IETF Logo Mail Archive

Re: [Model-t] Considerations for modern COMSEC protocol design

Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Mon, 17 February 2020 17:57 UTC

Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 594D612008F for <model-t@ietfa.amsl.com>; Mon, 17 Feb 2020 09:57:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9b-Xks0K93_F for <model-t@ietfa.amsl.com>; Mon, 17 Feb 2020 09:57:46 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B4F8120089 for <model-t@iab.org>; Mon, 17 Feb 2020 09:57:43 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id r19so19845529ljg.3 for <model-t@iab.org>; Mon, 17 Feb 2020 09:57:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fop3g2F3O/KTqFy3aZvjSNVGnq+DTOLiSyuVdLIrRtY=; b=epEsNCXLfNpDYU/Wo6Wvv13dJMJWDQVXjhEO2o1d1YsMD4uELLjldJWOQfljc7aN/j qUZzKz3g7CH5Qm+Ex803pvurCEJwE9Nyj5p3YfgkWNk9P2LdCg6EgnLRO4FRsTs9oocb T7umDXswlYTjDtMA+t4DK+jVgbLpcBuzWk41+yLK25adGtbV5UOg1LW0Vz5jpP35JKiR MPo/oxTYacrRjN2lfzlLM+mhbv639KGAZt1+GljRfEG8GirVUyZ0rfsm29hMls8G70SE rkbH7fcEVURufSMH0x0ysO/m5QI6sQpq3/MnXAc4j2llAj+8jzEYsHugPj1XOKtzvuFL 61fQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fop3g2F3O/KTqFy3aZvjSNVGnq+DTOLiSyuVdLIrRtY=; b=PgtwgB6hC3CywfYTUH8PRtaewxExIHNKNw90f/a5dyic5jCMkCZytBA3/wK7kB6Wf/ 04sXPT3ifh3TcB29F5KCNbTOmMkJhCmVOU2CAacFPBzgZbcESzTbLJAKn6YsHMC9xq9a iQM7uRY3mHVYwPCeAlyVLi662e6DqUkhFSAB+kl83L9Pd9M0hGh71BEGAIZ/R3BPVH1j pYZ5Mpdw+JKdY3RMofUbIezVEuYAQAfwo2gGGuNy+sR0zLlczjG/GMTkwovVoxqcpbh9 CmGaIv8spvCXTQmtpnGcf/jYQQ4VWn6zPVzfIEmGMCFQViBsVaJa1V063mgy9ukpcxz8 yh3Q==
X-Gm-Message-State: APjAAAX1OKo7H79bi3/w1DrsOfhd4Wqmijg2sYudi+AEtfG3CzgJuWeQ S2jAZa6WShdiA2HbBkRRKXVD5fPxC8KOLCgGf0g=
X-Google-Smtp-Source: APXvYqzr6kOq5Ws4PZk6B+AgUUGSmwipR5m/dNvbhslSTOwXkfBonzU2JAp59IFcp9JvzfeepuZWRjBkfPHBc0H29nE=
X-Received: by 2002:a2e:9d3:: with SMTP id 202mr10715646ljj.60.1581962261238; Mon, 17 Feb 2020 09:57:41 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBPgvsQGzyWEXK_U2x_wYthuxELCs7r+J+NLyA=knpp8pw@mail.gmail.com>
In-Reply-To: <CABcZeBPgvsQGzyWEXK_U2x_wYthuxELCs7r+J+NLyA=knpp8pw@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Mon, 17 Feb 2020 11:57:14 -0600
Message-ID: <CAKKJt-e5Gh7ixLapFt+kEDOXpS0xHB2whY6COTvRBu7i=P7VLQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: model-t@iab.org
Content-Type: multipart/alternative; boundary="000000000000a1182a059ec94aff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/TzvsUALa-l9qG3iVZEVF_IiK8FU>
Subject: Re: [Model-t] Considerations for modern COMSEC protocol design
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2020 17:57:52 -0000

I'm not an active participant here, and the Internet is likely better for
that, but this is exactly the kind of conversation I was hoping Model-T
would be having.

Eric, thanks for sending this.

Spencer

On Mon, Feb 17, 2020 at 11:07 AM Eric Rescorla <ekr@rtfm.com> wrote:

> As promised...
>
> -Ekr and Chris
>
>
> RFC 3552 provides a description of classic issues for the development
> of communications security protocols. However, in the nearly 20 years
> since the publication of 3552, the practice of protocol design has
> moved on to a fair extent. This note sketches some of the
> considerations that should be considered when designing a communications
> security protocol that are not covered in detail in 3552.
>
> LIMIING TIME SCOPE OF COMPROMISE
> RFC 3552; Section 3 says:
>
>    The Internet environment has a fairly well understood threat model.
>    In general, we assume that the end-systems engaging in a protocol
>    exchange have not themselves been compromised.  Protecting against an
>    attack when one of the end-systems has been compromised is
>    extraordinarily difficult.  It is, however, possible to design
>    protocols which minimize the extent of the damage done under these
>    circumstances.
>
> Although this text is technically correct, modern protocol designs
> such as TLS 1.3 and MLS often try to provide a fair amount of defense
> against various kinds of temporary compromise. Specifically:
>
> - Forward Security: Many protocols are designed so that compromise of
>   an endpoint at time T does not lead to compromise of data transmitted
>   prior to some time T' < T. For instance, if a protocol is based on
>   Diffie-Hellman key establishment, then compromise of the long-term
>   keys does not lead to compromise of traffic sent prior to compromise
>   if the DH ephemerals and traffic keys have been deleted.
>
> - Post-Compromise Security: Conversely, if an endpoint is compromised
>   at time T, it is often desirable to have the protocol "self-heal"
>   so that a purely passive adversary cannot access traffic after
>   a certain time T' > T. MLS, for instance, is designed with this
>   property.
>
> - Containing Partial Authentication Key Compromise: If an endpoint is
>   stolen and its authentication secret is stolen, then an attacker can
>   impersonate that endpoint. However, there a number of scenarios in
>   which an attacker can obtain use of an authentication key but not
>   the secret itself (see, for instance [0]). It is often desirable to
>   limit the impact of such compromises (for instance, by avoiding
>   unlimited delegation from such keys).
>
> - Short-lived keys: Typical TLS certificates last for months or years.
>   There is a trend towards shorter certificate lifetimes so as to minimize
>   risk of exposure in the event of key compromise. Relatedly, delegated
>   credentials are short-lived keys the certificate’s owner has delegated
>   for use in TLS. These help reduce private key lifetimes without
> compromising
>   or sacrificing reliability.
>
>
> FORCING ACTIVE ATTACK
> RFC 3552; Section 3.2 notes that it is important to consider passive
> attacks. In general, it is much harder to mount an active attack, both
> in terms of the capabilities required and the chance of being
> detected. Another theme in recent IETF protocols design is to build
> systems which might have limited defense against active attackers but
> are strong against passive attackers, thus forcing the attacker to go
> active. Examples include DTLS-SRTP and the trend towards opportunistic
> security. However, ideally protocols are built with strong defenses
> against active attackers. One prominent example is QUIC, which takes
> steps to ensure that off-path connection resets are intractable in
> practice.
>
>
> TRAFFIC ANALYSIS
> RFC 3552; Section 3.2.1 describes how the absence of TLS or other
> transport-layer encryption may lead to obvious confidentiality
> violations against passive attackers. However, recent trends in
> traffic analysis indicate encryption alone may be insufficient
> protection for some types of application data [1]. Encrypted traffic
> metadata, especially message size, can leak information about the
> underlying plaintext. DNS queries and responses are particularly
> at risk given their size distributions. Recent protocols account
> for this leakage by supporting padding, either generically in the
> transport protocol (QUIC and TLS), or specifically in the application
> protocol (EDNS(0) padding option for DNS messages).
>
>
> CONTAINING COMPROMISE OF TRUST POINTS
> Many protocols are designed to depend on trusted third parties (the
> WebPKI is perhaps the canonical example); if those trust points
> misbehave, the security of the protocol can be completely compromised.
>
> A number of recent protocols have attempted to reduce the power of
> those trust points. For instance. Certificate Transparency attempts to
> ensure that a CA cannot issue valid certificates without publishing
> them, allowing third parties to detect certain classes of misbehavior
> by those CA. Similarly, Key Transparency attempts to ensure that (public)
> keys associated with a given entity are publicly visible and auditable
> in tamper-proof logs. This allows users of these keys to check
> them for correctness.
>
> In the realm of software, Reproducible Builds and Binary
> Transparency are intended to allow a user to determine that they
> have received a valid copy of the binary that matches the auditable
> source code. Blockchain protocols such as Bitcoin and Ethereum also
> employ this principle of transparency and are intended to detect
> misbehavior by members of the network.
>
>
>
> [0] Jager, T.., Schwenk, J., and J. Somorovsky, "On the Security of TLS
> 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption",
> Proceedings of ACM CCS 2015, DOI 10.1145/2810103.2813657, October
> 2015, <https://www.nds.rub.de/media/nds/
> veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf>.
> [1] https://tools.ietf.org/html/draft-wood-pearg-website-fingerprinting-00
> --
> Model-t mailing list
> Model-t@iab.org
> https://www.iab.org/mailman/listinfo/model-t
>

v2.23.0 | Report a Bug | By Email