Re: [TLS] RFC4492bis - Removing ECDH
Michael Clark <michael@metaparadigm.com> Sun, 11 January 2015 02:17 UTC
Return-Path: <michael@metaparadigm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C8BC91A0A85 for <tls@ietfa.amsl.com>; Sat, 10 Jan 2015 18:17:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.378
X-Spam-Level:
X-Spam-Status: No, score=-0.378 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, GB_I_LETTER=-2, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_22=0.6, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qsM8JWZvw2Yt for <tls@ietfa.amsl.com>; Sat, 10 Jan 2015 18:17:22 -0800 (PST)
Received: from klaatu.metaparadigm.com (klaatu.metaparadigm.com [67.207.128.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 00AF31A0373 for <tls@ietf.org>; Sat, 10 Jan 2015 18:17:21 -0800 (PST)
Received: from monty.local (unknown.maxonline.com.sg [58.182.90.50] (may be forged)) (authenticated bits=0) by klaatu.metaparadigm.com (8.14.4/8.14.4/Debian-4) with ESMTP id t0B2cphX011751 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <tls@ietf.org>; Sun, 11 Jan 2015 02:38:55 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=metaparadigm.com; s=klaatu; t=1420943937; bh=EOSUQ9z5anmad0m1oLO1cLo2X2P8C/rPQ/IA5/gotCg=; h=Date:From:To:Subject:References:In-Reply-To:From; b=RHQecGkuXmJICIEpjeQUDRluayG1rdKMaSOM/Tlt0ejp5b645ixq6T5A86dQ7n73D cux5LNHy25RcYWgHdVvq7Sg2iqE83qX+XziUbkFxeUSIGfMLey3oyRcGQHwgJ/cSgP 9tXJOeiP9Yiib90wryLKWywRVWOTNJ7RihZmkY/w=
Message-ID: <54B1DD25.8090305@metaparadigm.com>
Date: Sun, 11 Jan 2015 10:17:09 +0800
From: Michael Clark <michael@metaparadigm.com>
Organization: Metaparadigm Pte Ltd
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
References: <274716D0-EC91-4131-A8F7-CD13A9B42CE7@gmail.com> <CA5F50E8-9FEE-481D-85B5-9DEAB333F4A8@gmail.com> <54ADE9B6.4080700@metaparadigm.com> <702F318A-FE04-45F7-8CA1-30256D628CF7@gmail.com>
In-Reply-To: <702F318A-FE04-45F7-8CA1-30256D628CF7@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: clamav-milter 0.98.4 at klaatu.metaparadigm.com
X-Virus-Status: Clean
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/-xTELEkfG6bfdNzDIStgedz25XY>
Subject: Re: [TLS] RFC4492bis - Removing ECDH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 11 Jan 2015 02:17:26 -0000
tl;dr > #4 is a TLS proxy. And it does get noticed, because you don’t trust Gogo’s CA, so it’s not so great as an attack. I do wonder why they would apply it to Youtube of all services. Filter out video clips with crashing planes? I've come to the conclusion that the GoGo full proxy case is impossible to do anything about but is highly visible to the user. It's like being on an Island in the Sky without much Internet, a big cache and a high latency satellite link. It reminds me of New Zealand Internet in the mid 90s when I worked at an ISP with sat and copper submarine cables. The router guys did policy routes to send latency sensitive stuff over cable (SYN,SYNACK,ACK) and bulk transfer to latency insensitive stuff over satellite (NNTP). Similar mechanism to the grey box (see below). | | O -< full proxy | | If GoGo were smarter, they would put a trusty looking logo on their WiFi captive portal signin pop-up e.g. a gold crown with a red seal and ribbon; like those on a Reader's Digest prize letter; asking users to install and trust their certificate for "Enhanced in-flight security". Put an advertisement for Fidelity A-ssurance and a picture of Benjamin next to it, and then you can just generate certificates "on the fly" after snarfing out all of the ASN.1 fields from the remote end. They could even do EV and point to their own OCSP. Any address they like (NAT and anycast). Conclusion: Bank in Hawaii, but fly there to make withdrawals. However I believe that GoGo is kind of a cover story to show off crude tampering to mask much more subtle tampering. In fact there is no way around someone who is friends with a CA as they can implement a full proxy, especially if they have insertion points at all major POPs, deep packet inspection and selective policy routes to send you off to their grey boxes. Public-Key-Pins will only work if you initiate your first connection on a network you know is trusted. i.e. at the office. When you know the Tier 1 (backbone) in your own country is part of the five eyes then all bets are off. Vodafone fessed up and made a public statement about the 5 countries and they *don't approve* http://www.bbc.com/news/business-27732743 If *they* can compel Vodafone then they can compel a CA or 'Chorus' our own Fibre backbone provider to do whatever they want. Who knows what they are doing? Everyone. The law is "search warrant" and "probable cause". Wholesale wiretapping is illegal in almost all democracies. OK, it's a "representative" democracy. I'm a-political. Who cares what crowd gets in. Mil is going to be there either way. Military or Militant. What's the diff? One drives a fiat apparently. | | ¦ ¦<- pass-through tampering. | | There is a more subtle pass through case where handshake messages can be tampered with (without access to a CA, just an Internet coffee bucks WiFi tap). Allows attacks such as editing cipher lists and any other associated handshake metadata (curve format extensions, switching on compression) that are not properly authenticated. Until I am certain they are completely mitigated I remain skeptical. I am still thinking about pass-through tamper mitigation using random constant as AD and MAC for all pre-kex handshake messages and having the server returning the client MAC it saw from the client signed with its RSA or ECDSA key (and notify that all were equal including its original ServerHello MAC signed in the Finished message (given ChangeCipherSpec is proposed to be removed). Both can do this when they have a shared chain of trust and the client offers a certificate. Until I've finished my proxy, its just reasoning from auditing the spec. I am curruently unsure how MITM handshake tampering in the rouge WiFi or ISP active tapping case is mitigated. I've read SCSV but it confuses me a little. If it's in the clear and unauthenticate it can be tampered with. Any slightly milicious WiFi provider can do NAT and transparent proxy, introduce delays, drop handshake messages and rewrite cipher lists and extensions for anything not authenticated. Just wiresharking again... I can't see why I can't try to emulate WindowsXP ClientHello in a pass through proxy, by dropping, delaying or rewriting messages I don't like (including fallback). Windows XP IE 8 offers a 1.0 CLientHello often gets given TLS_WITH_RSA_RC4_128_SHA. Firefox has a 1.2 ClientHello and it gets TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 but TLS_WITH_RSA_RC4_128_SHA is offered in its ClientHello and it can talk TLS1.0. MiFi could fool a client into thinking all servers are TLS1.0 (for servers that still support TLS1.0)? and downgrade them to TLS_WITH_RSA_RC4_128_SHA and rewrite/filter their responses. Still we can't easily crack RC4. We'd need a huge black building in the dessert with acres of GPUs or a cave under a mountain, protected by ninjas. It seems the other direction is minimizing negotiation and removing extensions. Make SNI mandatory field. No compression. No renegotiation. It's all wise stuff. Label all cryptographic primitives with 'notional labels' in the spec so everything is pre-negotiated. Sign the chosen label with random salt. Return all offered and negotiated parameters signed after the kex (small negotiation or an HMAC known to the other end). Make TLSv1.3 require all of the existing primitives such as curve point formats, and make everything based on a tiny label. enum ssf { ssf56, ssf112, ssf168, ssf224, ssf336, ssf448, mssf56, mssf112, mssf168, mssf224, mssf336, mssf448 }; enum kex { kex_dh_anon, kex_psk_rsa, key_ffdhe_rsa, kex_ecdhe_rsa, kex_psk_eddsa, kex_ecdhe_eddsa }; enum orphan { srp }; /* protocol layer auth? */ Still, even when the negotiation is small, if *all* parameters offered in the Hellos are not returned signed (or by using a AD anti-tamper MAC of the negotiation parameters), then we can still be downgraded to ssf56 if we were to offer it in the range we are willing to accept. We want to know if we offer a range from ssf112 to ssf448 that ssf448 is an option and we are not going to be downgraded to ssf112. All negotiation parameters need to be signed no matter what the chosen kex is, and in the symmetric case (psk or client and server certs), then both ends can detect tampering (except in the crude case with RSA and compromised CAs). It makes downgrading hard instead of trivial. That said, SCSV helps mitigate without an overhaul of the handshake and I can understand why it is there. This is not despite SCSV, as fundamental changes to TLS negotiation and authentication are much more intrusive changes; and even with a solid spec there are chances of implementation bugs. We are humans. P.S. I'm not on any sec list; as if I was I would have a duty to keep quiet. I'm just auditing the spec based on public discourse and am not under any non-disclosure agreements expressed or implied. Just a candid third eye. ===================================================================== TL;DR Free Idea - semi-off-topic - symmetry likely already considered ===================================================================== It seems to me pinning and so forth are just papering around lack of tamper-resistance in TLS handshakes and CA transparency and the price of random bits. It's harder to change TLS but if you make changes to servers and clients that have common issues then browsers can mitigate using a common mechanism. Pinning. We all have a common interest. Public audit records for CA make huge sense. The cert is offered by the server so the CA should let you look in an audit trail of fingerprints. But re-issue doesn't imply revocation (unless it's handled like a domain transfer). Hard problem. A TLS derivative (essentially policy) could add (or remove) symmetry and make CertificateShare (either chained or self-signed) a requirement for clients (browsers, or whatever). This would allow the servers to see if clients were being impersonated if they stored client certs (or simply fingerprints, like sessions, in a paxos/flashcached), on behalf of the user, to allow service providers to give their users protection against impersonation (most good people don't want their identity stolen), and at the TLS level (essentially making them device certificates) using pre-existing functionality. At the moment we have n-methods of impersonation protection (all on behalf of users) for n-service providers. HTTPS/SMTP(TLS) everywhere would let service providers leverage RSA or EdDSA for protection of their users against identity theft. We clearly need (tamper-resistant) TLS everywhere. In support of AGL, Google, Firefox and everyone else working on TLS and Internet security in general. I'm just adding to the fire. Soon we will need some SMTP providers to start blocking based on certificate verification. Of course an anonymous client cert with a random common name could only be used for "confidence" after seeing it behave in a particular way repeatedly. It seems Asia needs a lot of work: http://www.google.com/transparencyreport/saferemail/ Anonymity would then become at the expense of CPU cycles. i.e. Opening up an incognito window would require cycles to generate a key and self-signed certificate. Sending anonymous SPAM would require more CPU cycles and it would have no effect on solicited bulk mail performance as legitimate mailers aren't trying to get their certificate fingerprints blacklisted. We could use certs in DNSSEC for SMTP blacklists (as one example). Back to stamps for mail. This would allow a server to detect someone trying to impersonate a client using the same mechanisms the client can use. i.e. signing of the handshake MAC in both directions when both sides have a cert. Servers could have an MCU (most commonly used) cache to expire client certs (or just their fingerprints). i.e. scaling the fingerprint expiry based on frequency of usage. i.e. Bayesian confidence in the association between a user and their certificate. Paranoid clients could generate a new cert for each domain. It takes ~200ms to create a 2048bit RSA key. This would make unsolicited bulk mail expensive. Attackers that wanted to make wide attacks would be CPU bound as honest clients and servers do key generation infrequently. Anyone who wanted to be trusted would leave fingerprints. This would make anonymous SPAM (SMTP with MX DVSNI vs self-signed certs) add almost no extraordinary expense for normal usage but anyone covering their tracks would have to use lots of CPU. Browsers might someday start serving up certificates to servers. The question is whether they prompt the user? prompt for policy choice? or do so implicitly to protect the identity of their users? That's policy. Not my area. Just putting ideas out there based on public knowledge from lots of awesome people (judgement is half perspective). Michael.
- [TLS] RFC4492bis - Removing ECDH Yoav Nir
- Re: [TLS] RFC4492bis - Removing ECDH Yoav Nir
- Re: [TLS] RFC4492bis - Removing ECDH Michael Clark
- Re: [TLS] RFC4492bis - Removing ECDH Yoav Nir
- Re: [TLS] RFC4492bis - Removing ECDH Michael Clark
- Re: [TLS] RFC4492bis - Removing ECDH Nikos Mavrogiannopoulos
- Re: [TLS] RFC4492bis - Removing ECDH Michael Clark
- Re: [TLS] RFC4492bis - Removing ECDH Michael Clark
- Re: [TLS] RFC4492bis - Removing ECDH Ilari Liusvaara
- Re: [TLS] RFC4492bis - Removing ECDH Nikos Mavrogiannopoulos
- Re: [TLS] RFC4492bis - Removing ECDH Yoav Nir
- Re: [TLS] RFC4492bis - Removing ECDH Michael Clark
- Re: [TLS] RFC4492bis - Removing ECDH Michael Clark
- Re: [TLS] RFC4492bis - Removing ECDH Ilari Liusvaara
- Re: [TLS] RFC4492bis - Removing ECDH Michael Clark