IETF Logo Mail Archive

Re: [TLS] Technical comment on design draft-rhrd-tls-tls13-visibility-00: why also break integrity/authentication?

Joseph Salowey <joe@salowey.net> Mon, 06 November 2017 01:57 UTC

Return-Path: <joe@salowey.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7547C13FA27 for <tls@ietfa.amsl.com>; Sun, 5 Nov 2017 17:57:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cWTKXa9wNx_d for <tls@ietfa.amsl.com>; Sun, 5 Nov 2017 17:57:21 -0800 (PST)
Received: from mail-pf0-x230.google.com (mail-pf0-x230.google.com [IPv6:2607:f8b0:400e:c00::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CFE6A13F88D for <tls@ietf.org>; Sun, 5 Nov 2017 17:57:21 -0800 (PST)
Received: by mail-pf0-x230.google.com with SMTP id a8so6584699pfc.0 for <tls@ietf.org>; Sun, 05 Nov 2017 17:57:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=pITbxZYiVBNG+xjzAhiH0wZlRIabJuols+DJe6inHHc=; b=a4dHmyn95teSXNDgrFFiWrWTRkQVcQV3NCMurAR8I1r4GfG49Br8AmzkP01T4dxS8I xJsUi7IuDUjZ9MeYqBXXDsU3RRbK8cmDJmD3QhyLR/5jJlEJ+r7AK5gER4pO+Flo/Ktg jbYaUgktBoY0Xtzhv7pq7OPXoZPqXTEjjnMx+Dd5AfYair5m0Ack/s99bT6jkJk76mzT lhRK06eDDxgCQ/MPRL042Qa+ajfCi+XL0o73/2xLQZJEVhogJhm16ZAhOu+DK42htHYs PequXV4kCh7vfqZx/Naxxsww4ZxksH/zVudCG9X70BQwNXFtB29FW78bYXtv98hkFCri NZtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=pITbxZYiVBNG+xjzAhiH0wZlRIabJuols+DJe6inHHc=; b=UkbLOgMxpjtV5oHp0nAejzpa46U08PyyjLGIEmOuzR4de0e9CiNJjeJf50LNwaRent 5A/3Akz6b0sYExEGprkmd413StnJ9I9LSjN4NSHqlbTaAa8qc5UCRzV1NX3Iv8RqVmM8 YRfReaY4tp/V9Som798hiPgokQW/uZ5iGpPeHcWOnLhgYaXlNRUxMDlorxsYdMZ8aRsH 0Gwf6unDch5QcXvGUVOHdgPuyAaljhJotQrYt1dkcgv/fZpN6uxlgJi5sd5+Htid+7mx MzIUmUXM6UwqOsgDx8sO1jDBaqx1LFHq3SLk7cVUOfxSy3Colu7goZqOAhL6rgeNYyAz x89w==
X-Gm-Message-State: AMCzsaV3ovStQqxJ2CQ3AacCmnrkCm1w0xxYddwvssS6fB7UyU2ffzXR xUrRIk7k3E/9x9g9yQGYd8QC995LqkbNcuOlssBlUcdn
X-Google-Smtp-Source: ABhQp+QZzudcNMIGcYp3W6TGWlRjnxoA9yliLdiqBXjlscUY1ICvvR76NVhzueEWoiEMfFn5O6neCpZHVz7vj8wgmLQ=
X-Received: by 10.99.185.79 with SMTP id v15mr13851863pgo.258.1509933441291; Sun, 05 Nov 2017 17:57:21 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.218.165 with HTTP; Sun, 5 Nov 2017 17:57:00 -0800 (PST)
In-Reply-To: <CABdrxL7eE1rND6b-q-La7gwzgZmt2VEo3CKUcEfGMoiMWZ71wQ@mail.gmail.com>
References: <CABdrxL4ZX5GbUhdqmVrhVqwM-MqMsgLL6ow9ksQ8NYBCPvgnfA@mail.gmail.com> <CAL02cgQMeJAqTtrVBzv254arGQU-88NTJJWgZdoRQguPn14TkQ@mail.gmail.com> <CABdrxL7eE1rND6b-q-La7gwzgZmt2VEo3CKUcEfGMoiMWZ71wQ@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Sun, 05 Nov 2017 17:57:00 -0800
Message-ID: <CAOgPGoA6N4rwYet61ABNJCKzqEuMrtZ2a6Zk=FaB4uhFtxjT3w@mail.gmail.com>
To: Cas Cremers <cas.cremers@cs.ox.ac.uk>
Cc: Richard Barnes <rlb@ipv.sx>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1bae06673541055d46c699"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1lcHIPs57Jh4JkgBc5R6puIuNOc>
Subject: Re: [TLS] Technical comment on design draft-rhrd-tls-tls13-visibility-00: why also break integrity/authentication?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2017 01:57:24 -0000

I'm not sure what use cases you are targeting, but this type of solution
can be dangerous for application security. Most application security models
assume that TLS will provide both confidentiality and authenticity.
Breaking confidentiality will often expose vulnerabilities that can result
in escalation of privilege or spoofing resulting in a loss of
integrity/authenticity in the application. For example, the use bearer
tokens such as passwords or session cookies is widespread. It will take
much more work to make applications resilient to loss of confidentiality.
There may be use cases where confidentiality compromise is limited to just
confidentiality, but I think these are in the minority.

Joe

On Fri, Nov 3, 2017 at 7:41 AM, Cas Cremers <cas.cremers@cs.ox.ac.uk> wrote:

> Hi Richard,
>
> Thanks for the pointer, I had missed your earlier observation of
> essentially the same thing in the large mail threads.
>
> Personally, I think it is a substantial and unmotivated loss in security
> to also give up authentication/integrity.
>
> Note that any changes towards PERC would require some significant changes
> in the security analyses; for mctls, I expect it would be a completely new
> analysis. (I haven't seen any analyses of rhrd, but of the three, it is of
> course closest to the current setup.)
>
> Best,
>
> Cas
>
>
> On Fri, Nov 3, 2017 at 2:00 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
>> Hey Cas,
>>
>> This question is a good one.  Earlier I brought up mcTLS, which some
>> folks have been working on to provide even more granular separations than
>> you suggest:
>>
>> https://mctls.org/
>>
>> I think the authors of draft-rhrd are trying for a more lightweight
>> change to TLS.  That said, there might be some intermediate points on the
>> spectrum here.  For example, you could define a TLS ciphersuite akin to
>> what we defined in PERC when we wanted to break integrity partly and
>> confidentiality not at all.
>>
>> https://tools.ietf.org/html/draft-ietf-perc-double-07
>>
>> That would be less invasive than mcTLS, while still getting the
>> properties you describe.
>>
>> --Richard
>>
>>
>> On Nov 3, 2017 09:43, "Cas Cremers" <cas.cremers@cs.ox.ac.uk> wrote:
>>
>> Dear all,
>> ​​
>> ​​Disclaimer: I am not a proponent of the idea behind draft
>> visibility/green/rhrd; I think such a mechanism should not be part of the
>> TLS 1.3 standard.
>> ​​
>> ​​I have a technical problem with the current design, whose goal is to
>> allow eavesdropping for inspection, i.e., selectively decreasing
>> confidentiality.
>> ​​
>> ​​However, the design in the draft also enables arbitrary traffic
>> modification/insertion, additionally breaking all authentication and
>> integrity guarantees. Once someone has the session keys, they can not only
>> eavesdrop but can also start to insert/modify traffic. This additional
>> decrease in security is entirely unmotivated by the cited use cases.
>> ​​
>> ​​It is possible to offer authentication and integrity, while selectively
>> giving up confidentiality. For example, one could replace the AEAD by (i) a
>> mechanism for authentication and (ii) a separate mechanism for
>> confidentiality, and then possibly reveal the keys used for (ii), but make
>> sure only the real endpoint has the keys for (i). That seems more rational
>> to me, and may retain the authentication/integrity guarantees. However, it
>> would require a much more invasive change.
>> ​​
>> ​​Best,
>> ​​
>> ​​Cas
>>
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email