| blob | 49d9397297f801ab64e46d0a335a3a685b85b515 |
1 \r
4 Internet Engineering Task Force I. Hajjeh \r
5 INTERNET DRAFT ESRGroups \r
6 M. Badra, Ed. \r
7 LIMOS Laboratory \r
8 \r
9 Expires: April 2007 November 2006 \r
10 \r
11 TLS Sign \r
12 <draft-hajjeh-tls-sign-02.txt> \r
13 \r
14 \r
15 Status \r
16 \r
17 By submitting this Internet-Draft, each author represents that any \r
18 applicable patent or other IPR claims of which he or she is aware \r
19 have been or will be disclosed, and any of which he or she becomes \r
20 aware will be disclosed, in accordance with Section 6 of BCP 79. \r
21 \r
22 Internet-Drafts are working documents of the Internet Engineering \r
23 Task Force (IETF), its areas, and its working groups. Note that \r
24 other groups may also distribute working documents as Internet \r
25 Drafts. \r
26 \r
27 Internet-Drafts are draft documents valid for a maximum of six \r
28 months and may be updated, replaced, or obsoleted by other documents \r
29 at any time. It is inappropriate to use Internet-Drafts as reference \r
30 material or to cite them other than as "work in progress." \r
31 \r
32 The list of current Internet-Drafts can be accessed at \r
33 http://www.ietf.org/ietf/1id-abstracts.txt \r
34 \r
35 The list of Internet-Draft Shadow Directories can be accessed at \r
36 http://www.ietf.org/shadow.html \r
37 \r
38 This Internet-Draft will expire on April 09, 2007. \r
39 \r
40 Copyright Notice \r
41 \r
42 Copyright (C) The Internet Society (2006). \r
43 \r
44 Abstract \r
45 \r
46 TLS protocol provides authentication and data protection for \r
47 communication between two entities. However, missing from the \r
48 protocol is a way to perform non-repudiation service. \r
49 \r
50 This document defines extensions to the TLS protocol to allow it to \r
51 perform non-repudiation service. It is based on [TLSSign] and it \r
52 provides the client and the server the ability to sign by TLS, \r
53 handshake and applications data using certificates such as X.509. \r
54 \r
56 \r
58 INTERNET-DRAFT TLS Sign November 2006 \r
60 1 Introduction \r
61 \r
62 Actually, TLS is the most deployed security protocol for securing \r
63 exchanges. It provides end-to-end secure communications between two \r
64 entities with authentication and data protection. However, what is \r
65 missing from the protocol is a way to provide the non-repudiation \r
66 service. \r
67 \r
68 This document describes how the non-repudiation service may be \r
69 integrated as an optional module in TLS. This is in order to provide \r
70 both parties with evidence that the transaction has taken place and \r
71 to offer a clear separation with application design and development. \r
72 \r
73 TLS-Sign's design motivations included: \r
74 \r
75 o TLS is application protocol-independent. Higher-level protocol \r
76 can operate on top of the TLS protocol transparently. \r
77 \r
78 o TLS is a modular nature protocol. Since TLS is developed in four \r
79 independent protocols, the approach defined in this document can \r
80 be added by extending the TLS protocol and with a total \r
81 reuse of pre-existing TLS infrastructures and implementations. \r
82 \r
83 o Several applications like E-Business require non-repudiation \r
84 proof of transactions. It is critical in these applications to \r
85 have the non-repudiation service that generates, distributes, \r
86 validates and maintains the evidence of an electronic \r
87 transaction. Since TLS is widely used to secure these \r
88 applications exchanges, the non-repudiation should be offered by \r
89 TLS. \r
90 \r
91 o Generic non-repudiation with TLS. TLS Sign provides a generic \r
92 non-repudiation service that can be easily used with protocols. \r
93 TLS Sign minimizes both design and implementation of the \r
94 signature service and that of the designers and implementators \r
95 who wish to use this module. \r
96 \r
97 1.2 Requirements language \r
98 \r
99 The key words "MUST", "SHALL", "SHOULD", and "MAY", in this document \r
100 are to be interpreted as described in RFC-2119. \r
101 \r
102 2 TLS Sign overview \r
103 \r
104 TLS Sign is integrated as a higher-level module of the TLS Record \r
105 protocol. It is optionally used if the two entities agree. This is \r
106 negotiated by extending Client and Server Hello messages in the same \r
107 way defined in [TLSExt]. \r
108 \r
109 In order to allow a TLS client to negotiate the TLS Sign, a new \r
110 extension type should be added to the Extended Client and Server \r
112 \r
114 INTERNET-DRAFT TLS Sign November 2006 \r
116 Hellos messages. TLS clients and servers MAY include an extension of \r
117 type 'signature' in the Extended Client and Server Hellos messages. \r
118 The 'extension_data' field of this extension contains a \r
119 'signature_request' where: \r
120 \r
121 enum { \r
122 pkcs7(0), smime(1), xmldsig(2), (255); \r
123 } ContentFormat; \r
124 \r
125 struct { \r
126 ContentFormat content_format; \r
127 SignMethod sign_meth; \r
128 SignType sign_type<2..2^16-1>; \r
129 } SignatureRequest; \r
130 \r
131 enum { \r
132 ssl_client_auth_cert(0), ssl_client_auth_cert_url(1), (255); \r
133 } SignMethod; \r
134 \r
135 uint8 SignType[2]; \r
136 \r
137 The client initiates the TLS Sign module by sending the \r
138 ExtendedClientHello including the 'signature' extension. This \r
139 extension contains: \r
140 \r
141 - the SignType carrying the type of the non repudiation proof. It \r
142 can have one of these two values: \r
143 \r
144 SignType non_repudiation_with_proof_of_origin = { 0x00, 0x01 }; \r
145 SignType non_repudiation_without_proof_of_origin = { 0x00, 0x02 }; \r
146 \r
147 - the ContentFormat carrying the format of signed data. It can be \r
148 PKCS7 [PKCS7], S/MIME [S/MIME] or XMLDSIG [XMLDSIG] \r
149 \r
150 ContentFormat PKCS7 = { 0x00, 0xA1 }; \r
151 ContentFormat SMIME = { 0x00, 0xA2 }; \r
152 ContentFormat XMLDSIG = { 0x00, 0xA3 }; \r
153 \r
154 o if the value of the ContentFormat is PKCS7, then the PKCS7 \r
155 Content_type is of type signed-data. \r
156 \r
157 o if the value of the ContentFormat is S/MIME, then S/MIME \r
158 Content_type is of type SignedData \r
159 \r
160 o if the value of the ContentFormat is XMLDSIG, then XMLDSIG \r
161 signatureMethod algorithms. \r
162 \r
163 - the SignMethod carrying the signature method that is used to sign \r
164 the application data (e.g. X509 authentication certificate). \r
165 \r
166 SignMethod X509 = { 0x00, 0xB1 }; \r
168 \r
170 INTERNET-DRAFT TLS Sign November 2006 \r
172 \r
173 Actually, this document uses the same certificate used in client \r
174 authentication. Any new signature method MAY be added in future \r
175 versions (e.g. delegated attributes certificates). \r
176 \r
177 The server MAY reject the connection by sending the error alert \r
178 "unsupported_extension" [TLSExt] and closing the connection. \r
179 \r
180 The client and the server MAY or MAY NOT use the same certificates \r
181 used by the Handshake protocol. Several cases are possible: \r
182 \r
183 - If the server has an interest in getting non-repudiation data from \r
184 the client and that the cipher_suites list sent by the client does \r
185 not include any cipher_suite with signature ability, the server MUST \r
186 (upon reception of tls_sign_on_off protocol message not followed by \r
187 a certificate with a type equals to ExtendedServerHello.sign_method) \r
188 close the connection by sending a fatal error. \r
189 \r
190 - If the server has an interest in getting non-repudiation data from \r
191 the client and that the cipher_suites list sent by the client \r
192 includes at least a cipher_suite with signature ability, the server \r
193 SHOULD select a cipher_suite with signature ability and MUST provide \r
194 a certificate (e.g., RSA) that MAY be used for key exchange. \r
195 Further, the server MUST request a certificate from the client using \r
196 the TLS certificate request message (e.g., an RSA or a DSS \r
197 signature-capable certificate). If the client does not send a \r
198 certificate during the TLS Handshake, the server MUST close the TLS \r
199 session by sending a fatal error in the case where the client sends \r
200 a tls_sign_on_off protocol message not followed by a certificate \r
201 with a type equals to ExtendedServerHello.sign_method. \r
202 \r
203 - The client or the server MAY use a certificate different to these \r
204 being used by TLS Handshake. This MAY happen when the server agrees \r
205 in getting non-repudiation data from the client and that the type of \r
206 the client certificate used by TLS Handshake and the type selected \r
207 by the server from the list in ExtendedClientHello.sign_method are \r
208 different, or when the ExtendedServerHello.cipher_suite does not \r
209 require client and/or server certificates. In these cases, the \r
210 client or the server sends a new message called certificate_sign, \r
211 right after sending the tls_sign_on_off protocol messages. The new \r
212 message contains the sender's certificate in which the type is the \r
213 same type selected by the server from the list in \r
214 ExtendedClientHello.sign_method. The certificate_sign is therefore \r
215 used to generate signed data. It is defined as follows: \r
216 \r
217 opaque ASN.1Cert<2^24-1>; \r
218 \r
219 struct { \r
220 ASN.1Cert certificate_list<1..2^24-1>; \r
221 } CertificateSign; \r
222 \r
224 \r
226 INTERNET-DRAFT TLS Sign November 2006 \r
228 The certificate_list, as defined in [TLS], is a sequence (chain) of \r
229 certificates. The sender's certificate MUST come first in the list. \r
230 \r
231 If the server has no interest in getting non-repudiation data from \r
232 the client, it replays with an ordinary TLS ServerHello or return a \r
233 handshake failure alert and close the connection [TLS]. \r
234 \r
235 Client Server \r
236 ------ ------ \r
237 \r
238 ClientHello --------> \r
239 ServerHello \r
240 Certificate* \r
241 ServerKeyExchange* \r
242 CertificateRequest* \r
243 <-------- ServerHelloDone \r
244 Certificate* \r
245 ClientKeyExchange \r
246 CertificateVerify* \r
247 [ChangeCipherSpec] \r
248 Finished --------> \r
249 [ChangeCipherSpec] \r
250 <-------- Finished \r
251 \r
252 TLSSignOnOff <--------------------------> TLSSignOnOff \r
253 \r
254 CertificateSign* <-----------------------> CertificateSign* \r
255 \r
256 (Signed) Application Data <----> (Signed) Application Data \r
257 \r
258 * Indicates optional or situation-dependent messages that are not \r
259 always sent. \r
260 \r
261 2.1 tls sign on off protocol \r
262 \r
263 To manage the generation of evidence, new sub-protocol is added by \r
264 this document, called tls_sign_on_off. This protocol consists of a \r
265 single message that is encrypted and compressed under the \r
266 established connection state. This message can be sent at any time \r
267 after the TLS session has been established. Thus, no man in the \r
268 middle can replay or inject this message. It consists of a single \r
269 byte of value 1 (tls_sign_on) or 0 (tls_sign_off). \r
270 \r
271 enum { \r
272 change_cipher_spec(20), alert(21), handshake(22), \r
273 application_data(23), tls_sign(TBC), (255) \r
274 } ContentType; \r
275 \r
276 struct { \r
277 enum { tls_sign_off(0), tls_sign_on(1), (255) } type; \r
278 } TLSSignOnOff; \r
280 \r
282 INTERNET-DRAFT TLS Sign November 2006 \r
284 \r
285 The tls_sign_on_off message is sent by the client and/or server to \r
286 notify the receiving party that subsequent records will carry data \r
287 signed under the negotiated parameters. \r
288 \r
289 Note: TLSSignOnOff is an independent TLS Protocol content type, and \r
290 is not actually a TLS handshake message. \r
291 \r
292 2.1.1 TLS sign packet format \r
293 \r
294 This document defines a new packet format that encapsulates signed \r
295 data, the TLSSigntext. The packet format is shown below. The fields \r
296 are transmitted from left to right. \r
297 \r
298 0 1 2 3 \r
299 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 \r
300 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \r
301 | Content-Type | Flag | Version | \r
302 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \r
303 | Length | Signed Data ... \r
304 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ \r
305 \r
306 Content-Type \r
307 \r
308 Same as TLSPlaintext.type. \r
309 \r
310 Flag \r
311 \r
312 0 1 2 3 4 5 6 7 8 \r
313 +-+-+-+-+-+-+-+-+ \r
314 |A R R R R R R R| \r
315 +-+-+-+-+-+-+-+-+ \r
316 \r
317 A = acknowledgement of receipt \r
318 R = Reserved \r
319 \r
320 When the whole signed data is delivered to the receiver, the TLS \r
321 Sign will check the signature. If the signature is valid and that \r
322 the sender requires a proof of receipt, the receiver MUST generate a \r
323 TLSSigntext packet with the bit A set to 1 (acknowledgement of \r
324 receipt). This helps the receiver of the acknowledgment of receipt \r
325 in storing the data-field for later use (see section 2.2). The data-\r
326 field of that message contains the digest of the whole data receiver \r
327 by the generator of the acknowledgement of receipt. The digest is \r
328 signed before sending the result to the other side. \r
329 \r
330 2.1.3 bad_sign alert \r
331 \r
332 This alert is returned if a record is received with an incorrect \r
333 signature. This message is always fatal. \r
334 \r
336 \r
338 INTERNET-DRAFT TLS Sign November 2006 \r
340 2.2 Storing signed data \r
341 \r
342 The objective of TLS Sign is to provide both parties with evidence \r
343 that can be stored and later presented to a third party to resolve \r
344 disputes that arise if and when a communication is repudiated by one \r
345 of the entities involved. This document provides the two basic types \r
346 of non-repudiation service: \r
347 \r
348 o Non-repudiation with proof of origin: provides the TLS server \r
349 with evidence proving that the TLS client has sent it the signed \r
350 data at a certain time. \r
351 \r
352 o Non-repudiation with proof of delivery: provides the TLS client \r
353 with evidence that the server has received the client's signed \r
354 data at a specific time. \r
355 \r
356 TLS Handshake exchanges the current time and date according to the \r
357 entities internal clock. Thus, the time and date can be stored with \r
358 the signed data as a proof of communication. For B2C or B2B \r
359 transactions, non-repudiation with proof of origin and non-\r
360 repudiation with proof of receipt are both important. If the TLS \r
361 client requests a non-repudiation service with proof of receipt, the \r
362 server SHOULD verify and send back to client a signature on the hash \r
363 of signed data. \r
364 \r
365 The following figure explains the different events for proving and \r
366 storing signed data [RFC2828]. RFC 2828 uses the term "critical \r
367 action" to refer to the act of communication between the two \r
368 entities. For a complete non-repudiation deployment, 6 phases should \r
369 be respected: \r
370 \r
371 -------- -------- -------- -------- -------- -------- \r
372 Phase 1: Phase 2: Phase 3: Phase 4: Phase 5: Phase 6: \r
373 Request Generate Transfer Verify Retain Resolve \r
374 Service Evidence Evidence Evidence Evidence Dispute \r
375 -------- -------- -------- -------- -------- -------- \r
376 Service Critical Evidence Evidence Archive Evidence \r
377 Request => Action => Stored => Is => Evidence Is \r
378 Is Made Occurs For Later Tested In Case Verified \r
379 and Use | ^ Critical ^ \r
380 Evidence v | Action Is | \r
381 Is +-------------------+ Repudiated | \r
382 Generated |Verifiable Evidence|------> ----+ \r
383 +-------------------+ \r
384 \r
385 1- Requesting explicit transaction evidence before sending data. \r
386 Normally, this action is taken by the SSL/TLS client \r
387 \r
388 2- If the server accepts, the client will generate evidence by \r
389 signing data using his X.509 authentication certificate. Server will \r
390 go through the same process if the evidence of receipt is requested. \r
392 \r
394 INTERNET-DRAFT TLS Sign November 2006 \r
396 \r
397 3 - The signed data is then sent by the initiator (client or server) \r
398 and stored it locally, or by a third party, for a later use if \r
399 needed. \r
400 \r
401 4 - The entity that receive the evidence process to verify the \r
402 signed data. \r
403 \r
404 5- The evidence is then stored by the receiver entity for a later \r
405 use if needed. \r
406 \r
407 6- In this phase, which occurs only if the critical action is \r
408 repudiated, the evidence is retrieved from storage, presented, and \r
409 verified to resolve the dispute. \r
410 \r
411 With this method, the stored signed data (or evidence) can be \r
412 retrieved by both parties, presented and verified if the critical \r
413 action is repudiated. \r
414 \r
415 Security Considerations \r
416 \r
417 Security issues are discussed throughout this memo. \r
418 \r
419 IANA Considerations \r
420 \r
421 This document defines a new TLS extension "signature", assigned the \r
422 value TBD from the TLS ExtensionType registry defined in [TLSEXT]. \r
423 \r
424 This document defines one TLS ContentType: tls_sign(TBD). This \r
425 ContentType value is assigned from the TLS ContentType registry \r
426 defined in [TLS]. \r
427 \r
428 This document defines a new handshake message, certificate_sign, \r
429 whose value is to be allocated from the TLS HandshakeType registry \r
430 defined in [TLS]. \r
431 \r
432 The bad_sign alert that is defined in this document is assigned to \r
433 the TLS Alert registry defined in [TLS]. \r
434 \r
435 References \r
436 \r
437 [TLS] Dierks, T., et. al., "The TLS Protocol Version 1.0", \r
438 RFC 2246, January 1999. \r
439 \r
440 [TLSExt] Blake-Wilson, S., et. al., "Transport Layer Security TLS) \r
441 Extensions", RFC 3546, June 2003. \r
442 \r
443 [PKCS7] RSA Laboratories, "PKCS #7: RSA Cryptographic Message \r
444 Syntax Standard," version 1.5, November 1993. \r
445 \r
446 [S/MIME] Ramsdell, B., "S/MIME Version 3 Message Specification", \r
448 \r
450 INTERNET-DRAFT TLS Sign November 2006 \r
452 RFC 2633, June 1999. \r
453 \r
454 [XMLDSIG] Eastlake, D., et. al, "(Extensible Markup Language) XML \r
455 Signature Syntax and Processing", RFC 3275, March 2002. \r
456 \r
457 [TLSSign] Hajjeh, I., Serhrouchni, A., "Integrating a signature \r
458 module in SSL/TLS, ICETE2004., ACM/IEEE, First \r
459 International Conference on E-Business and \r
460 Telecommunication Networks, Portugal, August 2004. \r
461 \r
462 [RFC2828] Shirey, R., "Internet Security Glossary", RFC 2828, May \r
463 2000. \r
464 \r
465 Author's and Contributors' Addresses \r
466 \r
467 Ibrahim Hajjeh \r
468 Engineering and Scientific Research Groups (ESRGroups) \r
469 17 Passage Barrault \r
470 75013 Paris Phone: NA \r
471 France Email: Ibrahim.Hajjeh@esrgroups.org \r
472 \r
473 Mohamad Badra \r
474 LIMOS Laboratory - UMR (6158), CNRS \r
475 France Email: badra@isima.fr \r
476 \r
477 Ahmed serhrouchni \r
478 ENST Phone: NA \r
479 France Email: Ahmed.serhrouchni@enst.fr \r
480 \r
481 Jacques Demerjian \r
482 France Telecom R&D \r
483 42 rue des coutures \r
484 14066 Caen Cedex 4 Phone: NA \r
485 France Email: jacques.demerjian@francetelecom.com \r
486 \r
487 Acknowledgements \r
488 \r
489 The authors would like to thank Eric Rescorla for discussions and \r
490 comments on the design of TLS Sign. \r
491 \r
492 Appendix Changelog \r
493 \r
494 Changes from -01 to -02: \r
495 \r
496 o Add an IANA section. \r
497 \r
498 o Small clarifications to section 2. \r
499 \r
500 o Add the bad_sign alert and the certificate_sign message. \r
501 \r
502 Changes from -00 to -01: \r
504 \r
506 INTERNET-DRAFT TLS Sign November 2006 \r
508 \r
509 o Clarifications to the format of the signed data in Section 2. \r
510 \r
511 o Small clarifications to TLS SIGN negotiation in Section 2. \r
512 \r
513 o Added Jacques Demerjian and Mohammed Achemlal as \r
514 contributors/authors. \r
515 \r
516 Intellectual Property Statement \r
517 \r
518 The IETF takes no position regarding the validity or scope of any \r
519 Intellectual Property Rights or other rights that might be claimed \r
520 to pertain to the implementation or use of the technology described \r
521 in this document or the extent to which any license under such \r
522 rights might or might not be available; nor does it represent that \r
523 it has made any independent effort to identify any such rights. \r
524 Information on the IETF's procedures with respect to rights in IETF \r
525 Documents can be found in BCP 78 and BCP 79. \r
526 \r
527 Copies of IPR disclosures made to the IETF Secretariat and any \r
528 assurances of licenses to be made available, or the result of an \r
529 attempt made to obtain a general license or permission for the use \r
530 of such proprietary rights by implementers or users of this \r
531 specification can be obtained from the IETF on-line IPR repository \r
532 at http://www.ietf.org/ipr. \r
533 \r
534 The IETF invites any interested party to bring to its attention any \r
535 copyrights, patents or patent applications, or other proprietary \r
536 rights that may cover technology that may be required to implement \r
537 this standard. Please address the information to the IETF at ietf-\r
538 ipr@ietf.org. \r
539 \r
540 Disclaimer of Validity \r
541 \r
542 This document and the information contained herein are provided on \r
543 an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE \r
544 REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE \r
545 INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR \r
546 IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF \r
547 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED \r
548 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. \r
549 \r
550 Copyright Statement \r
551 \r
552 Copyright (C) The Internet Society (2006). This document is subject \r
553 to the rights, licenses and restrictions contained in BCP 78, and \r
554 except as set forth therein, the authors retain all their rights. \r
555 \r
556 Acknowledgment \r
557 \r
560 \r
562 INTERNET-DRAFT TLS Sign November 2006 \r
564 Funding for the RFC Editor function is currently provided by the \r
565 Internet Society. \r
616 \r
617 Hajjeh, et. al. Expires April 2007 [Page 11] \f