]> TU Dresden

muhammad_usama.sardar@tu-dresden.de

Security Transport Layer Security This document applies only to non-trivial extensions of TLS, which require formal analysis. It proposes the authors specify a threat model and informal security goals in the Security Considerations section, as well as motivation and a protocol diagram in the draft. We also briefly present a few pain points of the team doing the formal analysis which -- we believe -- require refining the process:

• Provide protection against FATT-bypass by other TLS-related WGs
• Contacting FATT
• ML-KEM
• Understanding the opposing goals
• Response within reasonable time frame

About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Transport Layer Security Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction While the TLS FATT process marks a historic change in achieving high cryptographic assurances by tightly integrating formal methods in the working group (WG) process, the current FATT process has some practical limitations. Given a relatively smaller formal methods community, and a steep learning curve as well as very low consideration of usability in the existing formal analysis tools, this document proposes some solutions to make the FATT process sustainable. Specifically, the TLS FATT process does not outline the division of formal analysis work between the authors and the WG members doing the formal analysis; the latter is hereafter referred to as the "Verifier" for convenience. This document aims to propose some solutions without putting an extensive burden on either party. An argument is often presented by the authors that an Internet-Draft is written for the implementers. We make several counter-arguments here:

• Researchers and protocol designers are also stakeholders of such specifications .
• Even implementers may like to understand the security implications before blindly starting to implement it.
• With the FATT process, this argument is clearly invalid. The Verifier may not be an implementer.

This document outlines the corresponding changes in the way Internet-Drafts are typically written. For the Internet-Draft to be useful for the formal analysis, this document proposes that it would be helpful for the formal analysis if the draft contains four main items, namely:

• motivation,
• a threat model,
• informal security goals, and
• a protocol diagram ().

Each one of these is summarized in . Future versions of this draft will include concrete examples. Expected contributions of the Verifier are summarized in .

Motivation A clear separation of expected contributions would help IRTF UFMRG to train the authors and Verifiers separately to make their own contributions to the formal analysis. Moreover, we believe that the experiences can help improve the FATT process. The goal is to document the identified gaps with concrete examples, discuss those and mutually find the best way forward.

Scope The scope of this document is only non-trivial extensions of TLS, which require formal analysis.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Protocol Diagram In the context of this document, a Protocol Diagram specifies the proposed cryptographically-relevant changes compared to the standard TLS protocol . This is conceptually similar to the Protocol Model in . However, while only recommends diagrams, we consider diagrams to be essential.

Verifier In this document, the Verifier refers to the WG members doing the formal analysis. Note that it is NOT a new formal role in the WG process.

Definition of Attack Any ambiguity originating from the threat model, informal security goals, and a Protocol Diagram is to be considered as an attack. The authors are, therefore, encouraged to be as precise as possible. The Verifier may propose text for consideration by authors/WG to disambiguate or propose a fix to the attack.

Pain Points of Verifier From the two extremes -- where Russ kindly provided all requested inputs and we were able to get it through (with a small change) without any formal analysis to where formal analysis revealed vulnerabilities and resulted in a separate WG to tackle this problem -- we summarize the pain points of the Verifier with the hope that we can refine the process. Note that we are not at all asserting that the authors have no pain points. They very likely have their own -- that is another indication that the process needs a refinement.

Provide Protection Against FATT-bypass by Other TLS-related WGs TLS-related WGs in particular those where the representation of TLS WG is a minority -- including the one (SEAT WG) that the author has defended himself as one of the six proponents -- MUST NOT be allowed to make changes to the TLS protocol beyond what is explicitly allowed in their charter. If rechartering of such WGs is absolutely unavoidable and includes non-trivial changes to the TLS protocol, it MUST only be done after agreement with the TLS WG. This will prevent the short-circuit path for FATT. If the WG does not have proper FATT-like process, TLS WG may request FATT review before WGLC. In short, our concern is: For example, makes key schedule level changes, breaks the SEAT WG charter and SEAT WG has no formal FATT-like process.

Contacting FATT According to FATT process , FATT is a 'design team' as per (also see this). The FATT process restricts the WG members -- except for authors (see for example this)-- from contacting the FATT directly. This creates an unjustified situation where the authors have an exclusive access to FATT. We argue that WG members -- including the Verifier -- should also be allowed to contact the FATT because of the following reasons:

• Formal methods community is small and within this small community, those with deep knowledge of TLS are quite limited.

• The feedback we receive on the list is really limited.
• Communication via chairs is a source of misunderstandings, as it has already happened with the chairs summarizing the intent of "Tamarin-like" to just "Tamarin".
• The process has to be inclusive of WG members who are willing to help but don't work in formal methods research groups.

Our proposed solution for this point is in .

Failure of Current Process The FATT process assigns a "FATT point person" after adoption. However, until FATT point person is assigned for a draft, Verifier is essentially not allowed to talk to any one in FATT. Note that it could mean (almost) the whole lifetime of the draft. A practical example is the PAKE draft . While the PAKE authors seemed ready for WGLC in meeting 125, no FATT person has been announced at the time of publishing this draft.

ML-KEM While ML-KEM looks like just a "trivial" addition, it had an opposition of several (ca. 25 in our understanding) WG members in the last WGLC. We see 2 possible options:

• Continue tabletop discussions on subjective calculation of risks, costs, tradeoffs, etc., and keep burning WG energy.
• Do some technical analysis using formal methods (such as symbolic and computational) to get a confirmation and offer a statement for security considerations, and move on to more critical works like hybrid authentication.

We believe the former cannot resolve the dispute. We believe the latter may help. Our proposed solution for this point is in .

Formal Analysis (Work-in-progress) We have presented observation from our ongoing symbolic security analysis (cf. limitations in ) using ProVerif on the mailing list. We argue that in general:

1. Migration from ECDHE to hybrid is security improvement.
2. Migration from hybrid to standalone ML-KEM is security regression.

Hybrid PQ/T More formally, the property hybrid PQ/T should provide is: Hybrid preserves ECDHE, and adds ML-KEM as an additional factor. So as long as one of them is not broken, the system is secure. In particular, even if ML-KEM is completely broken, the system retains the security level of ECDHE.

Non-hybrid PQ On the other hand, the formal property non-hybrid PQ provides is: If ML-KEM is broken, the whole system is broken.

Comparison Leak out the ECDHE key from hybrid PQ/T and you get a standalone ML-KEM. Clearly, hybrid is in general more secure, unless ECDHE is fully broken, in which case it still falls equivalent to standalone ML-KEM, or in the hypothetical scenario that there is an implementation bug in the ECDHE part which is triggered only in composition.

"Cost" "Cost" has been presented on the list as the motivation for ML-KEM but no reference has yet been presented. We believe costs will depend on several factors and it is quite subjective. There seems to be a need for a thorough study to understand the "cost."

Understanding the Opposing Goals The authors need to understand that the task of the Verifier is to find the subtle corner cases where the protocol may fail. This is naturally opposed to the goal of the authors -- that is, to convince the WG that the protocol is good enough to be adopted/published. In particular, some topics like remote attestation need more precise specifications because small changes or ambiguites may make a big difference.

Response Within Reasonable Time Frame If authors do not respond to the Verifier's questions within a reasonable time frame (say a few weeks but not months), the Verifier may not pursue formal analysis of their draft.

Proposed Solutions In addition to those mentioned inline in the previous section, we propose the following:

Contacting FATT

Separate List for FATT and WG Members We propose creating a public mailing list (something like tls-fatt) for discussions between interested WG members and FATT. In our understanding, the idea -- in a nutshell -- is something like hybrid design team, i.e.,:

• FATT continues to use whatever they currently use for their internal communication ("closed")
• The proposed list additionally allows public FATT-WG engagement ("open") for questions and discussion of WG members or FATT

Potential Need of FATT-WG Engagement In addition to the questions from the WG for the FATT, FATT also needs to engage with the WG:

• At initial FATT review (just after adoption), FATT may have questions from authors as well as Verifiers. For the former, to understand better the threat model and desired security goals, etc. to be able to suggest which approach is best-suited. For the latter, to better understand what formal analysis approach and tool is being planned/currently used (if any).
• During final FATT review (just before WGLC), FATT may have questions on what the Verifier has done, especially in cases where a peer-reviewed publication is not yet available. We believe evaluating someone else's code is not easy, or at least if FATT has the opportunity to talk to the Verifier, it will decrease the brain cycles that they will have to spend on it.

Design Goals

• minimal process change: some private discussions typically happen between authors and FATT; move them to public list for transparency. Keep intra-FATT communication private as it is.
• balanced workload: not to increase anyone's workload on average over a finite period of time (say lifetime of one document): joining list is voluntary; responding to list questions is voluntary
• all stakeholders benefit: ensure all stakeholders (FATT, authors, WG members, chairs) benefit compared to current process

Benefits In addition to transparency where this removes the current situation where only the authors have an exclusive access to FATT, we think the proposal has merits where all stakeholders benefit:

• Chairs get relief from carrying messages back and forth between WG and FATT.
• FATT gets involved early in the process and has to do lesser work later on (e.g., checking artifacts before WGLC).
• Interested WG members get a direct contact with experts.
• Uninterested WG members get lesser noise on the TLS list. They can check the public archives by searching for a specific draft if they would like to.

Risks

• We acknowledge the risk of 'no response from FATT' identified on list. In such cases, WG can continue with its best judgement based on its understanding of the available literature.

Open Questions Opinion of FATT is critical in this proposal whether the middle ground of hybrid is acceptable to (some of) them.

Lead FATT Person for Contact This proposal assigns a single FATT person -- referred to as Lead FATT Person -- who the WG group members and authors can contact for general queries. It can keep rotating after certain time, such as one month.

Students/Researchers of FATT Most of FATT persons are from academia. WG can request FATT to use their own students/researchers to do the formal analysis.

ML-KEM: FATT Review We have formally requested the chairs to initiate the FATT process for . See this and this.

Expected Learning We believe formal methods can provide additional value for security considerations of this draft in order to maintain the high cryptographic assurance of TLS. Since we have no guarantee on whether ECDHE will break before ML-KEM, it seems appropriate to do thorough cryptographic analysis. The Harvest Now, Decrypt Later (HNDL) attack applies equally well to non-hybrid ML-KEM. Adversary can record all traffic and decrypt it when ML-KEM is broken (or probably it is already broken; who knows?)

• As an example, it can help justify design choices, such as the preference for hybrids. It can help identify ways in which ML-KEM can break. It can also help identify all the assumptions under which the properties hold.
• As a relevant data point in the context of standardization, LAKE WG has done formal analysis for EDHOC-PSK with KEM (ref).
• Computational analysis (cf. SoK)-- using tools such as CryptoVerif -- seems like a reasonable approach to ensure security of ML-KEM in TLS, such as binding.

Scope of FATT

• Be more explicit on:
  • what is the scope of FATT?
  • what kind of drafts need FATT review and why? Discussion on this is happening in issue 19.

Discussion at Meeting So at least some time should be allocated in the meetings for discussion of ongoing formal analysis, rather than just the results. If the authors are doing the formal analysis themselves, it would be helpful to also present the current state of formal analysis in meetings for discussion. This may be a single slide describing:

• Approach used: symbolic or computational
• Tool used: ProVerif, CryptoVerif etc.
• Properties established

This will help the WG give any feedback and avoid other Verifiers doing redundant effort using potentially same tools.

Contribution of Authors The following contributions are expected from the authors:

Real Motivation Authors are expected to provide the real motivation of the work (i.e., the proposed extension of TLS). The Verifier can then ask questions to improve it.

Threat Model A threat model identifies which threats are in scope for the protocol design. So it should answer questions like:

• What are the capabilities of the adversary? What can the adversary do?
• Whether post-quantum threats are in scope?
• What can go wrong in the system? etc.
• What are the computational and memory resources available to the adversary?

Typical Dolev-Yao adversary A typical threat model assumes the classical Dolev-Yao adversary, who has full control over the communication channel. Any additional adversary capabilities and assumptions should be explicitly stated.

Potential Weaknesses of Cryptographic Primitives In general, it also outlines the potential weaknesses of the cryptographic primitives used in the proposed protocol extension. Examples include:

• weak hash functions
• weak Diffie-Hellman (DH) groups
• weak elements within strong DH groups

Keys This section should specify any keys in the system (e.g., long-term keys of the server) in addition to the standard TLS key schedule. Theoretically and arguably practically, any key may be compromised (i.e., become available to the adversary). For readability, we propose defining each key clearly as in Section 4.1 of . Alternatively, present as a table with the following entries for each key:

• Name (or symbol) of the key
• Purpose of the key
• (optionally but preferably -- particularly when the endpoint is not fully trusted) Which software in the system has access to the key?

If more than one servers are involved (such as migration cases), the keys for servers should be distinguished in an unambiguous way.

Informal Security Goals Knowing what you want is the first step toward achieving it. Hence, informal security goals such as integrity, authentication, freshness, etc. should be outlined in the Internet-Draft. If the informal security goals are not spelled out in the Internet-Draft, it is safe to assume that the goals are still unclear to the authors. Examples:

• Integrity of message X holds unless some key Y is leaked.
• (stated differently) Integrity of message X holds as long as some key Y is protected.
• Freshness of message X holds unless some key Y or some key Z is leaked.
• Server Authentication holds unless some key Y or some key Z is leaked.

See Section 5.1 of for concrete examples.

Protocol Diagram A Protocol Diagram should clearly mention the initial knowledge of the protocol participants, e.g., which authentic public keys are known to the protocol participants at the start of the protocol. An example of a Protocol Diagram for is provided in Figure 5 in .

Document Structure While the needs may differ for some drafts, we propose the following baseline template, with an example of : The template is:

• Easy for readers
• Easy for reviewers
• Easy for formal analysis

TODO: Currently it is almost a copy of the guidance email to the authors. We will add details in next versions.

Introduction

• Problem statement: Say in general what the problem is.
• For , we believe this should not include CATS. Anyone unfamiliar with CATS should be able to understand your problem.

Terminology

• Define any terms not defined in RFC8446bis or point to other drafts from where the definition is used.

Motivation and design rationale

• We really like how Russ motivates the problem statement in . Use it as a sample.
• Here authors should address all the concerns from WG, including justification with compelling arguments and authentic references why authors think it should be done within TLS WG (and within handshake).
• For , authors could put CATS here as a motivational use case.

Proposed solution (one or more sections)

• Protocol design with Protocol Diagram: we work on the formal analysis of TLS 1.3 exclusively. Please contact someone else if your draft relates to older versions.

Security considerations

Threat model

Desired security goals As draft proceeds these desired security goals will become what the draft actually achieves.

Other security implications/considerations

Contribution of Verifier When the authors declare the version as ready for formal analysis, the Verifier takes the above inputs, performs the formal analysis, and brings the results back to the authors and the WG. Based on the analysis, the verifier may propose updates to the Security Considerations section or other sections of the Internet-Draft.

Security Considerations The whole document is about improving security considerations. Like all security proofs, formal analysis is only as strong as its assumptions and model. The scope is typically limited, and the model does not necessarily capture real-world deployment complexity, implementation details, operational constraints, or misuse scenarios. Formal methods should be used as complementary and not as subtitute of other analysis methods.

IANA Considerations This document has no IANA actions.

References Normative References IETF TLS WG In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References Independent This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. This document updates RFCs 5705, 6066, 7627, and 8422 and obsoletes RFCs 5077, 5246, 6961, 8422, and 8446. This document also specifies new requirements for TLS 1.2 implementations. Intuit Arm Limited Arm Limited Arm Limited Huawei Linaro The TLS handshake protocol allows authentication of one or both peers using static, long-term credentials. In some cases, it is also desirable to ensure that the peer runtime environment is in a secure state. Such an assurance can be achieved using attestation which is a process by which an entity produces evidence about itself that another party can use to appraise whether that entity is found in a secure state. This document describes a series of protocol extensions to the TLS 1.3 handshake that enables the binding of the TLS authentication key to a remote attestation session. This enables an entity capable of producing attestation evidence, such as a confidential workload running in a Trusted Execution Environment (TEE), or an IoT device that is trying to authenticate itself to a network access point, to present a more comprehensive set of security metrics to its peer. These extensions have been designed to allow the peers to use any attestation technology, in any remote attestation topology, and mutually. Internet Architecture Board The IETF process depends on peer review. However, IETF documents are generally written to be useful for implementors, not reviewers. In particular, while great care is generally taken to provide a complete description of the state machines and bits on the wire, this level of detail tends to get in the way of initial understanding. This document describes an approach for providing protocol "models" that allow reviewers to quickly grasp the essence of a system. This memo provides information for the Internet community. Cryptography Consulting LLC Cloudflare, Inc. This document provides guidelines and best practices for writing technical specifications for cryptography protocols and primitives, targeting the needs of implementers, researchers, and protocol designers. It highlights the importance of technical specifications and discusses strategies for creating high-quality specifications that cater to the needs of each community, including guidance on representing mathematical operations, security definitions, and threat models. Vigil Security, LLC This document specifies a TLS 1.3 extension that allows TLS clients and servers to authenticate with certificates and provide confidentiality based on encryption with a symmetric key from the usual key agreement algorithm and an external pre-shared key (PSK). This Standards Track RFC (once approved) obsoletes RFC 8773, which was an Experimental RFC. Intuit Arm Limited Arm Limited Linaro Nokia The TLS handshake protocol allows authentication of one or both peers using static, long-term credentials. In some cases, it is also desirable to ensure that the peer runtime environment is in a secure state. Such an assurance can be achieved using remote attestation which is a process by which an entity produces Evidence about itself that another party can use to appraise whether that entity is found in a secure state. This document describes a series of protocol extensions to the TLS 1.3 handshake that enable the binding of the TLS authentication key to a remote attestation session. This enables an entity capable of producing attestation Evidence, such as a confidential workload running in a Trusted Execution Environment (TEE), or an IoT device that is trying to authenticate itself to a network access point, to present a more comprehensive set of security metrics to its peer. These extensions have been designed to allow the peers to use any attestation technology, in any remote attestation topology, and to use them mutually. SandboxAQ This memo defines ML-KEM-512, ML-KEM-768, and ML-KEM-1024 as NamedGroups and and registers IANA values in the TLS Supported Groups registry for use in TLS 1.3 to achieve post-quantum (PQ) key establishment. China Telecom China Telecom Palo Alto Networks Palo Alto Networks This draft proposes a service affinity solution between client and server based on Transport Layer Security (TLS). An extension to Transport Layer Security (TLS) 1.3 to enable session migration. This mechanism is designed for network architectures, particularly for multi-homed servers that possess multiple network interfaces and IP addresses. This document describes the guidelines and procedures for formation and operation of IETF working groups. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Apple, Inc. Google LLC Apple, Inc. Apple, Inc. The pre-shared key mechanism available in TLS 1.3 is not suitable for usage with low-entropy keys, such as passwords entered by users. This document describes an extension that enables the use of password-authenticated key exchange protocols with TLS 1.3.

Appendix

Document History -07

• Failure of current process in
• Students of FATT in
• Lead FATT Person for Contact in
• Feedback from the WG

-06

• Solution for ML-KEM: FATT analysis
• Solution for FATT contact: new mailing list
• Replaced responsibilities by expected contributions
• Clarified Verifier even further that it is just a WG member; no formal role
• s/pure/non-hybrid

-05

• Removed process-related stuff
• Moved discussion at meeting to solutions
• Added ML-KEM

-04

• Extended threat model
• Helpful discussions on formal analysis in meetings in
• Pointer to formal analysis and costs in

-03

• Limitations of formal analysis in security considerations
• Proposed solutions section
• More guidance for authors: Threat Model and Informal Security Goals

-02

• Added document structure
• FATT-bypass by Other TLS-related WGs
• FATT process not being followed

-01

• Pain points of Verifier
• Small adjustment of phrasing

Acknowledgments We thankfully acknowledge the following for their valuable input:

• Eric Rescorla for review of -02, -05, and -06.
• John Mattsson for proposing text for security considerations.
• S. Moonesamy for identifying the 'no response' risk in the proposal for new list.
• David Benjamin for review of -06.

The research work is funded by German Research Foundation ("Deutsche Forschungsgemeinschaft.")