--- 1/draft-ietf-uta-rfc7525bis-03.txt 2021-11-22 15:13:13.602694351 -0800 +++ 2/draft-ietf-uta-rfc7525bis-04.txt 2021-11-22 15:13:13.674696148 -0800 @@ -1,24 +1,24 @@ UTA Working Group Y. Sheffer Internet-Draft Intuit Obsoletes: 7525 (if approved) R. Holz Updates: 5288, 6066 (if approved) University of Twente Intended status: Best Current Practice P. Saint-Andre -Expires: 28 April 2022 Mozilla +Expires: 27 May 2022 Mozilla T. Fossati arm - 25 October 2021 + 23 November 2021 Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) - draft-ietf-uta-rfc7525bis-03 + draft-ietf-uta-rfc7525bis-04 Abstract Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the last few years, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and their modes of operation. This document provides recommendations for improving the security of deployed services that use TLS and DTLS. 
@@ -37,40 +37,40 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on 28 April 2022. + This Internet-Draft will expire on 27 May 2022. Copyright Notice Copyright (c) 2021 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components - extracted from this document must include Simplified BSD License text - as described in Section 4.e of the Trust Legal Provisions and are - provided without warranty as described in the Simplified BSD License. + extracted from this document must include Revised BSD License text as + described in Section 4.e of the Trust Legal Provisions and are + provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. General Recommendations . . . . . . . . . . . . . . . . . . . 5 3.1. Protocol Versions . . . . . . . . . . . . . . . . . . . . 5 3.1.1. SSL/TLS Protocol Versions . . . . . . . . . . . . . . 5 3.1.2. DTLS Protocol Versions . . . . . . . . . . . . . . . 6 3.1.3. 
Fallback to Lower Versions . . . . . . . . . . . . . 7 3.2. Strict TLS . . . . . . . . . . . . . . . . . . . . . . . 7 3.3. Compression . . . . . . . . . . . . . . . . . . . . . . . 8 3.4. TLS Session Resumption . . . . . . . . . . . . . . . . . 8 3.5. TLS Renegotiation . . . . . . . . . . . . . . . . . . . . 9 3.6. Post-Handshake Authentication . . . . . . . . . . . . . . 9 
@@ -94,26 +94,27 @@ 6.2.1. Nonce Reuse in TLS 1.2 . . . . . . . . . . . . . . . 19 6.3. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 20 6.4. Diffie-Hellman Exponent Reuse . . . . . . . . . . . . . . 21 6.5. Certificate Revocation . . . . . . . . . . . . . . . . . 22 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 8.1. Normative References . . . . . . . . . . . . . . . . . . 23 8.2. Informative References . . . . . . . . . . . . . . . . . 26 Appendix A. Differences from RFC 7525 . . . . . . . . . . . . . 32 Appendix B. Document History . . . . . . . . . . . . . . . . . . 33 - B.1. draft-ietf-uta-rfc7525bis-03 . . . . . . . . . . . . . . 33 - B.2. draft-ietf-uta-rfc7525bis-02 . . . . . . . . . . . . . . 33 - B.3. draft-ietf-uta-rfc7525bis-01 . . . . . . . . . . . . . . 33 - B.4. draft-ietf-uta-rfc7525bis-00 . . . . . . . . . . . . . . 34 - B.5. draft-sheffer-uta-rfc7525bis-00 . . . . . . . . . . . . . 34 - B.6. draft-sheffer-uta-bcp195bis-00 . . . . . . . . . . . . . 34 + B.1. draft-ietf-uta-rfc7525bis-04 . . . . . . . . . . . . . . 33 + B.2. draft-ietf-uta-rfc7525bis-03 . . . . . . . . . . . . . . 33 + B.3. draft-ietf-uta-rfc7525bis-02 . . . . . . . . . . . . . . 33 + B.4. draft-ietf-uta-rfc7525bis-01 . . . . . . . . . . . . . . 33 + B.5. draft-ietf-uta-rfc7525bis-00 . . . . . . . . . . . . . . 34 + B.6. draft-sheffer-uta-rfc7525bis-00 . . . . . . . . . . . . . 34 + B.7. draft-sheffer-uta-bcp195bis-00 . . . . . . . . . . . . . 34 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34 1. Introduction Transport Layer Security (TLS) [RFC5246] and Datagram Transport Security Layer (DTLS) [RFC6347] are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. 
Over the years leading to 2015, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and their modes of operation. For instance, both 
@@ -286,33 +287,25 @@ Version 1.2 of DTLS correlates to version 1.2 of TLS (see above). (There is no version 1.1 of DTLS.) * Implementations SHOULD support and, if available, MUST prefer to negotiate DTLS version 1.3 as specified in [I-D.ietf-tls-dtls13]. Version 1.3 of DTLS correlates to version 1.3 of TLS (see above). 3.1.3. Fallback to Lower Versions - Clients that "fall back" to lower versions of the protocol after the - server rejects higher versions of the protocol MUST NOT fall back to - SSLv3 or earlier. Implementations of TLS/DTLS 1.2 or earlier MUST - implement the Fallback SCSV mechanism [RFC7507] to prevent such - fallback being forced by an attacker. - - Rationale: Some client implementations revert to lower versions of - TLS or even to SSLv3 if the server rejected higher versions of the - protocol. This fallback can be forced by a man-in-the-middle (MITM) - attacker. TLS 1.0 and SSLv3 are significantly less secure than TLS - 1.2 but at least TLS 1.0 is still allowed by many web servers. As of - this writing, the Fallback SCSV solution is widely deployed and - proven as a robust solution to this problem. + TLS/DTLS 1.2 clients MUST NOT fall back to earlier TLS versions, + since those versions have been deprecated [RFC8996]. We note that as + a result of that, the SCSV mechanism [RFC7507] is no longer needed + for clients. In addition, TLS 1.3 implements a new version + negotiation mechanism. 3.2. Strict TLS The following recommendations are provided to help prevent SSL Stripping (an attack that is summarized in Section 2.1 of [RFC7457]): * In cases where an application protocol allows implementations or deployments a choice between strict TLS configuration and dynamic upgrade from unencrypted to TLS-protected traffic (such as STARTTLS), clients and servers SHOULD prefer strict TLS 
@@ -1164,25 +1157,20 @@ [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, "Transport Layer Security (TLS) Application-Layer Protocol Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, July 2014, . [RFC7465] Popov, A., "Prohibiting RC4 Cipher Suites", RFC 7465, DOI 10.17487/RFC7465, February 2015, . - [RFC7507] Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher - Suite Value (SCSV) for Preventing Protocol Downgrade - Attacks", RFC 7507, DOI 10.17487/RFC7507, April 2015, - . - [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A., Langley, A., and M. Ray, "Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension", RFC 7627, DOI 10.17487/RFC7627, September 2015, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . @@ -1413,20 +1401,25 @@ [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection Most of the Time", RFC 7435, DOI 10.17487/RFC7435, December 2014, . [RFC7457] Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing Known Attacks on Transport Layer Security (TLS) and Datagram TLS (DTLS)", RFC 7457, DOI 10.17487/RFC7457, February 2015, . + [RFC7507] Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher + Suite Value (SCSV) for Preventing Protocol Downgrade + Attacks", RFC 7507, DOI 10.17487/RFC7507, April 2015, + . + [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May 2015, . [RFC8452] Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV: Nonce Misuse-Resistant Authenticated Encryption", RFC 8452, DOI 10.17487/RFC8452, April 2019, . 
@@ -1490,22 +1483,20 @@ - MUST-level implementation requirement for ALPN, and more specific SHOULD-level guidance for ALPN and SNI. - Limits on key usage. - New attacks since [RFC7457]: ALPACA, Raccoon, Logjam, "Nonce- Disrespecting Adversaries". * Differences specific to TLS 1.2: - - Fallback SCSV as a MUST for TLS 1.2. - - SHOULD-level guidance on AES-GCM nonce generation. - SHOULD NOT use static DH keys or reuse ephemeral DH keys across multiple connections. - 2048-bit DH now a MUST, ECDH minimal curve size is 224, vs. 192 previously. - Support for extended_master_secret is a SHOULD. Also removed other, more complicated, related mitigations. @@ -1522,33 +1513,38 @@ - SHOULD-level requirement for forward secrecy in TLS 1.3 session resumption. - Generic SHOULD-level guidance to avoid 0-RTT unless it is documented for the particular protocol. Appendix B. Document History // Note to RFC Editor: please remove before publication. -B.1. draft-ietf-uta-rfc7525bis-03 +B.1. draft-ietf-uta-rfc7525bis-04 + + * No version fallback from TLS 1.2 to earlier versions, therefore no + SCSV. + +B.2. draft-ietf-uta-rfc7525bis-03 * Cipher integrity and confidentiality limits. * Require extended_master_secret. -B.2. draft-ietf-uta-rfc7525bis-02 +B.3. draft-ietf-uta-rfc7525bis-02 * Adjusted text about ALPN support in application protocols * Incorporated text from draft-ietf-tls-md5-sha1-deprecate -B.3. draft-ietf-uta-rfc7525bis-01 +B.4. draft-ietf-uta-rfc7525bis-01 * Many more changes, including: - SHOULD-level requirement for forward secrecy in TLS 1.3 session resumption. - Removed TLS 1.2 capabilities: renegotiation, compression. - Specific guidance for multiplexed protocols. 
@@ -1559,53 +1555,53 @@ documented for the particular protocol. - SHOULD-level guidance on AES-GCM nonce generation in TLS 1.2. - SHOULD NOT use static DH keys or reuse ephemeral DH keys across multiple connections. - 2048-bit DH now a MUST, ECDH minimal curve size is 224, up from 192. -B.4. draft-ietf-uta-rfc7525bis-00 +B.5. draft-ietf-uta-rfc7525bis-00 * Renamed: WG document. * Started populating list of changes from RFC 7525. * General rewording of abstract and intro for revised version. * Protocol versions, fallback. * Reference to ECHO. -B.5. draft-sheffer-uta-rfc7525bis-00 +B.6. draft-sheffer-uta-rfc7525bis-00 * Renamed, since the BCP number does not change. * Added an empty "Differences from RFC 7525" section. -B.6. draft-sheffer-uta-bcp195bis-00 +B.7. draft-sheffer-uta-bcp195bis-00 * Initial release, the RFC 7525 text as-is, with some minor editorial changes to the references. Authors' Addresses Yaron Sheffer Intuit Email: yaronf.ietf@gmail.com Ralph Holz University of Twente Email: ralph.ietf@gmail.com Peter Saint-Andre Mozilla - Email: stpeter@mozilla.com + Email: stpeter@mozilla.com Thomas Fossati arm Email: thomas.fossati@arm.com
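Review bot: the rewritten Section 3.1.3 (hunk @@ -286,33 +287,25 @@) drops the whole rationale paragraph, so the section no longer states what the MUST NOT protects against; keep one sentence from the removed text noting that version fallback can be forced by an active attacker, since that is the reason both for the prohibition and for why the SCSV was once required. Two wording points in the same hunk: the sentence opens with "TLS/DTLS 1.2 clients" but then says "earlier TLS versions", so it should read "earlier TLS or DTLS versions" to cover the DTLS case, and "We note that as a result of that" reads better as "Consequently". The closing sentence "TLS 1.3 implements a new version negotiation mechanism" should cite the TLS 1.3 specification (RFC 8446) and say "specifies" rather than "implements", otherwise the reader is left to locate the mechanism. Finally, the new text says the SCSV is no longer needed "for clients" and is silent on servers; consider stating whether servers that still receive the SCSV from legacy clients should continue to process it as described in [RFC7507].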
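Review bot: moving [RFC7507] from Normative to Informative References (hunks @@ -1164,25 +1157,20 @@ and @@ -1413,20 +1401,25 @@) is the right consequence of dropping the MUST in Section 3.1.3, but this diff does not add [RFC8996], which the new Section 3.1.3 text now cites as the basis for a MUST NOT; confirm it already appears in the Normative list, since a citation that supports a normative requirement needs to be normative. Also check that no remaining normative text still cites [RFC7507]; if the informative note in 3.1.3 is its only remaining use, the move is consistent.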
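Review bot: deleting the bullet "Fallback SCSV as a MUST for TLS 1.2" from Appendix A (hunk @@ -1490,22 +1483,20 @@) removes the record of a change without saying what replaced it; check against RFC 7525 whether that document itself required or recommended the Fallback SCSV, because if it did, this revision's removal of the requirement is itself a difference from RFC 7525 and Appendix A should list it, e.g. "Fallback SCSV is no longer required, since fallback to TLS versions earlier than 1.2 is prohibited." The Appendix B.1 entry added in the following hunk ("No version fallback from TLS 1.2 to earlier versions, therefore no SCSV.") already captures this for the document history, so Appendix A should match it.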