mirror of
https://github.com/torproject/torspec.git
synced 2024-11-24 02:09:50 +00:00
341 lines
15 KiB
Plaintext
341 lines
15 KiB
Plaintext
Filename: 294-tls-1.3.txt
|
|
Title: TLS 1.3 Migration
|
|
Authors: Isis Lovecruft
|
|
Created: 11 December 2017
|
|
Updated: 23 January 2018
|
|
Status: Draft
|
|
|
|
This proposal is currently in draft state and should be periodically
|
|
revised as we research how much of our idiosyncratic older TLS uses
|
|
can be removed.
|
|
|
|
1. Motivation
|
|
|
|
TLS 1.3 is a substantial redesign over previous versions of TLS, with several
|
|
significant protocol changes which should likely provide Tor implementations
|
|
with not only greater security but an improved ability to blend into "normal"
|
|
TLS traffic on the internet, due to its improvements in encrypting more
|
|
portions of the handshake.
|
|
|
|
Tor implementations may utilise the new TLS 1.3 EncryptedExtensions feature
|
|
to define arbitrary encrypted TLS extensions to encompass our less standard
|
|
(ab)uses of TLS. Additionally, several new Elliptic Curve (EC) based
|
|
signature algorithms, including Ed25519 and Ed448, are included within the
|
|
base specification including a single specification for EC point compression
|
|
for each supported curve, further decreasing our reliance on
|
|
Tor-protocol-specific uses and extensions (and implementation details).
|
|
|
|
Other new features which Tor implementations might take advantage of include
|
|
improved (server-side) stateless session resumption, which might be usable
|
|
for OPs to resume sessions with their guards, for example after network
|
|
disconnection or router IP address reassignment.
|
|
|
|
2. Summary
|
|
|
|
Everything that's currently TLS 1.2: make it use TLS 1.3. KABLAM. DONE.
|
|
|
|
For an excellent summary of differences between TLS 1.2 and TLS 1.3, see
|
|
[TLS-1.3-DIFFERENCES].
|
|
|
|
3. Specification
|
|
|
|
3.1. Link Subprotocol 4
|
|
|
|
(We call it "Link v4" here, but reserve whichever is the subsequently
|
|
available subprotocol version at the time.)
|
|
|
|
3.2. TLS Session Resumption & Compression
|
|
|
|
As before, implementations MUST NOT allow TLS session resumption. In the
|
|
event that it might be decided in the future that OR implementations would
|
|
benefit from 0-RTT, we can re-evaluate this decision and its security
|
|
considerations in a separate proposal.
|
|
|
|
Compression has been removed from TLS in version 1.3, so we no longer need to
|
|
make recommendations against its usage.
|
|
|
|
3.3. Handshake Protocol
|
|
|
|
3.3.1. Negotiation
|
|
|
|
The initiator sends the following four sets of options, as defined in §4.1.1
|
|
of [TLS-1.3-NEGOTIATION]:
|
|
>
|
|
> - A list of cipher suites which indicates the AEAD algorithm/HKDF hash
|
|
> pairs which the client supports.
|
|
> - A “supported_groups” (Section 4.2.7) extension which indicates the
|
|
> (EC)DHE groups which the client supports and a “key_share” (Section 4.2.8)
|
|
> extension which contains (EC)DHE shares for some or all of these groups.
|
|
> - A “signature_algorithms” (Section 4.2.3) extension which indicates the
|
|
> signature algorithms which the client can accept.
|
|
> - A “pre_shared_key” (Section 4.2.11) extension which contains a list of
|
|
> symmetric key identities known to the client and a “psk_key_exchange_modes”
|
|
> (Section 4.2.9) extension which indicates the key exchange modes that may be
|
|
> used with PSKs.
|
|
|
|
In our case, the initiator MUST leaave the PSK section blank and MUST include
|
|
the "key_share" extension, and the responder proceeds to select a ECDHE
|
|
group, including its "key_share" in the response ServerHello.
|
|
|
|
3.3.2. ClientHello
|
|
|
|
To initiate a v4 handshake, the client sends a TLS1.3 ClientHello with the
|
|
following options:
|
|
|
|
- The "legacy_version" field MUST be set to "TLS 1.2 (0x0303)". TLS 1.3
|
|
REQUIRES this. (Actual version negotiation is done via the
|
|
"supported_versions" extension. See §5.1 of this proposal for details of
|
|
the case where a TLS-1.3 capable initiator finds themself talking to a
|
|
node which does not support TLS 1.3 and/or doesn't support v4.)
|
|
|
|
- The "random" field MUST be filled with 32 bytes of securely generated
|
|
randomness.
|
|
|
|
- The "legacy_session_id" MUST be set to a new pseudorandom value each
|
|
time, regardless of whether the initiator has previously opened either a
|
|
TLS1.2 or TLS1.3 connection to the other side.
|
|
|
|
- The "legacy_compression_methods" MUST be set to a single null byte,
|
|
indicating no compression is supported. (This is the only valid setting
|
|
for this field in TLS1.3, since there is no longer any compression
|
|
support.)
|
|
|
|
- The "cipher_suites" should be set to
|
|
"TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:"
|
|
This is the DEFAULT cipher suite list for OpenSSL 1.1.1. While an
|
|
argument could be made for customisation to remove the AES-128 option, we
|
|
choose to attempt to blend in which the majority of other TLS-1.3
|
|
clients, since this portion of the handshake is unencrypted.
|
|
(If the initiator actually means to begin a v3 protocol connection, they
|
|
send these ciphersuites anyway, cf. §5.2 of this proposal.)
|
|
|
|
- The "supported_groups" MUST include "X25519" and SHOULD NOT include any
|
|
of the NIST P-* groups.
|
|
|
|
- The "signature_algorithms" MUST include "ed25519 (0x0807)".
|
|
Implementations MAY advertise support for other signature schemes,
|
|
including "ed448 (0x0808)", however they MUST NOT advertise support for
|
|
ECDSA schemes due to the perils of secure implementation.
|
|
|
|
The initiator MUST NOT send any "pre_shared_key" or "psk_key_exchange_modes"
|
|
extensions.
|
|
|
|
The details of the "signature_algorithms" choice depends upon the final
|
|
standardisation of PKIX. [IETF-PKIX]
|
|
|
|
3.3.2.1. ClientHello Extensions
|
|
|
|
From [TLS-1.3_SIGNATURE_ALGOS]:
|
|
>
|
|
> The “signature_algorithms_cert” extension was added to allow implementatations
|
|
> which supported different sets of algorithms for certificates and in TLS itself
|
|
> to clearly signal their capabilities. TLS 1.2 implementations SHOULD also
|
|
> process this extension.
|
|
|
|
In order to support cross-certification, the initiator's ClientHello MUST
|
|
include the "signature_algorithms_cert" extension, in order to signal that
|
|
some certificate chains (one in particular) will include a certificate signed
|
|
using RSA-PKCSv1-SHA1:
|
|
|
|
- The "signature_algorithms_cert" MUST include the legacy algorithm
|
|
"rsa_pkcs1_sha1(0x0201)".
|
|
|
|
3.3.3. ServerHello
|
|
|
|
To respond to a TLS 1.3 ClientHello which supports the v4 link handshake
|
|
protocol, the responder sends a ServerHello with the following options:
|
|
|
|
- The "legacy_version" field MUST be set to "TLS 1.2 (0x0303)". TLS 1.3
|
|
REQUIRES this. (Actual version negotiation is done via the
|
|
"supported_versions" extension. See §5.1 of this proposal for details of
|
|
the case where a TLS-1.3 capable initiator finds themself talking to a
|
|
node which does not support TLS 1.3 and/or doesn't support v4.)
|
|
|
|
- The "random" field MUST be filled with 32 bytes of securely generated
|
|
randomness.
|
|
|
|
- The "legacy_session_id_echo" field MUST be filled with the contents of
|
|
the "legacy_session_id" from the initiator's ClientHello.
|
|
|
|
- The "cipher_suite" field MUST be set to "TLS13-CHACHA20-POLY1305-SHA256".
|
|
|
|
- The "legacy_compression_method" MUST be set to a single null byte,
|
|
indicating no compression is supported. (This is the only valid setting
|
|
for this field in TLS1.3, since there is no longer any compression
|
|
support.)
|
|
|
|
XXX structure and "key_share" response (XXX can we pre-generate a cache of
|
|
XXX key_shares?)
|
|
|
|
3.3.3.1 ServerHello Extensions
|
|
|
|
XXX what extensions do we need?
|
|
|
|
4. Implementation Details
|
|
|
|
4.1. Certificate Chains and Cross-Certifications
|
|
|
|
TLS 1.3 specifies that a certificate in a chain SHOULD be directly certified by
|
|
the preceding certificate in the chain. This seems to imply that OR
|
|
implementations SHOULD NOT do the DAG-like construction normally implied by
|
|
cross-certification between the master Ed25519 identity key and the master
|
|
RSA-1024 identity key.
|
|
|
|
Instead, since certificate chains are expected to be linear, we'll need three
|
|
certificate chains included in the same handshake:
|
|
|
|
1. EdMaster->EdSigning, EdSigning->Link
|
|
2. EdMaster->RSALegacy
|
|
3. RSALegacy->EdMaster
|
|
|
|
where A->B denotes that the certificate containing B has been signed with key A.
|
|
|
|
4.2. Removal of AUTHENTICATE, CLIENT_AUTHENTICATE, and CERTS cells
|
|
|
|
XXX see prop#224 and RFC5705 and compare
|
|
|
|
XXX when can we remove our "renegotiation" handshake completely?
|
|
|
|
5. Compatibility
|
|
|
|
5.1. TLS 1.2 version negotiation
|
|
|
|
From [TLS-1.3-DIFFERENCES]:
|
|
>
|
|
> The “supported_versions” ClientHello extension can be used to
|
|
> negotiate the version of TLS to use, in preference to the
|
|
> legacy_version field of the ClientHello.
|
|
|
|
If an OR does not receive a ClientHello with a "supported_versions"
|
|
extenstion, it MUST fallback to using the Tor Link subprotocols v3. That is,
|
|
the OR MUST immediately fallback to TLS 1.2 (or v3 with TLS 1.3, cf. the next
|
|
section) and, following both Tor's "renegotiation" and "in-protocol" version
|
|
negotiation mechanisms, immediately send a VERSIONS cell.
|
|
|
|
Otherwise, upon seeing a "supported_versions" in the ClientHello set to
|
|
0x0304, the OR should procede with Tor's Link subprotocol 4.
|
|
|
|
5.2. Preparing Tor's v3 Link Subprotocol for TLS 1.3
|
|
|
|
Some changes to the current v3 Link protocol are required, and these MUST
|
|
be backported, since implementations which are currently compiled against
|
|
TLS1.3-supporting OpenSSLs fail to establish any connections due to:
|
|
|
|
- failing to include any ciphersuite candidates which are TLS1.3 compatible
|
|
|
|
This is likely to be accomplished by:
|
|
|
|
1. Prefacing our v3 ciphersuite lists with
|
|
TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-256-GCM-SHA384:
|
|
(We could also retroactively change our custom cipher suite list to be
|
|
the HIGH cipher suites, since this includes all TLS 1.3 suites.)
|
|
2. Calling SSL_CTX_set1_groups() to set the supported groups (should be set
|
|
to "X25519:P-256"). [TLS-1.3_SET1_GROUPS]
|
|
3. Taking care that older OpenSSLs, which instead have the concept of
|
|
"curves" not groups, should have their equivalent TLS context settings
|
|
in place. [TLS-1.3_SET1_GROUPS] mentions that "The curve functions were
|
|
first added to OpenSSL 1.0.2. The equivalent group functions were first
|
|
added to OpenSSL 1.1.1".
|
|
|
|
However more steps may need to be taken.
|
|
|
|
[XXX are there any more steps necessary? —isis]
|
|
|
|
6. Security Implications
|
|
|
|
XXX evaluate the static RSA attack and its effects on TLS1.2/TLS1.3
|
|
XXX dual-operable protocols and determine if they apply
|
|
XXX
|
|
XXX Jager, T., Schwenk, J. and J. Somorovsky, "On the Security
|
|
XXX of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption",
|
|
XXX Proceedings of ACM CCS 2015 , 2015.
|
|
XXX https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf
|
|
|
|
7. Performance and Scalability
|
|
|
|
8. Availability and External Deployment
|
|
|
|
8.1. OpenSSL Availability and Interoperability
|
|
|
|
Implementation should be delayed until the stable release of OpenSSL 1.1.1.
|
|
|
|
OpenSSL 1.1.1 will be binary and API compatible with OpenSSL 1.1.0, so in
|
|
preparation we might wish to revise our current usage to OpenSSL 1.1.0 to be
|
|
prepared.
|
|
|
|
From Matt Caswell in [OPENSSL-BLOG-TLS-1.3]:
|
|
>
|
|
> OpenSSL 1.1.1 will not be released until (at least) TLSv1.3 is
|
|
> finalised. In the meantime the OpenSSL git master branch contains
|
|
> our development TLSv1.3 code which can be used for testing purposes
|
|
> (i.e. it is not for production use). You can check which draft
|
|
> TLSv1.3 version is implemented in any particular OpenSSL checkout
|
|
> by examining the value of the TLS1_3_VERSION_DRAFT_TXT macro in the
|
|
> tls1.h header file. This macro will be removed when the final
|
|
> version of the standard is released.
|
|
>
|
|
> In order to compile OpenSSL with TLSv1.3 support you must use the
|
|
> “enable-tls1_3” option to “config” or “Configure”.
|
|
>
|
|
> Currently OpenSSL has implemented the “draft-20” version of
|
|
> TLSv1.3. Many other libraries are still using older draft versions in
|
|
> their implementations. Notably many popular browsers are using
|
|
> “draft-18”. This is a common source of interoperability
|
|
> problems. Interoperability of the draft-18 version has been tested
|
|
> with BoringSSL, NSS and picotls.
|
|
>
|
|
> Within the OpenSSL git source code repository there are two branches:
|
|
> “tls1.3-draft-18” and “tls1.3-draft-19”, which implement the older
|
|
> TLSv1.3 draft versions. In order to test interoperability with other
|
|
> TLSv1.3 implementations you may need to use one of those
|
|
> branches. Note that those branches are considered temporary and are
|
|
> likely to be removed in the future when they are no longer needed.
|
|
|
|
At the time of its release, we may wish to test interoperability with other
|
|
implementation(s).
|
|
|
|
9. Future Directions
|
|
|
|
The implementation of this proposal would greatly ease the
|
|
implementation difficulty and maintenance requirements for some
|
|
other possible future beneficial areas of work.
|
|
|
|
9.1. TLS Handshake Composability
|
|
|
|
Handshake composition (i.e. hybrid handshakes) in TLS 1.3 is incredibly
|
|
straightforward.
|
|
|
|
For example, provided we had a Supersingular Isogeny Diffie-Hellman (SIDH)
|
|
based implementation with a sane API, composition of Elliptic Curve
|
|
Diffie-Hellman (ECDH) and SIDH handshakes would be a trivial codebase
|
|
addition (~10-20 lines of code, for others who have implemented this).
|
|
|
|
Our current circuit-layer protocol safeguards the majority of our security
|
|
and anonymity guarantees, while our TLS layer has historically been either a
|
|
stop-gap and/or an attempted (albeit usually not-so-successful) obfuscation
|
|
mechanism. However, our TLS usage has, in many cases, successfully, through
|
|
combination with the circuit layer cryptography, prevented more then a few
|
|
otherwise horrendous bugs. After our circuit-layer protocol is upgraded to a
|
|
hybrid post-quantum secure protocol (prop#269 and prop#XXX), and in order to
|
|
ensure that our TLS layer continues to act in this manner as a stop gap —
|
|
including within threat models which include adversaries capable of recording
|
|
traffic now and decrypting with a potential quantum computer in the future —
|
|
our TLS layer should also provide safety against such a quantum-capable
|
|
adversary.
|
|
|
|
|
|
A. References
|
|
|
|
[TLS-1.3-DIFFERENCES]:
|
|
https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html#rfc.section.1.3
|
|
[OPENSSL-BLOG-TLS-1.3]:
|
|
https://www.openssl.org/blog/blog/2017/05/04/tlsv1.3/
|
|
[TLS-1.3-NEGOTIATION]:
|
|
https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html#rfc.section.4.1.1
|
|
[IETF-PKIX]:
|
|
https://datatracker.ietf.org/doc/draft-ietf-curdle-pkix/
|
|
[TLS-1.3_SET1_GROUPS]:
|
|
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set1_groups.html
|
|
[TLS-1.3_SIGNATURE_ALGOS]:
|
|
https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html#signature-algorithms
|