Re: [Model-t] Considerations for modern COMSEC protocol design
"Christopher Wood" <caw@heapingbits.net> Tue, 18 February 2020 15:27 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A6274120152 for <model-t@ietfa.amsl.com>; Tue, 18 Feb 2020 07:27:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=AJC5bLac; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=RuqkzAdZ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xvWE8T5d24E7 for <model-t@ietfa.amsl.com>; Tue, 18 Feb 2020 07:27:27 -0800 (PST)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 364BA120130 for <model-t@iab.org>; Tue, 18 Feb 2020 07:27:27 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 7677D747 for <model-t@iab.org>; Tue, 18 Feb 2020 10:27:26 -0500 (EST)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Tue, 18 Feb 2020 10:27:26 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm3; bh=U6cmMa/DA7sbdTdxKSsX0GM8IEg/l8V +4LvhuaY0fVo=; b=AJC5bLac8eRTEVUgj6QqqcljV3dZDc2Fb6a4CD1Wlvc6QRn gV6aSJ2aLMaFpD5jDOq2LlBK0MgHXcwDABFYQMNAtFBayHHWf3kcrbNgTILhnA9l 1Wp34PMnC5HPSYdzpCIyy2jFY9I5aSF0ukw1KxzyNShHUsX9dwymQdphjMv3aXkV J5a1S8NviVAUauiI/5c1X0e74mSMOlFmjjfmNSMmecNbWmzrtMiz2EVbbp2HPgjC 5KH0Wpivf+j32QZYUq5DFCWjwaIHFsWzo3kfDRSA1ZRy0HghbF4oALdH7byv2eYf zyBfbEzMR/YsDTtsDSZnW++fsGh/c6Xod72w/bg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=U6cmMa /DA7sbdTdxKSsX0GM8IEg/l8V+4LvhuaY0fVo=; b=RuqkzAdZ60rxQZukBB5tB3 vo1QeoYan/qIL0IHSvQFbUCVVf5IS27IfZH9IfkHVFgPAPv4calWCTfwqaBpQDEb aHoddm42rUbQE6beozE64TCRliTL1PEDx+b7LgR1XrsIXAb3q9By5duBe7Qp4XzG tUIzQMlVYMlX1CviQHRY/YosVtJiZT8c4RfrlUfyHlvqf/KsLEIVNxn+podtp7cR iF+P5tLyTuJh/WAjvtqd8QOsSADan6zp8ngdb9bdeX/ZhBFSzdSgrKo4L2kfxP66 hm+fyb9gko5jdERPQBtpjhsezdcD00PySy33Z4zJtovcell8pokvhF3RMXKEDpjQ ==
X-ME-Sender: <xms:XQJMXtDhpenc0IsSKFUH7WycnkEAoPvTgK_uyiiCrEOSOffoMvS34A>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrjeekgdejjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgesthdtre dtreertdenucfhrhhomhepfdevhhhrihhsthhophhhvghrucghohhougdfuceotggrfies hhgvrghpihhnghgsihhtshdrnhgvtheqnecuffhomhgrihhnpehirggsrdhorhhgnecuve hluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomheptggrfieshhgv rghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:XQJMXj6OnxVrLFoKM8v_qWafUlm8hRzQKZu-9qDQE_4OIuGfLoytPw> <xmx:XQJMXi2KGhXI8OUnCfM1hSHQYhsjaKW2L1Cl4Bs10aY289EdnM4DnQ> <xmx:XQJMXsVMzFPzFz3BuMTv5nFUdHWHzzzUI4x6eBkmfdSAIgdU_LNq9A> <xmx:XgJMXv8vQ9rhjLqJIYeXcl6sNUyF_vdG_LdTEMIgvV9HPMb2Six5XA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id DC0953C00A1; Tue, 18 Feb 2020 10:27:25 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-802-g7a41c81-fmstable-20200203v1
Mime-Version: 1.0
Message-Id: <c6c19978-7c59-4b7d-af00-e9c7dfe61993@www.fastmail.com>
In-Reply-To: <CABcZeBPzF4=_m5La1JikGWR=4_Q5j68n1kx3Xzozaa+-QhuMHg@mail.gmail.com>
References: <CABcZeBPgvsQGzyWEXK_U2x_wYthuxELCs7r+J+NLyA=knpp8pw@mail.gmail.com> <a9bca34b-c458-f3b9-cf54-6418ef525fa9@tuwien.ac.at> <CABcZeBPzF4=_m5La1JikGWR=4_Q5j68n1kx3Xzozaa+-QhuMHg@mail.gmail.com>
Date: Tue, 18 Feb 2020 07:27:05 -0800
From: Christopher Wood <caw@heapingbits.net>
To: model-t@iab.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/nZMSCwDYjvWg--befuCS6GJcc60>
Subject: Re: [Model-t] Considerations for modern COMSEC protocol design
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2020 15:27:30 -0000
On Tue, Feb 18, 2020, at 6:27 AM, Eric Rescorla wrote: > > > On Tue, Feb 18, 2020 at 3:39 AM Joachim Fabini > <Joachim.Fabini@tuwien.ac.at> wrote: > > thanks EKR for the concise summary. Some minor > > additions/comments/thoughts on the traffic analysis paragraph and on e2e > > aspects below. > > > > On 2/17/20 6:06 PM, Eric Rescorla wrote: > > > As promised... > > > > > > -Ekr and Chris > > > > > > [...] > > > > > > TRAFFIC ANALYSIS > > > RFC 3552; Section 3.2.1 describes how the absence of TLS or other > > > transport-layer encryption may lead to obvious confidentiality > > > violations against passive attackers. However, recent trends in > > > traffic analysis indicate encryption alone may be insufficient > > > protection for some types of application data [1]. Encrypted traffic > > > metadata, especially message size, > > > > In addition, message timing, -sequence, -patterns are the features most > > useful and commonly available whenever attacking encrypted (and > > potentially aggregated) protocol traffic. Worth mentioning... > > Yes, I agree with this. +1, though let's not get carried away. (The list can grow to thousands of features.) > > > can leak information about the > > > underlying plaintext. DNS queries and responses are particularly > > > at risk given their size distributions. Recent protocols account > > > for this leakage by supporting padding, either generically in the > > > transport protocol (QUIC and TLS), or specifically in the application > > > protocol (EDNS(0) padding option for DNS messages). > > > > Time synchronization protocols can be mentioned here as a use case, too. > > Currently none of the existing TS protocols is adequately protected > > against timing attacks (assumptions concerning link diversity typically > > fail whenever the attacker is well-positioned, e.g., on the majority of > > the system's few access links). And timing becomes crucial for many systems. > > > > Moreover, the accuracy of (today's) network-based timesync depends on > > deterministic message patterns, sizes and timing. Consequently (a) any > > attempt to secure/obscure these messages impairs on timesync accuracy > > and (b) timesync messages can be spotted easily within encrypted traffic > > (even including IPsec-tunneled timesync, despite TFC and obscuring > > traffic - references on request). > > > > At least a note could be added that subliminal channels do exist and > > should be considered when designing (security) protocols. I'll try to go > > into more detail with the malware draft. > > Hmm.... What do you think protocol designers would do with this information? > Every modern comsec protocol I am familiar with has zillions of bits that can > be freely chosen, and though there's been a bunch of work on deransomization > I don't think we're ready to change that. > > > Finally, somebody mentioned during Friday's telco that "we don't know > > who provides security". Imo this is where the threat landscape changed > > most since 2003. RFC3552 does not even include the definition of an > > endpoint (imo because by the time of writing it was too obvious what's > > meant). Security frameworks, containers, virtual guests, clouds, etc., > > changed the rules of the game. They help but their transparency can be > > painful in a security context. > > > > So it boils down to a (again, imo) central question that the CLESS > > endpoint taxonomy draft tackles to a certain extent: "what does > > end-to-end mean"? > > > > Is it meaningful/mandatory that future protocol/framework security > > specifications are forced to make explicit what their perception or > > concept of end-to-end is? Rewording this slightly: Users and > > applications should have a right to identify/query which underlying > > layers provide (e2e) security, i.e., where e2e security really ends. > > And, in addition, which layers/frameworks/etc. (either local or remote) > > sit in between and could break end-to-end security without being noticed. > > This seems like a kind of normative statement that 3552 generally strove to > avoid, and I think should remain out of scope here. I think it would be a good > idea to explain that the endpoint you are talking to now is probably really > distributed, but I don't think we should be taking a position on the users > rights vis-a-vis that. > > -Ekr > > -- > Model-t mailing list > Model-t@iab.org > https://www.iab.org/mailman/listinfo/model-t >
- [Model-t] Considerations for modern COMSEC protoc… Eric Rescorla
- Re: [Model-t] Considerations for modern COMSEC pr… Spencer Dawkins at IETF
- Re: [Model-t] Considerations for modern COMSEC pr… Stephen Farrell
- Re: [Model-t] Considerations for modern COMSEC pr… Jim Fenton
- Re: [Model-t] Considerations for modern COMSEC pr… Stephen Farrell
- Re: [Model-t] Considerations for modern COMSEC pr… Joachim Fabini
- Re: [Model-t] Considerations for modern COMSEC pr… Eric Rescorla
- Re: [Model-t] Considerations for modern COMSEC pr… Christopher Wood
- Re: [Model-t] Considerations for modern COMSEC pr… Joachim Fabini