[TLS] Four concerns (was Re: draft-rhrd-tls-tls13-visibility at IETF101)

Martin Thomson <martin.thomson@gmail.com> Wed, 14 March 2018 08:48 UTC

From: Martin Thomson <martin.thomson@gmail.com>
Date: Wed, 14 Mar 2018 08:48:13 +0000
Message-ID: <CABkgnnUiQsCtQ+u_-yAg90FkLOM96PunqoeyeOP-9AvJhpdtPw@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>
Cc: IETF TLS <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/11sF1gIwHdcTAH2K7tssFj8H7no>
Subject: [TLS] Four concerns (was Re: draft-rhrd-tls-tls13-visibility at IETF101)

On Tue, Mar 13, 2018 at 9:49 PM, Russ Housley <housley@vigilsec.com> wrote:
> Nick Sullivan summarized
> four concerns with that approach.  See
> https://mailarchive.ietf.org/arch/msg/tls/NJEsyOZ8S3m8fiGk3bJ_lDnL-dg
>
> draft-rhrd-... addresses all four of these concerns.

This isn't quite right.  One of the goals Nick outlined was
"Decryption service only gets session keys, not master secret".  The
current design causes them to gain the handshake secrets, from which
it is trivial to derive the master secret and other secrets [1].  This
includes the resumption master secret and exporter secret.

So aside from enabling MitM, this also enables session resumption by
the decryption service, something that the security considerations
neglects to include in its list.  What, if anything, can be done with
the exporter secret will need more thought.

[1] draft-rescorla-tls13-semistatic-dh-00 and its OPTLS-based
insertion of another DH exchange would prevent the decryption service
from working for anything other than the handshake and 0-RTT.
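The key-schedule relationship behind Martin's point, as an added example that is not part of the original mail, the draft, or any TLS stack: the RFC 8446 section 7.1 schedule for a SHA-256 suite, written out so that it is visible that nothing below the Handshake Secret takes in fresh key material. The Master Secret is HKDF-Extract(Derive-Secret(Handshake Secret, "derived", ""), 0), and the exporter and resumption master secrets are Derive-Secret outputs of it, so a party handed the Handshake Secret together with the handshake transcript reaches all of them. The transcript is assumed available to that party (ClientHello and ServerHello are in the clear, and the later handshake messages are protected under the handshake traffic secrets that this same secret yields). The (EC)DHE shared secret and the transcript bytes below are constructed placeholders; the two hex values in the self-check are the DH-independent SHA-256 values from RFC 8448 section 3.

```python
"""
TLS 1.3 key schedule (RFC 8446, section 7.1) for SHA-256 cipher suites.
Illustration added for this thread, not code from draft-rhrd or from
any TLS implementation.
"""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size          # 32 for SHA-256
ZEROS = bytes(HASH_LEN)                # the "0" inputs of the key schedule


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label: info is the HkdfLabel struct
    uint16 length || opaque label<7..255> || opaque context<0..255>,
    where the label carries the "tls13 " prefix."""
    full_label = b"tls13 " + label.encode("ascii")
    hkdf_label = (length.to_bytes(2, "big")
                  + bytes([len(full_label)]) + full_label
                  + bytes([len(context)]) + context)
    return hkdf_expand(secret, hkdf_label, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages), Transcript-Hash = Hash(Messages)."""
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HASH_LEN)


def handshake_secret(dhe_shared: bytes, psk: bytes = ZEROS) -> bytes:
    """Early Secret -> Handshake Secret: the only step that consumes (EC)DHE output."""
    early = hkdf_extract(ZEROS, psk)
    return hkdf_extract(derive_secret(early, "derived", b""), dhe_shared)


def secrets_from_handshake_secret(hs: bytes, to_server_hello: bytes,
                                  to_server_finished: bytes,
                                  to_client_finished: bytes) -> dict:
    """Everything below the Handshake Secret.  The Master Secret is
    HKDF-Extract(Derive-Secret(hs, "derived", ""), 0): no fresh key material
    enters after hs, so whoever holds hs and the transcript reaches all of
    these, including the resumption and exporter master secrets."""
    master = hkdf_extract(derive_secret(hs, "derived", b""), ZEROS)
    return {
        "c hs traffic": derive_secret(hs, "c hs traffic", to_server_hello),
        "s hs traffic": derive_secret(hs, "s hs traffic", to_server_hello),
        "master": master,
        "c ap traffic": derive_secret(master, "c ap traffic", to_server_finished),
        "s ap traffic": derive_secret(master, "s ap traffic", to_server_finished),
        "exp master": derive_secret(master, "exp master", to_server_finished),
        "res master": derive_secret(master, "res master", to_client_finished),
    }


def rfc8448_known_answers_hold() -> bool:
    """Self-check against the two SHA-256 values in RFC 8448 section 3 that do
    not depend on the DH share: the Early Secret for the zero PSK and the
    "derived" secret expanded from it."""
    early = hkdf_extract(ZEROS, ZEROS)
    derived = derive_secret(early, "derived", b"")
    return (early.hex() == "33ad0a1c607ec03b09e6cd9893680ce210adf300aa1f2660e1b22e10f170f92a"
            and derived.hex() == "6f2615a108c702c5678f54fc9dbab69716c076189c48250cebeac3576c3611ba")


# Constructed sample inputs (not real handshake bytes): a placeholder (EC)DHE
# shared secret and three transcript prefixes in the order the schedule uses them.
SAMPLE_DHE = hashlib.sha256(b"constructed dhe shared secret").digest()
T_SERVER_HELLO = b"ClientHello...ServerHello"
T_SERVER_FINISHED = T_SERVER_HELLO + b"...server Finished"
T_CLIENT_FINISHED = T_SERVER_FINISHED + b"...client Finished"


if __name__ == "__main__":
    print("RFC 8448 known answers:", rfc8448_known_answers_hold())
    hs = handshake_secret(SAMPLE_DHE)
    # What a party given only hs (plus the transcript) can compute:
    for name, value in secrets_from_handshake_secret(
            hs, T_SERVER_HELLO, T_SERVER_FINISHED, T_CLIENT_FINISHED).items():
        print(f"{name:14s} {value.hex()}")
```

The "res master" entry is what makes session resumption possible for the holder, which is the consideration the mail says the draft's security considerations omit; "exp master" is the exporter secret whose consequences the mail says still need thought. The contrast with draft-rescorla-tls13-semistatic-dh is that a further DH exchange feeds new key material in after this point, which this schedule has no place for.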