draft-ietf-uta-rfc7525bis-03.txt   draft-ietf-uta-rfc7525bis-04.txt 
UTA Working Group Y. Sheffer UTA Working Group Y. Sheffer
Internet-Draft Intuit Internet-Draft Intuit
Obsoletes: 7525 (if approved) R. Holz Obsoletes: 7525 (if approved) R. Holz
Updates: 5288, 6066 (if approved) University of Twente Updates: 5288, 6066 (if approved) University of Twente
Intended status: Best Current Practice P. Saint-Andre Intended status: Best Current Practice P. Saint-Andre
Expires: 28 April 2022 Mozilla Expires: 27 May 2022 Mozilla
T. Fossati T. Fossati
arm arm
25 October 2021 23 November 2021
Recommendations for Secure Use of Transport Layer Security (TLS) and Recommendations for Secure Use of Transport Layer Security (TLS) and
Datagram Transport Layer Security (DTLS) Datagram Transport Layer Security (DTLS)
draft-ietf-uta-rfc7525bis-03 draft-ietf-uta-rfc7525bis-04
Abstract Abstract
Transport Layer Security (TLS) and Datagram Transport Layer Security Transport Layer Security (TLS) and Datagram Transport Layer Security
(DTLS) are widely used to protect data exchanged over application (DTLS) are widely used to protect data exchanged over application
protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the
last few years, several serious attacks on TLS have emerged, last few years, several serious attacks on TLS have emerged,
including attacks on its most commonly used cipher suites and their including attacks on its most commonly used cipher suites and their
modes of operation. This document provides recommendations for modes of operation. This document provides recommendations for
improving the security of deployed services that use TLS and DTLS. improving the security of deployed services that use TLS and DTLS.
skipping to change at page 1, line 48 skipping to change at page 1, line 48
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on 28 April 2022. This Internet-Draft will expire on 27 May 2022.
Copyright Notice Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/ Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Revised BSD License text as
as described in Section 4.e of the Trust Legal Provisions and are described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Revised BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. General Recommendations . . . . . . . . . . . . . . . . . . . 5 3. General Recommendations . . . . . . . . . . . . . . . . . . . 5
3.1. Protocol Versions . . . . . . . . . . . . . . . . . . . . 5 3.1. Protocol Versions . . . . . . . . . . . . . . . . . . . . 5
3.1.1. SSL/TLS Protocol Versions . . . . . . . . . . . . . . 5 3.1.1. SSL/TLS Protocol Versions . . . . . . . . . . . . . . 5
3.1.2. DTLS Protocol Versions . . . . . . . . . . . . . . . 6 3.1.2. DTLS Protocol Versions . . . . . . . . . . . . . . . 6
3.1.3. Fallback to Lower Versions . . . . . . . . . . . . . 7 3.1.3. Fallback to Lower Versions . . . . . . . . . . . . . 7
3.2. Strict TLS . . . . . . . . . . . . . . . . . . . . . . . 7 3.2. Strict TLS . . . . . . . . . . . . . . . . . . . . . . . 7
3.3. Compression . . . . . . . . . . . . . . . . . . . . . . . 8 3.3. Compression . . . . . . . . . . . . . . . . . . . . . . . 8
3.4. TLS Session Resumption . . . . . . . . . . . . . . . . . 8 3.4. TLS Session Resumption . . . . . . . . . . . . . . . . . 8
3.5. TLS Renegotiation . . . . . . . . . . . . . . . . . . . . 9 3.5. TLS Renegotiation . . . . . . . . . . . . . . . . . . . . 9
3.6. Post-Handshake Authentication . . . . . . . . . . . . . . 9 3.6. Post-Handshake Authentication . . . . . . . . . . . . . . 9
skipping to change at page 3, line 11 skipping to change at page 3, line 11
6.2.1. Nonce Reuse in TLS 1.2 . . . . . . . . . . . . . . . 19 6.2.1. Nonce Reuse in TLS 1.2 . . . . . . . . . . . . . . . 19
6.3. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 20 6.3. Forward Secrecy . . . . . . . . . . . . . . . . . . . . . 20
6.4. Diffie-Hellman Exponent Reuse . . . . . . . . . . . . . . 21 6.4. Diffie-Hellman Exponent Reuse . . . . . . . . . . . . . . 21
6.5. Certificate Revocation . . . . . . . . . . . . . . . . . 22 6.5. Certificate Revocation . . . . . . . . . . . . . . . . . 22
7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 23 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
8.1. Normative References . . . . . . . . . . . . . . . . . . 23 8.1. Normative References . . . . . . . . . . . . . . . . . . 23
8.2. Informative References . . . . . . . . . . . . . . . . . 26 8.2. Informative References . . . . . . . . . . . . . . . . . 26
Appendix A. Differences from RFC 7525 . . . . . . . . . . . . . 32 Appendix A. Differences from RFC 7525 . . . . . . . . . . . . . 32
Appendix B. Document History . . . . . . . . . . . . . . . . . . 33 Appendix B. Document History . . . . . . . . . . . . . . . . . . 33
B.1. draft-ietf-uta-rfc7525bis-03 . . . . . . . . . . . . . . 33 B.1. draft-ietf-uta-rfc7525bis-04 . . . . . . . . . . . . . . 33
B.2. draft-ietf-uta-rfc7525bis-02 . . . . . . . . . . . . . . 33 B.2. draft-ietf-uta-rfc7525bis-03 . . . . . . . . . . . . . . 33
B.3. draft-ietf-uta-rfc7525bis-01 . . . . . . . . . . . . . . 33 B.3. draft-ietf-uta-rfc7525bis-02 . . . . . . . . . . . . . . 33
B.4. draft-ietf-uta-rfc7525bis-00 . . . . . . . . . . . . . . 34 B.4. draft-ietf-uta-rfc7525bis-01 . . . . . . . . . . . . . . 33
B.5. draft-sheffer-uta-rfc7525bis-00 . . . . . . . . . . . . . 34 B.5. draft-ietf-uta-rfc7525bis-00 . . . . . . . . . . . . . . 34
B.6. draft-sheffer-uta-bcp195bis-00 . . . . . . . . . . . . . 34 B.6. draft-sheffer-uta-rfc7525bis-00 . . . . . . . . . . . . . 34
B.7. draft-sheffer-uta-bcp195bis-00 . . . . . . . . . . . . . 34
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 34
1. Introduction 1. Introduction
Transport Layer Security (TLS) [RFC5246] and Datagram Transport Transport Layer Security (TLS) [RFC5246] and Datagram Transport
Security Layer (DTLS) [RFC6347] are widely used to protect data Security Layer (DTLS) [RFC6347] are widely used to protect data
exchanged over application protocols such as HTTP, SMTP, IMAP, POP, exchanged over application protocols such as HTTP, SMTP, IMAP, POP,
SIP, and XMPP. Over the years leading to 2015, several serious SIP, and XMPP. Over the years leading to 2015, several serious
attacks on TLS have emerged, including attacks on its most commonly attacks on TLS have emerged, including attacks on its most commonly
used cipher suites and their modes of operation. For instance, both used cipher suites and their modes of operation. For instance, both
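Review bot: the first sentence of Section 1 (unchanged context in this hunk, carried over from RFC 7525) expands DTLS as "Datagram Transport Security Layer", which transposes the name; the title of this document and [RFC6347] use "Datagram Transport Layer Security". While touching that sentence, note that TLS is introduced by citing only [RFC5246] (TLS 1.2) although the document's first preference is TLS 1.3; citing [RFC8446] alongside it would make the introduction match the recommendations in Section 3.1.1.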
skipping to change at page 7, line 12 skipping to change at page 7, line 20
Version 1.2 of DTLS correlates to version 1.2 of TLS (see above). Version 1.2 of DTLS correlates to version 1.2 of TLS (see above).
(There is no version 1.1 of DTLS.) (There is no version 1.1 of DTLS.)
* Implementations SHOULD support and, if available, MUST prefer to * Implementations SHOULD support and, if available, MUST prefer to
negotiate DTLS version 1.3 as specified in [I-D.ietf-tls-dtls13]. negotiate DTLS version 1.3 as specified in [I-D.ietf-tls-dtls13].
Version 1.3 of DTLS correlates to version 1.3 of TLS (see above). Version 1.3 of DTLS correlates to version 1.3 of TLS (see above).
3.1.3. Fallback to Lower Versions 3.1.3. Fallback to Lower Versions
Clients that "fall back" to lower versions of the protocol after the TLS/DTLS 1.2 clients MUST NOT fall back to earlier TLS versions,
server rejects higher versions of the protocol MUST NOT fall back to since those versions have been deprecated [RFC8996]. We note that as
SSLv3 or earlier. Implementations of TLS/DTLS 1.2 or earlier MUST a result of that, the SCSV mechanism [RFC7507] is no longer needed
implement the Fallback SCSV mechanism [RFC7507] to prevent such for clients. In addition, TLS 1.3 implements a new version
fallback being forced by an attacker. negotiation mechanism.
Rationale: Some client implementations revert to lower versions of
TLS or even to SSLv3 if the server rejected higher versions of the
protocol. This fallback can be forced by a man-in-the-middle (MITM)
attacker. TLS 1.0 and SSLv3 are significantly less secure than TLS
1.2 but at least TLS 1.0 is still allowed by many web servers. As of
this writing, the Fallback SCSV solution is widely deployed and
proven as a robust solution to this problem.
3.2. Strict TLS 3.2. Strict TLS
The following recommendations are provided to help prevent SSL The following recommendations are provided to help prevent SSL
Stripping (an attack that is summarized in Section 2.1 of [RFC7457]): Stripping (an attack that is summarized in Section 2.1 of [RFC7457]):
* In cases where an application protocol allows implementations or * In cases where an application protocol allows implementations or
deployments a choice between strict TLS configuration and dynamic deployments a choice between strict TLS configuration and dynamic
upgrade from unencrypted to TLS-protected traffic (such as upgrade from unencrypted to TLS-protected traffic (such as
STARTTLS), clients and servers SHOULD prefer strict TLS STARTTLS), clients and servers SHOULD prefer strict TLS
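Review bot: the new Section 3.1.3 text has a scoping gap and an unexplained claim. "TLS/DTLS 1.2 clients MUST NOT fall back to earlier TLS versions" should read "earlier TLS or DTLS versions": for a DTLS 1.2 client the only earlier version is DTLS 1.0 (Section 3.1.2 above notes there is no DTLS 1.1), and as written the MUST NOT does not literally cover it. The closing sentence, "TLS 1.3 implements a new version negotiation mechanism", would be more useful if it named the mechanism: versions are offered in the supported_versions extension ([RFC8446], Section 4.2.1), and a TLS 1.3 server that ends up negotiating TLS 1.2 or lower sets a fixed sentinel in the last eight bytes of ServerHello.random, which a TLS 1.3-capable client MUST check ([RFC8446], Section 4.1.3); that downgrade protection is what makes the Fallback SCSV redundant for such clients. "The SCSV mechanism is no longer needed for clients" is also one-sided: [RFC7507] defines server behaviour too, and servers still talking to legacy clients that do fall back lose nothing by continuing to honor the SCSV, so consider saying that clients conforming to this document need not send it while servers MAY keep checking it. Finally, the rewrite deletes the whole "Rationale:" paragraph, leaving this the only subsection of 3.1 without one; a single sentence (fallback can be forced by an on-path attacker, see [RFC7457]) would keep the MUST NOT self-explanatory.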
skipping to change at page 25, line 44 skipping to change at page 25, line 44
[RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan, [RFC7301] Friedl, S., Popov, A., Langley, A., and E. Stephan,
"Transport Layer Security (TLS) Application-Layer Protocol "Transport Layer Security (TLS) Application-Layer Protocol
Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301, Negotiation Extension", RFC 7301, DOI 10.17487/RFC7301,
July 2014, <https://www.rfc-editor.org/info/rfc7301>. July 2014, <https://www.rfc-editor.org/info/rfc7301>.
[RFC7465] Popov, A., "Prohibiting RC4 Cipher Suites", RFC 7465, [RFC7465] Popov, A., "Prohibiting RC4 Cipher Suites", RFC 7465,
DOI 10.17487/RFC7465, February 2015, DOI 10.17487/RFC7465, February 2015,
<https://www.rfc-editor.org/info/rfc7465>. <https://www.rfc-editor.org/info/rfc7465>.
[RFC7507] Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher
Suite Value (SCSV) for Preventing Protocol Downgrade
Attacks", RFC 7507, DOI 10.17487/RFC7507, April 2015,
<https://www.rfc-editor.org/info/rfc7507>.
[RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A., [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
Langley, A., and M. Ray, "Transport Layer Security (TLS) Langley, A., and M. Ray, "Transport Layer Security (TLS)
Session Hash and Extended Master Secret Extension", Session Hash and Extended Master Secret Extension",
RFC 7627, DOI 10.17487/RFC7627, September 2015, RFC 7627, DOI 10.17487/RFC7627, September 2015,
<https://www.rfc-editor.org/info/rfc7627>. <https://www.rfc-editor.org/info/rfc7627>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
skipping to change at page 31, line 10 skipping to change at page 30, line 48
[RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection [RFC7435] Dukhovni, V., "Opportunistic Security: Some Protection
Most of the Time", RFC 7435, DOI 10.17487/RFC7435, Most of the Time", RFC 7435, DOI 10.17487/RFC7435,
December 2014, <https://www.rfc-editor.org/info/rfc7435>. December 2014, <https://www.rfc-editor.org/info/rfc7435>.
[RFC7457] Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing [RFC7457] Sheffer, Y., Holz, R., and P. Saint-Andre, "Summarizing
Known Attacks on Transport Layer Security (TLS) and Known Attacks on Transport Layer Security (TLS) and
Datagram TLS (DTLS)", RFC 7457, DOI 10.17487/RFC7457, Datagram TLS (DTLS)", RFC 7457, DOI 10.17487/RFC7457,
February 2015, <https://www.rfc-editor.org/info/rfc7457>. February 2015, <https://www.rfc-editor.org/info/rfc7457>.
[RFC7507] Moeller, B. and A. Langley, "TLS Fallback Signaling Cipher
Suite Value (SCSV) for Preventing Protocol Downgrade
Attacks", RFC 7507, DOI 10.17487/RFC7507, April 2015,
<https://www.rfc-editor.org/info/rfc7507>.
[RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre, [RFC7525] Sheffer, Y., Holz, R., and P. Saint-Andre,
"Recommendations for Secure Use of Transport Layer "Recommendations for Secure Use of Transport Layer
Security (TLS) and Datagram Transport Layer Security Security (TLS) and Datagram Transport Layer Security
(DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May (DTLS)", BCP 195, RFC 7525, DOI 10.17487/RFC7525, May
2015, <https://www.rfc-editor.org/info/rfc7525>. 2015, <https://www.rfc-editor.org/info/rfc7525>.
[RFC8452] Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV: [RFC8452] Gueron, S., Langley, A., and Y. Lindell, "AES-GCM-SIV:
Nonce Misuse-Resistant Authenticated Encryption", Nonce Misuse-Resistant Authenticated Encryption",
RFC 8452, DOI 10.17487/RFC8452, April 2019, RFC 8452, DOI 10.17487/RFC8452, April 2019,
<https://www.rfc-editor.org/info/rfc8452>. <https://www.rfc-editor.org/info/rfc8452>.
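Review bot: moving [RFC7507] from Normative to Informative References is consistent with its remaining use, since Section 3.1.3 now cites it only to say the Fallback SCSV is no longer needed, so the entry must stay in the list rather than being dropped. The same rewrite of 3.1.3 newly cites [RFC8996] as the basis for a MUST NOT, and this diff adds no reference entry for it; confirm that [RFC8996] already appears under Normative References, as a MUST-level requirement resting on an informative citation would draw an IESG comment.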
skipping to change at page 32, line 40 skipping to change at page 32, line 33
- MUST-level implementation requirement for ALPN, and more - MUST-level implementation requirement for ALPN, and more
specific SHOULD-level guidance for ALPN and SNI. specific SHOULD-level guidance for ALPN and SNI.
- Limits on key usage. - Limits on key usage.
- New attacks since [RFC7457]: ALPACA, Raccoon, Logjam, "Nonce- - New attacks since [RFC7457]: ALPACA, Raccoon, Logjam, "Nonce-
Disrespecting Adversaries". Disrespecting Adversaries".
* Differences specific to TLS 1.2: * Differences specific to TLS 1.2:
- Fallback SCSV as a MUST for TLS 1.2.
- SHOULD-level guidance on AES-GCM nonce generation. - SHOULD-level guidance on AES-GCM nonce generation.
- SHOULD NOT use static DH keys or reuse ephemeral DH keys across - SHOULD NOT use static DH keys or reuse ephemeral DH keys across
multiple connections. multiple connections.
- 2048-bit DH now a MUST, ECDH minimal curve size is 224, vs. 192 - 2048-bit DH now a MUST, ECDH minimal curve size is 224, vs. 192
previously. previously.
- Support for extended_master_secret is a SHOULD. Also removed - Support for extended_master_secret is a SHOULD. Also removed
other, more complicated, related mitigations. other, more complicated, related mitigations.
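Review bot: the TLS 1.2 list in Appendix A silently drops the "Fallback SCSV as a MUST for TLS 1.2" bullet, but Appendix A exists to record differences from RFC 7525, and the -04 change to Section 3.1.3 is itself such a difference: RFC 7525 only forbade falling back to SSLv3 or earlier and described the Fallback SCSV as the deployed mitigation, whereas this document forbids TLS/DTLS 1.2 clients from falling back to any earlier version and withdraws the SCSV guidance. Replace the removed bullet with one stating that, mirroring the B.1 entry in the Document History, so readers of RFC 7525 are told the prohibition was broadened rather than the SCSV simply dropped.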
skipping to change at page 33, line 24 skipping to change at page 33, line 15
- SHOULD-level requirement for forward secrecy in TLS 1.3 session - SHOULD-level requirement for forward secrecy in TLS 1.3 session
resumption. resumption.
- Generic SHOULD-level guidance to avoid 0-RTT unless it is - Generic SHOULD-level guidance to avoid 0-RTT unless it is
documented for the particular protocol. documented for the particular protocol.
Appendix B. Document History Appendix B. Document History
// Note to RFC Editor: please remove before publication. // Note to RFC Editor: please remove before publication.
B.1. draft-ietf-uta-rfc7525bis-03 B.1. draft-ietf-uta-rfc7525bis-04
* No version fallback from TLS 1.2 to earlier versions, therefore no
SCSV.
B.2. draft-ietf-uta-rfc7525bis-03
* Cipher integrity and confidentiality limits. * Cipher integrity and confidentiality limits.
* Require extended_master_secret. * Require extended_master_secret.
B.2. draft-ietf-uta-rfc7525bis-02 B.3. draft-ietf-uta-rfc7525bis-02
* Adjusted text about ALPN support in application protocols * Adjusted text about ALPN support in application protocols
* Incorporated text from draft-ietf-tls-md5-sha1-deprecate * Incorporated text from draft-ietf-tls-md5-sha1-deprecate
B.3. draft-ietf-uta-rfc7525bis-01 B.4. draft-ietf-uta-rfc7525bis-01
* Many more changes, including: * Many more changes, including:
- SHOULD-level requirement for forward secrecy in TLS 1.3 session - SHOULD-level requirement for forward secrecy in TLS 1.3 session
resumption. resumption.
- Removed TLS 1.2 capabilities: renegotiation, compression. - Removed TLS 1.2 capabilities: renegotiation, compression.
- Specific guidance for multiplexed protocols. - Specific guidance for multiplexed protocols.
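Review bot: the B.2 history entry for -03, "Require extended_master_secret", reads as a MUST-level requirement, while Appendix A (unchanged in this hunk) still records "Support for extended_master_secret is a SHOULD". One of the two is stale: either -03 raised the requirement and Appendix A needs updating, or the history entry should say "SHOULD-level support for extended_master_secret" to match.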
skipping to change at page 34, line 13 skipping to change at page 34, line 11
documented for the particular protocol. documented for the particular protocol.
- SHOULD-level guidance on AES-GCM nonce generation in TLS 1.2. - SHOULD-level guidance on AES-GCM nonce generation in TLS 1.2.
- SHOULD NOT use static DH keys or reuse ephemeral DH keys across - SHOULD NOT use static DH keys or reuse ephemeral DH keys across
multiple connections. multiple connections.
- 2048-bit DH now a MUST, ECDH minimal curve size is 224, up from - 2048-bit DH now a MUST, ECDH minimal curve size is 224, up from
192. 192.
B.4. draft-ietf-uta-rfc7525bis-00 B.5. draft-ietf-uta-rfc7525bis-00
* Renamed: WG document. * Renamed: WG document.
* Started populating list of changes from RFC 7525. * Started populating list of changes from RFC 7525.
* General rewording of abstract and intro for revised version. * General rewording of abstract and intro for revised version.
* Protocol versions, fallback. * Protocol versions, fallback.
* Reference to ECHO. * Reference to ECHO.
B.5. draft-sheffer-uta-rfc7525bis-00 B.6. draft-sheffer-uta-rfc7525bis-00
* Renamed, since the BCP number does not change. * Renamed, since the BCP number does not change.
* Added an empty "Differences from RFC 7525" section. * Added an empty "Differences from RFC 7525" section.
B.6. draft-sheffer-uta-bcp195bis-00 B.7. draft-sheffer-uta-bcp195bis-00
* Initial release, the RFC 7525 text as-is, with some minor * Initial release, the RFC 7525 text as-is, with some minor
editorial changes to the references. editorial changes to the references.
Authors' Addresses Authors' Addresses
Yaron Sheffer Yaron Sheffer
Intuit Intuit
Email: yaronf.ietf@gmail.com Email: yaronf.ietf@gmail.com
Ralph Holz Ralph Holz
University of Twente University of Twente
Email: ralph.ietf@gmail.com Email: ralph.ietf@gmail.com
Peter Saint-Andre Peter Saint-Andre
Mozilla Mozilla
Email: stpeter@mozilla.com
Email: stpeter@mozilla.com
Thomas Fossati Thomas Fossati
arm arm
Email: thomas.fossati@arm.com Email: thomas.fossati@arm.com
 End of changes. 19 change blocks. 
41 lines changed or deleted 37 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/