[saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 01 September 2015 16:10 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E71631B432D for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 09:10:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S4ns0ulWZCQ9 for <saag@ietfa.amsl.com>; Tue, 1 Sep 2015 09:10:49 -0700 (PDT)
Received: from mail-wi0-x234.google.com (mail-wi0-x234.google.com [IPv6:2a00:1450:400c:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 03A4E1AC3BA for <saag@ietf.org>; Tue, 1 Sep 2015 09:10:42 -0700 (PDT)
Received: by wiclp12 with SMTP id lp12so36216376wic.1 for <saag@ietf.org>; Tue, 01 Sep 2015 09:10:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=F+vi6FrEA2P1Yf4hrgHqZElhyPGEjtHDTs+lP2FV2Zc=; b=nU8HAbEYqAY/ywI2a6Bt7uTguh9BH1Nwcg5mjKepCGR1kydA/wtRp8zLWlCVdOiVb6 7gbhdtsjRBedA43sjZnQ4zAqzLknLWRVSO5FXzTt312kvo9ym/rBoxjj4l6uSqrUdEOl rAhO4Z2MdDTzmPJ91dtR69YOAmvbx5no7oTmywRLXJbwFrwPLi8Ggiy237b3JCE5A5Ny flVN7Fq01lbC4srI9KimgkB9GE/Az1xG6t7jQecIOYSe6gAJ6LEVpXKiQtdB3sVzFeUb 8apSH/+ljJdfm9aUFO0Nn4UP87QhUMaYu7i8j7meV2vC4WIUns3HGtnCZIH9ZztD+QXu /8Jw==
MIME-Version: 1.0
X-Received: by 10.194.205.37 with SMTP id ld5mr37677325wjc.14.1441123840564; Tue, 01 Sep 2015 09:10:40 -0700 (PDT)
Received: by 10.28.157.84 with HTTP; Tue, 1 Sep 2015 09:10:40 -0700 (PDT)
Date: Tue, 01 Sep 2015 12:10:40 -0400
Message-ID: <CAHbuEH6w+O-TSA9SRP-9TrM+Hdh+vn7Me+tdJrFTNY_-Nbenug@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: "saag@ietf.org" <saag@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/juZbx10bDiW8xDPIk1JUQ0cW_QM>
Subject: [saag] Section 2.9: was Re: AD review of draft-iab-crypto-alg-agility-06
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Sep 2015 16:10:51 -0000
In going through the mail on this and the Perpass list, then also re-reading RFC7435, I think I see more of where the discrepancies are, but do need to make sure there is agreement. I don't think there is consensus for what is stated in section 2.9 of this draft after reading through the threads, but will propose something after explaining why. While the detailed discussions were helpful, let's keep this to a high-level as the text in draft-iab-crypto-alg-agility is high-level and that will help us get to something workable (assuming there is agreement that a change would better reflect consensus). Current text: 2.9. Opportunistic Security Despite the guidance in Section 2.4, opportunistic security [RFC7435] SHOULD also be considered, especially at the time a protocol implementation is deployed and configured. Using algorithms that are weak against advanced attackers but sufficient against others is a way to make pervasive surveillance significantly more difficult. As a result, algorithms that would not be acceptable in many negotiated situations are acceptable for opportunistic security. Similarly, weaker algorithms and shorter key sizes are also acceptable for opportunistic security. That said, the use of strong algorithms is always preferable. If you go back to the OS RFC, RFC7435, the discussions of OS with general definitions are kept to clear text, unauthenticated session encryption, and authenticated encryption. The use of weaker or deprecated crypto is discussed, but that starts in section 3, Opportunistic Security Design Principles. Section 3 has carefully worded constraints on this use, so when I read it originally, I didn't think of this as part of the definition for OS, but rather that it would be okay with legacy systems. Here is the text: RFC7435, Section 3: With unauthenticated, encrypted communication, OS protocols may employ more liberal settings than would be best practice when security is mandated by policy. Some legacy systems support encryption, but implement only outdated algorithms or protocol versions. Compatibility with these systems avoids the need to resort to cleartext fallback. For greater assurance of channel security, an OS protocol may enforce more stringent cryptographic parameters when the session is authenticated. For example, the set of enabled Transport Layer Security (TLS) [RFC5246] cipher suites might exclude deprecated algorithms that would be tolerated with unauthenticated, encrypted communication. OS protocols should produce authenticated, encrypted communication when authentication of the peer is "expected". Here, "expected" means a determination via a downgrade-resistant method that authentication of that peer is expected to work. Downgrade-resistant methods include: validated DANE DNS records, existing TOFU identity information, and manual configuration. Such use of authentication is "opportunistic", in that it is performed when possible, on a per- session basis. When communicating with a peer that supports encryption but not authentication, any authentication checks enabled by default must be disabled or configured to soft-fail in order to avoid unnecessary communications failure or needless downgrade to cleartext. The support of cleartext and the use of outdated algorithms, and especially broken algorithms, is for backwards compatibility with systems already deployed. Protocol designs based on Opportunistic Security prefer to encrypt and prefer to use the best available encryption algorithms available. OS protocols employ cleartext or broken encryption algorithms only with peers that do not appear to be capable of doing otherwise. The eventual desire is to transition away from cleartext and broken algorithms, and particularly for broken algorithms, it is highly desirable to remove such functionality from implementations. Considering that the use of less than ideal crypto is somewhat restricted to the unauthenticated session encryption and is acceptable only with legacy systems (and the messages on this thread about reaching consensus), I propose the following text changes to 2.9 of the crypto agility draft: 2.9. Opportunistic Security Despite the guidance in Section 2.4, opportunistic security [RFC7435] SHOULD also be considered, especially at the time a protocol implementation is deployed and configured. Using algorithms that are weak against advanced attackers but sufficient against others is a way to make pervasive surveillance significantly more difficult. As a result, algorithms that would not be acceptable in many negotiated situations are acceptable for opportunistic security when legacy systems are in use for unauthenticated encrypted sessions [RFC7435] Section 3. Similarly, weaker algorithms and shorter key sizes are also acceptable for opportunistic security with the same constraints. That said, the use of strong algorithms is always preferable. I think it is important to include the design constraints in this paragraph, but am okay with wording changes that make the constraints clear so that we don't wind up generalizing the OS design principles and have them mean more than what was intended. I'd like to see this constrained to legacy systems as it's not always possible to have them upgraded. I also don't want to see OS become a way to bless the use of deprecated crypto, but would rather see it as in use for legacy systems understanding that it has been deprecated. Without that, I am afraid it will become increasingly more difficult to phase out deprecated crypto. I'd like to see that we are at least consistent in drafts/RFCs going forward so we don't inadvertently demonstrate consensus for more than what was agreed (IMO). Does the proposed text sound good (or something with the same intent)? Thanks very much for the useful discussions on this topic! -- Best regards, Kathleen
- [saag] Section 2.9: was Re: AD review of draft-ia… Kathleen Moriarty
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Eliot Lear
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Steve Crocker
- Re: [saag] Section 2.9: was Re: AD review of draf… Salz, Rich
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Kathleen Moriarty
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Sam Hartman
- Re: [saag] Section 2.9: was Re: AD review of draf… Kathleen Moriarty
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Barry Leiba
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Kathleen Moriarty
- Re: [saag] Section 2.9: was Re: AD review of draf… Stephen Farrell
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Russ Housley
- Re: [saag] Section 2.9: was Re: AD review of draf… Viktor Dukhovni
- Re: [saag] Section 2.9: was Re: AD review of draf… Sam Hartman
- Re: [saag] Section 2.9: was Re: AD review of draf… Kathleen Moriarty