JDK-8186898 : Support Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
  • Type: CSR
  • Component: security-libs
  • Sub-Component: javax.net.ssl
  • Priority: P3
  • Status: Closed
  • Resolution: Withdrawn
  • Fix Versions: 10
  • Submitted: 2017-08-29
  • Updated: 2017-12-08
  • Resolved: 2017-11-28
Related Reports
CSR :  
JDK-8148421 - Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension
Description
Summary
-------

Add support for *Extended Master Secret* TLS extension in JSSE provider on both client and server sides, according to [RFC 7627 (*Transport Layer Security (TLS) Session Hash and Extended Master Secret Extension*)](https://tools.ietf.org/html/rfc7627). This extension modifies the scheme through which the TLS session master key is derived, preventing attacks such as the [Triple Handshake Attack](https://www.mitls.org/pages/attacks/3SHAKE).

Problem
-------

JSSE has lack of support for *Extended Master Secret* TLS extension on both client and server sides. Even though many TLS implementations still negotiate sessions without *Extended Master Secret* for backward compatibility reasons, this is discouraged and may pose a security risk. Risk is related to the fact that the master key is not cryptographically bound to the session, allowing an active attacker to set up the same master key on a different session and bypass authentication schemes that rely on it. 

JSSE is currently behind other TLS implementations in regard to *Extended Master Secret* support:

 * [OpenSSL](https://www.openssl.org/docs/man1.1.0/ssl/SSL_get_extms_support.html)
 * [NSS](https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes)
 * [GnuTls](https://lists.gnupg.org/pipermail/gnutls-devel/2015-April/007535.html)

Solution
--------

When negotiating a TLS session as a client, send the *Extended Master Secret* extension as part of the Client Hello message. When negotiating a TLS session as a server, identify the use of *Extended Master Secret* extension in the Client Hello Message. If *Extended Master Secret* extension is in use, apply the algorithm specified in [RFC 7627](https://tools.ietf.org/html/rfc7627) to derive the session master key on both client and server sides. **Note:** The proposed solution does not change the current API, as it's JSSE internal.

Specification
-------------

Proposed webrev: http://cr.openjdk.java.net/~sgehwolf/webrevs/mbalaoal/JDK-8148421/webrev.02/

CSR is being asked for because the proposed change introduces modifications in the default behaviour for both JSSE TLS clients and servers. Clients will be sending the Extended Master Secret TLS extension in their Client Hello message by default (instead of not sending it). Servers will be handling received Extended Master Secret TLS extensions (instead of ignoring it). Both Clients and Servers will be using a new scheme for TLS master key derivation if the counterpart supports the aforementioned extension. This modifies not only the way in which JSSE Clients and Servers interact with each other but also their interaction with other TLS implementations from 3rd parties (i.e.: OpenSSL, NSS, GnuTls, etc.).

**Detailed changes:**

 * ClientHandshaker class
   * When negotiating a new TLS session (full handshake), the client sends the *Extended Master Secret* extension as part of the *Client Hello* message.
   * When resuming a TLS session (abbreviated handshake), the client sends the *Extended Master Secret* extension as part of the *Client Hello* message only if it was in use for the original session.
   * When processing a *Server Hello* message, the client identifies if the server supports the *Extended Master Secret* extension.
     * Client check for error conditions: the use of *Extended Master Secret* cannot differ from the original session when resuming a session.

 * ServerHandshaker class
   * When processing a *Client Hello* message, the server identifies if the client supports the *Extended Master Secret* extension.
     * Server check for error conditions: the use of *Extended Master Secret* cannot differ from the original session when resuming a session.
   * If *Extended Master Secret* is in use, the server sends the extension as part of the *Server Hello* message to notify the client.

 * SSLSessionImpl class
   * An instance variable was added to indicate if *Extended Master Secret* is enabled in the session.

 * Handshaker
   * Stores the session hash (handshake final hash) in a *TlsMasterSecretParameterSpec* instance for master key calculation when *Extended Master Secret* is in use.

 * TlsMasterSecretParameterSpec
   * The session hash (handshake final hash) can be stored here for master key calculation when *Extended Master Secret* is in use.

 * TlsMasterSecretGenerator
   * If *Extended Master Secret* is in use, derives the master key as specified in [RFC 7627](https://tools.ietf.org/html/rfc7627), using the session hash (handshake final hash) stored in the *TlsMasterSecretParameterSpec* instance.

**Note:**
As part of the change a property for disabling this new feature is also being considered. It would completely disable the use of this TLS extension. The property would apply to both Clients and Servers. The suggested property name would be `jsse.useExtendedMasterSecret` with a default value of `true`. Setting for disabling the wire protocol changes would, thus be: `jsse.useExtendedMasterSecret=false`.
Comments
See release note of JDK-8148421.
28-11-2017
I've updated with the new webrev (.02) that implements the proposed property.
09-10-2017
I would like to have a new property, "jsse.useExtendedMasterSecret" , to turn off the this extension for the implementation, just in case something bad happens. Otherwise, looks fine to me.
06-10-2017
Moving to Provisional state. Please have one or more security engineers review the request before it is finalized. Given experience adding similar features in the past, I suggest including a system property to enable to the new behavior.
13-09-2017
Required changes have been made.
12-09-2017
A few comments on this this. First, the CSR process is only being used for JDK 10 at the moment at the fixVersion of this CSR is set to 9.1. What set of releases is this fix intended for at the moment? Please hit "Edit" on the request at the set the Compatibility Kind, Compatibility Risk, Interface Kind, and Scope fields. From my reading of the request, there is no specification change per se, but instead behavioral changes allowed within the present specification. If that is the case, it should be explained in the specification section. Thanks.
31-08-2017
Note: I'm proposing this CSR on behalf of Martin Balao the actual author of this.
30-08-2017