Re: [Model-t] Considerations for modern COMSEC protocol design
Eric Rescorla <ekr@rtfm.com> Tue, 18 February 2020 14:28 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: model-t@ietfa.amsl.com
Delivered-To: model-t@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34300120152 for <model-t@ietfa.amsl.com>; Tue, 18 Feb 2020 06:28:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7Z3WIHER1CTj for <model-t@ietfa.amsl.com>; Tue, 18 Feb 2020 06:28:14 -0800 (PST)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F176A1201DE for <model-t@iab.org>; Tue, 18 Feb 2020 06:28:13 -0800 (PST)
Received: by mail-lf1-x133.google.com with SMTP id f24so14668000lfh.3 for <model-t@iab.org>; Tue, 18 Feb 2020 06:28:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cGqDHdermo87sJxMp3/CCG7sjnoniPGb7brUmYX1EZU=; b=WJNgEkwU7lI+qtAFw7XFegjO4GHpLP6RNmlZ5GbVgj/M4ksdeVxenlAYa+esMsnUfA WWbsFnAzlXmJCQgtRXreMAwXKIawUtKS+B1oQxrntuBEiBCpTf5YGxWysH8y6bUNV7Zo UffxrAndXeX7U/1edC7748xT5WFBmAsCSzUIDaPnPA8qKP//tBBW8KL8xvMlPDUMN23i 2gX/wDli7ncpd1PiskIwCo+9gKGk20Pza40EoUydNkxy4Okeke1rfRtF5UNnsC7X1guv op7Gx5FV/SONN6s4OpcvztVrOYVXhRFNZVSOEG/MR/bNsnembjxWveJ8qBrtg9F7+YXO QuYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cGqDHdermo87sJxMp3/CCG7sjnoniPGb7brUmYX1EZU=; b=qsGC+N7IEaCltGe3w4K1JQudjKz6HDOTIxf0oa78MOoiqVBF0RKXkHG4gxqZLrpuXb 8CNKdzLfC4pZns+PoSpVPO6vWYkaPOp5fGM1pKbtpRAumwdadJNh3IetbSDr16lqUOT8 bdlyGc516AQyVJMranTAKw5oHztDkjccumJn2LqEj1U+SfrwHUAXwtk1tPMF1yuQHKkB ClDk+A1+4zg1PanH5763nfxs9BpImQyxmd6s4ILtCf34L4mGFvK1a881GQUFVIq7B1OM w6orkxgIUEEzfJdS3y6MBkDNywvyOCCbOtTDwffxCXP36C6gWRyL5wmxioe29WH6TBiv TJKw==
X-Gm-Message-State: APjAAAXUO3D/DZVI1RkEUU9ten4076Noiyl2QDCC/nuO+FEQ1E1NnL2I eT6O6Wa8NhYZgl0Tn/8NOLewRdxk4RSy3cOH3bbxMqlU
X-Google-Smtp-Source: APXvYqyiJ9iT4uJy/u0AiqUPhhyiYMh7oGrTUJ9Wh1/WH+MfWuP4gsePhFsJFi8x8/uShSANg/pPwQ2msH8NTMdKq3c=
X-Received: by 2002:ac2:53b9:: with SMTP id j25mr10436138lfh.140.1582036092239; Tue, 18 Feb 2020 06:28:12 -0800 (PST)
MIME-Version: 1.0
References: <CABcZeBPgvsQGzyWEXK_U2x_wYthuxELCs7r+J+NLyA=knpp8pw@mail.gmail.com> <a9bca34b-c458-f3b9-cf54-6418ef525fa9@tuwien.ac.at>
In-Reply-To: <a9bca34b-c458-f3b9-cf54-6418ef525fa9@tuwien.ac.at>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 18 Feb 2020 06:27:35 -0800
Message-ID: <CABcZeBPzF4=_m5La1JikGWR=4_Q5j68n1kx3Xzozaa+-QhuMHg@mail.gmail.com>
To: Joachim Fabini <Joachim.Fabini@tuwien.ac.at>
Cc: model-t@iab.org
Content-Type: multipart/alternative; boundary="0000000000004cd0d5059eda7b8e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/model-t/wu3RYe9ovF1elZ7F_McDOPvU8AA>
Subject: Re: [Model-t] Considerations for modern COMSEC protocol design
X-BeenThere: model-t@iab.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussions of changes in Internet deployment patterns and their impact on the Internet threat model <model-t.iab.org>
List-Unsubscribe: <https://www.iab.org/mailman/options/model-t>, <mailto:model-t-request@iab.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/model-t/>
List-Post: <mailto:model-t@iab.org>
List-Help: <mailto:model-t-request@iab.org?subject=help>
List-Subscribe: <https://www.iab.org/mailman/listinfo/model-t>, <mailto:model-t-request@iab.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Feb 2020 14:28:19 -0000
On Tue, Feb 18, 2020 at 3:39 AM Joachim Fabini <Joachim.Fabini@tuwien.ac.at> wrote: > thanks EKR for the concise summary. Some minor > additions/comments/thoughts on the traffic analysis paragraph and on e2e > aspects below. > > On 2/17/20 6:06 PM, Eric Rescorla wrote: > > As promised... > > > > -Ekr and Chris > > > > [...] > > > > TRAFFIC ANALYSIS > > RFC 3552; Section 3.2.1 describes how the absence of TLS or other > > transport-layer encryption may lead to obvious confidentiality > > violations against passive attackers. However, recent trends in > > traffic analysis indicate encryption alone may be insufficient > > protection for some types of application data [1]. Encrypted traffic > > metadata, especially message size, > > In addition, message timing, -sequence, -patterns are the features most > useful and commonly available whenever attacking encrypted (and > potentially aggregated) protocol traffic. Worth mentioning... > Yes, I agree with this. > > can leak information about the > > underlying plaintext. DNS queries and responses are particularly > > at risk given their size distributions. Recent protocols account > > for this leakage by supporting padding, either generically in the > > transport protocol (QUIC and TLS), or specifically in the application > > protocol (EDNS(0) padding option for DNS messages). > > Time synchronization protocols can be mentioned here as a use case, too. > Currently none of the existing TS protocols is adequately protected > against timing attacks (assumptions concerning link diversity typically > fail whenever the attacker is well-positioned, e.g., on the majority of > the system's few access links). And timing becomes crucial for many > systems. > > Moreover, the accuracy of (today's) network-based timesync depends on > deterministic message patterns, sizes and timing. Consequently (a) any > attempt to secure/obscure these messages impairs on timesync accuracy > and (b) timesync messages can be spotted easily within encrypted traffic > (even including IPsec-tunneled timesync, despite TFC and obscuring > traffic - references on request). > > At least a note could be added that subliminal channels do exist and > should be considered when designing (security) protocols. I'll try to go > into more detail with the malware draft. > Hmm.... What do you think protocol designers would do with this information? Every modern comsec protocol I am familiar with has zillions of bits that can be freely chosen, and though there's been a bunch of work on deransomization I don't think we're ready to change that. > Finally, somebody mentioned during Friday's telco that "we don't know > who provides security". Imo this is where the threat landscape changed > most since 2003. RFC3552 does not even include the definition of an > endpoint (imo because by the time of writing it was too obvious what's > meant). Security frameworks, containers, virtual guests, clouds, etc., > changed the rules of the game. They help but their transparency can be > painful in a security context. > > So it boils down to a (again, imo) central question that the CLESS > endpoint taxonomy draft tackles to a certain extent: "what does > end-to-end mean"? > > Is it meaningful/mandatory that future protocol/framework security > specifications are forced to make explicit what their perception or > concept of end-to-end is? Rewording this slightly: Users and > applications should have a right to identify/query which underlying > layers provide (e2e) security, i.e., where e2e security really ends. > And, in addition, which layers/frameworks/etc. (either local or remote) > sit in between and could break end-to-end security without being noticed. This seems like a kind of normative statement that 3552 generally strove to avoid, and I think should remain out of scope here. I think it would be a good idea to explain that the endpoint you are talking to now is probably really distributed, but I don't think we should be taking a position on the users rights vis-a-vis that. -Ekr
- [Model-t] Considerations for modern COMSEC protoc… Eric Rescorla
- Re: [Model-t] Considerations for modern COMSEC pr… Spencer Dawkins at IETF
- Re: [Model-t] Considerations for modern COMSEC pr… Stephen Farrell
- Re: [Model-t] Considerations for modern COMSEC pr… Jim Fenton
- Re: [Model-t] Considerations for modern COMSEC pr… Stephen Farrell
- Re: [Model-t] Considerations for modern COMSEC pr… Joachim Fabini
- Re: [Model-t] Considerations for modern COMSEC pr… Eric Rescorla
- Re: [Model-t] Considerations for modern COMSEC pr… Christopher Wood
- Re: [Model-t] Considerations for modern COMSEC pr… Joachim Fabini