Re: [Model-t] Considerations for modern COMSEC protocol design
Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com> Mon, 17 February 2020 17:57 UTC
Return-Path: <spencerdawkins.ietf@gmail.com>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 594D612008F for <model-t@ietfa.amsl.com>; Mon, 17 Feb 2020 09:57:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9b-Xks0K93_F for <model-t@ietfa.amsl.com>; Mon, 17 Feb 2020 09:57:46 -0800 (PST)
Received: from mail-lj1-x235.google.com (mail-lj1-x235.google.com [IPv6:2a00:1450:4864:20::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B4F8120089 for <model-t@iab.org>; Mon, 17 Feb 2020 09:57:43 -0800 (PST)
Received: by mail-lj1-x235.google.com with SMTP id r19so19845529ljg.3 for <model-t@iab.org>; Mon, 17 Feb 2020 09:57:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=fop3g2F3O/KTqFy3aZvjSNVGnq+DTOLiSyuVdLIrRtY=; b=epEsNCXLfNpDYU/Wo6Wvv13dJMJWDQVXjhEO2o1d1YsMD4uELLjldJWOQfljc7aN/j qUZzKz3g7CH5Qm+Ex803pvurCEJwE9Nyj5p3YfgkWNk9P2LdCg6EgnLRO4FRsTs9oocb T7umDXswlYTjDtMA+t4DK+jVgbLpcBuzWk41+yLK25adGtbV5UOg1LW0Vz5jpP35JKiR MPo/oxTYacrRjN2lfzlLM+mhbv639KGAZt1+GljRfEG8GirVUyZ0rfsm29hMls8G70SE rkbH7fcEVURufSMH0x0ysO/m5QI6sQpq3/MnXAc4j2llAj+8jzEYsHugPj1XOKtzvuFL 61fQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=fop3g2F3O/KTqFy3aZvjSNVGnq+DTOLiSyuVdLIrRtY=; b=PgtwgB6hC3CywfYTUH8PRtaewxExIHNKNw90f/a5dyic5jCMkCZytBA3/wK7kB6Wf/ 04sXPT3ifh3TcB29F5KCNbTOmMkJhCmVOU2CAacFPBzgZbcESzTbLJAKn6YsHMC9xq9a iQM7uRY3mHVYwPCeAlyVLi662e6DqUkhFSAB+kl83L9Pd9M0hGh71BEGAIZ/R3BPVH1j pYZ5Mpdw+JKdY3RMofUbIezVEuYAQAfwo2gGGuNy+sR0zLlczjG/GMTkwovVoxqcpbh9 CmGaIv8spvCXTQmtpnGcf/jYQQ4VWn6zPVzfIEmGMCFQViBsVaJa1V063mgy9ukpcxz8 yh3Q==
X-Gm-Message-State: APjAAAX1OKo7H79bi3/w1DrsOfhd4Wqmijg2sYudi+AEtfG3CzgJuWeQ S2jAZa6WShdiA2HbBkRRKXVD5fPxC8KOLCgGf0g=
X-Google-Smtp-Source: APXvYqzr6kOq5Ws4PZk6B+AgUUGSmwipR5m/dNvbhslSTOwXkfBonzU2JAp59IFcp9JvzfeepuZWRjBkfPHBc0H29nE=
X-Received: by 2002:a2e:9d3:: with SMTP id 202mr10715646ljj.60.1581962261238; Mon, 17 Feb 2020 09:57:41 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBPgvsQGzyWEXK_U2x_wYthuxELCs7r+J+NLyA=knpp8pw@mail.gmail.com>
In-Reply-To: <CABcZeBPgvsQGzyWEXK_U2x_wYthuxELCs7r+J+NLyA=knpp8pw@mail.gmail.com>
From: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Date: Mon, 17 Feb 2020 11:57:14 -0600
Message-ID: <CAKKJt-e5Gh7ixLapFt+kEDOXpS0xHB2whY6COTvRBu7i=P7VLQ@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: model-t@iab.org
Content-Type: multipart/alternative; boundary="000000000000a1182a059ec94aff"
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/TzvsUALa-l9qG3iVZEVF_IiK8FU>
Subject: Re: [Model-t] Considerations for modern COMSEC protocol design
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Feb 2020 17:57:52 -0000
I'm not an active participant here, and the Internet is likely better for that, but this is exactly the kind of conversation I was hoping Model-T would be having. Eric, thanks for sending this. Spencer On Mon, Feb 17, 2020 at 11:07 AM Eric Rescorla <ekr@rtfm.com> wrote: > As promised... > > -Ekr and Chris > > > RFC 3552 provides a description of classic issues for the development > of communications security protocols. However, in the nearly 20 years > since the publication of 3552, the practice of protocol design has > moved on to a fair extent. This note sketches some of the > considerations that should be considered when designing a communications > security protocol that are not covered in detail in 3552. > > LIMIING TIME SCOPE OF COMPROMISE > RFC 3552; Section 3 says: > > The Internet environment has a fairly well understood threat model. > In general, we assume that the end-systems engaging in a protocol > exchange have not themselves been compromised. Protecting against an > attack when one of the end-systems has been compromised is > extraordinarily difficult. It is, however, possible to design > protocols which minimize the extent of the damage done under these > circumstances. > > Although this text is technically correct, modern protocol designs > such as TLS 1.3 and MLS often try to provide a fair amount of defense > against various kinds of temporary compromise. Specifically: > > - Forward Security: Many protocols are designed so that compromise of > an endpoint at time T does not lead to compromise of data transmitted > prior to some time T' < T. For instance, if a protocol is based on > Diffie-Hellman key establishment, then compromise of the long-term > keys does not lead to compromise of traffic sent prior to compromise > if the DH ephemerals and traffic keys have been deleted. > > - Post-Compromise Security: Conversely, if an endpoint is compromised > at time T, it is often desirable to have the protocol "self-heal" > so that a purely passive adversary cannot access traffic after > a certain time T' > T. MLS, for instance, is designed with this > property. > > - Containing Partial Authentication Key Compromise: If an endpoint is > stolen and its authentication secret is stolen, then an attacker can > impersonate that endpoint. However, there a number of scenarios in > which an attacker can obtain use of an authentication key but not > the secret itself (see, for instance [0]). It is often desirable to > limit the impact of such compromises (for instance, by avoiding > unlimited delegation from such keys). > > - Short-lived keys: Typical TLS certificates last for months or years. > There is a trend towards shorter certificate lifetimes so as to minimize > risk of exposure in the event of key compromise. Relatedly, delegated > credentials are short-lived keys the certificate’s owner has delegated > for use in TLS. These help reduce private key lifetimes without > compromising > or sacrificing reliability. > > > FORCING ACTIVE ATTACK > RFC 3552; Section 3.2 notes that it is important to consider passive > attacks. In general, it is much harder to mount an active attack, both > in terms of the capabilities required and the chance of being > detected. Another theme in recent IETF protocols design is to build > systems which might have limited defense against active attackers but > are strong against passive attackers, thus forcing the attacker to go > active. Examples include DTLS-SRTP and the trend towards opportunistic > security. However, ideally protocols are built with strong defenses > against active attackers. One prominent example is QUIC, which takes > steps to ensure that off-path connection resets are intractable in > practice. > > > TRAFFIC ANALYSIS > RFC 3552; Section 3.2.1 describes how the absence of TLS or other > transport-layer encryption may lead to obvious confidentiality > violations against passive attackers. However, recent trends in > traffic analysis indicate encryption alone may be insufficient > protection for some types of application data [1]. Encrypted traffic > metadata, especially message size, can leak information about the > underlying plaintext. DNS queries and responses are particularly > at risk given their size distributions. Recent protocols account > for this leakage by supporting padding, either generically in the > transport protocol (QUIC and TLS), or specifically in the application > protocol (EDNS(0) padding option for DNS messages). > > > CONTAINING COMPROMISE OF TRUST POINTS > Many protocols are designed to depend on trusted third parties (the > WebPKI is perhaps the canonical example); if those trust points > misbehave, the security of the protocol can be completely compromised. > > A number of recent protocols have attempted to reduce the power of > those trust points. For instance. Certificate Transparency attempts to > ensure that a CA cannot issue valid certificates without publishing > them, allowing third parties to detect certain classes of misbehavior > by those CA. Similarly, Key Transparency attempts to ensure that (public) > keys associated with a given entity are publicly visible and auditable > in tamper-proof logs. This allows users of these keys to check > them for correctness. > > In the realm of software, Reproducible Builds and Binary > Transparency are intended to allow a user to determine that they > have received a valid copy of the binary that matches the auditable > source code. Blockchain protocols such as Bitcoin and Ethereum also > employ this principle of transparency and are intended to detect > misbehavior by members of the network. > > > > [0] Jager, T.., Schwenk, J., and J. Somorovsky, "On the Security of TLS > 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption", > Proceedings of ACM CCS 2015, DOI 10.1145/2810103.2813657, October > 2015, <https://www.nds.rub.de/media/nds/ > veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf>. > [1] https://tools.ietf.org/html/draft-wood-pearg-website-fingerprinting-00 > -- > Model-t mailing list > Model-t@iab.org > https://www.iab.org/mailman/listinfo/model-t >
- [Model-t] Considerations for modern COMSEC protoc… Eric Rescorla
- Re: [Model-t] Considerations for modern COMSEC pr… Spencer Dawkins at IETF
- Re: [Model-t] Considerations for modern COMSEC pr… Stephen Farrell
- Re: [Model-t] Considerations for modern COMSEC pr… Jim Fenton
- Re: [Model-t] Considerations for modern COMSEC pr… Stephen Farrell
- Re: [Model-t] Considerations for modern COMSEC pr… Joachim Fabini
- Re: [Model-t] Considerations for modern COMSEC pr… Eric Rescorla
- Re: [Model-t] Considerations for modern COMSEC pr… Christopher Wood
- Re: [Model-t] Considerations for modern COMSEC pr… Joachim Fabini