IETF Logo Mail Archive

Re: [TLS] datacenter TLS decryption as a three-party protocol

Brian Sniffen <bsniffen@akamai.com> Mon, 24 July 2017 14:29 UTC

Return-Path: <bsniffen@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3552131D2E for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 07:29:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w0Yn9al6CUGj for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 07:29:23 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F912131D2C for <tls@ietf.org>; Mon, 24 Jul 2017 07:29:23 -0700 (PDT)
Received: from pps.filterd (m0050102.ppops.net [127.0.0.1]) by m0050102.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v6OEQrtR017296; Mon, 24 Jul 2017 15:29:18 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type; s=jan2016.eng; bh=QkAOGyZiDo4qvjCfZKYUaUVDKHPpCYO6SZ09Zr77ack=; b=PtvGRCZTL7nscrmkfqFxNCc1i8MUkoDUi6frI331qBC/6+1SsMEbxjEQDWyDmwucq0CT TIpmmSVPtLK+8zuIU0cQ/mxQvdbJ2oXSWMPDluPktMJaeEJSZGzWrL24uPNZx661Zmmf HDOioJAiyvKe2bvmOyaM/x2aqgd0d+4XnsSEdUnbJ7QPXdihuUvIrGINOAz/l4zfXffw 5BRnbIbURPfoh/w/N8NOt8UDUSPRpE111ef82+7CGCv2EZDZYcVxFM4pzCIhIKEfoIvl iQn5BiL/gFL7EutqkGc2D/rZC3digvgO7ugYHOEaZne2i4CJpBTyX6YH6mAL/Mv7qWEB Pg==
Received: from prod-mail-ppoint2 (a184-51-33-19.deploy.static.akamaitechnologies.com [184.51.33.19] (may be forged)) by m0050102.ppops.net-00190b01. with ESMTP id 2buusb0je7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 24 Jul 2017 15:29:18 +0100
Received: from pps.filterd (prod-mail-ppoint2.akamai.com [127.0.0.1]) by prod-mail-ppoint2.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v6OEQUHo005903; Mon, 24 Jul 2017 10:29:18 -0400
Received: from prod-mail-relay10.akamai.com ([172.27.118.251]) by prod-mail-ppoint2.akamai.com with ESMTP id 2bv21ue88x-1; Mon, 24 Jul 2017 10:29:17 -0400
Received: from bos-mpeve.kendall.corp.akamai.com (blr-wpxnq.kendall.corp.akamai.com [172.19.32.175]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id D291D1FC71; Mon, 24 Jul 2017 14:29:17 +0000 (GMT)
From: Brian Sniffen <bsniffen@akamai.com>
To: Kyle Rose <krose@krose.org>
Cc: Ted Lemon <mellon@fugue.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "<tls@ietf.org>" <tls@ietf.org>
In-Reply-To: <CAJU8_nXxKb6Ros+amCUSdvxQHPj3V_E75c4hxRkBRrD1z7WyGg@mail.gmail.com>
References: <CAAF6GDeFuRy0DN6w3FwmR_nh1G=YBi4+qiEcw0MfSRj4SUCbZQ@mail.gmail.com> <20170720200114.AA2F91A6CB@ld9781.wdf.sap.corp> <06AE85BC-87AD-4CA5-8408-44F670358701@ll.mit.edu> <20170720203238.e66zurx5yn2jja3a@LK-Perkele-VII> <17109486-336E-44C0-B9FC-D65EE14310B5@ll.mit.edu> <20170723070240.x7kmynzmu4jqco5t@LK-Perkele-VII> <C0772D29-CB26-418F-981B-BC2E2435E655@ll.mit.edu> <35FD3356-8300-405A-B8D8-FC2574DB9A56@fugue.com> <CE89217F-972F-4F37-B8BA-925AE1FE8D68@ll.mit.edu> <44105D6B-4CE0-4C3C-ACFA-30EF1D8AA8F7@fugue.com> <C76720C5-7BB6-4AB4-8A2D-7569EC57D15D@ll.mit.edu> <388DA0F2-E3FC-47D2-B97C-D244ACE50E61@fugue.com> <m2o9sarky7.fsf@bos-mpeve.kendall.corp.akamai.com> <CAJU8_nXxKb6Ros+amCUSdvxQHPj3V_E75c4hxRkBRrD1z7WyGg@mail.gmail.com>
Date: Mon, 24 Jul 2017 10:29:17 -0400
Message-ID: <m2eft5sybm.fsf@bos-mpeve.kendall.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-24_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1707240224
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-24_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1707240224
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3bnXEbRVlXdwbOZpgkMbp4ezzCg>
Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 14:29:25 -0000

Kyle Rose <krose@krose.org> writes:

> On Mon, Jul 24, 2017 at 10:03 AM, Brian Sniffen <bsniffen@akamai.com> wrote:
>
>> I could imagine making the server ECDH share dependent on the
>> client ECDH share, plus a local random value.  At the end of the
>> session, the server discloses that random value, showing that it
>> properly constructed a fresh ECDH share.
>>
>> Then the client has an opportunity to notice---this session didn't have
>> a (retrospective) proof of proper generation of the server ECDH share,
>> and so may involve key reuse in a dangerous way.
>>
>> This doesn't stop the server from logging the session key, of course.
>>
>
> Of course, this is precisely the point. All your proposal does is
> complicate the process of sharing sessions with a third-party: it doesn't
> stop an endpoint from surreptitiously doing evil.

Yes, but it adds a storage requirement in proportion to the number of
evil acts taken.  For the same reason we find large-key cryptography
interesting---now the adversary has to smuggle out megabytes---we might
like this.

> (Your proposal is
> interesting, but because it neatly solves the problem of DH share reuse
> without requiring some kind of CT-like infrastructure, not because it
> somehow addresses the evil endpoint problem. On the downside, it also may
> have implications for amplification DoS.)

Yes: I'd expect a large operator to drop support for this extension
under load, exactly when they switch to pre-generated ECDH keys.  When
they must further switch to re-used keys, that will be silent.

Conversation elsewhere raises a practical point: browsers don't want to
alert the user on every aborted connection.  But a bad server can
accept&send this extension, reuse a ECDH share, and then RST the
connection rather than properly terminate it.  All I can offer there is
the idea that the client *should* alert when *it* closes the connection
and doesn't get back a proof of proper key generation.

-Brian

-- 
Brian Sniffen <bsniffen@akamai.com>
Information Security: Safety, Adversarial Resilience, Tools, Compliance
/(* Akamai - Faster Forward

v2.23.0 | Report a Bug | By Email