1
2
3
4
5
6
7Internet Engineering Task Force (IETF) E. Rescorla
8Request for Comments: 5705 RTFM, Inc.
9Category: Standards Track March 2010
10ISSN: 2070-1721
11
12
13 Keying Material Exporters for Transport Layer Security (TLS)
14
15Abstract
16
17 A number of protocols wish to leverage Transport Layer Security (TLS)
18 to perform key establishment but then use some of the keying material
19 for their own purposes. This document describes a general mechanism
20 for allowing that.
21
22Status of This Memo
23
24 This is an Internet Standards Track document.
25
26 This document is a product of the Internet Engineering Task Force
27 (IETF). It represents the consensus of the IETF community. It has
28 received public review and has been approved for publication by the
29 Internet Engineering Steering Group (IESG). Further information on
30 Internet Standards is available in Section 2 of RFC 5741.
31
32 Information about the current status of this document, any errata,
33 and how to provide feedback on it may be obtained at
34 http://www.rfc-editor.org/info/5705.
35
36Copyright Notice
37
38 Copyright (c) 2010 IETF Trust and the persons identified as the
39 document authors. All rights reserved.
40
41 This document is subject to BCP 78 and the IETF Trust's Legal
42 Provisions Relating to IETF Documents
43 (http://trustee.ietf.org/license-info) in effect on the date of
44 publication of this document. Please review these documents
45 carefully, as they describe your rights and restrictions with respect
46 to this document. Code Components extracted from this document must
47 include Simplified BSD License text as described in Section 4.e of
48 the Trust Legal Provisions and are provided without warranty as
49 described in the Simplified BSD License.
50
51 This document may contain material from IETF Documents or IETF
52 Contributions published or made publicly available before November
53 10, 2008. The person(s) controlling the copyright in some of this
54 material may not have granted the IETF Trust the right to allow
55
56
57
58Rescorla Standards Track [Page 1]
59
60RFC 5705 TLS Exporters March 2010
61
62
63 modifications of such material outside the IETF Standards Process.
64 Without obtaining an adequate license from the person(s) controlling
65 the copyright in such materials, this document may not be modified
66 outside the IETF Standards Process, and derivative works of it may
67 not be created outside the IETF Standards Process, except to format
68 it for publication as an RFC or to translate it into languages other
69 than English.
70
71Table of Contents
72
73 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
74 2. Conventions Used In This Document . . . . . . . . . . . . . . . 3
75 3. Binding to Application Contexts . . . . . . . . . . . . . . . . 3
76 4. Exporter Definition . . . . . . . . . . . . . . . . . . . . . . 4
77 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
78 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 6
79 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 6
80 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 7
81 8.1. Normative References . . . . . . . . . . . . . . . . . . . 7
82 8.2. Informative References . . . . . . . . . . . . . . . . . . 7
83
841. Introduction
85
86 Note: The mechanism described in this document was previously known
87 as "TLS Extractors" but was changed to avoid a name conflict
88 with the use of the term "Extractor" in the cryptographic
89 community.
90
91 A number of protocols wish to leverage Transport Layer Security (TLS)
92 [RFC5246] or Datagram TLS (DTLS) [RFC4347] to perform key
93 establishment but then use some of the keying material for their own
94 purposes. A typical example is DTLS-SRTP [DTLS-SRTP], a key
95 management scheme for the Secure Real-time Transport Protocol (SRTP)
96 that uses DTLS to perform a key exchange and negotiate the SRTP
97 [RFC3711] protection suite and then uses the DTLS master_secret to
98 generate the SRTP keys.
99
100 These applications imply a need to be able to export keying material
101 (later called Exported Keying Material or EKM) from TLS/DTLS to an
102 application or protocol residing at an upper layer, and to securely
103 agree on the upper-layer context where the keying material will be
104 used. The mechanism for exporting the keying material has the
105 following requirements:
106
107 o Both client and server need to be able to export the same EKM
108 value.
109
110
111
112
113
114Rescorla Standards Track [Page 2]
115
116RFC 5705 TLS Exporters March 2010
117
118
119 o EKM values should be indistinguishable from random data to
120 attackers who don't know the master_secret.
121
122 o It should be possible to export multiple EKM values from the same
123 TLS/DTLS association.
124
125 o Knowing one EKM value should not reveal any useful information
126 about the master_secret or about other EKM values.
127
128 The mechanism described in this document is intended to fulfill these
129 requirements. This mechanism is compatible with all versions of TLS.
130
1312. Conventions Used In This Document
132
133 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
134 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
135 document are to be interpreted as described in [RFC2119].
136
1373. Binding to Application Contexts
138
139 In addition to using an exporter to obtain keying material, an
140 application using the keying material has to securely establish the
141 upper-layer context where the keying material will be used. The
142 details of this context depend on the application, but it could
143 include things such as algorithms and parameters that will be used
144 with the keys, identifier(s) for the endpoint(s) who will use the
145 keys, identifier(s) for the session(s) where the keys will be used,
146 and the lifetime(s) for the context and/or keys. At a minimum, there
147 should be some mechanism for signaling that an exporter will be used.
148
149 This specification does not mandate a single mechanism for agreeing
150 on such context; instead, there are several possibilities that can be
151 used (and can complement each other). For example:
152
153 o Information about the upper-layer context can be included in the
154 optional data after the exporter label (see Section 4).
155
156 o Information about the upper-layer context can be exchanged in TLS
157 extensions included in the ClientHello and ServerHello messages.
158 This approach is used in [DTLS-SRTP]. The handshake messages are
159 protected by the Finished messages, so once the handshake
160 completes, the peers will have the same view of the information.
161 Extensions also allow a limited form of negotiation: for example,
162 the TLS client could propose several alternatives for some context
163 parameters, and the TLS server could select one of them.
164
165 o The upper-layer protocol can include its own handshake, which can
166 be protected using the keys exported by TLS.
167
168
169
170Rescorla Standards Track [Page 3]
171
172RFC 5705 TLS Exporters March 2010
173
174
175 No matter how the context is agreed, it is required that it has one
176 part that indicates which application will use the exported keys.
177 This part is the disambiguating label string (see Section 4).
178
179 It is important to note that just embedding TLS messages in the
180 upper-layer protocol may not automatically secure all the important
181 context information, since the upper-layer messages are not covered
182 by TLS Finished messages.
183
1844. Exporter Definition
185
186 The output of the exporter is intended to be used in a single scope,
187 which is associated with the TLS session, the label, and the context
188 value.
189
190 The exporter takes three input values:
191
192 o a disambiguating label string,
193
194 o a per-association context value provided by the application using
195 the exporter, and
196
197 o a length value.
198
199 If no context is provided, it then computes:
200
201 PRF(SecurityParameters.master_secret, label,
202 SecurityParameters.client_random +
203 SecurityParameters.server_random
204 )[length]
205
206 If context is provided, it computes: 5705:245 ../scram/scram.go:116
207
208 PRF(SecurityParameters.master_secret, label,
209 SecurityParameters.client_random +
210 SecurityParameters.server_random +
211 context_value_length + context_value
212 )[length]
213
214 Where PRF is the TLS Pseudorandom Function in use for the session.
215 The output is a pseudorandom bit string of length bytes generated
216 from the master_secret. (This construction allows for
217 interoperability with older exporter-type constructions which do not
218 use context values, e.g., [RFC5281]).
219
220 Labels here have the same definition as in TLS, i.e., an ASCII string
221 with no terminating NULL. Label values beginning with "EXPERIMENTAL"
222 MAY be used for private use without registration. All other label
223
224
225
226Rescorla Standards Track [Page 4]
227
228RFC 5705 TLS Exporters March 2010
229
230
231 values MUST be registered via Specification Required as described by
232 RFC 5226 [RFC5226]. Note that exporter labels have the potential to
233 collide with existing PRF labels. In order to prevent this, labels
234 SHOULD begin with "EXPORTER". This is not a MUST because there are
235 existing uses that have labels which do not begin with this prefix.
236
237 The context value allows the application using the exporter to mix
238 its own data with the TLS PRF for the exporter output. One example
239 of where this might be useful is an authentication setting where the
240 client credentials are valid for more than one identity; the context
241 value could then be used to mix the expected identity into the keying
242 material, thus preventing substitution attacks. The context value
243 length is encoded as an unsigned, 16-bit quantity (uint16; see
244 [RFC5246], Section 4.4) representing the length of the context value.
245 The context MAY be zero length. Because the context value is mixed 5705:206 ../scram/scram.go:116
246 with the master_secret via the PRF, it is safe to mix confidential
247 information into the exporter, provided that the master_secret will
248 not be known to the attacker.
249
2505. Security Considerations
251
252 The prime security requirement for exporter outputs is that they be
253 independent. More formally, after a particular TLS session, if an
254 adversary is allowed to choose multiple (label, context value) pairs
255 and is given the output of the PRF for those values, the attacker is
256 still unable to distinguish between the output of the PRF for a
257 (label, context value) pair (different from the ones that it
258 submitted) and a random value of the same length. In particular,
259 there may be settings, such as the one described in Section 4, where
260 the attacker can control the context value; such an attacker MUST NOT
261 be able to predict the output of the exporter. Similarly, an
262 attacker who does not know the master secret should not be able to
263 distinguish valid exporter outputs from random values. The current
264 set of TLS PRFs is believed to meet this objective, provided the
265 master secret is randomly generated.
266
267 Because an exporter produces the same value if applied twice with the
268 same label to the same master_secret, it is critical that two EKM
269 values generated with the same label not be used for two different
270 purposes -- hence, the requirement for IANA registration. However,
271 because exporters depend on the TLS PRF, it is not a threat to the
272 use of an EKM value generated from one label to reveal an EKM value
273 generated from another label.
274
275 With certain TLS cipher suites, the TLS master secret is not
276 necessarily unique to a single TLS session. In particular, with RSA
277 key exchange, a malicious party acting as TLS server in one session
278 and as TLS client in another session can cause those two sessions to
279
280
281
282Rescorla Standards Track [Page 5]
283
284RFC 5705 TLS Exporters March 2010
285
286
287 have the same TLS master secret (though the sessions must be
288 established simultaneously to get adequate control of the Random
289 values). Applications using the EKM need to consider this in how
290 they use the EKM; in some cases, requiring the use of other cipher
291 suites (such as those using a Diffie-Hellman key exchange) may be
292 advisable.
293
294 Designing a secure mechanism that uses exporters is not necessarily
295 straightforward. This document only provides the exporter mechanism,
296 but the problem of agreeing on the surrounding context and the
297 meaning of the information passed to and from the exporter remains.
298 Any new uses of the exporter mechanism should be subject to careful
299 review.
300
3016. IANA Considerations
302
303 IANA has created a TLS Exporter Label registry for this purpose. The
304 initial contents of the registry are given below:
305
306 Value Reference Note
307 ----------------------------- --------- ----
308 client finished [RFC5246] (1)
309 server finished [RFC5246] (1)
310 master secret [RFC5246] (1)
311 key expansion [RFC5246] (1)
312 client EAP encryption [RFC5216]
313 ttls keying material [RFC5281]
314 ttls challenge [RFC5281]
315
316 Note: (1) These entries are reserved and MUST NOT be used for the
317 purpose described in RFC 5705, in order to avoid confusion with
318 similar, but distinct, use in RFC 5246.
319
320 Future values are allocated via the RFC 5226 Specification Required
321 policy. The label is a string consisting of printable ASCII
322 characters. IANA MUST also verify that one label is not a prefix of
323 any other label. For example, labels "key" or "master secretary" are
324 forbidden.
325
3267. Acknowledgments
327
328 Thanks to Pasi Eronen for valuable comments and for the contents of
329 the IANA section and Section 3. Thanks to David McGrew for helpful
330 discussion of the security considerations and to Vijay Gurbani and
331 Alfred Hoenes for editorial comments.
332
333
334
335
336
337
338Rescorla Standards Track [Page 6]
339
340RFC 5705 TLS Exporters March 2010
341
342
3438. References
344
3458.1. Normative References
346
347 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
348 Requirement Levels", BCP 14, RFC 2119, March 1997.
349
350 [RFC5226] Narten, T. and H. Alvestrand, "Guidelines for Writing an
351 IANA Considerations Section in RFCs", BCP 26, RFC 5226,
352 May 2008.
353
354 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer
355 Security (TLS) Protocol Version 1.2", RFC 5246,
356 August 2008.
357
3588.2. Informative References
359
360 [DTLS-SRTP] McGrew, D. and E. Rescorla, "Datagram Transport Layer
361 Security (DTLS) Extension to Establish Keys for Secure
362 Real-time Transport Protocol (SRTP)", Work in Progress,
363 February 2009.
364
365 [RFC3711] Baugher, M., McGrew, D., Naslund, M., Carrara, E., and
366 K. Norrman, "The Secure Real-time Transport Protocol
367 (SRTP)", RFC 3711, March 2004.
368
369 [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
370 Security", RFC 4347, April 2006.
371
372 [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
373 Authentication Protocol", RFC 5216, March 2008.
374
375 [RFC5281] Funk, P. and S. Blake-Wilson, "Extensible Authentication
376 Protocol Tunneled Transport Layer Security Authenticated
377 Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008.
378
379Author's Address
380
381 Eric Rescorla
382 RTFM, Inc.
383 2064 Edgewood Drive
384 Palo Alto, CA 94303
385 USA
386
387 EMail: ekr@rtfm.com
388
389
390
391
392
393
394Rescorla Standards Track [Page 7]
395
396