summaryrefslogtreecommitdiff
path: root/doc/protocol/draft-housley-evidence-extns-01.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/protocol/draft-housley-evidence-extns-01.txt')
-rw-r--r--doc/protocol/draft-housley-evidence-extns-01.txt1176
1 files changed, 0 insertions, 1176 deletions
diff --git a/doc/protocol/draft-housley-evidence-extns-01.txt b/doc/protocol/draft-housley-evidence-extns-01.txt
deleted file mode 100644
index 639dd0b481..0000000000
--- a/doc/protocol/draft-housley-evidence-extns-01.txt
+++ /dev/null
@@ -1,1176 +0,0 @@
-
-
-
-
-Internet-Draft M. Brown
-November 2006 RedPhone Security
-Expires: May 2007 R. Housley
- Vigil Security
-
-
- Transport Layer Security (TLS) Evidence Extensions
- <draft-housley-evidence-extns-01.txt>
-
-
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
-Copyright Notice
-
- Copyright (C) The Internet Society (2006). All Rights Reserved.
-
-Abstract
-
- This document specifies evidence creation extensions to the Transport
- Layer Security (TLS) Protocol. Extension types are carried in the
- client and server hello message extensions to confirm that both
- parties support the protocol features needed to perform evidence
- creation. The syntax and semantics of the evidence creation alerts
- and messages are described in detail.
-
-
-
-
-
-Brown & Housley [Page 1]
-
-Internet-Draft November 2006
-
-
-1. Introduction
-
- Transport Layer Security (TLS) protocol [TLS1.0][TLS1.1] is being
- used in an increasing variety of operational environments, including
- ones that were not envisioned when the original design criteria for
- TLS were determined. The extensions specified in this document
- support evidence creation in environments where the peers in the TLS
- session cooperate to create persistent evidence of the TLS-protected
- application data. Such evidence may be necessary to meet business
- requirements, including regulatory requirements. Also, evidence may
- be used in tandem with authorization information to make high
- assurance access control and routing decisions in military and
- government environments. Evidence created using this extension may
- also be used to audit various aspects of the TLS handshake, including
- the cipher suite negotiation and the use of other TLS extensions. In
- many cases, the evidence does not need to be validated by third
- parties; however, in other cases, the evidence might be validated by
- third parties. To accommodate all of these situations, the evidence
- is generated using a digital signature. Since validation of a
- digital signature requires only public information, evidence
- generated with this mechanism is suitable for sharing with third
- parties.
-
- When digital certificates are to be employed in evidence creations,
- the client must obtain the public key certificate (PKC) for the
- server, and the server must obtain the PKC for the client. This is
- most easily accomplished by using the PKCs provided in the Handshake
- Protocol Certificate messages. Further, both parties SHOULD have an
- opportunity to validate the PKC that will be used by the other party
- before evidence creation. Again, this is naturally accomplished
- using the Handshake Protocol, where the TLS session can be rejected
- if the PKC cannot be validated.
-
- This document describes evidence creation TLS extensions supporting
- both TLS 1.0 and TLS 1.1. These extensions observe the conventions
- defined for TLS Extensions [TLSEXT]. The extensions are designed to
- be backwards compatible, meaning that the protocol alerts and
- messages associated with the evidence creation extensions will be
- exchanged only if the client indicates support for them in the client
- hello message and the server indicates support for them in the server
- hello message.
-
- Clients typically know the context of the TLS session before it is
- established. As a result, the client can request the use of the
- evidence creation extensions in sessions where they might be needed.
- Servers accept extended client hello messages, even if the server
- does not support the all of the listed extensions. However, the
- server will not indicate support for any extensions that are not
-
-
-
-Brown & Housley [Page 2]
-
-Internet-Draft November 2006
-
-
- "understood" by the implementation. At the end of the hello message
- exchange, the client may reject communications with servers that do
- not support the evidence creation extensions, or the client may
- accept the situation and proceed, whichever is appropriate.
-
-1.1. Conventions
-
- The syntax for the evidence creation messages is defined using the
- TLS Presentation Language, which is specified in Section 4 of
- [TLS1.0].
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in RFC 2119 [STDWORDS].
-
-1.2. Overview
-
- Figure 1 illustrates the placement of the evidence creation alerts
- and messages in the TLS session. The first pair of evidence creation
- alerts indicates the beginning of the protected content that will be
- covered by the evidence. The first pair of alerts can appear any
- place after the TLS Handshake Protocol Finished messages, which
- ensures that they are integrity protected. The second pair of
- evidence creation alerts indicates the ending of the protected
- content that will be covered by the evidence. Immediately after the
- reception of the final alert, a pair of Evidence Protocol messages is
- exchanged to create the persistent evidence.
-
- Generating evidence is not compatible with Diffie-Hellman Ephemeral
- (DHE) key exchanges. DHE does not permit the same keying material to
- be generated for validation of the evidence after the TLS session is
- over. Persistent evidence requires the use of a digital signature so
- that it can be validated well after the TLS session is over.
-
- The ClientHello message includes an indication that the evidence
- creation messages are supported. The ServerHello message also
- includes an indication that the evidence creation messages are
- supported. Both the client and the server MUST indicate support for
- the evidence protocol alerts and messages; otherwise they MUST NOT be
- employed by either the client or the server.
-
-
-
-
-
-
-
-
-
-
-
-Brown & Housley [Page 3]
-
-Internet-Draft November 2006
-
-
- Client Server
-
- ClientHello -------->
- ServerHello
- Certificate+
- ServerKeyExchange*
- CertificateRequest+
- <-------- ServerHelloDone
- Certificate+
- ClientKeyExchange
- CertificateVerify+
- ChangeCipherSpec
- Finished -------->
- ChangeCipherSpec
- <-------- Finished
- Application Data <-------> Application Data
- Alert(evidence_start1) -------->
- Application Data
- <-------- Alert(evidence_start2)
-
- Application Data <-------> Application Data
- Alert(evidence_end1) -------->
- Application Data
- <-------- Alert(evidence_end2)
- EvidenceRequest -------->
- <-------- EvidenceResponse
- Application Data <-------> Application Data
-
- * Indicates optional or situation-dependent messages that
- are not always sent.
- + Indicates messages optional to the TLS handshake that
- MUST be sent when using TLS evidence.
-
-
- Figure 1. Example TLS Session with Evidence Creation.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Brown & Housley [Page 4]
-
-Internet-Draft November 2006
-
-
-2. Evidence Extension Types
-
- The general extension mechanisms enable clients and servers to
- negotiate whether to use specific extensions, and how to use specific
- extensions. As specified in [TLSEXT], the extension format used in
- the extended client hello message and extended server hello message
- within the TLS Handshake Protocol is:
-
- struct {
- ExtensionType extension_type;
- opaque extension_data<0..2^16-1>;
- } Extension;
-
- The extension_type identifies a particular extension type, and the
- extension_data contains information specific to the particular
- extension type.
-
- As specified in [TLSEXT], for all extension types, the extension type
- MUST NOT appear in the extended server hello message unless the same
- extension type appeared in the preceding client hello message.
- Clients MUST abort the handshake if they receive an extension type in
- the extended server hello message that they did not request in the
- preceding extended client hello message.
-
- When multiple extensions of different types are present in the
- extended client hello message or the extended server hello message,
- the extensions can appear in any order, but there MUST NOT be more
- than one extension of the same type.
-
- This document specifies the use of the evidence_creation extension
- type. This specification adds one new type to ExtensionType:
-
- enum {
- evidence_creation(TBD), (65535)
- } ExtensionType;
-
- The evidence_creation extension is relevant when a session is
- initiated and also for any subsequent session resumption. However, a
- client that requests resumption of a session does not know whether
- the server has maintained all of the context necessary to accept this
- request, and therefore the client SHOULD send an extended client
- hello message that includes the evidence_creation extension type.
- This indicates that the client requests the server's continued
- cooperation in creating evidence. If the server denies the
- resumption request, then the evidence_creation extension will be
- negotiated normally using the full Handshake protocol.
-
- Clients MUST include the evidence_creation extension in the extended
-
-
-
-Brown & Housley [Page 5]
-
-Internet-Draft November 2006
-
-
- client hello message to indicate their desire to send and receive
- evidence creation alerts and messages. The extension_data field
- indicates the evidence creation algorithms that are supported. The
- format is indicated with the EvidenceCreateList type:
-
- uint16 EvidenceCreateSuite[2];
-
- struct {
- EvidenceCreateSuite evidence_suites<2..2^16-1>;
- } EvidenceCreateList;
-
- The EvidenceCreateList enumerates the evidence creation algorithms
- that are supported by the client. The client MUST order the entries
- from most preferred to least preferred, but all of the entries MUST
- be acceptable to the client. Values are defined in Appendix A, and
- others can be registered in the future.
-
- Servers that receive an extended client hello message containing the
- evidence_creation extension MUST respond with the evidence_creation
- extension in the extended server hello message if the server is
- willing to send and receive evidence creation alerts and messages.
- The evidence_creation extension MUST be omitted from the extended
- server hello message if the server is unwilling to send and receive
- using one of the evidence creation algorithm suites identified by the
- client. The extension_data field indicates the evidence creation
- algorithm suite that the server selected from the list provided by
- the client. The format is indicated with the EvidenceCreateSuite
- type defined above.
-
-3. Alert Messages
-
- This document specifies the use of four new alert message
- descriptions: the evidence_start1, evidence_start2, evidence_end1,
- and evidence_end2. These descriptions are specified in Sections 3.1,
- 3.2, 3.3, and 3.4, respectively. The alert descriptions are
- presented below in the order they MUST be sent; sending alerts in an
- unexpected order results in a fatal error. These descriptions are
- always used with the warning alert level. This specification adds
- four new types to AlertDescription:
-
- enum {
- evidence_start1(TBD),
- evidence_start2(TBD),
- evidence_end1(TBD),
- evidence_end2(TBD),
- evidence_failure(TBD),
- (255)
- } AlertDescription;
-
-
-
-Brown & Housley [Page 6]
-
-Internet-Draft November 2006
-
-
-3.1. The evidence_start1 Description
-
- The client and the server need to synchronize evidence creation.
- Either party may indicate the desire to start creating evidence by
- sending the evidence_start1 alert. If the other party is ready to
- begin creating evidence, then the other party MUST send an
- evidence_start2 alert in response to the evidence_start1 alert that
- was sent. If the other party is unwilling to begin creating
- evidence, the other party MUST respond with fatal
- evidence_failure(TBD) alert and terminate the TLS session.
-
- Evidence may be collected more than once during a TLS session;
- however, evidence gathering MUST NOT be nested. That is, a party
- sending the a second evidence_start1 alert before evidence_end2 alert
- has occurred and the evidence protocol has completed is a protocol
- violation. Reception of an evidence_start1 alert that would result
- in evidence nesting MUST be responded to with a fatal
- evidence_failure(TBD) alert and terminating the TLS session.
-
- Digital signatures are used in evidence creation. If an
- evidence_start1 alert is received before the other party has provided
- a valid PKC, then the evidence_start1 alert recipient MUST terminate
- the TLS session using a fatal certificate_unknown alert.
-
-3.2. The evidence_start2 Description
-
- The evidence_start2 alert is sent in response to the evidence_start1
- alert. By sending the evidence_start2 alert, the sending party
- indicates that they are also ready to begin creating evidence. After
- this pair of alerts is exchanged, both the client and the server use
- the hash function indicated in the extended server hello message to
- start computing the evidence. Each party computes two independent
- hash values: one for each octet that is written, and one for each
- octet that is read.
-
- Digital signatures are used in evidence creation. If an
- evidence_start2 alert is received before the other party has provided
- a valid PKC, then the evidence_start2 alert recipient MUST terminate
- the TLS session using a fatal certificate_unknown alert.
-
-3.3. The evidence_end1 Description
-
- Either party may initiate the closure of an evidence-creating
- interval and the exchange of evidence messages by sending the
- evidence_end1 alert. Upon sending evidence_end1, the sender MUST not
- send any more application data on this connection until the Evidence
- Protocol messages are exchanged.
-
-
-
-
-Brown & Housley [Page 7]
-
-Internet-Draft November 2006
-
-
- The evidence_end1 alert sender MAY initiate the Evidence Protocol as
- described in Section 4 at any time following this alert. The
- evidence_end1 alert sender SHOULD ensure that it has received all
- pending application data writes from the other party before
- initiating the Evidence Protocol. One way to ensure that all of the
- application data has been received it to wait for the receipt of an
- evidence_end2 alert. If the Evidence Protocol begins before all of
- the application data is available, the result will be a fatal
- evidence_failure(TBD) alert when signature verification fails.
-
-3.4. The evidence_end2 Description
-
- The evidence_end2 alert is sent in response to the evidence_end1
- alert. The evidence_end1 alert receiver SHOULD complete any pending
- writes. The intent is to include any application data that would be
- sent in response to application data that was received before the
- evidence_end1 alert as part of evidence creation. Once the pending
- writes are complete, the evidence_end1 alert receiver sends the
- evidence_end2 alert.
-
- At this point, each party completes the hash value computations.
-
- The evidence_end2 alert receiver MUST respond by initiating the
- Evidence Protocol as described in Section 4, if it has not already
- done so.
-
-3.5. The evidence_failure Description
-
- The evidence_failure fatal alert is sent to indicate a failure in
- evidence creation. During evidence synchronization, this alert
- indicates that the sending party is unwilling to begin evidence
- creation. During the Evidence Protocol, this alert indicates that
- the evidence provided by the other party is not acceptable or cannot
- be validated.
-
-4. Evidence Protocol
-
- This document specifies an additional TLS Protocol: the Evidence
- Protocol. It is used to create persistent evidence of the TLS
- session content. This specification adds one new Record layer
- ContentType:
-
- enum {
- evidence(TBD),
- (255)
- } ContentType;
-
-
-
-
-
-Brown & Housley [Page 8]
-
-Internet-Draft November 2006
-
-
- Persistence evidence of the TLS session content is produced by the
- TLS Evidence Protocol. Evidence messages are supplied to the TLS
- Record Layer, where they are encapsulated within one or more
- TLSPlaintext structures, which are processed and transmitted as
- specified by the current active session state.
-
- The Evidence Protocol structure follows:
-
- enum {
- request(1), response(2), (255)
- } EvidenceMsgType;
-
- struct {
- EvidenceMsgType evidence_msg_type;
- uint24 length; /* number of octets in message */
- select (EvidenceMsgType) {
- case request: EvidenceRequest;
- case response: EvidenceResponse;
- } body;
- } EvidenceProtocol;
-
- The Evidence Protocol messages are presented below in the order they
- MUST be sent; sending evidence messages in an unexpected order
- results in a fatal unexpected_message(10) alert. The EvidenceRequest
- message and the EvidenceResponse message are specified in Section 4.2
- and Section 4.3, respectively. Section 4.1 describes structures that
- are used in the EvidenceRequest and EvidenceResponse messages.
-
-4.1. Certificates and Digital Signatures
-
- The evidence Protocol makes use of the ASN.1Cert definition used
- elsewhere in TLS. It is repeated here for convenience.
-
- opaque ASN.1Cert<1..2^24-1>;
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Brown & Housley [Page 9]
-
-Internet-Draft November 2006
-
-
- The EvidenceSignature definition is very similar to the Signature
- definition used elsewhere in TLS. The EvidenceSignature definition
- signs hash[hash_size], but the Signature definition used elsewhere in
- TLS signs a combination of an md5_hash and a sha_hash. Also, the
- EvidenceSignature definition excludes the anonymous case.
-
- enum { rsa, dsa, ecdsa } EvidenceSignatureAlgorithm;
-
- select (EvidenceSignatureAlgorithm)
- { case rsa:
- digitally-signed struct {
- opaque hash[hash_size];
- };
- case dsa:
- digitally-signed struct {
- opaque hash[hash_size];
- };
- case ecdsa:
- digitally-signed struct {
- opaque hash[hash_size];
- };
- } EvidenceSignature;
-
- The hash algorithm and the hash_size depend on evidence create
- algorithm suite selected by the server in the evidence_creation
- extension.
-
-4.2. EvidenceRequest Message
-
- The EvidenceRequest message contains the evidence_end1 alert sender's
- contribution to the persistent evidence. It employs the evidence
- create algorithm suite selected by the server in the
- evidence_creation extension in the extended server hello message.
-
- struct {
- Evidence evidence<1..2^16-1>;
- ASN.1Cert party1_certificate;
- EvidenceSignature party1_signature;
- } EvidenceRequest;
-
-
-
-
-
-
-
-
-
-
-
-
-Brown & Housley [Page 10]
-
-Internet-Draft November 2006
-
-
- struct {
- EvidenceCreateSuite evidence_suite;
- uint64 gmt_unix_time;
- uint64 app_data_sent_offset;
- uint64 app_data_received_offset;
- opaque handshake_protocol_hash<1..512>;
- opaque app_data_sent_hash<1..512>;
- opaque app_data_received_hash<1..512>;
- } Evidence;
-
- The elements of the EvidenceRequest structure are described below:
-
- evidence
- Contains an evidence create algorithm identifier, a timestamp,
- and three hash values in the Evidence structure as described
- below.
-
- party1_certificate
- Contains the X.509 certificate of the signer. While this
- certificate was probably exchanged and validated in the
- Handshake Protocol, inclusion here makes it clear which
- certificate was employed by the signer when the evidence is
- validated in the future, possibly by a third party.
-
- party1_signature
- Contains the digital signature computed by the sender of the
- evidence_end1 alert using the evidence creation algorithm suite
- identified in evidence_create_suite. The hash value is
- computed as:
-
- Hash(evidence)
-
- The elements of the Evidence structure are described below:
-
- evidence_suite
- Indicates the evidence creation algorithm suite selected by the
- server in the evidence_creation extension in the Handshake
- Protocol. This value determines the structure of the hash
- values and digital signatures.
-
- gmt_unix_time
- Indicates the current date and time according to the local
- system clock used by the sender of the evidence_end1 alert.
- This time value is intended to represent the moment in time
- that evidence_end1 was sent. Unlike other places in the TLS
- protocol, a 64-bit value is used to ensure that time values do
- not wrap in 2038.
-
-
-
-
-Brown & Housley [Page 11]
-
-Internet-Draft November 2006
-
-
- app_data_sent_offset
- Indicates the number of octets that were sent as part of this
- TLS session before evidence collection began.
-
- app_data_received_offset
- Indicates the number of octets that were received as part of
- this TLS session before evidence collection began.
-
- handshake_protocol_hash
- Compute as:
-
- Hash(handshake_messages),
-
- where handshake_messages refers to all Handshake Protocol
- messages sent or received, beginning with the most recent
- client hello message. If the double handshake mechanism
- described in the security considerations of [TLSAUTHZ] is used
- to encrypt the Handshake Protocol, the plaintext form of these
- messages is used in calculating this hash value.
-
- Verification of the handshake_protocol_hash is performed using
- the plaintext form of the Handshake protocol messages. For
- this hash value to be validated at a later time, this
- information must be saved as part of the overall evidence. Any
- attempt to save this data must ensure that it is not
- inappropriately disclosed by employing suitable physical
- protection or cryptographic mechanisms that are at least as
- strong as the selected TLS ciphersuite. Suitable controls are
- discussed further in the Security Considerations; see Section
- 6.
-
- In the case of successful TLS session resumption, the most
- recent client hello message will contain a valid
- ClientHello.session_id value as well as extensions, and these
- extensions may include sensitive data. The TLS Authorization
- Extension [AUTHZ] is one example where an extension might
- contain sensitive information. Thus, even when session
- resumption is employed, the content of the Handshake protocol
- messages ought to be protected.
-
- TLS users should ensure that the content of the Handshake
- protocol messages contain sufficient evidence to determine the
- intent of the signers, where "signers" are defined as the
- subject identities in the exchanged X.509 certificates.
- Clients and servers MAY record the protocol messages containing
- an expression of the intent of the signers using a suitable TLS
- extension [TLSEXT], such as [TLSAUTHZ]. For example, a client
- may request access to a resource provided by the server,
-
-
-
-Brown & Housley [Page 12]
-
-Internet-Draft November 2006
-
-
- provide sufficient authentication and authorization information
- grounds to convince the server to grant the requested access,
- and receive an affirmative response from the server. A record
- of TLS Handshake protocol messages representing this example
- may provide a sufficient record of the intent of both the
- client and the server.
-
- app_data_sent_hash
- Compute as:
-
- Hash(sent_application_data),
-
- where sent_application_data refers to all of the Application
- Data messages sent since the most recent evidence_start1 or
- evidence start2 alert was sent, and ending with the sending of
- the evidence_end1 alert. The alerts are not application data,
- and they are not included in the hash computation.
-
- app_data_received_hash
- Compute as:
-
- Hash(received_application_data),
-
- where received_application_data refers to all of the
- Application Data messages received since the most recent
- evidence_start1 or evidence start2 alert was received, and
- ending with the receipt of the evidence_end2 alert. The alerts
- are not application data, and they are not included in the hash
- computation.
-
-4.3. EvidenceResponse Message
-
- The EvidenceResponse message contains the complete persistent
- evidence. The value is saved by one or both parties as evidence of
- the TLS session content identified by the evidence_start1,
- evidence_start2, evidence_end1, and evidence_end2 alerts.
-
- struct {
- Evidence evidence<1..2^16-1>;
- ASN.1Cert party1_certificate;
- EvidenceSignature party1_signature;
- ASN.1Cert party2_certificate;
- EvidenceSignature party2_signature;
- } EvidenceResponse;
-
-
-
-
-
-
-
-Brown & Housley [Page 13]
-
-Internet-Draft November 2006
-
-
- The elements of the EvidenceResponse structure are described below:
-
- evidence
- Contains an evidence create algorithm identifier, a timestamp,
- and three hash values in the Evidence structure as described in
- section 4.2. The evidence creation algorithm MUST match the
- evidence create algorithm suite selected by the server in the
- evidence_creation extension in the extended server hello
- message. The timestamp MUST be acceptable to the
- EvidenceRequest recipient as the same value is provided in the
- EvidenceResponse message. The three hash values received in
- the EvidenceRequest message MUST match locally computed values
- over the same data. Note that the app_data_sent_hash and the
- app_data_received_hash values represent the session from the
- perspective of the EvidenceRequest originator, and the values
- are not swapped to represent the EvidenceRequest recipient
- perspective. If any of these conditions is not met, then the
- EvidenceResponse message MUST NOT be sent, and the TLS session
- MUST be closed immediately after sending a fatal
- evidence_failure(TBD) alert.
-
- party1_certificate
- Contains the X.509 certificate of the sender of the
- evidence_end1 alert. If this certificate cannot be validated,
- then TLS session must be closed immediately after sending one
- of the following fatal alerts: bad_certificate(42),
- unsupported_certificate(43), certificate_revoked(44), or
- certificate_expired(45). These alerts are described in Section
- 7.2.2 of [TLS1.1].
-
- party1_signature
- Contains the digital signature computed by the sender of the
- evidence_end1 alert. If this signature cannot be validated,
- then TLS session must be closed immediately after sending a
- fatal evidence_failure(TBD) alert.
-
- party2_certificate
- Contains the X.509 certificate of the sender of the
- evidence_end2 alert. While this certificate was probably
- exchanged and validated in the Handshake Protocol, inclusion
- here make it clear which certificate was employed by the signer
- when the evidence is validated in the future, possibly by a
- third party.
-
-
-
-
-
-
-
-
-Brown & Housley [Page 14]
-
-Internet-Draft November 2006
-
-
- Party2_signature
- Contains the digital signature computed by the sender of the
- evidence_end2 alert using the evidence creation algorithm suite
- identified in evidence_suite. The hash value is computed as:
-
- Hash(evidence)
-
-5. IANA Considerations
-
- This document defines one TLS extension: evidence_creation(TBD).
- This extension type value is assigned from the TLS Extension Type
- registry defined in [TLSEXT].
-
- This document defines five TLS alert descriptions: the
- evidence_start1(TBD), evidence_start2(TBD), evidence_end1(TBD),
- evidence_end2(TBD), and evidence_failure(TBD). These alert
- descriptions are assigned from the TLS Alert registry defined in
- [TLS1.1].
-
- This document defines one TLS ContentType: evidence(TBD). This
- ContentType value is assigned from the TLS ContentType registry
- defined in [TLS1.1].
-
- This document establishes a registry for TLS Evidence Protocol
- EvidenceMsgType. The first two entries in the registry are
- request(1) and response(2). All additional TLS Evidence Protocol
- EvidenceMsgType values are assigned by Standards Action as described
- in [IANA].
-
- This document establishes a registry for Evidence Create Algorithm
- suite identifiers. Appendix A lists the initial values for this
- registry. Evidence Create Algorithm suite identifier values with the
- first byte in the range 0-191 (decimal) inclusive are assigned by
- Standards Action as described in [IANA]. Values with the first byte
- in the range 192-254 (decimal) are assigned by Specification Required
- as described in [IANA]. Values with the first byte 255 (decimal) are
- reserved for Private Use as described in [IANA].
-
-6. Security Considerations
-
- This document describes an extension to the TLS protocol, and the
- security considerations in [TLS1.1] and [TLSEXT] apply.
- Additionally, temporal and storage security considerations are
- discussed below.
-
-
-
-
-
-
-
-Brown & Housley [Page 15]
-
-Internet-Draft November 2006
-
-
-6.1. Temporal Considerations
-
- Generating evidence that covers Application Data values that do not
- explicitly or implicitly indicate the point in time at which the
- Application Data was transferred over the TLS session might give rise
- to replay attacks, post-dating, pre-dating, or other temporal
- disputes. To avoid these concerns, the evidence includes an
- indication of the date and time. The TLS implementation MUST NOT
- attempt to extract date and time values from the Application Data;
- doing so is likely to be error prone. Instead, the date and time
- SHOULD come from a local clock or a trustworthy time server. Date
- and time are provided by one of the parties, and the other party
- determines that the date and time value is sufficiently accurate.
-
- When a more highly trusted time source is needed, the Time-Stamp
- Protocol [TSP] can be used to obtain a time-stamp on the evidence
- from a trusted third party.
-
-6.2. Storage Considerations
-
- Parties that choose to preserve a plaintext record of Application
- Data or Handshake Protocol messages for evidence verification at a
- later time must ensure must ensure that this data is not
- inappropriately disclosed by employing suitable physical protection
- or cryptographic mechanisms that are at least as strong as the
- selected TLS ciphersuite.
-
- Suitable physical controls for the protection of Application Data or
- Handshake Protocol messages containing keying material or sensitive
- data should use removable storage media in conjunction with durable,
- locking storage containers. If the removable media is transferred
- from one location to another or backup copies are made, secure
- handling protections ought to be employed, which might include the
- use of insured or bonded couriers.
-
- A suitable cryptographic mechanism provides confidentiality
- protection, since the hash value in the evidence itself provides
- integrity protection. One reasonable solution is to encrypt the
- Handshake Protocol messages and Application Data messages with a
- fresh symmetric encryption key using the same algorithm that was
- negotiated for the selected TLS ciphersuite. The key generation
- should follow the recommendations in [RANDOM]. Then, the symmetric
- key is encrypted for storage with the party's RSA public key or long-
- lived key-encryption key. The Cryptographic Message Syntax (CMS)
- [CMS] offers a convenient way to keep all of this information
- together.
-
-
-
-
-
-Brown & Housley [Page 16]
-
-Internet-Draft November 2006
-
-
- An alternative cryptographic mechanism is to save the TLS session
- itself. The negotiated TLS ciphersuite was already used to protect
- the Application Data messages, and the Handshake Protocol messages
- contain the keying material necessary to decrypt them if the party
- retains the private keys and/or pre-shared secrets.
-
-7. References
-
-7.1. Normative References
-
- [IANA] Narten, T., and H. Alvestrand, "Guidelines for Writing
- an IANA Considerations Section in RFCs", RFC 3434,
- October 1998.
-
- [DSS] Federal Information Processing Standards Publication
- (FIPS PUB) 186, Digital Signature Standard, 2000.
-
- [PKCS1] Kaliski, B., "PKCS #1: RSA Encryption Version 1.5",
- RFC 2313, March 1998.
-
- [PKIX1] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet
- Public Key Infrastructure - Certificate and
- Certificate Revocation List (CRL) Profile", RFC 3280,
- April 2002.
-
- [TLS1.0] Dierks, T., and C. Allen, "The TLS Protocol, Version 1.0",
- RFC 2246, January 1999.
-
- [TLS1.1] Dierks, T., and E. Rescorla, "The Transport Layer Security
- (TLS) Protocol, Version 1.1", RFC 4346, April 2006.
-
- [TLSEXT] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
- and T. Wright, "Transport Layer Security (TLS) Extensions",
- RFC 4366, April 2006.
-
- [SHA] Federal Information Processing Standards Publication
- (FIPS PUB) 180-2, Secure Hash Algorithm, 2002.
-
- [STDWORDS] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [X9.62] X9.62-1998, "Public Key Cryptography For The Financial
- Services Industry: The Elliptic Curve Digital
- Signature Algorithm (ECDSA)", January 7, 1999.
-
-
-
-
-
-
-
-Brown & Housley [Page 17]
-
-Internet-Draft November 2006
-
-
-7.2. Informative References
-
- [AUTHZ] Brown, M., and R. Housley, "Transport Layer Security
- (TLS) Authorization Extensions", work in progress,
- draft-housley-tls-authz-extns.
-
- [CMS] Housley, R., "Cryptographic Message Syntax (CMS)",
- RFC 3852, July 2004.
-
- [TSP] Adams, C., Cain, P., Pinkas, D., and R. Zuccherato,
- "Internet X.509 Public Key Infrastructure: Time-Stamp
- Protocol (TSP)", RFC 3161,August 2001.
-
-8. Acknowledgements
-
- Thanks to C. Robert Beattie, J.D. and Randy V. Sabett, J.D., CISSP
- for their observations and comparisons between the Uniform Electronic
- Transactions Act (1999) prepared by the National Conference of
- Commissioners on Uniform State Laws versus the American Bar
- Association's Digital Signature Guidelines (1996), their observations
- regarding the strengths and weaknesses of these two approaches, and
- their desire to promote trust and reduce potential for litigation in
- online transactions. Their pro bono contribution of time and
- expertise deserves recognition.
-
- This material is based, in part, upon work supported by the United
- States Navy Space and Naval Warfare Systems Command under Contract
- No. N00039-06-C-0097.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Brown & Housley [Page 18]
-
-Internet-Draft November 2006
-
-
-Appendix A. Evidence Create Algorithms
-
- The following values define the EvidenceCreateSuite identifiers used
- in the TLS Evidence Extensions.
-
- An EvidenceCreateSuite defines a cipher specification supported by
- TLS Evidence Extensions. A suite identifier names a public key
- signature algorithm and an associated one-way hash function. A
- registration is named as follows:
-
- <SignatureAlgorithm>_WITH_<HashFunction>
-
- These components have the following meaning:
-
- <SignatureAlgorithm>
- Specifies the digital signature algorithm and key length
- associated with the algorithm. It is used to digitally sign
- the evidence. The "RSA_1024" value indicates the use of the
- PKCS#1 v1.5 [PKCS1] digital signature algorithm using a
- 1024-bit public key. The "DSS_1024" value indicates the use of
- the DSS digital signature algorithm [DSS] with a 1024-bit
- public key. The "ECDSA_P384" value indicates the use of the
- ECDSA digital signature algorithm [X9.62] using the P-384 named
- elliptic curve.
-
- <HashFunction>
- Specifies the one-way hash function used as part of the digital
- signature. The "SHA_1", "SHA_224", "SHA_256", "SHA_384", and
- "SHA_512" values identify members of the Secure Hash Algorithm
- family of one-way- hash functions [SHA].
-
- In most cases it will be appropriate to use the same algorithms and
- certified public keys that were negotiated in the TLS Handshake
- Protocol. The following additional steps are required in order to
- employ the digital signature aspects of a TLS CipherSuite to a valid
- EvidenceCreateSuite:
-
- 1) CipherSuites that do not include signature-capable certificates
- cannot be used as EvidenceCreateSuite.
-
- 2) CipherSuites that specify the use of MD5 one-way hash function
- should not be used as EvidenceCreateSuite.
-
- Of course, any aspect of a CipherSuite that deals with symmetric
- ciphers and symmetric cipher key lengths is not relevant to the
- EvidenceCreateSuite.
-
-
-
-
-
-Brown & Housley [Page 19]
-
-Internet-Draft November 2006
-
-
- All public key certificate profiles used in TLS are defined by the
- IETF PKIX working group in [PKIX1]. When a key usage extension is
- present, then either the digitalSignature bit or the nonRepudiation
- bit MUST be set for the public key to be eligible for signing
- evidence. If both bits are set, then this requirement is satisfied.
-
- The following EvidenceCreateSuite definitions are made at this time.
- Section 5 specifies the procedures for registering additional
- EvidenceCreateSuite definitions.
-
- EvidenceCreateSuite RSA_1024_WITH_SHA_1 = { 0x00, 0x01 };
- EvidenceCreateSuite RSA_1024_WITH_SHA_256 = { 0x00, 0x02 };
- EvidenceCreateSuite RSA_2048_WITH_SHA_256 = { 0x00, 0x03 };
-
- EvidenceCreateSuite DSS_1024_WITH_SHA_1 = { 0x00, 0x11 };
- EvidenceCreateSuite DSS_2048_WITH_SHA_256 = { 0x00, 0x12 };
-
- EvidenceCreateSuite ECDSA_P256_WITH_SHA_256 = { 0x00, 0x21 };
- EvidenceCreateSuite ECDSA_P384_WITH_SHA_384 = { 0x00, 0x22 };
- EvidenceCreateSuite ECDSA_P521_WITH_SHA_512 = { 0x00, 0x23 };
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Brown & Housley [Page 20]
-
-Internet-Draft November 2006
-
-
-Author's Address
-
- Mark Brown
- RedPhone Security
- 2019 Palace Avenue
- Saint Paul, MN 55105
- USA
- mark <at> redphonesecurity <dot> com
-
- Russell Housley
- Vigil Security, LLC
- 918 Spring Knoll Drive
- Herndon, VA 20170
- USA
- housley <at> vigilsec <dot> com
-
-Full Copyright Statement
-
- Copyright (C) The Internet Society (2006). This document is subject
- to the rights, licenses and restrictions contained in BCP 78, and
- except as set forth therein, the authors retain all their rights.
-
- This document and translations of it may be copied and furnished to
- others, and derivative works that comment on or otherwise explain it
- or assist in its implementation may be prepared, copied, published
- and distributed, in whole or in part, without restriction of any
- kind, provided that the above copyright notice and this paragraph are
- included on all such copies and derivative works. However, this
-
- document itself may not be modified in any way, such as by removing
- the copyright notice or references to the Internet Society or other
- Internet organizations, except as needed for the purpose of
- developing Internet standards in which case the procedures for
- copyrights defined in the Internet Standards process must be
- followed, or as required to translate it into languages other than
- English.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
- ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
- INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
- INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-
-
-
-
-
-Brown & Housley [Page 21]
View Lorry Controller Status