1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
|
<pre>Internet Engineering Task Force (IETF) J. Altman
Request for Comments: 5929 Secure Endpoints
Category: Standards Track N. Williams
ISSN: 2070-1721 Oracle
L. Zhu
Microsoft Corporation
July 2010
<span class="h1">Channel Bindings for TLS</span>
Abstract
This document defines three channel binding types for Transport Layer
Security (TLS), tls-unique, tls-server-end-point, and tls-unique-for-
telnet, in accordance with <a href="./rfc5056">RFC 5056</a> (On Channel Binding).
Note that based on implementation experience, this document changes
the original definition of 'tls-unique' channel binding type in the
channel binding type IANA registry.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc5929">http://www.rfc-editor.org/info/rfc5929</a>.
Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
<span class="grey">Altman, et al. Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
This document may contain material from IETF Documents or IETF
Contributions published or made publicly available before November
10, 2008. The person(s) controlling the copyright in some of this
material may not have granted the IETF Trust the right to allow
modifications of such material outside the IETF Standards Process.
Without obtaining an adequate license from the person(s) controlling
the copyright in such materials, this document may not be modified
outside the IETF Standards Process, and derivative works of it may
not be created outside the IETF Standards Process, except to format
it for publication as an RFC or to translate it into languages other
than English.
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Conventions Used in This Document ...............................<a href="#page-3">3</a>
<a href="#section-3">3</a>. The 'tls-unique' Channel Binding Type ...........................<a href="#page-3">3</a>
<a href="#section-3.1">3.1</a>. Description ................................................<a href="#page-3">3</a>
<a href="#section-3.2">3.2</a>. Registration ...............................................<a href="#page-4">4</a>
<a href="#section-4">4</a>. The 'tls-server-end-point' Channel Binding Type .................<a href="#page-5">5</a>
<a href="#section-4.1">4.1</a>. Description ................................................<a href="#page-5">5</a>
<a href="#section-4.2">4.2</a>. Registration ...............................................<a href="#page-6">6</a>
<a href="#section-5">5</a>. The 'tls-unique-for-telnet' Channel Binding Type ................<a href="#page-6">6</a>
<a href="#section-5.1">5.1</a>. Description ................................................<a href="#page-7">7</a>
<a href="#section-5.2">5.2</a>. Registration ...............................................<a href="#page-7">7</a>
<a href="#section-6">6</a>. Applicability of TLS Channel Binding Types ......................<a href="#page-7">7</a>
<a href="#section-7">7</a>. Required Application Programming Interfaces ....................<a href="#page-10">10</a>
8. Description of Backwards-Incompatible Changes Made
Herein to 'tls-unique' .........................................<a href="#page-10">10</a>
<a href="#section-9">9</a>. IANA Considerations ............................................<a href="#page-11">11</a>
<a href="#section-10">10</a>. Security Considerations .......................................<a href="#page-11">11</a>
<a href="#section-10.1">10.1</a>. Cryptographic Algorithm Agility ..........................<a href="#page-12">12</a>
10.2. On Disclosure of Channel Bindings Data by
Authentication Mechanisms ................................<a href="#page-12">12</a>
<a href="#section-11">11</a>. References ....................................................<a href="#page-13">13</a>
<a href="#section-11.1">11.1</a>. Normative References .....................................<a href="#page-13">13</a>
<a href="#section-11.2">11.2</a>. Informative References ...................................<a href="#page-14">14</a>
<span class="grey">Altman, et al. Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Subsequent to the publication of "On Channel Bindings" [<a href="./rfc5056" title=""On the Use of Channel Bindings to Secure Channels"">RFC5056</a>],
three channel binding types for Transport Layer Security (TLS) were
proposed, reviewed, and added to the IANA channel binding type
registry, all in accordance with [<a href="./rfc5056" title=""On the Use of Channel Bindings to Secure Channels"">RFC5056</a>]. Those channel binding
types are: 'tls-unique', 'tls-server-end-point', and 'tls-unique-for-
telnet'. It has become desirable to have these channel binding types
re-registered through an RFC so as to make it easier to reference
them, and to correct them to describe actual implementations. This
document does just that. The authors of those three channel binding
types have transferred, or have indicated that they will transfer,
"ownership" of those channel binding types to the IESG.
We also provide some advice on the applicability of these channel
binding types, as well as advice on when to use which. Additionally,
we provide an abstract API that TLS implementors should provide, by
which to obtain channel bindings data for a TLS connection.
WARNING: it turns out that the first implementor implemented and
deployed something rather different than what was described in the
IANA registration for 'tls-unique'. Subsequently, it was decided
that we should adopt that form of 'tls-unique'. This means that this
document makes a backwards-incompatible change to 'tls-unique'. See
<a href="#section-8">Section 8</a> for more details.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Conventions Used in This Document</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. The 'tls-unique' Channel Binding Type</span>
IANA updated the registration of the 'tls-unique' channel binding
type to match the description below. There are material and
substantial changes from the original registration, both in the
description as well as registration meta-data (such as registration
ownership).
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Description</span>
Description: The first TLS Finished message sent (note: the Finished
struct, not the TLS record layer message containing it) in the most
recent TLS handshake of the TLS connection being bound to (note: TLS
connection, not session, so that the channel binding is specific to
each connection regardless of whether session resumption is used).
If TLS renegotiation takes place before the channel binding
<span class="grey">Altman, et al. Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
operation, then the first TLS Finished message sent of the latest/
inner-most TLS connection is used. Note that for full TLS
handshakes, the first Finished message is sent by the client, while
for abbreviated TLS handshakes (session resumption), the first
Finished message is sent by the server.
WARNING: The definition, security, and interoperability
considerations of this channel binding type have changed since the
original registration. Implementors should read the document that
last updated this registration for more information.
Interoperability note:
This definition of 'tls-unique' means that a channel's bindings
data may change over time, which in turn creates a synchronization
problem should the channel's bindings data change between the time
that the client initiates authentication with channel binding and
the time that the server begins to process the client's first
authentication message. If that happens, the authentication
attempt will fail spuriously.
Based on the fact that while servers may request TLS
renegotiation, only clients may initiate it, this synchronization
problem can be avoided by clients and servers as follows: server
applications MUST NOT request TLS renegotiation during phases of
the application protocol during which application-layer
authentication occurs. Client applications SHOULD NOT initiate
TLS renegotiation between the start and completion of
authentication.
The rationale for making the server behavior a requirement while
the client behavior is only a recommendation is that there
typically exist TLS APIs for requesting renegotiation on the
server side of a TLS connection, while many client TLS stacks do
not provide fine-grained control over when TLS renegotiation
occurs.
Application protocols SHOULD be designed in such a way that a
server would never need to request TLS renegotiation immediately
before or during application-layer authentication.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Registration</span>
o Channel binding unique prefix: tls-unique
o Channel binding type: unique
o Channel type: TLS [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>]
<span class="grey">Altman, et al. Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
o Published specification: <<a href="./rfc5929">RFC 5929</a>>
o Channel binding is secret: no
o Description: <See specification>
o Intended usage: COMMON
o Person and email address to contact for further information: Larry
Zhu (larry.zhu@microsoft.com), Nicolas Williams
(Nicolas.Williams@oracle.com).
o Owner/Change controller name and email address: IESG.
o Expert reviewer name and contact information: IETF TLS WG
(tls@ietf.org, failing that, ietf@ietf.org)
o Note: see the published specification for advice on the
applicability of this channel binding type.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. The 'tls-server-end-point' Channel Binding Type</span>
IANA updated the registration of the 'tls-server-end-point' channel
binding type to match the description below. Note that the only
material changes from the original registration are: the "owner" (now
the IESG), the contacts, the published specification, and a note
indicating that the published specification should be consulted for
applicability advice. References were added to the description. All
other fields of the registration are copied here for the convenience
of readers.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Description</span>
Description: The hash of the TLS server's certificate [<a href="./rfc5280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC5280</a>] as it
appears, octet for octet, in the server's Certificate message. Note
that the Certificate message contains a certificate_list, in which
the first element is the server's certificate.
The hash function is to be selected as follows:
o if the certificate's signatureAlgorithm uses a single hash
function, and that hash function is either MD5 [<a href="./rfc1321" title=""The MD5 Message-Digest Algorithm"">RFC1321</a>] or SHA-1
[<a href="./rfc3174" title=""US Secure Hash Algorithm 1 (SHA1)"">RFC3174</a>], then use SHA-256 [<a href="#ref-FIPS-180-3" title=""Secure Hash Standard"">FIPS-180-3</a>];
o if the certificate's signatureAlgorithm uses a single hash
function and that hash function neither MD5 nor SHA-1, then use
the hash function associated with the certificate's
signatureAlgorithm;
<span class="grey">Altman, et al. Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
o if the certificate's signatureAlgorithm uses no hash functions or
uses multiple hash functions, then this channel binding type's
channel bindings are undefined at this time (updates to is channel
binding type may occur to address this issue if it ever arises).
The reason for using a hash of the certificate is that some
implementations need to track the channel binding of a TLS session in
kernel-mode memory, which is often at a premium.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Registration</span>
o Channel binding unique prefix: tls-server-end-point
o Channel binding type: end-point
o Channel type: TLS [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>]
o Published specification: <<a href="./rfc5929">RFC 5929</a>>
o Channel binding is secret: no
o Description: <See specification>
o Intended usage: COMMON
o Person and email address to contact for further information: Larry
Zhu (larry.zhu@microsoft.com), Nicolas Williams
(Nicolas.Williams@oracle.com).
o Owner/Change controller name and email address: IESG.
o Expert reviewer name and contact information: IETF TLS WG
(tls@ietf.org, failing that, ietf@ietf.org)
o Note: see the published specification for advice on the
applicability of this channel binding type.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. The 'tls-unique-for-telnet' Channel Binding Type</span>
IANA updated the registration of the 'tls-unique-for-telnet' channel
binding type to match the description below. Note that the only
material changes from the original registration are: the "owner" (now
the IESG), the contacts, the published specification, and a note
indicating that the published specification should be consulted for
applicability advice. The description is also clarified. We also
moved the security considerations notes to the security
considerations section of this document. All other fields of the
registration are copied here for the convenience of readers.
<span class="grey">Altman, et al. Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Description</span>
Description: There is a proposal for adding a "StartTLS" extension to
TELNET, and a channel binding extension for the various TELNET AUTH
mechanisms whereby each side sends the other a "checksum" (MAC --
message authentication code) of their view of the channel's bindings.
The client uses the TLS Finished messages (note: the Finished struct)
sent by the client and server, each concatenated in that order and in
their clear text form, of the first TLS handshake to which the
connection is being bound. The server does the same but in the
opposite concatenation order (server, then client).
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Registration</span>
o Channel binding unique prefix: tls-unique-for-telnet
o Channel binding type: unique
o Channel type: TLS [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>]
o Published specification: <<a href="./rfc5929">RFC 5929</a>>
o Channel binding is secret: no
o Description: <See specification>
o Intended usage: COMMON
o Person and email address to contact for further information: Jeff
Altman (jaltman@secure-endpoints.com), Nicolas Williams
(Nicolas.Williams@oracle.com).
o Owner/Change controller name and email address: IESG.
o Expert reviewer name and contact information: IETF TLS WG
(tls@ietf.org, failing that, ietf@ietf.org)
o Note: see the published specification for advice on the
applicability of this channel binding type.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Applicability of TLS Channel Binding Types</span>
The 'tls-unique-for-telnet' channel binding type is only applicable
to TELNET [<a href="./rfc0854" title=""Telnet Protocol Specification"">RFC0854</a>] and is available for all TLS connections.
The 'tls-unique' channel binding type is available for all TLS
connections, while 'tls-server-end-point' is only available when TLS
cipher suites with server certificates are used, specifically: cipher
<span class="grey">Altman, et al. Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
suites that use the Certificate handshake message, which typically
involve the use of PKIX [<a href="./rfc5280" title=""Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile"">RFC5280</a>]. For example, 'tls-server-end-
point' is available when using TLS ciphers suites such as (this is
not an exhaustive list):
o TLS_DHE_DSS_WITH_*
o TLS_DHE_RSA_WITH_*
o TLS_DH_DSS_WITH_*
o TLS_DH_RSA_WITH_*
o TLS_ECDHE_ECDSA_WITH_*
o TLS_ECDHE_RSA_WITH_*
o TLS_ECDH_ECDSA_WITH_*
o TLS_ECDH_RSA_WITH_*
o TLS_RSA_PSK_WITH_*
o TLS_RSA_WITH_*
o TLS_SRP_SHA_DSS_WITH_*
o TLS_SRP_SHA_RSA_WITH_*
but is not available when using TLS cipher suites such as (this is
not an exhaustive list):
o TLS_DHE_PSK_WITH_*
o TLS_DH_anon_WITH_*
o TLS_ECDHE_PSK_WITH_*
o TLS_ECDH_anon_WITH_*
o TLS_KRB5_WITH_*
o TLS_PSK_WITH_*
o TLS_SRP_SHA_WITH_*
<span class="grey">Altman, et al. Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
'tls-server-end-point' is also not applicable for use with OpenPGP
server certificates [<a href="./rfc5081" title=""Using OpenPGP Keys for Transport Layer Security (TLS) Authentication"">RFC5081</a>] [<a href="./rfc4880" title=""OpenPGP Message Format"">RFC4880</a>] (since these don't use the
Certificate handshake message).
Therefore, 'tls-unique' is applicable to more contexts than 'tls-
server-end-point'. However, 'tls-server-end-point' may be used with
existing TLS server-side proxies ("concentrators") without
modification to the proxies, whereas 'tls-unique' may require
firmware or software updates to server-side proxies. Therefore there
may be cases where 'tls-server-end-point' may interoperate but where
'tls-unique' may not.
Also, authentication mechanisms may arise that depend on channel
bindings to contribute entropy, in which case unique channel bindings
would always have to be used in preference to end-point channel
bindings. At this time there are no such mechanisms, though one such
SASL mechanism has been proposed. Whether such mechanisms should be
allowed is out of scope for this document.
For many applications, there may be two or more potentially
applicable TLS channel binding types. Existing security frameworks
(such as the GSS-API [<a href="./rfc2743" title=""Generic Security Service Application Program Interface Version 2, Update 1"">RFC2743</a>] or the SASL [<a href="./rfc4422" title=""Simple Authentication and Security Layer (SASL)"">RFC4422</a>] GS2 framework
[<a href="./rfc5801" title=""Using Generic Security Service Application Program Interface (GSS-API) Mechanisms in Simple Authentication and Security Layer (SASL): The GS2 Mechanism Family"">RFC5801</a>]) and security mechanisms generally do not support
negotiation of channel binding types. Therefore, application peers
need to agree a priori as to what channel binding type to use (or
agree to rules for deciding what channel binding type to use).
The specifics of whether and how to negotiate channel binding types
are beyond the scope of this document. However, it is RECOMMENDED
that application protocols making use of TLS channel bindings, use
'tls-unique' exclusively, except, perhaps, where server-side proxies
are common in deployments of an application protocol. In the latter
case an application protocol MAY specify that 'tls-server-end-point'
channel bindings must be used when available, with 'tls-unique' being
used when 'tls-server-end-point' channel bindings are not available.
Alternatively, the application may negotiate which channel binding
type to use, or may make the choice of channel binding type
configurable.
Specifically, application protocol specifications MUST indicate at
least one mandatory to implement channel binding type, MAY specify a
negotiation protocol, MAY allow for out-of-band negotiation or
configuration, and SHOULD have a preference for 'tls-unique' over
'tls-server-end-point'.
<span class="grey">Altman, et al. Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Required Application Programming Interfaces</span>
TLS implementations supporting the use of 'tls-unique' and/or 'tls-
unique-for-telnet' channel binding types MUST provide application
programming interfaces by which applications (clients and servers
both) may obtain the channel bindings for a TLS connection. Such
interfaces may be expressed in terms of extracting the channel
bindings data for a given connection and channel binding type.
Alternatively, the implementor may provide interfaces by which to
obtain the initial client Finished message, the initial server
Finished message, and/or the server certificate (in a form that
matches the description of the 'tls-server-end-point' channel binding
type). In the latter case, the application has to have knowledge of
the channel binding type descriptions from this document. This
document takes no position on which form these application
programming interfaces must take.
TLS implementations supporting TLS renegotiation SHOULD provide APIs
that allow applications to control when renegotiation can take place.
For example, a TLS client implementation may provide a "callback"
interface to indicate that the server requested renegotiation, but
may not start renegotiation until the application calls a function to
indicate that now is a good time to renegotiate.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Description of Backwards-Incompatible Changes Made Herein to</span>
'tls-unique'
The original description of 'tls-unique' read as follows:
|OLD| Description: The client's TLS Finished message (note: the
|OLD| Finished struct) from the first handshake of the connection
|OLD| (note: connection, not session, so that the channel binding
|OLD| is specific to each connection regardless of whether session
|OLD| resumption is used).
Original 'tls-unique' description
In other words: the client's Finished message from the first
handshake of a connection, regardless of whether that handshake was a
full or abbreviated handshake, and regardless of how many subsequent
handshakes (renegotiations) might have followed.
As explained in <a href="#section-1">Section 1</a>, this is no longer the description of 'tls-
unique', and the new description is not backwards compatible with the
original except in the case of TLS connections where: a) only one
handshake has taken place before application-layer authentication,
and b) that one handshake was a full handshake.
<span class="grey">Altman, et al. Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
This change has a number of implications:
o Backwards-incompatibility. It is possible that some
implementations of the original 'tls-unique' channel binding type
have been deployed. We know of at least one TLS implementation
that exports 'tls-unique' channel bindings with the original
semantics, but we know of no deployed application using the same.
Implementations of the original and new 'tls-unique' channel
binding type will only interoperate when: a) full TLS handshakes
are used, and b) TLS renegotiation is not used.
o Security considerations -- see <a href="#section-10">Section 10</a>.
o Interoperability considerations. As described in <a href="#section-3">Section 3</a>, the
new definition of the 'tls-unique' channel binding type has an
interoperability problem that may result in spurious
authentication failures unless the application implements one or
both of the techniques described in that section.
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. IANA Considerations</span>
IANA updated three existing channel binding type registrations. See
the rest of this document.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Security Considerations</span>
The Security Considerations sections of [<a href="./rfc5056" title=""On the Use of Channel Bindings to Secure Channels"">RFC5056</a>], [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>], and
[<a href="./rfc5746" title=""Transport Layer Security (TLS) Renegotiation Indication Extension"">RFC5746</a>] apply to this document.
The TLS Finished messages (see <a href="./rfc5246#section-7.4.9">Section 7.4.9 of [RFC5246]</a>) are known
to both endpoints of a TLS connection and are cryptographically bound
to it. For implementations of TLS that correctly handle
renegotiation [<a href="./rfc5746" title=""Transport Layer Security (TLS) Renegotiation Indication Extension"">RFC5746</a>], each handshake on a TLS connection is bound
to the preceding handshake, if any. Therefore, the TLS Finished
messages can be safely used as a channel binding provided that the
authentication mechanism doing the channel binding conforms to the
requirements in [<a href="./rfc5056" title=""On the Use of Channel Bindings to Secure Channels"">RFC5056</a>]. Applications utilizing 'tls-unique'
channel binding with TLS implementations without support for secure
renegotiation [<a href="./rfc5746" title=""Transport Layer Security (TLS) Renegotiation Indication Extension"">RFC5746</a>] MUST ensure that ChangeCipherSpec has been
used in any and all renegotiations prior to application-layer
authentication, and MUST discard any knowledge learned from the
server prior to the completion of application-layer authentication.
The server certificate, when present, is also cryptographically bound
to the TLS connection through its use in key transport and/or
authentication of the server (either by dint of its use in key
transport, by its use in signing key agreement, or by its use in key
<span class="grey">Altman, et al. Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
agreement). Therefore, the server certificate is suitable as an end-
point channel binding as described in [<a href="./rfc5056" title=""On the Use of Channel Bindings to Secure Channels"">RFC5056</a>].
<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Cryptographic Algorithm Agility</span>
The 'tls-unique' and 'tls-unique-for-telnet' channel binding types do
not add any use of cryptography beyond that used by TLS itself.
Therefore, these two channel binding types add no considerations with
respect to cryptographic algorithm agility.
The 'tls-server-end-point' channel binding type consists of a hash of
a server certificate. The reason for this is to produce manageably
small channel binding data, as some implementations will be using
kernel-mode memory (which is typically scarce) to store these. This
use of a hash algorithm is above and beyond TLS's use of
cryptography, therefore the 'tls-server-end-point' channel binding
type has a security consideration with respect to hash algorithm
agility. The algorithm to be used, however, is derived from the
server certificate's signature algorithm as described in <a href="#section-4.1">Section 4.1</a>;
to recap: use SHA-256 if the certificate signature algorithm uses MD5
or SHA-1, else use whatever hash function the certificate uses
(unless the signature algorithm uses no hash functions or more than
one hash function, in which case 'tls-server-end-point' is
undefined). The construction of 'tls-server-end-point' channel
bindings is not directly hash-agile (since no negotiation of hash
function is provided for), but it is hash-agile nonetheless. The
hash agility of 'tls-server-end-point' channel bindings derives from
PKIX and TLS.
Current proposals for randomized signatures algorithms [<a href="#ref-RHASH" title=""Strengthening Digital Signatures via Randomized Hashing"">RHASH</a>]
[<a href="#ref-NIST-SP.800-106.2009" title=""NIST Special Publication 800- 106: Randomized Hashing for Digital Signatures"">NIST-SP.800-106.2009</a>] use hash functions in their construction -- a
single hash function in each algorithm. Therefore, the 'tls-server-
end-point' channel binding type should be available even in cases
where new signatures algorithms are used that are based on current
randomized hashing proposals (but we cannot guarantee this, of
course).
<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. On Disclosure of Channel Bindings Data by Authentication</span>
<span class="h3"> Mechanisms</span>
When these channel binding types were first considered, one issue
that some commenters were concerned about was the possible impact on
the security of the TLS channel, of disclosure of the channel
bindings data by authentication mechanisms. This can happen, for
example, when an authentication mechanism transports the channel
bindings data, with no confidentiality protection, over other
transports (for example, in communicating with a trusted third
party), or when the TLS channel provides no confidentiality
<span class="grey">Altman, et al. Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
protection and the authentication mechanism does not protect the
confidentiality of the channel bindings data. This section considers
that concern.
When the TLS connection uses a cipher suite that does not provide
confidentiality protection, the TLS Finished messages will be visible
to eavesdroppers, regardless of what the authentication mechanism
does. The same is true of the server certificate which, in any case,
is generally visible to eavesdroppers. Therefore we must consider
our choices of TLS channel bindings here to be safe to disclose by
definition -- if that were not the case, then TLS with cipher suites
that don't provide confidentiality protection would be unsafe.
Furthermore, the TLS Finished message construction depends on the
security of the TLS PRF, which in turn needs to be resistant to key
recovery attacks, and we think that it is, as it is based on HMAC,
and the master secret is, well, secret (and the result of key
exchange).
Note too that in the case of an attempted active man-in-the-middle
attack, the attacker will already possess knowledge of the TLS
Finished messages for both inbound and outbound TLS channels (which
will differ, given that the attacker cannot force them to be the
same). No additional information is obtained by the attacker from
the authentication mechanism's disclosure of channel bindings data --
the attacker already has it, even when cipher suites providing
confidentiality protection are provided.
None of the channel binding types defined herein produce channel
bindings data that must be kept secret. Moreover, none of the
channel binding types defined herein can be expected to be private
(known only to the end-points of the channel), except that the unique
TLS channel binding types can be expected to be private when a cipher
suite that provides confidentiality protection is used to protect the
Finished message exchanges and the application data records
containing application-layer authentication messages.
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. References</span>
<span class="h3"><a class="selflink" id="section-11.1" href="#section-11.1">11.1</a>. Normative References</span>
[<a id="ref-FIPS-180-3">FIPS-180-3</a>] United States of America, National Institute
of Standards and Technology, "Secure Hash
Standard", Federal Information Processing
Standard (FIPS) 180-3, October 2008.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to
Indicate Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>,
<a href="./rfc2119">RFC 2119</a>, March 1997.
<span class="grey">Altman, et al. Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
[<a id="ref-RFC5056">RFC5056</a>] Williams, N., "On the Use of Channel Bindings
to Secure Channels", <a href="./rfc5056">RFC 5056</a>, November 2007.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport
Layer Security (TLS) Protocol Version 1.2",
<a href="./rfc5246">RFC 5246</a>, August 2008.
[<a id="ref-RFC5746">RFC5746</a>] Rescorla, E., Ray, M., Dispensa, S., and N.
Oskov, "Transport Layer Security (TLS)
Renegotiation Indication Extension",
<a href="./rfc5746">RFC 5746</a>, February 2010.
<span class="h3"><a class="selflink" id="section-11.2" href="#section-11.2">11.2</a>. Informative References</span>
[<a id="ref-NIST-SP.800-106.2009">NIST-SP.800-106.2009</a>] National Institute of Standards and
Technology, "NIST Special Publication 800-
106: Randomized Hashing for Digital
Signatures", February 2009.
[<a id="ref-RFC0854">RFC0854</a>] Postel, J. and J. Reynolds, "Telnet Protocol
Specification", STD 8, <a href="./rfc854">RFC 854</a>, May 1983.
[<a id="ref-RFC1321">RFC1321</a>] Rivest, R., "The MD5 Message-Digest
Algorithm", <a href="./rfc1321">RFC 1321</a>, April 1992.
[<a id="ref-RFC2743">RFC2743</a>] Linn, J., "Generic Security Service
Application Program Interface Version 2,
Update 1", <a href="./rfc2743">RFC 2743</a>, January 2000.
[<a id="ref-RFC3174">RFC3174</a>] Eastlake, D. and P. Jones, "US Secure Hash
Algorithm 1 (SHA1)", <a href="./rfc3174">RFC 3174</a>,
September 2001.
[<a id="ref-RFC4422">RFC4422</a>] Melnikov, A., Ed., and K. Zeilenga, Ed.,
"Simple Authentication and Security Layer
(SASL)", <a href="./rfc4422">RFC 4422</a>, June 2006.
[<a id="ref-RFC4880">RFC4880</a>] Callas, J., Donnerhacke, L., Finney, H.,
Shaw, D., and R. Thayer, "OpenPGP Message
Format", <a href="./rfc4880">RFC 4880</a>, November 2007.
[<a id="ref-RFC5081">RFC5081</a>] Mavrogiannopoulos, N., "Using OpenPGP Keys
for Transport Layer Security (TLS)
Authentication", <a href="./rfc5081">RFC 5081</a>, November 2007.
<span class="grey">Altman, et al. Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc5929">RFC 5929</a> TLS Channel Bindings July 2010</span>
[<a id="ref-RFC5280">RFC5280</a>] Cooper, D., Santesson, S., Farrell, S.,
Boeyen, S., Housley, R., and W. Polk,
"Internet X.509 Public Key Infrastructure
Certificate and Certificate Revocation List
(CRL) Profile", <a href="./rfc5280">RFC 5280</a>, May 2008.
[<a id="ref-RFC5801">RFC5801</a>] Josefsson, S. and N. Williams, "Using Generic
Security Service Application Program
Interface (GSS-API) Mechanisms in Simple
Authentication and Security Layer (SASL): The
GS2 Mechanism Family", <a href="./rfc5801">RFC 5801</a>, July 2010.
[<a id="ref-RHASH">RHASH</a>] Halevi, S. and H. Krawczyk, "Strengthening
Digital Signatures via Randomized Hashing",
Work in Progress, October 2007.
Authors' Addresses
Jeff Altman
Secure Endpoints
255 W 94TH ST PHB
New York, NY 10025
US
EMail: jaltman@secure-endpoints.com
Nicolas Williams
Oracle
5300 Riata Trace Ct
Austin, TX 78727
US
EMail: Nicolas.Williams@oracle.com
Larry Zhu
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
US
EMail: larry.zhu@microsoft.com
Altman, et al. Standards Track [Page 15]
</pre>
|
