[Model-t] Considerations for modern COMSEC protocol design
Eric Rescorla <ekr@rtfm.com> Mon, 17 February 2020 17:07 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA8771208D2 for <model-t@ietfa.amsl.com>; Mon, 17 Feb 2020 09:07:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id okogal-AV3xB for <model-t@ietfa.amsl.com>; Mon, 17 Feb 2020 09:07:35 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E8F11208CB for <model-t@iab.org>; Mon, 17 Feb 2020 09:07:34 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id y6so19702630lji.0 for <model-t@iab.org>; Mon, 17 Feb 2020 09:07:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=kVg24dOBfuQDn7Qr2WH2KJ8NE0MKIVaYVGzc9bivBUI=; b=vub6GOe2Le1G0RgXSrI2HIfGbKXyUZwlHHR4uObDkVOWahUSgLXfc9ZCaN4UKY1esh UnnSBxQ69/4m4AG+y5Q7hbpt63QAT7nA0eLpXzdgAYOSRkNl64WRRme2mJuuSGa+k/pZ dOigZ1Wji/mVrv5s2SxU7vt9N2GhNRdSRZ8KJvM3jKGcUddFpKkLMMpPvUxJ3fKi7tFG N8fnGqTqVX+Uc9Ngbr8OENtXELGB0KVb5f1TL7UM1PZHgR53N0rNjz8n0qKCyfnsElxp Hqobu55qwsJwR+BcBIiSGm7KHaOz5A/evL7dOnp0iuZCqbQUzml/xjtQbEQYyTXUVeJS lx0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=kVg24dOBfuQDn7Qr2WH2KJ8NE0MKIVaYVGzc9bivBUI=; b=ZYJz0RcqiTC2OObxWLTSUhbNw0SoHVlw9TrLUGDWSx/iHSeek0dGl5gfvqxdLHUpxv PPx/1V7ddfbyo1u9iFqsW53subYdvfyCon/irfkHl7ZcToiqJdcxs16wKZKUlkOn6CQt D0SXDnMDXebhrg3xbu8y8HSYDKaf872VPNRyLaiMmLsPD4TU+gw9rviN4x3I7k3xNR2H xmz9uB36HnmkkdKZ4B1mnoiDmx13QqcfRlMk/+WDSP0MXw9LSGTOFJLEhSbxZHiVgkAW Q0OeNXUh1oljFXdBoDF9O0SjCvTl7TwomOdtRL0fCkuzdmW4gj6tZacb8f8IN/h+DD2J Ac2g==
X-Gm-Message-State: APjAAAXpdD7H1FT0aKF6u3zqJYjHG/X1tXkmd08u8lmPq1xuNxHwJO8k JvMfEJBhuPVZl7tPMNJz/dqQmpLRp18c0GABQmgFhSaTYkU=
X-Google-Smtp-Source: APXvYqwQuBdYQ43z+t1XO4NlnED3FX9IhtbzUDEtMYCG0JZBa2GQwltVzf4hjmltvobP7ow2kiv3QatXSDsAKBtzuk4=
X-Received: by 2002:a2e:9b12:: with SMTP id u18mr10567058lji.274.1581959250536; Mon, 17 Feb 2020 09:07:30 -0800 (PST)
MIME-Version: 1.0
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 17 Feb 2020 09:06:54 -0800
Message-ID: <CABcZeBPgvsQGzyWEXK_U2x_wYthuxELCs7r+J+NLyA=knpp8pw@mail.gmail.com>
To: model-t@iab.org
Content-Type: multipart/alternative; boundary="0000000000002dc4eb059ec89722"
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/F7sHaRcIhwMyE1Ftb9A56nVbj-4>
Subject: [Model-t] Considerations for modern COMSEC protocol design
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2020 17:07:39 -0000
As promised... -Ekr and Chris RFC 3552 provides a description of classic issues for the development of communications security protocols. However, in the nearly 20 years since the publication of 3552, the practice of protocol design has moved on to a fair extent. This note sketches some of the considerations that should be considered when designing a communications security protocol that are not covered in detail in 3552. LIMIING TIME SCOPE OF COMPROMISE RFC 3552; Section 3 says: The Internet environment has a fairly well understood threat model. In general, we assume that the end-systems engaging in a protocol exchange have not themselves been compromised. Protecting against an attack when one of the end-systems has been compromised is extraordinarily difficult. It is, however, possible to design protocols which minimize the extent of the damage done under these circumstances. Although this text is technically correct, modern protocol designs such as TLS 1.3 and MLS often try to provide a fair amount of defense against various kinds of temporary compromise. Specifically: - Forward Security: Many protocols are designed so that compromise of an endpoint at time T does not lead to compromise of data transmitted prior to some time T' < T. For instance, if a protocol is based on Diffie-Hellman key establishment, then compromise of the long-term keys does not lead to compromise of traffic sent prior to compromise if the DH ephemerals and traffic keys have been deleted. - Post-Compromise Security: Conversely, if an endpoint is compromised at time T, it is often desirable to have the protocol "self-heal" so that a purely passive adversary cannot access traffic after a certain time T' > T. MLS, for instance, is designed with this property. - Containing Partial Authentication Key Compromise: If an endpoint is stolen and its authentication secret is stolen, then an attacker can impersonate that endpoint. However, there a number of scenarios in which an attacker can obtain use of an authentication key but not the secret itself (see, for instance [0]). It is often desirable to limit the impact of such compromises (for instance, by avoiding unlimited delegation from such keys). - Short-lived keys: Typical TLS certificates last for months or years. There is a trend towards shorter certificate lifetimes so as to minimize risk of exposure in the event of key compromise. Relatedly, delegated credentials are short-lived keys the certificate’s owner has delegated for use in TLS. These help reduce private key lifetimes without compromising or sacrificing reliability. FORCING ACTIVE ATTACK RFC 3552; Section 3.2 notes that it is important to consider passive attacks. In general, it is much harder to mount an active attack, both in terms of the capabilities required and the chance of being detected. Another theme in recent IETF protocols design is to build systems which might have limited defense against active attackers but are strong against passive attackers, thus forcing the attacker to go active. Examples include DTLS-SRTP and the trend towards opportunistic security. However, ideally protocols are built with strong defenses against active attackers. One prominent example is QUIC, which takes steps to ensure that off-path connection resets are intractable in practice. TRAFFIC ANALYSIS RFC 3552; Section 3.2.1 describes how the absence of TLS or other transport-layer encryption may lead to obvious confidentiality violations against passive attackers. However, recent trends in traffic analysis indicate encryption alone may be insufficient protection for some types of application data [1]. Encrypted traffic metadata, especially message size, can leak information about the underlying plaintext. DNS queries and responses are particularly at risk given their size distributions. Recent protocols account for this leakage by supporting padding, either generically in the transport protocol (QUIC and TLS), or specifically in the application protocol (EDNS(0) padding option for DNS messages). CONTAINING COMPROMISE OF TRUST POINTS Many protocols are designed to depend on trusted third parties (the WebPKI is perhaps the canonical example); if those trust points misbehave, the security of the protocol can be completely compromised. A number of recent protocols have attempted to reduce the power of those trust points. For instance. Certificate Transparency attempts to ensure that a CA cannot issue valid certificates without publishing them, allowing third parties to detect certain classes of misbehavior by those CA. Similarly, Key Transparency attempts to ensure that (public) keys associated with a given entity are publicly visible and auditable in tamper-proof logs. This allows users of these keys to check them for correctness. In the realm of software, Reproducible Builds and Binary Transparency are intended to allow a user to determine that they have received a valid copy of the binary that matches the auditable source code. Blockchain protocols such as Bitcoin and Ethereum also employ this principle of transparency and are intended to detect misbehavior by members of the network. [0] Jager, T., Schwenk, J., and J. Somorovsky, "On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption", Proceedings of ACM CCS 2015, DOI 10.1145/2810103.2813657, October 2015, <https://www.nds.rub.de/media/nds/ veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf>. [1] https://tools.ietf.org/html/draft-wood-pearg-website-fingerprinting-00
- [Model-t] Considerations for modern COMSEC protoc… Eric Rescorla
- Re: [Model-t] Considerations for modern COMSEC pr… Spencer Dawkins at IETF
- Re: [Model-t] Considerations for modern COMSEC pr… Stephen Farrell
- Re: [Model-t] Considerations for modern COMSEC pr… Jim Fenton
- Re: [Model-t] Considerations for modern COMSEC pr… Stephen Farrell
- Re: [Model-t] Considerations for modern COMSEC pr… Joachim Fabini
- Re: [Model-t] Considerations for modern COMSEC pr… Eric Rescorla
- Re: [Model-t] Considerations for modern COMSEC pr… Christopher Wood
- Re: [Model-t] Considerations for modern COMSEC pr… Joachim Fabini