IETF Logo Mail Archive

Re: [TLS] integrity only ciphersuites

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 22 August 2018 02:16 UTC

Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8823130DD4 for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 19:16:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RzIxNG8DAZXL for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 19:16:02 -0700 (PDT)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2E635129619 for <tls@ietf.org>; Tue, 21 Aug 2018 19:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1534904162; x=1566440162; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=t3N+a//sP+VN7FlvJXEQ1ynYHJi+0AN7gNz2rMKPYe0=; b=hadDckcwG8oJtuUkk3x/Ezd19QBaO3oTBW4m0CD7TeT/gG5PnJg7O7Bf pg/hrx60LhqHoWUVUw2swhWUCssKh1oyl5pzgHVfizIqsrSsljUSNE+nB NygBQXj3xnBRaayTfeqnCD+5C2jrW2Fq4FyX8amgf+HJJTWAAZclissov VNEizH7PQ64xjczZXyOVQeQH8SQ0mrqENenLzy5hKnpKLG5xeTRcZ5SqQ UjfRb06qPEuRDP6SZV8HPZuphVauxctNBjH5/VttCW5I7xQ36zXPYmPRI xJ6QQzV3FfFqoUY76m9+q630M+/BR6Ygj8jaWlkWs91tJIvOyKWoisXpP Q==;
X-IronPort-AV: E=Sophos;i="5.53,272,1531742400"; d="scan'208";a="27491309"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.5 - Outgoing - Outgoing
Received: from uxcn13-ogg-d.uoa.auckland.ac.nz ([10.6.2.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 22 Aug 2018 14:16:00 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) by uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.5) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Wed, 22 Aug 2018 14:15:59 +1200
Received: from uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.25]) by uxcn13-ogg-d.UoA.auckland.ac.nz ([10.6.2.5]) with mapi id 15.00.1263.000; Wed, 22 Aug 2018 14:15:59 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "Fries, Steffen" <steffen.fries@siemens.com>, Andreas Walz <andreas.walz@hs-offenburg.de>, "tls@ietf.org" <tls@ietf.org>
CC: "ncamwing=40cisco.com@dmarc.ietf.org" <ncamwing=40cisco.com@dmarc.ietf.org>
Thread-Topic: [TLS] integrity only ciphersuites
Thread-Index: AQHUOMcWIQ0ztQCz9UKccOekmBKud6TJTRwAgAAIA4CAABIugIAABgCAgAAjtgCAAAI8AIAAAkEAgAADmoCAAXDR3g==
Date: Wed, 22 Aug 2018 02:15:58 +0000
Message-ID: <1534904156874.85231@cs.auckland.ac.nz>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com> <64d23891-2f32-9bb8-1ec8-f4fad13cdfb9@cs.tcd.ie> <982363FD-A839-4175-BA53-7CA242F9ADA6@ll.mit.edu> <2D7F2926-6376-4B2C-BDE9-7A6F1C0FA748@gmail.com> <5B7C1571020000AC0015C330@gwia2.rz.hs-offenburg.de> <E6C9F0E527F94F4692731382340B337804AEFA24@DENBGAT9EH2MSX.ww902.siemens.net> <A51CF46A-8C5F-4013-A4CE-EB90A9EE94CA@akamai.com> <E6C9F0E527F94F4692731382340B337804AEFB10@DENBGAT9EH2MSX.ww902.siemens.net>, <D5FF0E0E-F9C3-4843-AB77-19F45E3C00D5@akamai.com>
In-Reply-To: <D5FF0E0E-F9C3-4843-AB77-19F45E3C00D5@akamai.com>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2C0jq0PMIHpiSqt1o_yJTQ_HGpg>
Subject: Re: [TLS] integrity only ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Aug 2018 02:16:07 -0000

Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> writes:

>Most browsers already do not support NULL encryption, and it is highly
>unlikely that any will add it for 1.3.  Have you any indication otherwise?
>If you’re not going to use the algorithms in general use on the public
>Internet, then you should expect that standard clients such as browsers, will
>not work. PeterG can attest to this. :)

I'm going to have to handwave a bit on this, but a lot of TLS in embedded is
purely M2M, e.g. in IEDs (that's "intelligent electronic device", not
something that goes bang, although sometimes the things they control like
reclosers can go bang).  One or two levels above that are supervisory systems
that may need to talk a non-SCADA-profile TLS, but then they're often running
Windows or something similar and will talk whatever the browser needs.  So in
effect you've got a translation layer from SCADA-profile-TLS to whatever form
of TLS is in fashion in browsers at the moment.

Alternatively, you get extremely expensive control center software that
probably just wraps the Windows WebBrowser control in a custom app, although
I've seen some that use oddball ancient cipher suites so presumably they're
using the programmability of the components to ensure continued support for
older deployed gear.

That's only a high-level, handwavy view...

Peter.

v2.23.0 | Report a Bug | By Email