IETF Logo Mail Archive

Re: [Tcpcrypt] Initial questions

ianG <iang@iang.org> Fri, 20 June 2014 06:14 UTC

Return-Path: <iang@iang.org>
X-Original-To: tcpcrypt@ietfa.amsl.com
Delivered-To: tcpcrypt@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 121EA1A0641 for <tcpcrypt@ietfa.amsl.com>; Thu, 19 Jun 2014 23:14:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UgvvWsCyLGef for <tcpcrypt@ietfa.amsl.com>; Thu, 19 Jun 2014 23:14:01 -0700 (PDT)
Received: from virulha.pair.com (virulha.pair.com [209.68.5.166]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BD271A0649 for <tcpcrypt@ietf.org>; Thu, 19 Jun 2014 23:13:57 -0700 (PDT)
Received: from tormenta.local (iang.org [209.197.106.187]) by virulha.pair.com (Postfix) with ESMTPSA id 941C36D643; Fri, 20 Jun 2014 02:13:55 -0400 (EDT)
Message-ID: <53A3D122.8030501@iang.org>
Date: Fri, 20 Jun 2014 07:13:54 +0100
From: ianG <iang@iang.org>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: tcpcrypt@ietf.org
References: <CACXcFmmQCgTu6-QLJZdH8Q+ZST97ugoTaUWCUV0S6AWsjvCGfg@mail.gmail.com> <53A2066A.4090802@isi.edu> <53A2BF69.3040001@iang.org> <53A3242E.7020106@isi.edu> <53A32AAA.1060400@iang.org> <53A32D5A.10007@isi.edu>
In-Reply-To: <53A32D5A.10007@isi.edu>
X-Enigmail-Version: 1.6
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Archived-At: http://mailarchive.ietf.org/arch/msg/tcpcrypt/Qa-d-UmLDdeBPFhC0CIH6bbI6x0
Subject: Re: [Tcpcrypt] Initial questions
X-BeenThere: tcpcrypt@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discussion list for adding encryption to TCP." <tcpcrypt.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tcpcrypt/>
List-Post: <mailto:tcpcrypt@ietf.org>
List-Help: <mailto:tcpcrypt-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpcrypt>, <mailto:tcpcrypt-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jun 2014 06:14:04 -0000

On 19/06/2014 19:35 pm, Joe Touch wrote:
> 
> 
> On 6/19/2014 11:23 AM, ianG wrote:
>> On 19/06/2014 18:55 pm, Joe Touch wrote:
> ...
>> When did TCP have this 'urgent decision' ?  If it happened several years
>> after 1996, then what you have is a forewarning that was ignored.  If it
>> was after 2004, well, no amount of warning will do, and algorithmic
>> agility is a crutch that should be stripped away in order to focus
>> attention.
> 
> 2004 was the first practical attack on MD5; the first draft of TCP-AO
> was 2007. It took another three years for the IETF sausage mill to
> generate a final result.
> 
> Given that TCP-AO was used mostly for router security, and nobody had
> reported a successful MD5-based attack in the wild, that's not bad IMO.


Right.  So it worked.  The reason it worked fine -- no attacks reported
until 2008 [0] -- was likely due to the lack of collision vulnerability
in a protocol.  There was no urgent decision, just useful caution.


> The primary problem with TCP MD5 was that it wasn't algorithm-agile.


That's to repeat your conclusion.  I'm asserting a different conclusion:
 the problem with the MD5 upgrade was a management one, not a real one.
 The maintenance of the protocol should have started the replacement
sometime before 2004.


> ...
>>> That's why TCP-AO included two 'must implement' algorithms from the
>>> start, and why it's important to do so here as well.
>>
>> I'd like to see some historical evidence of when this actually made a
>> difference?  Yes, we understand the idea.  But we now have 20 years of
>> experience in Internet protocols.  We have data.  What does the data say
>> about algorithmic agility, in the field?
> 
> You're arguing two points at the same time.
> 
> 1) use one algorithm
> 
>     I've already pointed out how that's dangerous; it prevents
>     pre-deploying a backup when a given algorithm is deprecated.


You've pointed out it is dangerous.  Can you provide historical evidence
for this claim?  We've debunked MD5 in TCP-AO.

If it never happened, can it be still called dangerous?

If there is one thing that actually we are quite good at, it is
selecting a single strong suite.  How about we concentrate on what
actually does go wrong, demonstrably, in protocols?

Complexity leads to failure in takeup, anyone?


> 2) don't have algorithm agility
> 
>     This is counter to your earlier post. If you consider
>     that any one algorithm won't last forever, then ultimately
>     we'll want a solution that can support different algorithms.


OK, we're agreed that life moves on.  As do security products.  Versions
upgrade.  Let's look at say SSL.  It has run from v1 - v2 - v3 - TLS 1.0
- 1.1 - 1.2 - 1.4.

At each of those changes, there are incompatibilities within.  In each
case, the client/server conversation has to negotiate which version the
other side is capable of talking, and (generally) prefer the latest.

In each version, there is a chance to move forward.  This chance to move
forward may be taken for:  protocol weaknesses, advances in the science,
features, speed increases, ... *and the cipher suite*.

Now look at the history of important fixes to SSL.  SSL v3 patch,
TLS/SNI, renegotiation bug, heartbleed, gotofail, debian random, etc.

In practice, we're replacing the in-place version because of other bugs,
and improvements, over time, faster than we're seeing any problem with
any of the well chosen algorithms.

So we may as well just do that:  have TLS v+1 ready to go.

Also note that automated upgrade is the way that everyone does stuff
these days, and it can easily move faster than our ability to roll out a
config change.

Anyone got any numbers on how long it takes Apple to upgrade 80% of
clients?  Can they beat the OODA loop of 3.5 years for SSL [1]?


> I don't like either of the above, but they're separate points.


Here's another one:  why do you care?

This is opportunistic encryption, anyway.  We get what we can for free.
 Why bother about the freak occurrence of an algorithm break when it can
be hit by MITM anyway?  When we're losing most of the marketplace to
slowness in install?

How are you going to tell people to switch, given that our problem space
is automatic operation, without people knowing?

Is there anyone here who feels that (say) ChaCha20/Poly1305 is at risk
of a sudden break?  Who doesn't feel safe in an opportunistic protocol
against mass surveillance unless there is a backup inside it?



iang


[0] http://wiki.cacert.org/Risk/History#MD5-Root
[1] http://financialcryptography.com/mt/archives/001210.html

v2.23.0 | Report a Bug | By Email