90 likes | 99 Views
This article explores the need for TLS extensions to cater to protocol developers' security requirements. It discusses integrating strong KDF, channel bindings, opaque objects, and extractors to bind key material to application context, offering a robust solution. It emphasizes the importance of allowing applications to contribute to key generation and authentication processes within TLS. The proposal suggests adopting opaque objects and extractors as working group documents to empower application developers and prevent protocol design complexities.
E N D
Extending TLS to Meet Protocol Developers’ Requirements July 23, 2007 Tim Polk
Why Am I Up Here? • Protocol developers are increasingly drawn to TLS to provision security services • As they should, it is a great protocol • Strong KDF that incorporates TLS context into derived key material • We want to encourage this, because inventing new mechanisms is always risky • Review is time consuming • Fixing errors is even more time consuming!
Why Am I Up Here? • TLS provisioned security services focus on the TLS endpoints, not on the calling protocols • Applications do not have an opportunity to contribute context to the TLS KDF • Applications needing additional key material need to run another KDF
Building on Channel Bindings • Channel bindings are an important step in the right direction • Incorporating the TLS finished messages into the authentication process binds the TLS key material to the authenticated identity at the application level • But we really want a mechanism that allows the application or protocol to contribute to the KDF, strongly binding the upper level context to the key material
Opaque Objects • draft-rescorla-tls-opaque-prf-input-00.txt • “it is desirable to have some material with the following properties”: • It is contributed both by client and server. • It is arbitrary-length. • It is mixed into the eventual keying material. • It is structured and decodable by the receiving party.
What Does That Get You? • Client and server can each assert their view of the application context • Client and server can verify application context is consistent at the endpoints • Key material that protects this application is strongly bound to that context, in addition to the context of the TLS session. • (If the client is authenticated,) the identities of both parties are bound to the key material.
TLS Extractors Draft • Endpoints request creation of additional key material for use by the application • http://tools.ietf.org/html/draft-rescorla-tls-extractor-00 • This is a very powerful tool, but we can augment this and make it stronger • Cryptographers’ rule of thumb: applications should contribute something to the derivation of their own keys… • So opaque objects and extractors in concert would provide a much stronger solution
Providing a tool • From the context of TLS, this mechanism does not have any negative impacts • From the context of the application, this mechanism can • Bind the app context to the session key material • Amplify channel bindings • Bind the app context to any additional TLS-derived application layer key material • We can and should provide these tools to application developers • Lets avoid those tricky protocol design problems!
Proposal • TLS should adopt opaque objects as a wg document • TLS should adopt the extractors draft as a wg document