Re: [TLS] Call for Consensus on removal of renegotiation
mrex@sap.com (Martin Rex) Sat, 28 June 2014 05:09 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7DE21A029D for <tls@ietfa.amsl.com>; Fri, 27 Jun 2014 22:09:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.852
X-Spam-Level:
X-Spam-Status: No, score=-3.852 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zu2ZjOHi1eVG for <tls@ietfa.amsl.com>; Fri, 27 Jun 2014 22:09:35 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2308A1A029A for <tls@ietf.org>; Fri, 27 Jun 2014 22:09:34 -0700 (PDT)
Received: from mail05.wdf.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id s5S59OYH020301 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Sat, 28 Jun 2014 07:09:24 +0200 (MEST)
In-Reply-To: <9A043F3CF02CD34C8E74AC1594475C738DED010B@uxcn10-tdc06.UoA.auckland.ac.nz>
To: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Sat, 28 Jun 2014 07:09:24 +0200
X-Mailer: ELM [version 2.4ME+ PL125 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="US-ASCII"
Message-Id: <20140628050924.86D2F1AD6F@ld9781.wdf.sap.corp>
From: mrex@sap.com
X-SAP: out
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/0FJSaaPLoPbU4_w1bzh00YX1q14
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Call for Consensus on removal of renegotiation
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 28 Jun 2014 05:09:38 -0000
Peter Gutmann wrote: > James Cloos <cloos@jhcloos.com> writes: >> >>If tls1.3 drops rekeying established sockets, then one reasonably can predict >>that its adoption will be limited enough that any security benefits it has >>over 1.2 will be, mostly, for naught. I think that TLSv1.3 will be largely ignored for many other reasons (except maybe by a few (heart)bleeding edge implementations that spend their scarce resources to implement every TLS kitchen sink rather than for quality of the stuff that is important). > > That's pretty speculative. My speculation is instead: > > If tls1.3 drops rekeying established sockets, then one reasonably can > predict that people won't rekey established sockets any more. > > I'd say that's far more likely. For the purpose of rekeying, I still think that renegotiation is a pretty good solution. I started my adventure into crypto protocols as a consumer of GSS-API and participant of the IETF CAT working group in 1995. GSS-API itself does not have renegotiation or rekeying, and back then (MIT) Kerberos 5 was the canonical GSS-API mechanism, was using (single)DES for encryption and it was enforcing a lifetime on GSS-API security contexts, deriving it from the lifetime of the Kerberos ticket that authenticated the security context. If an application wanted (a) use Kerberos 5 and (b) be able to communicate for more than 10 hours (often less, because the TGT may have been acquired a few hours ago), then a significant amount of complexity was thrown on the application to deal with this. I implemented a communication protcol for our application that will try to "transparently" replace an expiring security context with a new one, but MIT Kerberos 5 did not exactly make this easy: MIT Kerberos enforced security context expiration not just on send (gss_wrap, gss_get_mic), but also on receipt (gss_unwrap, gss_verify_mic) so that a message that was protected with only little security context lifetime left and was delayed in transport or delayed in processing on the receiver side would fail to unprotect (i.e. message lost). Most application protocols can not deal with lost data Since the security context lifetime is derived from the ticket lifetime (and service ticket lifetime derived from TGT lifetime), a security context with a longer lifetime could only be established when a new TGT was available. With MIT Kerberos, acquisition of a new TGT for a user required _manual_user_intervention_. So one's protocol layer above gssapi may want to try establishing a new security context with sufficient margin to expiration of the existing context to prevent protected messages from "expiring" in transit or on the receivers incoming message queue. Since the user may have not provided a new TGT yet, one may have to continue using the existing security context as fallback as long as it lives. The client can locally check the lifetime of his credential and avoid to insert a useless context establishment handshake that results in a new security context with not more lifetime than the existing. But when the server is the one who starts talking after a longer period of silence on an established channel, it may notice that the existing security context is close to expiration or already expired, and then needs to ask the client to try establishing a new security context before the server can convey the data under protection. Any such handshaking for the purpose of trying to replace an expiring (but not yet expired) security context needs to be performed in a fashion that is _not_ a deadly embrace, the fallback to continue using the not-yet-expired security context should be used. Microsoft implemented their own Kerberos 5 in Windows 2000, and in Windows2000 Beta3, Microsoft briefly tried to enforce security context expiration in the MIT Kerberos style. It was a pretty fierce crashing and burning of all Microsoft apps on top of SSPI. Exactly none of their apps was able to handle it. Beta3 (the last before rc1) might have been a little late to get back to the drawing board and redesign communication protocols to cope with security context roll-over. So security context expiration was disable for Win2Krc1 and was never seen again. Since all Microsoft apps are completely ignoring the various SSPI lifetimes (credentials and security context lifetime), this part is largely untested. While the info was mostly correct in Win2K, ever new Window release has added situations when bogus values are returned from SSPI. Client and Server on different machines may be told differing security context lifetimes, and there are Citrix usage scenarios when it is *IMPOSSIBLE* to create a security context that SSPI does *NOT* report as expired (via the lifetime parameter value). Not using or not being able to support a protocol feature is one thing, but over time, the credential and context lifetime reporting at SSPI for Kerberos went from OK to flaky to buggy to close-to-unusable (today). While Microsoft Kerberos has the nice capability to automatically acquire and refresh TGTs, the mechanism is flaky. Tickets may get replaced only *after* they've expired (and handshakes might get performed with expired tickets, resulting in expired security context being returned from the security context establishment handshake. In some Citrix scenarios, the reported lifetime of security contexts differ between client side and server side by the time zone difference between server and client. When the time zone difference is >= 10 hours, it is impossible to establish non-expired security contexts... Another challenge for a security context roll-over is in the Kerberos protocol itself. Authenticators have a limited lifetime (typically 5 minutes). This may be a problem for a communication link of an application that is processing stuff in batch (request pipelining) and that may exhibit response times of 10+ minutes. New requests from the network are read from the network and placed into a local message queue (so that TCP doesn't tear down the connection), but the actual processing of the message may get delayed for 10+ minutes, at which point the acceptor may be faced with an error because the authenticator has "expired". Bottom line: if renegotiation is dropped from TLSv1.3, then long-lived connections with either not rekey, i.e. kiss forward secrecy good-bye, or long-lived connections will kiss TLSv1.3 good-bye. The latter of these two options is less work and immediately available... -Martin
- [TLS] Call for Consensus on removal of renegotiat… Joseph Salowey (jsalowey)
- Re: [TLS] Call for Consensus on removal of renego… Daniel Kahn Gillmor
- Re: [TLS] Call for Consensus on removal of renego… Joseph Salowey (jsalowey)
- Re: [TLS] Call for Consensus on removal of renego… Martin Thomson
- Re: [TLS] Call for Consensus on removal of renego… Colm MacCárthaigh
- Re: [TLS] Call for Consensus on removal of renego… Russ Housley
- Re: [TLS] Call for Consensus on removal of renego… Yoav Nir
- Re: [TLS] Call for Consensus on removal of renego… Salz, Rich
- Re: [TLS] Call for Consensus on removal of renego… Yoav Nir
- Re: [TLS] Call for Consensus on removal of renego… Salz, Rich
- Re: [TLS] Call for Consensus on removal of renego… Yoav Nir
- Re: [TLS] Call for Consensus on removal of renego… Salz, Rich
- Re: [TLS] Call for Consensus on removal of renego… Martin Thomson
- Re: [TLS] Call for Consensus on removal of renego… Colm MacCárthaigh
- Re: [TLS] Call for Consensus on removal of renego… Yoav Nir
- Re: [TLS] Call for Consensus on removal of renego… Colm MacCárthaigh
- Re: [TLS] Call for Consensus on removal of renego… Salz, Rich
- Re: [TLS] Call for Consensus on removal of renego… Martin Thomson
- Re: [TLS] Call for Consensus on removal of renego… Nikos Mavrogiannopoulos
- Re: [TLS] Call for Consensus on removal of renego… Hubert Kario
- Re: [TLS] Call for Consensus on removal of renego… Martin Rex
- Re: [TLS] Call for Consensus on removal of renego… Martin Rex
- Re: [TLS] Call for Consensus on removal of renego… Watson Ladd
- Re: [TLS] Call for Consensus on removal of renego… Watson Ladd
- Re: [TLS] Call for Consensus on removal of renego… Yoav Nir
- Re: [TLS] Call for Consensus on removal of renego… Yoav Nir
- Re: [TLS] Call for Consensus on removal of renego… Nikos Mavrogiannopoulos
- Re: [TLS] Call for Consensus on removal of renego… Eric Rescorla
- Re: [TLS] Call for Consensus on removal of renego… Brian Hamon
- Re: [TLS] Call for Consensus on removal of renego… Martin Thomson
- Re: [TLS] Call for Consensus on removal of renego… Brian Hamon
- Re: [TLS] Call for Consensus on removal of renego… Tapio Sokura
- Re: [TLS] Call for Consensus on removal of renego… Watson Ladd
- Re: [TLS] Call for Consensus on removal of renego… Peter Gutmann
- Re: [TLS] Call for Consensus on removal of renego… Yoav Nir
- Re: [TLS] Call for Consensus on removal of renego… James Cloos
- Re: [TLS] Call for Consensus on removal of renego… Brian Hamon
- Re: [TLS] Call for Consensus on removal of renego… Martin Thomson
- Re: [TLS] Call for Consensus on removal of renego… Eric Rescorla
- Re: [TLS] Call for Consensus on removal of renego… Martin Thomson
- Re: [TLS] Call for Consensus on removal of renego… Brian Smith
- Re: [TLS] Call for Consensus on removal of renego… Brian Hamon
- Re: [TLS] Call for Consensus on removal of renego… Martin Thomson
- Re: [TLS] Call for Consensus on removal of renego… Andy Lutomirski
- Re: [TLS] Call for Consensus on removal of renego… Peter Gutmann
- Re: [TLS] Call for Consensus on removal of renego… Martin Rex
- Re: [TLS] Call for Consensus on removal of renego… Watson Ladd
- Re: [TLS] Call for Consensus on removal of renego… Peter Gutmann
- Re: [TLS] Call for Consensus on removal of renego… Steve Checkoway
- Re: [TLS] Call for Consensus on removal of renego… Alyssa Rowan
- Re: [TLS] Call for Consensus on removal of renego… henry.story@bblfish.net