IETF Logo Mail Archive

Re: [TLS] datacenter TLS decryption as a three-party protocol

Stephen Farrell <stephen.farrell@cs.tcd.ie> Sun, 23 July 2017 16:16 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5A2612714F for <tls@ietfa.amsl.com>; Sun, 23 Jul 2017 09:16:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 65Ghu6FCZGZD for <tls@ietfa.amsl.com>; Sun, 23 Jul 2017 09:16:04 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D0751241FC for <tls@ietf.org>; Sun, 23 Jul 2017 09:16:04 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0D85ABE2C; Sun, 23 Jul 2017 17:16:03 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oiOV24H885NR; Sun, 23 Jul 2017 17:16:01 +0100 (IST)
Received: from [10.244.2.100] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 1FE97BE24; Sun, 23 Jul 2017 17:16:01 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1500826561; bh=FlrJH1Cyd3QpEmO5dDnIS4mb/GxXnixk6FZ12eV09ow=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=kJZmYkI/p3vNn7Odm85TPuEaxhYNC4bh6UClmiVytpbn69vuea7D99PMl80hp11K0 Ys9wsCaPyDQCrSaQjA3zoR5D++AlwmlcyN2D33kU+CuL25KRLJXX9K07cUHTc046Lt ewqUTkQkus3yJnWOejY2chFOlaTqqT1TbBk1Cg+Y=
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
References: <CAAF6GDeFuRy0DN6w3FwmR_nh1G=YBi4+qiEcw0MfSRj4SUCbZQ@mail.gmail.com> <20170720200114.AA2F91A6CB@ld9781.wdf.sap.corp> <06AE85BC-87AD-4CA5-8408-44F670358701@ll.mit.edu> <20170720203238.e66zurx5yn2jja3a@LK-Perkele-VII> <17109486-336E-44C0-B9FC-D65EE14310B5@ll.mit.edu> <20170723070240.x7kmynzmu4jqco5t@LK-Perkele-VII> <C0772D29-CB26-418F-981B-BC2E2435E655@ll.mit.edu>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <3ca53a31-52c4-3f87-2e4c-fb5965d43eee@cs.tcd.ie>
Date: Sun, 23 Jul 2017 17:16:00 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <C0772D29-CB26-418F-981B-BC2E2435E655@ll.mit.edu>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="bj6SsuuKOnCMX7ctxqiOutBOwcO4Nb3R5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3OpuJFJ-PHekStSeDLYq-XDd6hk>
Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Jul 2017 16:16:08 -0000


On 23/07/17 13:43, Blumenthal, Uri - 0553 - MITLL wrote:
> Ilari,
> 
> I got your point.
> 
> But in view of the request this WG is discussing now, I see only two
> reasonable (IMHO) opinion: 1. Tell those requestors to go away
> because TLS 1.3 has been designed to always be forward-secure; or 2.
> Add a *detectable* non-PFS key exchange so those requestors would
> have something they can live with, and the rest of us could at least
> agree or disagree to a non-PFS session establishment on a per-session
> or a per-entity basis.

In Prague some folks were considering another option:

3. Encourage folks who currently use static RSA keys for third
party decryption to put in place a migration plan that gets them
to FS without breaking TLS1.3. IOW, given they can continue to
use TLS1.2 for some years to come, there's no rush, and plenty
of time for transition plans to be put in place. (That'd I think
imply some work in the ops area of the IETF if there's any IETF
work needed at all, but nothing in the TLS wg.)

While I'd (probably entirely predictably:-) be against your
option 2 above, I'd also note that that'd entirely screw up any
ideas we might have of finishing TLS1.3 in the near term. Anyone
who'd argue for such changes needs to be clear that they're also
arguing for another year's delay.

Cheers,
S.

> 
> I do not know what mechanism could do the latter, or off it even
> exists. But folding an RSA method in seems to do the job. I'd say
> it's fine if it borrows from 1.0, as it isn't going to be the most
> secure setting anyway.
> 
> Regards, Uri
> 
> Sent from my iPhone
> 
>> On Jul 23, 2017, at 03:02, Ilari Liusvaara
>> <ilariliusvaara@welho.com> wrote:
>> 
>>> On Thu, Jul 20, 2017 at 08:42:10PM +0000, Blumenthal, Uri - 0553
>>> - MITLL wrote:
>>>> On 7/20/17, 16:32, "ilariliusvaara@welho.com on behalf of Ilari
>>>> Liusvaara" <ilariliusvaara@welho.com> wrote: Maybe we are
>>>> better off just retrofitting RSA-key-transport back into
>>>> TLS-1.3?
>>> 
>>> This has in fact been requested. Kenny Paterson said about the
>>> request: 
>>> -----------------------------------------------------------------------
>>>
>>> 
My view concerning your request: no.
>>> Rationale: We're trying to build a more secure internet.
>>> 
>>> My rationale to resurrect it: others are trying to push TLS-1.3
>>> into an invisibly-insecure state. If we must satisfy them (and
>>> I’m not at all sure we should), then this is the most obvious way
>>> to at least avoid the “insecurity” being silently pushed upon
>>> you. At the very least you’d have an option to continue under
>>> surveillance or abort connection.
>> 
>> This isn't just matter of what is considered "secure enough" to 
>> include. There are fundamential technical constraints that prevent 
>> adding static RSA back.
>> 
>> Early on, there were all sorts of really fundamential decisions on
>> how TLS 1.3 works. The results of these decisions are baked deeply
>> in the protocol, and are extremely hard to change. These decisions
>> were already very apparent in draft-02, over 3 years ago, despite
>> -02 being unimplementable.
>> 
>> One implication of those assumptions is that any asymmetric key 
>> exchange in TLS 1.3 is at least potentially forward secure[1] (the 
>> actual constraints on asymmetric key exchanges are even stronger 
>> than that, but this weaker version suffices here). Static RSA is
>> not even potentially forward-secure, so it can not be added.
>> 
>> If you try to add back RSA using the most straightforward method, 
>> what you get is not an analog of static RSA from TLS 1.2. The
>> result would be closer to RSA_EXPORT from TLS 1.0.
>> 
>> 
>> On the other hand, there is no way to construct a key exchange that
>> is always forward-secure. Either endpoint can always act in a way
>> that destroys forward-security (even without leaking any
>> per-connection information), but can not be detected (DH share
>> reuse is considered detectable) by the other end.
>> 
>> 
>> [1] "potentially forward secure" means that there exists
>> interoperating client and server implementations, so that the key
>> exchange is forward- secure.
>> 
>> 
>> -Ilari
>> 
>> 
>> 
>> _______________________________________________ TLS mailing list 
>> TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email