for a separate data connection; no subsequent TLS
- data portion is required. Another example might be use of TLS/IA
- directly over TCP to provide a user with credentials for single
- sign-on.
-
-2 The Inner Application Extension to TLS
-
- The Inner Application extension to TLS follows the guidelines of
- [RFC3546].
-
- A new extension type is defined for negotiating use of TLS/IA
-
- - The InnerApplicationExtension extension type. The client proposes
- use of this extension by including a InnerApplicationExtension
- message in its ClientHello handshake message, and the server
-
-
-
-Paul Funk expires August 2005 [Page 5]
-
-Internet-Draft February 2005
-
-
- confirms its use by including a InnerApplicationExtension message
- in its ServerHello handshake message.
-
- A new record type (ContentType) is defined for use in TLS/IA:
-
- - The InnerApplication record type. This record type carries all
- messages that implement the inner application extension. These
- messages will occur after the TLS handshake and prior to exchange
- of data.
-
- A new message type is defined for use within the InnerApplication
- record type:
-
- - The InnerApplication message. This message may encapsulate any of
- three subtypes:
-
- - The ApplicationPayload message. This message is used to carry
- AVP (Attribute-Value Pair) sequences within the TLS/IA
- extended handshake, in support of client-server applications
- such as authentication.
-
- - The IntermediatePhaseFinished message. This message confirms
- session keys established during the current TLS/IA phase, and
- indicates that at least one additional phase is to follow.
-
- - The FinalPhaseFinished message. This message confirms session
- keys established during the current TLS/IA phase, and
- indicates that no further phases are to follow.
-
- Two new alert codes are defined for use in TLS/IA:
-
- - The InnerApplicationFailure alert. This error alert allows either
- party to terminate the TLS/IA extended handshake due to a failure
- in an application implemented via AVP sequences carried in
- ApplicationPayload messages.
-
- - The InnerApplicationVerification alert. This error alert allows
- either party to terminate the TLS/IA extended handshake due to
- incorrect verification data in a received
- IntermediatePhaseFinished or FinalPhaseFinished message.
-
- The following new assigned numbers are used in TLS/IA:
-
- - "InnerApplicationExtension" extension type:37703
-
- - "InnerApplication" record type: 24
-
- - "InnerApplicationFailure" alert code: 208
-
- - "InnerApplicationVerification" alert code:209
-
-
-
-
-Paul Funk expires August 2005 [Page 6]
-
-Internet-Draft February 2005
-
-
- [Editor's note: I have not checked these types yet against types
- defined in RFCs or drafts. The TLS RFC specifies that new record
- types use the next number after ones already defined; hence I used
- 24, though I don't know if that is already taken.]
-
-2.1 TLS/IA Overview
-
- In TLS/IA, zero or more "application phases are inserted after the
- TLS handshake and prior to ordinary data exchange. The last such
- application phase is called the "final phase"; any application
- phases prior to the final phase are called "intermediate phases".
-
- Intermediate phases are only necessary if interim confirmation of
- session keys generated during an application phase is desired.
-
- Each application phase consists of ApplicationPayload handshake
- messages exchanged by client and server to implement applications
- such as authentication, plus concluding messages for cryptographic
- confirmation. These messages are encapsulated in records with
- ContentType of InnerApplication.
-
- All application phases prior to the final phase use
- IntermediatePhaseFinished rather than FinalPhaseFinished as the
- concluding message. The final phase concludes with the
- FinalPhaseFinished message.
-
- Application phases may be omitted entirely only when session
- resumption is used, provided both client and server agree that no
- application phase is required. The client indicates in its
- ClientHello whether it is willing to omit application phases in a
- resumed session, and the server indicates in its ServerHello whether
- any application phases are to ensue.
-
- In each application phase, the client sends the first
- ApplicationPayload message. ApplicationPayload messages are then
- traded one at a time between client and server, until the server
- concludes the phase by sending, in response to an ApplicationPayload
- message from the client, an IntermediatePhaseFinished sequence to
- conclude an intermediate phase, or a FinalPhaseFinished sequence to
- conclude the final phase. The client then responds with its own
- IntermediatePhaseFinished or FinalPhaseFinished message.
-
- Note that the server MUST NOT send an IntermediatePhaseFinished or
- FinalPhaseFinished message immediately after sending an
- ApplicationPayload message. It must allow the client to send an
- ApplicationPayload message prior to concluding the phase. Thus,
- within any application phase, there will be one more
- ApplicationPayload message sent by the client than sent by the
- server.
-
-
-
-
-
-Paul Funk expires August 2005 [Page 7]
-
-Internet-Draft February 2005
-
-
- The server determines which type of concluding message is used,
- either IntermediatePhaseFinished or FinalPhaseFinished, and the
- client MUST echo the same type of concluding message. Each
- IntermediatePhaseFinished or FinalPhaseFinished message provides
- cryptographic confirmation of any session keys generated during the
- current and any prior applications phases.
-
- Each ApplicationPayload message contains opaque data interpreted as
- an AVP (Attribute-Value Pair) sequence. Each AVP in the sequence
- contains a typed data element. The exchanged AVPs allow client and
- server to implement "applications" within a secure tunnel. An
- application may be any procedure that someone may usefully define. A
- typical application might be authentication; for example, the server
- may authenticate the client based on password credentials using EAP.
- Other possible applications include distribution of keys, validating
- client integrity, setting up IPsec parameters, setting up SSL VPNs,
- and so on.
-
- An "inner secret" is computed during each application phase that
- mixes the TLS master secret with any session keys that have been
- generated during the current and any previous application phases. At
- the conclusion of each application phase, a new inner secret is
- computed and is used to create verification data that is exchanged
- via the IntermediatePhaseFinished or FinalPhaseFinished messages. By
- mixing session keys of inner authentications with the TLS master
- secret, certain man-in-the-middle attacks are thwarted [MITM].
-
-2.2 Message Exchange
-
- Each intermediate application phase consists of ApplicationPayload
- messages sent alternately by client and server, and a concluding
- exchange of IntermediatePhaseFinished messages. The first and last
- ApplicationPayload message in each intermediate phase is sent by the
- client; the first IntermediatePhaseFinished message is sent by the
- server. Thus the client begins the exchange with an
- ApplicationPayload message and the server determines when to
- conclude it by sending IntermediatePhaseFinished. When it receives
- the server's IntermediatePhaseFinished message, the client sends its
- own IntermediatePhaseFinished message, followed by an
- ApplicationPayload message to begin the next handshake phase.
-
- The final application proceeds in the same manner as the
- intermediate phase, except that the FinalPhaseFinished message is
- sent by the server and echoed by the client, and the client does not
- send an ApplicationPayload message for the next phase because there
- is no next phase.
-
- At the start of each application phase, the server MUST wait for the
- client's opening ApplicationPayload message before it sends its own
- ApplicationPayload message to the client. The client MAY NOT
- initiate conclusion of an application handshake phase by sending the
-
-
-
-Paul Funk expires August 2005 [Page 8]
-
-Internet-Draft February 2005
-
-
- first IntermediatePhaseFinished or FinalPhaseFinished message; it
- MUST allow the server to initiate the conclusion of the phase.
-
- Note that it is perfectly acceptable for either client or server to
- send an ApplicationPayload message containing no AVPs. The client,
- for example, may have no AVPs to send in its first or last
- ApplicationPayload message during an application phase.
-
-2.3 Inner Secret
-
- The inner secret is a 48-octet value used to confirm that the
- endpoints of the TLS handshake are the same entities as the
- endpoints of the inner authentications that may have been performed
- during each application phase.
-
- The inner secret is initialized at the conclusion of the TLS
- handshake and permuted at the conclusion of each application phase.
-
- The inner secret that results from the final application phase is
- the final inner secret.
-
- When a new (non-resumed) session is negotiated, the resulting final
- inner secret is saved as part of the session state for use in
- session resumption.
-
-2.3.1 Computing the Inner Secret
-
- At the conclusion of the TLS handshake, each party initializes the
- inner secret to:
-
- - the master secret, if this is a new session
-
- - the previously computed final inner secret of the original
- session, if this is a resumed session
-
- At the conclusion of each application phase, prior to computing
- verification data for inclusion in the IntermediatePhaseFinished or
- FinalPhaseFinished message, each party permutes the inner secret
- using a PRF that includes session keys produced during the current
- application phase. The value that results replaces the current inner
- secret and is used to compute the verification data.
-
- inner_secret = PRF(inner_secret,
- "inner secret permutation",
- SecurityParameters.server_random +
- SecurityParameters.client_random +
- session_key_material) [0..48];
-
- session_key_material is the concatenation of session_key vectors,
- one for each session key generated during the current phase, where:
-
-
-
-
-Paul Funk expires August 2005 [Page 9]
-
-Internet-Draft February 2005
-
-
- opaque session_key<1..2^16-1>;
-
- In other words, each session key is prefixed by a 2-octet length to
- produce the session_key vector.
-
- Since multiple session keys may be produced during a single
- application phase, the following method is used to determine the
- order of concatenation: Each session key is treated as an unsigned
- big-endian numeric value, and the set of session keys is ordered
- from lowest to highest. The session keys are then converted to
- session_key vectors and concatenated in the determined order to form
- session_key_material.
-
- If no session keys were generated during the current phase,
- session_key_material will be null.
-
- Note that session_key_material itself is not a vector and therefore
- not prefixed with the length of the entire collection of session_key
- vectors.
-
-2.3.2 Exporting the Final Inner Secret
-
- Note that, within TLS itself, the inner secret is used for
- verification only, not for encryption. However, the inner secret
- resulting from the final application phase may be exported for use
- as a key from which additional session keys may be derived for
- arbitrary purposes, including encryption of data communications
- separate from TLS.
-
- An exported inner secret should not be used directly as a session
- key. Instead, additional keys should be derived from the inner
- secret, for example by using a PRF, and the client and server
- randoms should be incorporated into the derivation. This ensures
- cryptographic separation between use of the inner secret for session
- key confirmation and additional use of the inner secret outside
- TLS/IA.
-
- Note that for a resumed session that does not include an application
- phase, the final inner secret of that session is identical to that
- of the original session; hence, incorporation of randoms becomes
- critically important to ensure the cryptographic separation of the
- keys derived from sessions sharing a common original session.
-
-2.3.3 Application Session Key Material
-
- Many authentication protocols used today generate session keys that
- are bound to the authentication. Such keying material is normally
- intended for use in a subsequent data connection for encryption and
- validation. For example, EAP-TLS, MS-CHAP-V2 and its alter ego EAP-
- MS-CHAP-V2 each generate session keys.
-
-
-
-
-Paul Funk expires August 2005 [Page 10]
-
-Internet-Draft February 2005
-
-
- Any session keys generated during an application phase MUST be used
- to permute the TLS/IA inner secret between one phase and the next,
- and MUST NOT be used for any other purpose.
-
- Each authentication protocol may define how the session key it
- generates is mapped to an octet sequence of some length for the
- purpose of TLS/IA mixing. However, for protocols which do not
- specify this (including the multitude of protocols that pre-date
- TLS/IA) the following rules are defined. The first rule that applies
- SHALL be the method for determining the session key:
-
- - If the authentication protocol produces an MSK (as defined in
- [RFC3784]), the MSK is used as the session key. Note that an MSK
- is 64 octets.
-
- - If the authentication protocol maps its keying material to the
- RADIUS attributes MS-MPPE-Recv-Key and MS-MPPE-Send-Key
- [RFC2548], then the keying material for those attributes are
- concatenated, with MS-MPPE-Recv-Key first (Note that this rule
- applies to MS-CHAP-V2 and EAP-MS-CHAP-V2.)
-
- - If the authentication protocol uses a pseudo-random function to
- generate keying material, that function is used to generate 64
- octets for use as keying material.
-
- Providing verification of the binding of session keys to the TLS
- master secret is necessary to preclude man-in-the-middle attacks
- against tunneled authentication protocols, as described in [MITM].
- In such an attack, an unsuspecting client is induced to perform an
- untunneled authentication with an attacker posing as a server; the
- attacker then introduces the authentication protocol into a tunneled
- authentication protocol, fooling an authentic server into believing
- that the attacker is the authentic user.
-
- By mixing both the TLS master secret and session keys generated
- during application phase authentication into the inner secret used
- for application phase verification, such attacks are thwarted, as it
- guarantees that the same client both terminated the TLS handshake
- and performed the application phase authentication. Note that the
- session keys generated during authentication must be
- cryptographically related to the authentication and not derivable
- from data exchanged during authentication in order for the keying
- material to be useful in thwarting such attacks.
-
- In addition, the fact that the inner secret cryptographically
- incorporates session keys from application phase authentications
- provides additional protection when the inner secret is exported for
- the purpose of generating additional keys for use outside of the TLS
- exchange. If such an exported secret did not include keying material
- from inner authentications, an eavesdropper who somehow knew the
- server's private key could, in an RSA-based handshake, determine the
-
-
-
-Paul Funk expires August 2005 [Page 11]
-
-Internet-Draft February 2005
-
-
- exported secret and hence would be able to compute the additional
- keys that are based on it. When inner authentication keying material
- is incorporated into the exported secret, such an attack becomes
- impossible.
-
-2.4 Session Resumption
-
- A TLS/IA initial handshake phase may be resumed using standard
- mechanisms defined in [RFC2246]. When the TLS session is resumed,
- client and server may not deem it necessary to exchange AVPs in one
- or more additional application phases, as the resumption itself may
- provide all the security needed.
-
- The client indicates within the InnerApplicationExtension message in
- ClientHello whether it requires AVP exchange when session resumption
- occurs. If it indicates that it does not, then the server may at its
- option omit application phases and the two parties proceed to upper
- layer data communications immediately upon completion of the TLS
- handshake. The server indicates whether application phases are to
- follow the TLS handshake in its InnerApplication extension message
- in ServerHello.
-
- Note that [RFC3546] specifically states that when session resumption
- is used, the server MUST ignore any extensions in the ClientHello.
- However, it is not possible to comply with this requirement for the
- Inner Application extension, since even in a resumed session it may
- be necessary to include application phases, and whether they must be
- included is negotiated in the extension message itself. Therefore,
- the [RFC3546] provision is specifically overridden for the single
- case of the Inner Application extension, which is considered an
- exception to this rule.
-
- A TLS/IA session MAY NOT be resumed if an application phase resulted
- in failure, even though the TLS handshake itself succeeded. Both
- client and server MUST NOT save session state for possible future
- resumption unless the TLS handshake and all subsequent application
- phases succeed.
-
-2.5 Error Termination
-
- The TLS/IA handshake may be terminated by either party sending a
- fatal alert, following standard TLS procedures.
-
-2.6 Negotiating the Inner Application Extension
-
- Use of the InnerApplication extension follows [RFC3546]. The client
- proposes use of this extension by including the
- InnerApplicationExtension message in the client_hello_extension_list
- of the extended ClientHello. If this message is included in the
- ClientHello, the server MAY accept the proposal by including the
- InnerApplicationExtension message in the server_hello_extension_list
-
-
-
-Paul Funk expires August 2005 [Page 12]
-
-Internet-Draft February 2005
-
-
- of the extended ServerHello. If use of this extension is either not
- proposed by the client or not confirmed by the server, the
- InnerApplication record type MUST NOT be used.
-
-2.7 InnerApplication Protocol
-
- All specifications of TLS/IA messages follow the usage defined in
- [RFC2246].
-
-2.7.1 InnerApplicationExtension
-
- enum {
- no(0), yes(1), (255)
- } AppPhaseOnResumption;
-
- struct {
- AppPhaseOnResumption app_phase_on_resumption;
- } InnerApplicationExtension;
-
- If the client wishes to propose use of the Inner Application
- extension, it must include the InnerApplicationExtension message in
- the extension_data vector in the Extension structure in its extended
- ClientHello message.
-
- If the server wishes to confirm use of the Inner Application
- extension that has been proposed by the client, it must include the
- InnerApplicationExtension message in the extension_data vector in
- the Extension structure in its extended ServerHello message.
-
- The AppPhaseOnResumption enumeration allow client and server to
- negotiate an abbreviated, single-phase handshake when session
- resumption is employed. If the client sets app_phase_on_resumption
- to "no", and if the server resumes the previous session, then the
- server MAY set app_phase_on_resumption to "no" in the
- InnerApplication message it sends to the client. If the server sets
- app_phase_on_resumption to "no", no application phases occur and the
- TLS connection proceeds to upper layer data exchange immediately
- upon conclusion of the TLS handshake.
-
- The server MUST set app_phase_on_resumption to "yes" if the client
- set app_phase_on_resumption to "yes" or if the server does not
- resume the session. The server MAY set app_phase_on_resumption to
- "yes" for a resumed session even if the client set
- app_phase_on_resumption to "no", as the server may have reason to
- proceed with one or more application phases.
-
- If the server sets app_phase_on_resumption to "yes" for a resumed
- session, then the client MUST initiate an application phase at the
- conclusion of the TLS handshake.
-
-
-
-
-
-Paul Funk expires August 2005 [Page 13]
-
-Internet-Draft February 2005
-
-
- The value of app_phase_on_resumption applies to the current
- handshake only; that is, it is possible for app_phase_on_resumption
- to have different values in two handshakes that are both resumed
- from the same original TLS session.
-
-2.7.2 InnerApplication Message
-
- enum {
- application_payload(0), intermediate_phase_finished(1),
- final_phase_finished(2), (255)
- } InnerApplicationType;
-
- struct {
- InnerApplicationType msg_type;
- uint24 length;
- select (InnerApplicationType) {
- case application_payload: ApplicationPayload;
- case intermediate_phase_finished:
- IntermediatePhaseFinished;
- case final_phase_finished: FinalPhaseFinished;
- } body;
- } InnerApplication;
-
- The InnerApplication message carries any of the message types
- defined for the InnerApplication protocol.
-
-2.7.3 IntermediatePhaseFinished and FinalPhaseFinished Messages
-
- struct {
- opaque verify_data[12];
- } PhaseFinished;
-
- PhaseFinished IntermediatePhaseFinished;
-
- PhaseFinished FinalPhaseFinished;
-
- verify_data
- PRF(inner_secret, finished_label) [0..11];
-
- finished_label
- when sent by the client, the string "client phase finished"
- when sent by the server, the string "server phase finished"
-
- The IntermediatePhaseFinished and FinalPhaseFinished messages have
- the same structure and include verification data based on the
- current inner secret. IntermediatePhaseFinished is sent by the
- server and echoed by the client to conclude an intermediate
- application phase, and FinalPhaseFinished is used in the same manner
- to conclude the final application phase.
-
-
-
-
-
-Paul Funk expires August 2005 [Page 14]
-
-Internet-Draft February 2005
-
-
-2.7.4 The ApplicationPayload Message
-
- The ApplicationPayload message carries an AVP sequence during an
- application handshake phase. It is defined as follows:
-
- struct {
- opaque avps[InnerApplication.length];
- } ApplicationPayload;
-
- avps
- The AVP sequence, treated as an opaque sequence of octets.
-
- InnerApplication.length
- The length field in the encapsulating InnerApplication
- message.
-
- Note that the "avps" element has its length defined in square
- bracket rather than angle bracket notation, implying a fixed rather
- than variable length vector. This avoids having the length of the
- AVP sequence specified redundantly both in the encapsulating
- InnerApplication message and as a length prefix in the avps element
- itself.
-
-2.8 Alerts
-
- Two new alert codes are defined for use during an application phase.
- The AlertLevel for either of these alert codes MUST be set to
- "fatal".
-
- InnerApplicationFailure
- An InnerApplicationFailure error alert may be sent by either
- party during an application phase. This indicates that the
- sending party considers the negotiation to have failed due to an
- application carried in the AVP sequences, for example, a failed
- authentication.
-
- InnerApplicationVerification
- An InnerApplicationVerification error alert is sent by either
- party during an application phase to indicate that the received
- IntermediatePhaseFinished or FinalPhaseFinished is invalid, that
- is, contains verification data that does not match what is
- expected.
-
- Note that other alerts are possible during an application phase; for
- example, decrypt_error. The InnerApplicationFailure alert relates
- specifically to the failure of an application implemented via AVP
- sequences; for example, failure of an EAP or other authentication
- method, or information passed within the AVP sequence that is found
- unsatisfactory.
-
-
-
-
-
-Paul Funk expires August 2005 [Page 15]
-
-Internet-Draft February 2005
-
-
-3 Encapsulation of AVPs within ApplicationPayload Messages
-
- During application phases of the TLS handshake, information is
- exchanged between client and server through the use of attribute-
- value pairs (AVPs). This data is encrypted using the then-current
- cipher state established during the preceding handshake phase.
-
- The AVP format chosen for TLS/IA is compatible with the Diameter AVP
- format. This does not in any way represent a requirement that
- Diameter be supported by any of the devices or servers participating
- in the TLS/IA conversation, whether directly as client or server or
- indirectly as a backend authenticator. Use of this format is merely
- a convenience. Diameter is a superset of RADIUS and includes the
- RADIUS attribute namespace by definition, though it does not limit
- the size of an AVP as does RADIUS. RADIUS, in turn, is a widely
- deployed AAA protocol and attribute definitions exist for all
- commonly used password authentication protocols, including EAP.
-
- Thus, Diameter is not considered normative except as specified in
- this document. Specifically, the AVP Codes used in TLS/IA are
- semantically equivalent to those defined for Diameter, and, by
- extension, RADIUS.
-
- Use of the RADIUS/Diameter namespace allows a TLS/IA server to
- easily translate between AVPs it uses to communicate with clients
- and the protocol requirements of AAA servers that are widely
- deployed. Plus, it provides a well-understood mechanism to allow
- vendors to extend that namespace for their particular requirements.
-
-3.1 AVP Format
-
- The format of an AVP is shown below. All items are in network, or
- big-endian, order; that is, they have most significant octet first.
-
- 0 1 2 3
- 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | AVP Code |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- |V M r r r r r r| AVP Length |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Vendor-ID (opt) |
- +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | Data ...
- +-+-+-+-+-+-+-+-+
-
- AVP Code
-
- The AVP Code is four octets and, combined with the Vendor-ID
- field if present, identifies the attribute uniquely. The first
-
-
-
-
-Paul Funk expires August 2005 [Page 16]
-
-Internet-Draft February 2005
-
-
- 256 AVP numbers represent attributes defined in RADIUS. AVP
- numbers 256 and above are defined in Diameter.
-
- AVP Flags
-
- The AVP Flags field is one octet, and provides the receiver with
- information necessary to interpret the AVP.
-
- The 'V' (Vendor-Specific) bit indicates whether the optional
- Vendor-ID field is present. When set to 1, the Vendor-ID field is
- present and the AVP Code is interpreted according to the
- namespace defined by the vendor indicated in the Vendor-ID field.
-
- The 'M' (Mandatory) bit indicates whether support of the AVP is
- required. When set to 0, this indicates that the AVP may be
- safely ignored if the receiving party does not understand or
- support it. When set to 1, if the receiving party does not
- understand or support the AVP it MUST fail the negotiation by
- sending an InnerApplicationFailure error alert.
-
- The 'r' (reserved) bits are unused and must be set to 0.
-
- AVP Length
-
- The AVP Length field is three octets, and indicates the length of
- this AVP including the AVP Code, AVP Length, AVP Flags, Vendor-ID
- (if present) and Data.
-
- Vendor-ID
-
- The Vendor-ID field is present if and only if the 'V' bit is set
- in the AVP Flags field. It is four octets, and contains the
- vendor's IANA-assigned "SMI Network Management Private Enterprise
- Codes" [RFC1700] value. Vendors defining their own AVPs must
- maintain a consistent namespace for use of those AVPs within
- RADIUS, Diameter and TLS/IA.
-
- A Vendor-ID value of zero is semantically equivalent to absence
- of the Vendor-ID field altogether.
-
-3.2 AVP Sequences
-
- Data encapsulated within the TLS Record Layer must consist entirely
- of a sequence of zero or more AVPs. Each AVP must begin on a 4-octet
- boundary relative to the first AVP in the sequence. If an AVP is not
- a multiple of 4 octets, it must be padded with 0s to the next 4-
- octet boundary.
-
- Note that the AVP Length does not include the padding.
-
-
-
-
-
-Paul Funk expires August 2005 [Page 17]
-
-Internet-Draft February 2005
-
-
-3.3 Guidelines for Maximum Compatibility with AAA Servers
-
- When maximum compatibility with AAA servers is desired, the
- following guidelines for AVP usage are suggested:
-
- - Non-vendor-specific AVPs should be selected from the set of
- attributes defined for RADIUS; that is, attributes with codes
- less than 256. This provides compatibility with both RADIUS and
- Diameter.
-
- - Vendor-specific AVPs should be defined in terms of RADIUS.
- Vendor-specific RADIUS attributes translate to Diameter
- automatically; the reverse is not true. RADIUS vendor-specific
- attributes use RADIUS attribute 26 and include vendor ID, vendor-
- specific attribute code and length; see [RFC2865] for details.
-
-4 Tunneled Authentication within Application Phases
-
- TLS/IA permits user authentication information to be tunneled within
- an application phase between client and server, protecting the
- security of the authentication information against active and
- passive attack.
-
- Any type of password or other authentication may be tunneled. Also,
- multiple tunneled authentications may be performed. Normally,
- tunneled authentication is used when the client has not been issued
- a certificate and the TLS handshake provides only one-way
- authentication of the server to the client; however, in certain
- cases it may be desired to perform certificate authentication of the
- client during the initial handshake phase as well as tunneled user
- authentication in a subsequent application phase.
-
- This section establishes rules for using common authentication
- mechanisms within TLS/IA. Any new authentication mechanism should in
- general be covered by these rules if it is defined as an EAP type.
- Authentication mechanisms whose use within TLS/IA is not covered
- within this specification may require separate standardization,
- preferably within the standard that describes the authentication
- mechanism in question.
-
-4.1 Implicit challenge
-
- Certain authentication protocols that use a challenge/response
- mechanism rely on challenge material that is not generated by the
- authentication server, and therefore require special handling.
-
- In PPP protocols such CHAP, MS-CHAP and MS-CHAP-V2, for example, the
- Network Access Server (NAS) issues a challenge to the client, the
- client then hashes the challenge with the password and forwards the
- response to the NAS. The NAS then forwards both challenge and
- response to a AAA server. But because the AAA server did not itself
-
-
-
-Paul Funk expires August 2005 [Page 18]
-
-Internet-Draft February 2005
-
-
- generate the challenge, such protocols are susceptible to replay
- attack.
-
- If the client were able to create both challenge and response,
- anyone able to observe a CHAP or MS-CHAP exchange could pose as that
- user by replaying that challenge and response into a TLS/IA
- conversation.
-
- To make these protocols secure in TLS/IA, it is necessary to provide
- a mechanism to produce a challenge that the client cannot control or
- predict.
-
- When a challenge-based authentication mechanism is used, both client
- and server use the TLS PRF function to generate as many octets as
- are required for the challenge, using the constant string "inner
- application challenge", based on the then-current master secret and
- random values established during the initial handshake phase:
-
- IA_challenge = PRF(final_inner_secret,
- "inner application challenge",
- SecurityParameters.server_random +
- SecurityParameters.client_random);
-
-4.2 Tunneled Authentication Protocols
-
- This section describes the rules for tunneling specific
- authentication protocols within TLS/IA.
-
- For each protocol, the RADIUS RFC that defines the relevant
- attribute formats is cited. Note that these attributes are
- encapsulated as described in section 3.1; that is, as Diameter
- attributes, not as RADIUS attributes. In other words, the AVP Code,
- Length, Flags and optional Vendor-ID are formatted as described in
- section 3.1, while the Data is formatted as described by the cited
- RADIUS RFC.
-
- All tunneled authentication protocols except EAP must be initiated
- by the client in the first ApplicationPayload message of an
- application phase. EAP may be initiated by the client in the first
- ApplicationPayload message of an application phase; it may also be
- initiated by the server in any ApplicationPayload message.
-
- The authentication protocols described below may be performed
- directly by the TLS/IA server or may be forwarded to a backend AAA
- server. For authentication protocols that generate session keys, the
- backend server must return those session keys to the TLS/IA server
- in order to allow the protocol to succeed within TLS/IA. RADIUS or
- Diameter servers are suitable backend AAA servers for this purpose.
- RADIUS servers typically return session keys in MS-MPPE-Recv-Key and
- MS-MPPE-Send-Key attributes [RFC2548]; Diameter servers return
- session keys in the EAP-Master-Session-Key AVP [AAA-EAP].
-
-
-
-Paul Funk expires August 2005 [Page 19]
-
-Internet-Draft February 2005
-
-
-4.2.1 EAP
-
- EAP is described in [RFC3784]; RADIUS attribute formats are
- described in [RFC3579].
-
- When EAP is the tunneled authentication protocol, each tunneled EAP
- packet between the client and server is encapsulated in an EAP-
- Message AVP.
-
- Either client or server may initiate EAP.
-
- The client is the first to transmit within any application phase,
- and it may include an EAP-Response/Identity AVP in its
- ApplicationPayload message to begin an EAP conversation.
- Alternatively, if the client does not initiate EAP the server may,
- by including an EAP-Request/Identity AVP in its ApplicationPayload
- message.
-
- The client's EAP-Response/Identity provides the actual username; the
- privacy of the user's identity is now guaranteed by the TLS
- encryption. This username must be a Network Access Identifier (NAI)
- [RFC2486]; that is, it must be in the following format:
-
- username@realm
-
- The @realm portion is optional, and is used to allow the server to
- forward the EAP message sequence to the appropriate server in the
- AAA infrastructure when necessary.
-
- The EAP authentication between client and server proceeds normally,
- as described in [RFC3784]. However, upon completion the server does
- not send an EAP-Success or EAP-Failure AVP. Instead, the server
- signals success when it concludes the application phase by issuing a
- Finished or PhaseFinished message, or it signals failure by issuing
- an InnerApplicationFailure alert.
-
- Note that the client may also issue an InnerApplicationFailure
- alert, for example, when authentication of the server fails in a
- method providing mutual authentication.
-
-4.2.2 CHAP
-
- The CHAP algorithm is described in [RFC1994]; RADIUS attribute
- formats are described in [RFC2865].
-
- Both client and server generate 17 octets of challenge material,
- using the constant string "inner application challenge" as described
- above. These octets are used as follows:
-
- CHAP-Challenge [16 octets]
- CHAP Identifier [1 octet]
-
-
-
-Paul Funk expires August 2005 [Page 20]
-
-Internet-Draft February 2005
-
-
- The client initiates CHAP by including User-Name, CHAP-Challenge and
- CHAP-Password AVPs in the first ApplicationPayload message in any
- application phase. The CHAP-Challenge value is taken from the
- challenge material. The CHAP-Password consists of CHAP Identifier,
- taken from the challenge material; and CHAP response, computed
- according to the CHAP algorithm.
-
- Upon receipt of these AVPs from the client, the server must verify
- that the value of the CHAP-Challenge AVP and the value of the CHAP
- Identifier in the CHAP-Password AVP are equal to the values
- generated as challenge material. If either item does not match
- exactly, the server must reject the client. Otherwise, it validates
- the CHAP-Challenge to determine the result of the authentication.
-
-4.2.3 MS-CHAP
-
- The MS-CHAP algorithm is described in [RFC2433]; RADIUS attribute
- formats are described in [RFC2548].
-
- Both client and server generate 9 octets of challenge material,
- using the constant string "inner application challenge" as described
- above. These octets are used as follows:
-
- MS-CHAP-Challenge [8 octets]
- Ident [1 octet]
-
- The client initiates MS-CHAP by including User-Name, MS-CHAP-
- Challenge and MS-CHAP-Response AVPs in the first ApplicationPayload
- message in any application phase. The MS-CHAP-Challenge value is
- taken from the challenge material. The MS-CHAP-Response consists of
- Ident, taken from the challenge material; Flags, set according the
- client preferences; and LM-Response and NT-Response, computed
- according to the MS-CHAP algorithm.
-
- Upon receipt of these AVPs from the client, the server must verify
- that the value of the MS-CHAP-Challenge AVP and the value of the
- Ident in the client's MS-CHAP-Response AVP are equal to the values
- generated as challenge material. If either item does not match
- exactly, the server must reject the client. Otherwise, it validates
- the MS-CHAP-Challenge to determine the result of the authentication.
-
-4.2.4 MS-CHAP-V2
-
- The MS-CHAP-V2 algorithm is described in [RFC2759]; RADIUS attribute
- formats are described in [RFC2548].
-
- Both client and server generate 17 octets of challenge material,
- using the constant string "inner application challenge" as described
- above. These octets are used as follows:
-
-
-
-
-
-Paul Funk expires August 2005 [Page 21]
-
-Internet-Draft February 2005
-
-
- MS-CHAP-Challenge [16 octets]
- Ident [1 octet]
-
- The client initiates MS-CHAP-V2 by including User-Name, MS-CHAP-
- Challenge and MS-CHAP2-Response AVPs in the first ApplicationPayload
- message in any application phase. The MS-CHAP-Challenge value is
- taken from the challenge material. The MS-CHAP2-Response consists of
- Ident, taken from the challenge material; Flags, set to 0; Peer-
- Challenge, set to a random value; and Response, computed according
- to the MS-CHAP-V2 algorithm.
-
- Upon receipt of these AVPs from the client, the server must verify
- that the value of the MS-CHAP-Challenge AVP and the value of the
- Ident in the client's MS-CHAP2-Response AVP are equal to the values
- generated as challenge material. If either item does not match
- exactly, the server must reject the client. Otherwise, it validates
- the MS-CHAP2-Challenge.
-
- If the MS-CHAP2-Challenge received from the client is correct, the
- server tunnels the MS-CHAP2-Success AVP to the client.
-
- Upon receipt of the MS-CHAP2-Success AVP, the client is able to
- authenticate the server. In its next InnerApplicationPayload message
- to the server, the client does not include any MS-CHAP-V2 AVPs.
- (This may result in an empty InnerApplicationPayload if no other
- AVPs need to be sent.)
-
- If the MS-CHAP2-Challenge received from the client is not correct,
- the server tunnels an MS-CHAP2-Error AVP to the client. This AVP
- contains a new Ident and a string with additional information such
- as error reason and whether a retry is allowed. If the error reason
- is an expired password and a retry is allowed, the client may
- proceed to change the user's password. If the error reason is not an
- expired password or if the client does not wish to change the user's
- password, it issues an InnerApplicationFailure alert.
-
- If the client does wish to change the password, it tunnels MS-CHAP-
- NT-Enc-PW, MS-CHAP2-CPW, and MS-CHAP-Challenge AVPs to the server.
- The MS-CHAP2-CPW AVP is derived from the new Ident and Challenge
- received in the MS-CHAP2-Error AVP. The MS-CHAP-Challenge AVP simply
- echoes the new Challenge.
-
- Upon receipt of these AVPs from the client, the server must verify
- that the value of the MS-CHAP-Challenge AVP and the value of the
- Ident in the client's MS-CHAP2-CPW AVP match the values it sent in
- the MS-CHAP2-Error AVP. If either item does not match exactly, the
- server must reject the client. Otherwise, it validates the MS-CHAP2-
- CPW AVP.
-
- If the MS-CHAP2-CPW AVP received from the client is correct, and the
- server is able to change the user's password, the server tunnels the
-
-
-
-Paul Funk expires August 2005 [Page 22]
-
-Internet-Draft February 2005
-
-
- MS-CHAP2-Success AVP to the client and the negotiation proceeds as
- described above.
-
- Note that additional AVPs associated with MS-CHAP-V2 may be sent by
- the server; for example, MS-CHAP-Domain. The server must tunnel such
- authentication-related AVPs along with the MS-CHAP2-Success.
-
-4.2.5 PAP
-
- PAP RADIUS attribute formats are described in [RFC2865].
-
- The client initiates PAP by including User-Name and User-Password
- AVPs in the first ApplicationPayload message in any application
- phase.
-
- In RADIUS, User-Password is padded with nulls to a multiple of 16
- octets, then encrypted using a shared secret and other packet
- information.
-
- A TLS/IA, however, does not RADIUS-encrypt the password since all
- application phase data is already encrypted. The client SHOULD,
- however, null-pad the password to a multiple of 16 octets, to
- obfuscate its length.
-
- Upon receipt of these AVPs from the client, the server may be able
- to decide whether to authenticate the client immediately, or it may
- need to challenge the client for more information.
-
- If the server wishes to issue a challenge to the client, it MUST
- tunnel the Reply-Message AVP to the client; this AVP normally
- contains a challenge prompt of some kind. It may also tunnel
- additional AVPs if necessary, such the Prompt AVP. Upon receipt of
- the Reply-Message AVPs, the client tunnels User-Name and User-
- Password AVPs again, with the User-Password AVP containing new
- information in response to the challenge. This process continues
- until the server determines the authentication has succeeded or
- failed.
-
-4.3 Performing Multiple Authentications
-
- In some cases, it is desirable to perform multiple user
- authentications. For example, a server may want first to
- authenticate the user by password, then by token card.
-
- The server may perform any number of additional user authentications
- using EAP, simply by issuing a EAP-Request with a new protocol type
- once the previous authentication has completed..
-
- For example, a server wishing to perform MD5-Challenge followed by
- Generic Token Card would first issue an EAP-Request/MD5-Challenge
- AVP and receive a response. If the response is satisfactory, it
-
-
-
-Paul Funk expires August 2005 [Page 23]
-
-Internet-Draft February 2005
-
-
- would then issue EAP-Request/Generic Token Card AVP and receive a
- response. If that response were also satisfactory, it would consider
- the user authenticated.
-
-5 Example Message Sequences
-
- This section presents a variety of possible TLS/IA message
- sequences. These examples do not attempt to exhaustively depict all
- possible scenarios.
-
- Parentheses indicate optional TLS messages. Brackets indicate
- optional message exchanges. Ellipsis (. . .) indicates optional
- repetition of preceding messages.
-
-5.1 Full Initial Handshake with Multiple Application Phases
-
- The diagram below depicts a full initial handshake phase followed by
- two application phases.
-
- Note that the client concludes the intermediate phase and starts the
- final phase in an uninterrupted sequence of three messages:
- ChangeCipherSpec and PhaseFinished belong to the intermediate phase,
- and ApplicationPayload belongs to the final phase.
-
- Client Server
- ------ ------
-
- *** TLS Handshake:
- ClientHello -------->
- ServerHello
- (Certificate)
- ServerKeyExchange
- (CertificateRequest)
- <-------- ServerHelloDone
- (Certificate)
- ClientKeyExchange
- (CertificateVerify)
- ChangeCipherSpec
- Finished -------->
- ChangeCipherSpec
- <-------- Finished
-
- *** Intermediate Phase:
- ApplicationPayload -------->
-
- [
- <-------- ApplicationPayload
-
- ApplicationPayload -------->
-
-
-
-
-
-Paul Funk expires August 2005 [Page 24]
-
-Internet-Draft February 2005
-
-
- ...
- ]
- <--------
- IntermediatePhaseFinished
- IntermediatePhaseFinished
- *** Final Phase:
- ApplicationPayload -------->
-
- [
- <-------- ApplicationPayload
-
- ApplicationPayload -------->
-
- ...
- ]
- <-------- FinalPhaseFinished
-
- FinalPhaseFinished -------->
-
-5.2 Resumed Session with Single Application Phase
-
- The diagram below depicts a resumed session followed by a single
- application phase.
-
- Note that the client concludes the initial phase and starts the
- final phase in an uninterrupted sequence of three messages:
- ChangeCipherSpec and PhaseFinished belong to the initial phase, and
- ApplicationPayload belongs to the final phase.
-
- Client Server
- ------ ------
-
- *** TLS Handshake:
- ClientHello -------->
- ServerHello
- ChangeCipherSpec
- <-------- Finished
- ChangeCipherSpec
- Finished
- *** Final Phase:
- ApplicationPayload -------->
-
- [
- <-------- ApplicationPayload
-
- ApplicationPayload -------->
-
- ...
- ]
- <-------- FinalPhaseFinished
-
-
-
-
-Paul Funk expires August 2005 [Page 25]
-
-Internet-Draft February 2005
-
-
- FinalPhaseFinished -------->
-
-5.3 Resumed Session with No Application Phase
-
- The diagram below depicts a resumed session without any subsequent
- application phase. This will occur if the client indicates in its
- ClientInnerApplication message that no application phase is required
- and the server concurs.
-
- Note that this message sequence is identical to that of a standard
- TLS resumed session.
-
- Client Server
- ------ ------
-
- *** TLS Handshake:
- ClientHello -------->
- ServerHello
- ChangeCipherSpec
- <-------- Finished
- ChangeCipherSpec
- Finished -------->
-
-6 Security Considerations
-
- This document introduces a new TLS extension called "Inner
- Application". When TLS is used with the Inner Application extension
- (TLS/IA), additional messages are exchanged during the TLS
- handshake. Hence a number of security issues need to be taken into
- consideration. Since the security heavily depends on the information
- (called "applications") which are exchanged between the TLS client
- and the TLS server as part of the TLS/IA extension we try to
- classify them into two categories: The first category considers the
- case where the exchange results in the generation of keying
- material. This is, for example, the case with many EAP methods. EAP
- is one of the envisioned main "applications". The second category
- focuses on cases where no session key is generated. The security
- treatment of the latter category is discouraged since it is
- vulnerability to man-in-the-middle attacks if the two sessions
- cannot be bound to each other as shown in [MITM].
-
- Subsequently, we investigate a number of security issues:
-
- - Architecture and Trust Model
-
- For many of the use cases in this document we assume that three
- functional entities participate in the protocol exchange: TLS
- client, TLS server and a AAA infrastructure (typically consisting
- of a AAA server and possibly a AAA broker). The protocol exchange
- described in this document takes place between the TLS client and
- the TLS server. The interaction between the AAA client (which
-
-
-
-Paul Funk expires August 2005 [Page 26]
-
-Internet-Draft February 2005
-
-
- corresponds to the TLS server) and the AAA server is described in
- the respective AAA protocol documents and therefore outside the
- scope of this document. The trust model behind this architecture
- with respect to the authentication, authorization, session key
- establishment and key transport within the AAA infrastructure is
- discussed in [KEYING].
-
- - Authentication
-
- This document assumes that the TLS server is authenticated to the
- TLS client as part of the authentication procedure of the initial
- TLS Handshake. This approach is similar to the one chosen with
- the EAP support in IKEv2 (see [IKEv2]). Typically, public key
- based server authentication is used for this purpose. More
- interesting is the client authentication property whereby
- information exchanged as part of the Inner Application is used to
- authenticate (or authorize) the client. For example, if EAP is
- used as an inner application then EAP methods are used to perform
- authentication and key agreement between the EAP peer (most
- likely the TLS client) and the EAP server (i.e., AAA server).
-
- - Authorization
-
- Throughout this document it is assumed that the TLS server can be
- authorized by the TLS client as a legitimate server as part of
- the authentication procedure of the initial TLS Handshake. The
- entity acting as TLS client can be authorized either by the TLS
- server or by the AAA server (if the authorization decision is
- offloaded). Typically, the authenticated identity is used to
- compute the authorization decision but credential-based
- authorization mechanisms may be used as well.
-
- - Man-in-the-Middle Attack
-
- Man-in-the-middle attacks have become a concern with tunneled
- authentication protocols because of the discovered
- vulnerabilities (see [MITM]) of a missing cryptographic binding
- between the independent protocol sessions. This document also
- proposes a tunneling protocol, namely individual inner
- application sessions are tunneled within a previously executed
- session. The first protocol session in this exchange is the
- initial TLS Handshake. To avoid man-in-the-middle attacks a
- number of sections address how to establish such a cryptographic
- binding (see Section 2.3 and Error! Reference source not found.).
-
- - User Identity Confidentiality
-
- The TLS/IA extension allows splitting the authentication of the
- TLS server from the TLS client into two separate sessions. As one
- of the advantages, this provides active user identity
- confidentiality since the TLS client is able to authenticate the
-
-
-
-Paul Funk expires August 2005 [Page 27]
-
-Internet-Draft February 2005
-
-
- TLS server and to establish a unilateral authenticated and
- confidentiality-protected channel prior to starting the client-
- side authentication.
-
- - Session Key Establishment
-
- TLS [RFC2246] defines how session key material produced during
- the TLS Handshake is generated with the help of a pseudo-random
- function to expand it to keying material of the desired length
- for later usage in the TLS Record Layer. Section 2.3 gives some
- guidelines with regard to the master key generation. Since the
- TLS/IA extension supports multiple exchanges whereby each phase
- concludes with a generated keying material. In addition to the
- keying material established as part of TLS itself, most inner
- applications will produce their keying material. For example,
- keying material established as part of an EAP method must be
- carried from the AAA server to the AAA client. Details are
- subject to the specific AAA protocol (for example, EAP usage in
- Diameter [AAA-EAP].
-
- - Denial of Service Attacks
-
- This document does not modify the initial TLS Handshake and as
- such, does not introduce new vulnerabilities with regard to DoS
- attacks. Since the TLS/IA extension allows to postpone the
- client-side authentication to a later stage in the protocol
- phase. As such, it allows malicious TLS clients to initiate a
- number of exchanges while remaining anonymous. As a consequence,
- state at the server is allocated and computational efforts are
- required at the server side. Since the TLS client cannot be
- stateless this is not strictly a DoS attack.
-
- - Confidentiality Protection and Dictionary Attack Resistance
-
- Similar to the user identity confidentiality property the usage
- of the TLS/IA extension allows to establish a unilateral
- authenticated tunnel which is confidentiality protected. This
- tunnel protects the inner application information elements to be
- protected against active adversaries and therefore provides
- resistance against dictionary attacks when password-based
- authentication protocols are used inside the tunnel. In general,
- information exchanged inside the tunnel experiences
- confidentiality protection.
-
- - Downgrading Attacks
-
- This document defines a new extension. The TLS client and the TLS
- server indicate the capability to support the TLS/IA extension as
- part of the client_hello_extension_list and the
- server_hello_extension_list payload. More details can be found in
- Section 2.6. To avoid downgrading attacks whereby an adversary
-
-
-
-Paul Funk expires August 2005 [Page 28]
-
-Internet-Draft February 2005
-
-
- removes a capability from the list is avoided by the usage of the
- Finish or PhaseFinished message as described in Section Error!
- Reference source not found..
-
-7 References
-
-7.1 Normative References
-
- [RFC1700] Reynolds, J., and J. Postel, "Assigned Numbers", RFC
- 1700, October 1994.
-
- [RFC1994] Simpson, W., "PPP Challenge Handshake Authentication
- Protocol (CHAP)", RFC 1994, August 1996.
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", RFC 2119, March 1997.
-
- [RFC2246] Dierks, T., and C. Allen, "The TLS Protocol Version
- 1.0", RFC 2246, November 1998.
-
- [RFC2433] Zorn, G., and S. Cobb, "Microsoft PPP CHAP Extensions",
- RFC 2433, October 1998.
-
- [RFC2486] Aboba, B., and M. Beadles, "The Network Access
- Identifier", RFC 2486, January 1999.
-
- [RFC2548] Zorn, G., "Microsoft Vendor-specific RADIUS Attributes",
- RFC 2548, March 1999.
-
- [RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2",
- RFC 2759, January 2000.
-
- [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson,
- "Remote Authentication Dial In User Service (RADIUS)",
- RFC 2865, June 2000.
-
- [RFC3546] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen,
- J., and T. Wright, "Transport Layer Security (TLS)
- Extensions", RFC 3546, June 2003.
-
- [RFC3579] Aboba, B., and P.Calhoun, "RADIUS (Remote Authentication
- Dial In User Service) Support For Extensible
- Authentication Protocol (EAP)", RFC 3579, September
- 2003.
-
- [RFC3588] Calhoun, P., Loughney, J., Guttman, E., Zorn, G., and J.
- Arkko, "Diameter Base Protocol", RFC 3588, July 2003.
-
- [RFC3784] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
- H. Levkowetz, "PPP Extensible Authentication Protocol
- (EAP)", RFC 3784, June 2004.
-
-
-
-Paul Funk expires August 2005 [Page 29]
-
-Internet-Draft February 2005
-
-
-
-7.2 Informative References
-
- [RFC1661] Simpson, W. (Editor), "The Point-to-Point Protocol
- (PPP)", STD 51, RFC 1661, July 1994.
-
- [RFC2716] Aboba, B., and D. Simon, "PPP EAP TLS Authentication
- Protocol", RFC 2716, October 1999.
-
- [EAP-TTLS] Funk, P., and S. Blake-Wilson, " EAP Tunneled TLS
- Authentication Protocol (EAP-TTLS)", draft-ietf-pppext-
- eap-ttls-05.txt, July 2004.
-
- [EAP-PEAP] Palekar, A., Simon, D., Salowey, J., Zhou, H., Zorn, G.,
- and S. Josefsson, "Protected EAP Protocol (PEAP) Version
- 2", draft-josefsson-pppext-eap-tls-eap-08.txt, July
- 2004.
-
- [TLS-PSK] Eronen, P., and H. Tschofenig, "Pre-Shared Key
- Ciphersuites for Transport Layer Security (TLS)", draft-
- ietf-tls-psk-01.txt, August 2004.
-
- [802.1X] IEEE Standards for Local and Metropolitan Area Networks:
- Port based Network Access Control, IEEE Std 802.1X-2001,
- June 2001.
-
- [MITM] Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
- in Tunneled Authentication",
- http://www.saunalahti.fi/~asokan/research/mitm.html,
- Nokia Research Center, Finland, October 24 2002.
-
- [KEYING] Aboba, B., Simon, D., Arkko, J. and H. Levkowetz, "EAP
- Key Management Framework", draft-ietf-eap-keying-01.txt
- (work in progress), October 2003.
-
- [IKEv2] C.Kaufman, "Internet Key Exchange (IKEv2) Protocol",
- draft-ietf-ipsec-ikev2-16.txt (work in progress),
- September 2004.
-
- [AAA-EAP] Eronen, P., Hiller, T. and G. Zorn, "Diameter Extensible
- Authentication Protocol (EAP) Application", draft-ietf-
- aaa-eap-03.txt (work in progress), October 2003.
-
-8 Authors' Addresses
-
- Questions about this memo can be directed to:
-
- Paul Funk
- Funk Software, Inc.
- 222 Third Street
- Cambridge, MA 02142
-
-
-
-Paul Funk expires August 2005 [Page 30]
-
-Internet-Draft February 2005
-
-
- USA
- Phone: +1 617 497-6339
- E-mail: paul@funk.com
-
- Simon Blake-Wilson
- Basic Commerce & Industries, Inc.
- 96 Spadina Ave, Unit 606
- Toronto, Ontario M5V 2J6
- Canada
- Phone: +1 416 214-5961
- E-mail: sblakewilson@bcisse.com
-
- Ned Smith
- Intel Corporation
- MS: JF1-229
- 2111 N.E. 25th Ave.
- Hillsboro, OR 97124
- USA
- Phone: +1 503 264-2692
- E-mail: ned.smith@intel.com
-
- Hannes Tschofenig
- Siemens
- Otto-Hahn-Ring 6
- Munich, Bayern 81739\
- Germany
- Phone: +49 89 636 40390
- E-mail: Hannes.Tschofenig@siemens.com
-
- Thomas Hardjono
- VeriSign Inc.
- 487 East Middlefield Road
- M/S MV6-2-1
- Mountain View, CA 94043
- USA
- Phone: +1 650 426-3204
- E-mail: thardjono@verisign.com
-
-9 Intellectual Property Statement
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed
- to pertain to the implementation or use of the technology described
- in this document or the extent to which any license under such
- rights might or might not be available; nor does it represent that
- it has made any independent effort to identify any such rights.
- Information on the procedures with respect to rights in RFC
- documents can be found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
-
-
-
-Paul Funk expires August 2005 [Page 31]
-
-Internet-Draft February 2005
-
-
- attempt made to obtain a general license or permission for the use
- of such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository
- at http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at ietf-
- ipr@ietf.org.
-
-Disclaimer of Validity
-
- This document and the information contained herein are provided on
- an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
- REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
- INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
- IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-Copyright Statement
-
- Copyright (C) The Internet Society (2001 - 2005). This document is
- subject to the rights, licenses and restrictions contained in BCP
- 78, and except as set forth therein, the authors retain all their
- rights.
-
-Acknowledgment
-
- Funding for the RFC Editor function is currently provided by the
- Internet Society.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Paul Funk expires August 2005 [Page 32]
-
View Lorry Controller Status