Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 28 July 2015 05:30 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DEE81A1B6F for <saag@ietfa.amsl.com>; Mon, 27 Jul 2015 22:30:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dnvZIOs5X_S7 for <saag@ietfa.amsl.com>; Mon, 27 Jul 2015 22:30:37 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED1FF1A1B6E for <saag@ietf.org>; Mon, 27 Jul 2015 22:30:36 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id C8609284D5A; Tue, 28 Jul 2015 05:30:35 +0000 (UTC)
Date: Tue, 28 Jul 2015 05:30:35 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20150728053035.GR4347@mournblade.imrryr.org>
References: <55A938F1.9090404@cs.tcd.ie> <CD936D80-BEA2-4918-828C-E3A392761EC5@gmail.com> <20150727194020.GD15860@localhost> <55B6D36C.70105@iang.org> <20150728013020.GO4347@mournblade.imrryr.org> <DM2PR0301MB0655CF099FA7C56E9B9D24A9A88D0@DM2PR0301MB0655.namprd03.prod.outlook.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <DM2PR0301MB0655CF099FA7C56E9B9D24A9A88D0@DM2PR0301MB0655.namprd03.prod.outlook.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/QJfrNuVNwv96SXcJM19cpvZ2XBI>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: saag@ietf.org
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jul 2015 05:30:38 -0000

On Tue, Jul 28, 2015 at 04:54:58AM +0000, Christian Huitema wrote:

> OS is by definition prone to MITM attacks, including downgrade attacks.

[ Yes, when not authenticated.  There's also downgrade-resistant OS, via
  e.g. DANE, but not widely deployed at present. ]

> Just negotiating any which algorithm key that comes out of the channel is
> too dangerous for my taste. If we do OS we should also enable a form of
> MITM detection, maybe channel binding. It will not be used in all OS
> connections, but using it in some connections in an unpredictable should
> be enough to detect and deter mass deployment of MITM.

I agree this is desirable, but it is rather difficult to make MiTM
detection practical in many cases, e.g. email.  Sure one could log
channel-unique tags on both sides, but who's going to ever compare
them?

One might propagate the tags along the forward-path in new trace
headers, but those would need to be signed by the previous-hop MTA,
at which point, we're no longer talking about unauthenticated
opportunistic TLS.

The trick is finding a way to make it possible and worthwhile for
a sufficient fraction of participants to add the requsiite checks.
This can work for interactive protocols (humans on phone verbally
verify matching channel-ids), but is rather difficult for
store-and-forward.

For SMTP transport at least, DANE looks like a more promising
counter-measure to active attacks.

-- 
	VIktor.