IETF Logo Mail Archive

Re: [TLS] integrity only ciphersuites

"Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com> Mon, 20 August 2018 23:13 UTC

Return-Path: <ncamwing@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63E7A127148 for <tls@ietfa.amsl.com>; Mon, 20 Aug 2018 16:13:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8E3yKZeW0Sb for <tls@ietfa.amsl.com>; Mon, 20 Aug 2018 16:13:33 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4159C129619 for <tls@ietf.org>; Mon, 20 Aug 2018 16:13:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=21724; q=dns/txt; s=iport; t=1534806813; x=1536016413; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=JyasRvHTvjO7MEPqwP5ciQzFyYjN3tPEVv1jxC8N6Z4=; b=iG47OwN2moGH/PFtZEntGrrSFEVENfx7FjFspbmzL/y6nxWdzweY5d7C TabM7rhgcaGUt9uJNA3jFsFT+d1DyjGl+Vuu+4WNj1ZSsJCf3+TQJIeDw xyXb8PY7KDtuIhM8BRyH1KLEuwlzxBnmoDgCTHqQcQE5ES7z908PkSr5r Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0D5AABSSntb/4gNJK1cGgEBAQEBAgEBAQEIAQEBAYJXeGN/KAqDZogKjB6BaCWQbIUrgXoLGAEKhEkCF4M2ITQYAQIBAQIBAQJtHAyFNwEBAQQBASFLCxACAQgOAwMBAigDAgICJQsUCQgCBA4FgyIBgR1kD6dsgS6EKgE9hXcFh32BGxeCAIESJwwTgkyDGwEBAgGBfhaCSzGCJgKIdYQCjgUJAoYniTcVgT6EL4hLhkGES4d1AhEUgSQdOIFScBU7KgGCPgmCHBeDRYUUhT5vAY1vgRsBAQ
X-IronPort-AV: E=Sophos;i="5.53,267,1531785600"; d="scan'208,217";a="443972216"
Received: from alln-core-3.cisco.com ([173.36.13.136]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 20 Aug 2018 23:13:32 +0000
Received: from XCH-RTP-014.cisco.com (xch-rtp-014.cisco.com [64.101.220.154]) by alln-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id w7KNDVg2014755 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 20 Aug 2018 23:13:32 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-014.cisco.com (64.101.220.154) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Mon, 20 Aug 2018 19:13:30 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1320.000; Mon, 20 Aug 2018 19:13:31 -0400
From: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] integrity only ciphersuites
Thread-Index: AQHUOMbv4/TwUeWSFUmhTxfQeZX0pqTJYnIA//+wigA=
Date: Mon, 20 Aug 2018 23:13:31 +0000
Message-ID: <7E9735B9-79F4-4E0B-8701-676048893CB4@cisco.com>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com> <CABcZeBNpgnfBerkutLB0jKA4vF_FrpXNHnEeKQhAOFm-y=xJsA@mail.gmail.com>
In-Reply-To: <CABcZeBNpgnfBerkutLB0jKA4vF_FrpXNHnEeKQhAOFm-y=xJsA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.c.0.180410
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.155.208.72]
Content-Type: multipart/alternative; boundary="_000_7E9735B979F44E0B8701676048893CB4ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.154, xch-rtp-014.cisco.com
X-Outbound-Node: alln-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/66XfRo2NI-JFq338OSWseAnN2NE>
Subject: Re: [TLS] integrity only ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 23:13:35 -0000

Hi Eric,
Thanks for the prompt feedback!  Please see further comments/questions below:

From: Eric Rescorla <ekr@rtfm.com>
Date: Monday, August 20, 2018 at 13:58
To: "ncamwing@cisco.com" <ncamwing@cisco.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] integrity only ciphersuites



On Mon, Aug 20, 2018 at 1:48 PM, Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org<mailto:ncamwing=40cisco.com@dmarc.ietf.org>> wrote:
All,
A couple IoT consortiums are trying to embrace the improvements made to TLS 1.3 and as they define their new security constructs would like to adopt the latest protocols, in this case TLS 1.3.   To that extent, they have a strong need for mutual authentication, but integrity only (no confidentiality) requirements.


In following the new IANA rules, we have posted the draft https://tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-00 to document request for registrations of HMAC based cipher selections with TLS 1.3…..and are soliciting feedback from the WG on the draft and its path forward.

Nancy,

As you say, you don't need WG approval for code point registration as long as you don't want Recommended status.

With that said, I don't think this document makes a very strong case for these cipher suites. Essentially you say:


  1.  We don't need confidentiality
2. Code footprint is important

Generally, I'm not very enthusiastic about argument (1). It's often the case that applications superficially need integrity but actually rely on confidentiality in some way (the obvious case is that HTTP Cookies are an authentication mechanism, but because they are a bearer token, you actually need confidentiatilty). It's much easier to just always supply confidentiality than to try to reason about when it is or is not needed.
[NCW] We are working diligently in several IoT based consortiums to begin to define security around those protocols as many today do not afford any protection at all.  At minimum, we want to ensure there is mutual authentication and authorization as well as message integrity.  As we cite in the draft, many “things” perform repetitive tasks that want to communicate motion, speed or other machine control functions that are not deemed to be private.
I can see your point/belief that it is much easier to include confidentiality, but some chipsets today especially at those levels (and cost) are not constructed with those provisions today, though they do have HMAC capabilities.

The second argument is that you are trying to keep code size down. It's true that not having AES is cheaper than having AES, but it's possible to have very lightweight AES stacks (see for instance: https://github.com/01org/tinycrypt).
[NCW] So, it is not just about code size, but overall hardware availability and cost….

So, overall, this doesn't seem very compelling..

-Ekr




Warm regards, Nancy (and Jack)

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email