IETF Logo Mail Archive

Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 01 September 2015 16:56 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69F921B451E for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 09:56:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id enYvPnN2ESpZ for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 09:56:09 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB43F1B5529 for <saag@ietf.org>; Tue, 1 Sep 2015 09:55:27 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id B3227284B6C; Tue, 1 Sep 2015 16:55:26 +0000 (UTC)
Date: Tue, 01 Sep 2015 16:55:26 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: saag@ietf.org
Message-ID: <20150901165526.GU9021@mournblade.imrryr.org>
References: <CAHbuEH6w+O-TSA9SRP-9TrM+Hdh+vn7Me+tdJrFTNY_-Nbenug@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CAHbuEH6w+O-TSA9SRP-9TrM+Hdh+vn7Me+tdJrFTNY_-Nbenug@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/VFrOQmF0Y8CvsGEzDzJgkoXZAEU>
Subject: Re: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: saag@ietf.org
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 16:56:11 -0000

On Tue, Sep 01, 2015 at 12:10:40PM -0400, Kathleen Moriarty wrote:

> Considering that the use of less than ideal crypto is somewhat
> restricted to the unauthenticated session encryption and is acceptable
> only with legacy systems (and the messages on this thread about
> reaching consensus), I propose the following text changes to 2.9 of
> the crypto agility draft:
> 
> 2.9.  Opportunistic Security
> 
>    Despite the guidance in Section 2.4, opportunistic security [RFC7435]
>    SHOULD also be considered, especially at the time a protocol
>    implementation is deployed and configured.  Using algorithms that are
>    weak against advanced attackers but sufficient against others is a way
>    to make pervasive surveillance significantly more difficult.  As a
>    result, algorithms that would not be acceptable in many negotiated
>    situations are acceptable for opportunistic security when legacy systems
>    are in use for unauthenticated encrypted sessions [RFC7435] Section 3.
>    Similarly, weaker algorithms and shorter key sizes are also acceptable
>    for opportunistic security with the same constraints.  That said, the
>    use of strong algorithms is always preferable.
>
> Does the proposed text sound good (or something with the same intent)?

A step in the right direction, but I think we can do better.  The
document under discussion is a crypto agility document.  Agility
plays two roles in cryptographic protocols:

    * Makes it possible to introduce new stronger algorithms.
    * Makes it possible to phase out old deprecated algorithms.

>From an OS perspective, when no particular security level is
demanded, and we're merely trying to get the best possible protection
against passive attacks, the main benefit of agility is the first
one: over time, we end up using stronger crypto.

Rapid deprecation of weaker crypto is net loss for OS when the
result is loss of interoperability and/or fallback to cleartext.

So I think that the focus in the original and proposed text is not
optimal, we ought to first point out that OS benefits from agility
when better crypto is deployed side by side with legacy crypto
(deprecated or not) and is supported by the peers in a given
"conversation".

With that noted, we should observe (with reference to [7435]) that
with OS one should not rush into removal of legacy weak crypto that
is still required for inteoperability with enough systems, and
*does not* facilitate downgrade attacks.  Rather one introduces
better alternatives, encourages users to upgrade their systems,
and waits for the old to become largely unnecessary before removing
support.

That said, when new OS protocols or applications are developed,
that have no legacy interoperability requirements, they SHOULD NOT
grandfather support for algorithms that are already deprecated.

[ I know I did not put this together into a specific suggestion
  for a replacement, I hope this is useful nevertheless. ]

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email