Re: [saag] AD review of draft-iab-crypto-alg-agility-06

Viktor Dukhovni <> Tue, 28 July 2015 05:30 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 8DEE81A1B6F for <>; Mon, 27 Jul 2015 22:30:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dnvZIOs5X_S7 for <>; Mon, 27 Jul 2015 22:30:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ED1FF1A1B6E for <>; Mon, 27 Jul 2015 22:30:36 -0700 (PDT)
Received: by (Postfix, from userid 1034) id C8609284D5A; Tue, 28 Jul 2015 05:30:35 +0000 (UTC)
Date: Tue, 28 Jul 2015 05:30:35 +0000
From: Viktor Dukhovni <>
Message-ID: <>
References: <> <> <20150727194020.GD15860@localhost> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <>
Subject: Re: [saag] AD review of draft-iab-crypto-alg-agility-06
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 28 Jul 2015 05:30:38 -0000

On Tue, Jul 28, 2015 at 04:54:58AM +0000, Christian Huitema wrote:

> OS is by definition prone to MITM attacks, including downgrade attacks.

[ Yes, when not authenticated.  There's also downgrade-resistant OS, via
  e.g. DANE, but not widely deployed at present. ]

> Just negotiating any which algorithm key that comes out of the channel is
> too dangerous for my taste. If we do OS we should also enable a form of
> MITM detection, maybe channel binding. It will not be used in all OS
> connections, but using it in some connections in an unpredictable should
> be enough to detect and deter mass deployment of MITM.

I agree this is desirable, but it is rather difficult to make MiTM
detection practical in many cases, e.g. email.  Sure one could log
channel-unique tags on both sides, but who's going to ever compare

One might propagate the tags along the forward-path in new trace
headers, but those would need to be signed by the previous-hop MTA,
at which point, we're no longer talking about unauthenticated
opportunistic TLS.

The trick is finding a way to make it possible and worthwhile for
a sufficient fraction of participants to add the requsiite checks.
This can work for interactive protocols (humans on phone verbally
verify matching channel-ids), but is rather difficult for

For SMTP transport at least, DANE looks like a more promising
counter-measure to active attacks.