Re: [TLS] Use-case for non-AEAD ciphers in network monitoring
Martin Thomson <mt@lowentropy.net> Wed, 26 May 2021 22:00 UTC
Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E9ED3A0D01 for <tls@ietfa.amsl.com>; Wed, 26 May 2021 15:00:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b=2uhlmcDQ; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=VsTLOHqw
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 26ScGMJYN8dw for <tls@ietfa.amsl.com>; Wed, 26 May 2021 15:00:52 -0700 (PDT)
Received: from out1-smtp.messagingengine.com (out1-smtp.messagingengine.com [66.111.4.25]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 999EC3A0CFC for <tls@ietf.org>; Wed, 26 May 2021 15:00:52 -0700 (PDT)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id B31905C0164 for <tls@ietf.org>; Wed, 26 May 2021 18:00:49 -0400 (EDT)
Received: from imap10 ([10.202.2.60]) by compute4.internal (MEProxy); Wed, 26 May 2021 18:00:49 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm2; bh=9B+Tj NuMmBXylUVN7JVBZnMSy1AxFl2HQhjY3cAfcuY=; b=2uhlmcDQNLr9z2fXsW7un qosUH3+MrhH/cL+4e2oojatgxXAyTcQ3xoj8A59qsfBJIPfWTMYkXSQkJTq1yaY5 /LPK9qZtCEaHqzaW87U1ntIJ0LBSKbQF/bC1JFzXezwFHhS2Ahr5uZXYm4KFt+Wq vsXa6tbz9u5r09KlLOsVzuPXqyl0hvuXJpTuulxtj+mSTOBeEcHYVx+kw8w2wV5d 8/9kTKPJUwxWUWxkMkyAbylL/21cVmRiri2VohwVHBOpar6/9K+iUbcXWjYts5ro hynlBcBy6yji4qD8NcSICcCLmHXnLfqSBN9QtKnGVxehYY4w68WoQrbCFAwhr8XU Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm2; bh=9B+TjNuMmBXylUVN7JVBZnMSy1AxFl2HQhjY3cAfc uY=; b=VsTLOHqwdV+JLrq2A+/n6fqMeo5ZzOVZGIKeoqTyupQB9rwiQ8/C9XdjN For5kVErV+MCYLwhF8cH5+uW22RoU0rxsw95FIvN5eulEYVspitb5EjkH1n6vZOC //8t3YtYw7Hj94ikbqMPqZ/QsY12OFo+Zo8zGTUWko9o1qg8uWsTlZUQd+krB+9d swCAuIQZbO8v05pTDf+Glq3/3BcskIrrPhLp1UKq+RvaxCjcbCMZThKs0I5Gu3TB qyNKdcbD2tFyBas8XyfVcI51kA3+eDCDDGKQbNy/BrtpOTTV6Y93E8BFc8GnXryX qnTafB5bu77JvEwkSQZHuvOV/JZ0g==
X-ME-Sender: <xms:EMWuYFz5E2MeEVvkLgz3PZJDTbIOBWmYgqI28FpTJuaIYWaiuaG28A> <xme:EMWuYFTwTxKJdy99VkmhbyhsVQkoVhDfQ4Z5bBelPlolOfoftMYPBj1zxPQhkO3XA s59S1ieerCfmLI5_y4>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduledrvdekgedgtdefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdforghrthhinhcuvfhhohhmshhonhdfuceomhhtsehl ohifvghnthhrohhphidrnhgvtheqnecuggftrfgrthhtvghrnheptddvteduieefveffte etgfegueffjeehjeeiledthffhgeehveeijefgkedtleejnecuffhomhgrihhnpegrrhig ihhvrdhorhhgpdiivggvkhdrohhrghdpghhithhhuhgsrdgtohhmpdegtdhivghtfhdroh hrghdpihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehm rghilhhfrhhomhepmhhtsehlohifvghnthhrohhphidrnhgvth
X-ME-Proxy: <xmx:EMWuYPUjxfq_dyHI7r2dW9ZtBOcVVxIt1Q8YTLGehKvZbbSuIbz6ig> <xmx:EMWuYHjZ_cTEr4A3nV-s7SasO3njd99IJzi6HudyPo-YY7XHxtbEUA> <xmx:EMWuYHAsW7jKInxiI_0OJAG_ck4gm4-lKQWWgYh6ePW9DOVpWbHQhw> <xmx:EcWuYKOzD-ifqjD3GaM3UrPOCj_aIRinfea92GmAdgRKcedBmaREaw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id B46094E0091; Wed, 26 May 2021 18:00:48 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.5.0-alpha0-448-gae190416c7-fm-20210505.004-gae190416
Mime-Version: 1.0
Message-Id: <8eedb189-7fb1-4a18-b68d-ee74ea130799@www.fastmail.com>
In-Reply-To: <584db921-4c57-4f45-65d6-8273611fd549@informatik.uni-hamburg.de>
References: <b084b7a8-80a9-c7d9-fca7-dabb12ad6949@informatik.uni-hamburg.de> <584db921-4c57-4f45-65d6-8273611fd549@informatik.uni-hamburg.de>
Date: Thu, 27 May 2021 08:00:28 +1000
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/27sveY-4chTH91Kf-H6vgnTCxWI>
Subject: Re: [TLS] Use-case for non-AEAD ciphers in network monitoring
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2021 22:00:58 -0000
It seems to me like the next step is to share a paper, ideally in the form of an internet-draft, that describes more precisely what you would like to see happen. On Wed, May 26, 2021, at 18:48, Florian Wilkens wrote: > Dear all, > > first, we want to thank you for your feedback, it is much appreciated! > We wanted to briefly clarify some details about our idea: > > - AEAD/non-AEAD: completely true. We were mainly looking at ciphers from > TLS 1.3 that all use keys and IVs but that is of course unrelated to > AEAD as a concept. > - registering our own ciphersuite: while that is certainly an option, we > are not really advocating for new cipher suites but rather keeping at > least a single cipher suite in the standard that allows for separate > keys for confidentiality and integrity. > > We also tried to catch up on the discussions in 2016/2017 around > industry concerns to TLS 1.3 (regarding PFS and static key exchanges). > While some parts are certainly similar, we think our approach is > different, as we do not aim to weaken the overall connection security > but rather keep the client machine in control of the key material (as it > is already with current TLS). > > To be clear, our prototype already works on current TLS as is. The > client sends either the pre-master-secret or derived session keys to the > network monitor. Naturally, this will continue to work with future TLS > versions as the client ultimately possesses all required key material. > There are certainly scenarios in which an enterprise might still want to > deploy an MitM proxy at the network edge to retain more control, however > our approach is able to avoid the disadvantages induced by these > proxies. In fact multiple commercial offerings (including one proposed > on the linked NIST workshop) already do exactly what we propose and hand > over all key material to a central party for decryption. Whether this is > good practice, is a discussion for another time, but it is already > happening anyway and there is demand for these solutions. > > Our prototype is able to slightly decrease the attack surface on the > network monitor, as it is not able to forge valid packets in the same > connection due to the missing integrity key. The impact on application > protocols such as HTTP is a problem, however this problem is also > present on both commercial solutions that exfiltrate all key material > from the client and MitM proxies. > > Overall, we just wanted to raise some awareness for the use case as we > felt that a small change to a future TLS standard could achieve some > slight improvements regarding the network monitor. However, if that does > not match the WG's opinion that is certainly okay, as we can work with > current TLS. > > So again thank you for you feedback! > Cheers, > Florian > > > On 17.05.21 18:23, Florian Wilkens wrote: > > Hey folks, > > > > we came across a novel use-case that highlights the need for non-AEAD > > ciphers in TLS and would like to start a discussion on that. > > > > Our use-case is passive TLS decryption on network monitors (NMs). > > Non-AEAD ciphers would allow to selectively forward the TLS write keys > > from clients to a NM that can then passively decrypt TLS sessions, > > without touching their integrity (as the write MAC keys remain on the > > host). This would be a major improvement compared to the usage of MitM > > proxies as current state of the art. MitM proxies terminate all TLS > > connections and establish own connections. Thus, a compromised MitM > > proxy cannot only decrypt all packets, but also change packet contents. > > > > We propose an approach for passive TLS decryption [1] in which > > cooperating hosts selectively forward TLS keys to the NM that then > > decrypts TLS sessions. The approach is (i) completely passive and thus > > does not interfere with the overall connection security and (ii) is able > > to selectively decrypt certain TLS connections with the hosts retaining > > full authority over the key material. While a MitM proxy can also claim > > to selectively decrypt traffic, we can guarantee this by keeping key > > material for selected connections on the client. Furthermore, for > > non-AEAD ciphers only the write keys, but not the write MAC keys, are > > forwarded, so that the NM can inspect but not modify TLS packets. > > > > Our prototype is built for the Zeek network monitor [2] and is currently > > in the process of being upstreamed with explicit interest from the > > maintainers [3]. Once merged, this will be the first open-source > > solution for passive TLS decryption on both client host (for which we > > built a small prototype) and network monitor (Zeek). > > > > We understand that AEAD ciphers offer many advantages and we understand > > the decision to limit the set of available ciphers to secure choices > > only. However, we think the use-case of passive TLS decryption is highly > > relevant especially for enterprise settings. In such settings, mainly > > MitM proxies are used that are a security problem on their own. > > > > We look forward to your feedback. > > > > Best, > > Florian > > > > [1] https://arxiv.org/abs/2104.09828 > > [2] https://zeek.org > > [3] https://github.com/zeek/zeek/pull/1518 > > > > > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org <mailto:TLS%40ietf.org> > > https://www.ietf.org/mailman/listinfo/tls > > > > > -- > M.Sc. Florian Wilkens > Research Associate > Phone: +49 40 42883 2353 > > IT-Sicherheit und Sicherheitsmanagement (ISS) > Universität Hamburg > Fachbereich Informatik > Vogt-Kölln-Straße 30 > 22527 Hamburg > Deutschland > > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS%40ietf.org> > https://www.ietf.org/mailman/listinfo/tls > > Attachments: > * OpenPGP_signature
- [TLS] Use-case for non-AEAD ciphers in network mo… Florian Wilkens
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Salz, Rich
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Eric Rescorla
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Darin Pettis
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Darin Pettis
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Stephen Farrell
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Eric Rescorla
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Darin Pettis
- Re: [TLS] [EXTERNAL] Re: Use-case for non-AEAD ci… Andrei Popov
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Ruslan N. Marchenko
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Florian Wilkens
- Re: [TLS] Use-case for non-AEAD ciphers in networ… Martin Thomson