Added document for TLS Keying Material Exporters [RFC-5705]

[DS: Fixed option prefix from '-' to '--'] Signed-off-by: Daniel Kubec <niel@rtfm.cz> Signed-off-by: David Sommerseth <davids@redhat.com> Acked-by: Steffan Karger <steffan.karger@fox-it.com Acked-by: David Sommerseth <davids@redhat.com>
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Forgot to add Message-ID and URLs to the commit message. Message-Id: CAEW7GUswCyjPpYN8_2d5OGQzg7xRe8tAVBa=9-243W9vLL4b+g@mail.gmail.com URL: http://article.gmane.org/gmane.network.openvpn.devel/9543 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEYEARECAAYFAlYYy94ACgkQDC186MBRfroOgQCgl5Qszv6ZbSqBJ29b2FE/dUMA ilEAn2IgcE6OD4ZPFekaUCv5KKsSSrh6 =DyDt -----END PGP SIGNATURE-----
2025-05-09 21:51:05 +08:00 · 2015-03-12 15:25:42 +01:00 · 2015-03-12 15:25:42 +01:00 · 84604e0bae · 2015-10-10 10:45:28 +02:00
commit 84604e0bae
parent 685e486e8b
1 changed files with 137 additions and 0 deletions
--- a/doc/keying-material-exporter.txt
+++ b/doc/keying-material-exporter.txt
@ -0,0 +1,137 @@
+OpenVPN                                             Daniel Kubec <niel@rtfm.cz>
+RFC-5705                                                          February 2015
+
+
+                Added support for TLS Keying Material Exporters
+
+Keying Material Exporter [RFC-5705] allow additional keying material to be
+derived from existing TLS channel. This exported keying material can then be
+used for a variety of purposes. TLS allows client and server to establish
+keying material for use in the upper layers between the TLS end-points and
+channel bindings is straightforward and well-defined mechanism how to
+authenticate other layers.
+
+
+OpenVPN Configuration
+
+--keying-material-exporter label len
+
+Export Keying Material [RFC-5705] of len bytes (min. 16 bytes) using label in
+environment (exported_keying_material) for use by plugins in
+OPENVPN_PLUGIN_TLS_FINAL callback.
+
+Note that exporter labels have the potential to collide with existing PRF
+labels. In order to prevent this, labels MUST begin with "EXPORTER".
+(This option requires OpenSSL 1.0.1 or newer.)
+
+
+Use Cases:
+
+Secure bindings of AAA information to application layer
+
+   OpenVPN Client                   <------>                 OpenVPN Server
+   [KeyAgreement]                                            [KeyAgreement]
+
+   [TLSExportedKeyingMaterial]                  [TLSExportedKeyingMaterial]
+   [AAASessionKey]                                          [AAASessionKey]
+   Client                           <------>                         Server
+                      [Authenticated layer on top of (D)TLS]
+
+
+TLS side channel authentication and straightforward bindings of AAA information
+to application layer using well-defined mechanism.
+
+   OpenVPN Client                   <------>                 OpenVPN Server
+   [KeyAgreement]                                            [KeyAgreement]
+
+   [TLSExportedKeyingMaterial]                  [TLSExportedKeyingMaterial]
+   [DerivedAAABindingKey]                            [DerivedAAABindingKey]
+                                                  [AuthenticateBindingKeys]
+   Client                           ------->                         Server
+                             [Confidental channel]
+
+
+TLS Message flow for a full handshake
+
+   ClientHello                      -------->
+                                                               ServerHello
+                                                               Certificate*
+                                                         ServerKeyExchange*
+                                                        CertificateRequest*
+                                    <--------              ServerHelloDone
+   Certificate*
+   ClientKeyExchange
+   CertificateVerify*
+   [ChangeCipherSpec]
+   Finished                         -------->
+                                                        [ChangeCipherSpec]
+                                    <--------                     Finished
+
+   GenerateTLSBindingKey                             GenerateTLSBindingKey
+
+   Application Data                 <------->             Application Data
+
+
+Terminology
+
+   AAA                     Authentication, Authorization, and Accounting:
+                           functions that are generally required to control
+                           access to a service and support auditing.
+
+   Secure channel          a packet, datagram, octet stream connection, or
+                           sequence of connections between two end-points that
+                           affords cryptographic integrity and confidentiality
+                           to data exchanged over it.
+
+   Channel binding         the process of establishing that no man-in-the-middle
+                           exists between two end-points that have been
+                           authenticated using secure channel.
+
+   TLS Binding Key         Exported Keying Material [RFC5705]
+
+                           If no context is provided, it then computes:
+                           PRF(SecurityParameters.master_secret, label,
+                               SecurityParameters.client_random +
+                               SecurityParameters.server_random
+                           )[length]
+
+                           If context is provided, it computes:
+                           PRF(SecurityParameters.master_secret, label,
+                               SecurityParameters.client_random +
+                               SecurityParameters.server_random +
+                               context_value_length + context_value
+                           )[length]
+
+   AAA Binding Key         TLS side channel authentication based on secure
+                           channel bindings requires one more key derivation.
+
+                           SHA1(TLSExportedKeyingMaterial + ServerPublicKey)
+
+Reference
+
+   [OPENAAA]               "TLS side channel authentication and straightforward
+                            bindings of AAA information to application
+                            layer using well-defined mechanism."
+                           Daniel Kubec <niel@rtfm.cz>              March 2013
+                           https://github.com/n13l/openaaa
+
+   [RFC5705]               "Keying Material Exporters for TLS"
+                           E. Rescorla, RFC 5705 March 2010
+                           http://tools.ietf.org/html/rfc5705
+
+   [RFC5929]               "Channel Bindings for TLS"
+                           J. Altman, N. Williams, L. Zhu, RFC 5929, July 2010
+                           http://tools.ietf.org/html/rfc5929
+
+   [RFC4680]               "TLS Handshake Message for Supplemental Data"
+                           S. Santesson, RFC 4680, September 2006
+                           http://tools.ietf.org/html/rfc4680
+
+   [RFC5878]               "TLS Authorization Extension"
+                           M. Brown, R. Housley, RFC 5878, May 2010
+                           http://tools.ietf.org/html/rfc5878
+
+   [RFC5746]               "TLS Renegotiation Indication Extension"
+                           E. Rescorla, M. Raym, S. Dispensa, N. Oskov
+                           RFC 5746, February 2010
+                           http://tools.ietf.org/html/rfc5746