summaryrefslogtreecommitdiff
path: root/doc/protocol/draft-ietf-tls-extractor-01.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/protocol/draft-ietf-tls-extractor-01.txt')
-rw-r--r--doc/protocol/draft-ietf-tls-extractor-01.txt392
1 files changed, 0 insertions, 392 deletions
diff --git a/doc/protocol/draft-ietf-tls-extractor-01.txt b/doc/protocol/draft-ietf-tls-extractor-01.txt
deleted file mode 100644
index a992f2b24f..0000000000
--- a/doc/protocol/draft-ietf-tls-extractor-01.txt
+++ /dev/null
@@ -1,392 +0,0 @@
-
-
-
-Network Working Group E. Rescorla
-Internet-Draft Network Resonance
-Intended status: Standards Track February 20, 2008
-Expires: August 23, 2008
-
-
- Keying Material Extractors for Transport Layer Security (TLS)
- draft-ietf-tls-extractor-01.txt
-
-Status of this Memo
-
- By submitting this Internet-Draft, each author represents that any
- applicable patent or other IPR claims of which he or she is aware
- have been or will be disclosed, and any of which he or she becomes
- aware will be disclosed, in accordance with Section 6 of BCP 79.
-
- Internet-Drafts are working documents of the Internet Engineering
- Task Force (IETF), its areas, and its working groups. Note that
- other groups may also distribute working documents as Internet-
- Drafts.
-
- Internet-Drafts are draft documents valid for a maximum of six months
- and may be updated, replaced, or obsoleted by other documents at any
- time. It is inappropriate to use Internet-Drafts as reference
- material or to cite them other than as "work in progress."
-
- The list of current Internet-Drafts can be accessed at
- http://www.ietf.org/ietf/1id-abstracts.txt.
-
- The list of Internet-Draft Shadow Directories can be accessed at
- http://www.ietf.org/shadow.html.
-
- This Internet-Draft will expire on August 23, 2008.
-
-Copyright Notice
-
- Copyright (C) The IETF Trust (2008).
-
-Abstract
-
- A number of protocols wish to leverage Transport Layer Security (TLS)
- to perform key establishment but then use some of the keying material
- for their own purposes. This document describes a general mechanism
- for allowing that.
-
-
-
-
-
-
-
-Rescorla Expires August 23, 2008 [Page 1]
-
-Internet-Draft TLS Extractors February 2008
-
-
-Table of Contents
-
- 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
- 2. Conventions Used In This Document . . . . . . . . . . . . . . . 3
- 3. Binding to Application Contexts . . . . . . . . . . . . . . . . 3
- 4. Extractor Definition . . . . . . . . . . . . . . . . . . . . . 4
- 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
- 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
- 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
- 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 6
- 8.1. Normative References . . . . . . . . . . . . . . . . . . . 6
- 8.2. Informational References . . . . . . . . . . . . . . . . . 6
- Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 6
- Intellectual Property and Copyright Statements . . . . . . . . . . 7
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Rescorla Expires August 23, 2008 [Page 2]
-
-Internet-Draft TLS Extractors February 2008
-
-
-1. Introduction
-
- A number of protocols wish to leverage Transport Layer Security (TLS)
- [RFC4346] or Datagram TLS (DTLS) [RFC4347] to perform key
- establishment but then use some of the keying material for their own
- purposes. A typical example is DTLS-SRTP [I-D.ietf-avt-dtls-srtp],
- which uses DTLS to perform a key exchange and negotiate the SRTP
- [RFC3711] protection suite and then uses the DTLS master_secret to
- generate the SRTP keys.
-
- These applications imply a need to be able to extract keying material
- (later called Exported Keying Material or EKM) from TLS/DTLS, and
- securely agree on the upper-layer context where the keying material
- will be used. The mechanism for extracting the keying material has
- the following requirements:
-
- o Both client and server need to be able to extract the same EKM
- value.
- o EKM values should be indistinguishable from random by attackers
- who don't know the master_secret.
- o It should be possible to extract multiple EKM values from the same
- TLS/DTLS association.
- o Knowing one EKM value should not reveal any information about the
- master_secret or about other EKM values.
-
- The mechanism described in this document is intended to fill these
- requirements.
-
-
-2. Conventions Used In This Document
-
- The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
- "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
- document are to be interpreted as described in [RFC2119].
-
-
-3. Binding to Application Contexts
-
- In addition to extracting keying material, an application using the
- keying material has to securely establish the upper-layer layer
- context where the keying material will be used. The details of this
- context depend on the application, but it could include things such
- as algorithms and parameters that will be used with the keys,
- identifier(s) for the endpoint(s) who will use the keys,
- identifier(s) for the session(s) where the keys will be used, and the
- lifetime(s) for the context and/or keys. At minimum, there should be
- some mechanism for signalling that an extractor will be used.
-
-
-
-
-Rescorla Expires August 23, 2008 [Page 3]
-
-Internet-Draft TLS Extractors February 2008
-
-
- This specification does not mandate a single mechanism for agreeing
- on such context; instead, there are several possibilities that can be
- used (and can complement each other). For example:
-
- o One important part of the context -- which application will use
- the extracted keys -- is given by the disambiguating label string
- (see Section 4).
- o Information about the upper-layer context can be included in the
- optional data after the extractor label (see Section 4).
- o Information about the upper-layer context can be exchanged in TLS
- extensions included in the ClientHello and ServerHello messages.
- This approach is used in [DTLS-SRTP]. The handshake messages are
- protected by the Finished messages, so once the handshake
- completes, the peers will have the same view of the information.
- Extensions also allow a limited form of negotiation: for example,
- the TLS client could propose several alternatives for some context
- parameters, and TLS server could select one of them.
- o The upper-layer protocol can include its own handshake which can
- be protected using the keys extracted from TLS.
-
- It is important to note that just embedding TLS messages in the
- upper-layer protocol may not automatically secure all the important
- context information, since the upper-layer messages are not covered
- by TLS Finished messages.
-
-
-4. Extractor Definition
-
- An extractor takes as input three values:
-
- o A disambiguating label string
- o A per-association context value provided by the extractor using
- application
- o A length value
-
- It then computes:
-
-
- PRF(master_secret, label,
- SecurityParameters.client_random +
- SecurityParameters.server_random +
- context_value_length + context_value
- )[length]
-
- The output is a pseudorandom bit string of length bytes generated
- from the master_secret.
-
- Label values beginning with "EXPERIMENTAL" MAY be used for private
-
-
-
-Rescorla Expires August 23, 2008 [Page 4]
-
-Internet-Draft TLS Extractors February 2008
-
-
- use without registration. All other label values MUST be registered
- via Specification Required as described by RFC 2434 [RFC2434]. Note
- that extractor labels have the potential to collide with existing PRF
- labels. In order to prevent this, labels SHOULD begin with
- "EXTRACTOR". This is not a MUST because there are existing uses
- which have labels which do not begin with this prefix.
-
- The context value allows the application using the extractor to mix
- its own data with the TLS PRF for the extractor output. The context
- value length is encoded as an unsigned 16-bit quantity (uint16)
- representing the length of the context value.
-
-
-5. Security Considerations
-
- Because an extractor produces the same value if applied twice with
- the same label to the same master_secret, it is critical that two EKM
- values generated with the same label be used for two different
- purposes--hence the requirement for IANA registration. However,
- because extractors depend on the TLS PRF, it is not a threat to the
- use of an EKM value generated from one label to reveal an EKM value
- generated from another label.
-
-
-6. IANA Considerations
-
- IANA is requested to create (has created) a TLS Extractor Label
- registry for this purpose. The initial contents of the registry are
- given below:
-
- Value Reference
- ----- ------------
- client finished [RFC4346]
- server finished [RFC4346]
- master secret [RFC4346]
- key expansion [RFC4346]
- client EAP encryption [RFC2716]
- ttls keying material [draft-funk-eap-ttls-v0-01]
-
- Future values are allocated via RFC2434 Specification Required
- policy. The label is a string consisting of printable ASCII
- characters. IANA MUST also verify that one label is not a prefix of
- any other label. For example, labels "key" or "master secretary" are
- forbidden.
-
-
-
-
-
-
-
-Rescorla Expires August 23, 2008 [Page 5]
-
-Internet-Draft TLS Extractors February 2008
-
-
-7. Acknowledgments
-
- Thanks to Pasi Eronen for valuable comments and the contents of the
- IANA section and Section 3.
-
-
-8. References
-
-8.1. Normative References
-
- [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
- Requirement Levels", BCP 14, RFC 2119, March 1997.
-
- [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an
- IANA Considerations Section in RFCs", BCP 26, RFC 2434,
- October 1998.
-
- [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security
- (TLS) Protocol Version 1.1", RFC 4346, April 2006.
-
-8.2. Informational References
-
- [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
- Security", RFC 4347, April 2006.
-
- [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and K.
- Norrman, "The Secure Real-time Transport Protocol (SRTP)",
- RFC 3711, March 2004.
-
- [I-D.ietf-avt-dtls-srtp]
- McGrew, D. and E. Rescorla, "Datagram Transport Layer
- Security (DTLS) Extension to Establish Keys for Secure
- Real-time Transport Protocol (SRTP)",
- draft-ietf-avt-dtls-srtp-01 (work in progress),
- November 2007.
-
-
-Author's Address
-
- Eric Rescorla
- Network Resonance
- 2064 Edgewood Drive
- Palo Alto, CA 94303
- USA
-
- Email: ekr@networkresonance.com
-
-
-
-
-
-Rescorla Expires August 23, 2008 [Page 6]
-
-Internet-Draft TLS Extractors February 2008
-
-
-Full Copyright Statement
-
- Copyright (C) The IETF Trust (2008).
-
- This document is subject to the rights, licenses and restrictions
- contained in BCP 78, and except as set forth therein, the authors
- retain all their rights.
-
- This document and the information contained herein are provided on an
- "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
- OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
- THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
- OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
- THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
- WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-
-
-Intellectual Property
-
- The IETF takes no position regarding the validity or scope of any
- Intellectual Property Rights or other rights that might be claimed to
- pertain to the implementation or use of the technology described in
- this document or the extent to which any license under such rights
- might or might not be available; nor does it represent that it has
- made any independent effort to identify any such rights. Information
- on the procedures with respect to rights in RFC documents can be
- found in BCP 78 and BCP 79.
-
- Copies of IPR disclosures made to the IETF Secretariat and any
- assurances of licenses to be made available, or the result of an
- attempt made to obtain a general license or permission for the use of
- such proprietary rights by implementers or users of this
- specification can be obtained from the IETF on-line IPR repository at
- http://www.ietf.org/ipr.
-
- The IETF invites any interested party to bring to its attention any
- copyrights, patents or patent applications, or other proprietary
- rights that may cover technology that may be required to implement
- this standard. Please address the information to the IETF at
- ietf-ipr@ietf.org.
-
-
-Acknowledgment
-
- Funding for the RFC Editor function is provided by the IETF
- Administrative Support Activity (IASA).
-
-
-
-
-
-Rescorla Expires August 23, 2008 [Page 7]
-
View Lorry Controller Status