IETF Logo Mail Archive

Re: [TLS] EXTERNAL: Re: integrity only ciphersuites

Jack Visoky <jmvisoky@ra.rockwell.com> Tue, 21 August 2018 15:20 UTC

Return-Path: <jmvisoky@ra.rockwell.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2288B128B14 for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 08:20:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VNxDXixV1PLm for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 08:20:19 -0700 (PDT)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01on0051.outbound.protection.outlook.com [104.47.33.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29EE21274D0 for <tls@ietf.org>; Tue, 21 Aug 2018 08:20:19 -0700 (PDT)
Received: from DM5PR2201MB1433.namprd22.prod.outlook.com (10.174.186.154) by DM5PR2201MB1465.namprd22.prod.outlook.com (10.174.186.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1059.21; Tue, 21 Aug 2018 15:20:17 +0000
Received: from DM5PR2201MB1433.namprd22.prod.outlook.com ([fe80::49f1:7875:b984:9a65]) by DM5PR2201MB1433.namprd22.prod.outlook.com ([fe80::49f1:7875:b984:9a65%2]) with mapi id 15.20.1059.023; Tue, 21 Aug 2018 15:20:17 +0000
From: Jack Visoky <jmvisoky@ra.rockwell.com>
To: Ted Lemon <mellon@fugue.com>
CC: Andreas Walz <andreas.walz@hs-offenburg.de>, "tls@ietf.org" <tls@ietf.org>, "ncamwing=40cisco.com@dmarc.ietf.org" <ncamwing=40cisco.com@dmarc.ietf.org>
Thread-Topic: [TLS] EXTERNAL: Re: integrity only ciphersuites
Thread-Index: AQHUOV98dXTtnuVz+kOQWLoA1No/8qTKTN5g
Date: Tue, 21 Aug 2018 15:20:17 +0000
Message-ID: <DM5PR2201MB14332BE29A418B74DF8E2AD299310@DM5PR2201MB1433.namprd22.prod.outlook.com>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com> <64d23891-2f32-9bb8-1ec8-f4fad13cdfb9@cs.tcd.ie> <982363FD-A839-4175-BA53-7CA242F9ADA6@ll.mit.edu> <2D7F2926-6376-4B2C-BDE9-7A6F1C0FA748@gmail.com> <5B7C1571020000AC0015C330@gwia2.rz.hs-offenburg.de> <DM5PR2201MB14335F5B8FBF5DC0B64B2AEF99310@DM5PR2201MB1433.namprd22.prod.outlook.com> <CAPt1N1=BLy5Y1Ecf6zPbC0UkXKCeKAavtKs=K5u5pL_a6CPtBw@mail.gmail.com>
In-Reply-To: <CAPt1N1=BLy5Y1Ecf6zPbC0UkXKCeKAavtKs=K5u5pL_a6CPtBw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jmvisoky@ra.rockwell.com;
x-originating-ip: [205.175.250.246]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR2201MB1465; 6:bgQJLt1lV06JFvhrGUmIMsX0ySFQSZ65U1MOWcDwNhjWXNECNH1c4sbD7VJHVN4XdFTJLq9TgXImCFE8gV/n9rJcZhcUXTN8fLKcyI8f170d3YHdlNJsmAoTZG8G6c0+6xrJuVGqI3GBdr/S+kewLN4HuNCuchg1pjMIo5gFFCEjcSOSTHlNA8xGJYCWZScpYvFnrYCeE3ORKa3MD2qaREknPV1rKrl20PgWze1J9ucilZ6UsM4gMa1kMI4sg7pX5pggfAcJmdtZ3Hrm6xR53EiEMG5ja5Ihxxlxpzg5Ppk5rJf3dRdPO9IPzin+VkmLHiZfNTiYNR0T9AQjQHYD0SbVWdune4GZxBHcjksroVXKLenuR9hrZlQKeLJh3PPnxK9S9t9jWPa2RisX5R0/dY6CqdZIdB40ZeqJ9GORDXE60Kq6jviJeqfEAH5o2gCEXijChDyyhSglY8zlUwbwwg==; 5:IcBzUMubVqkvF4PiW06Spzn/cTB3ZkBqoxGaRuITaeagE25olneQYDa/tUEYPZlHjlHEhhqs9Vq/VdVo6U+swk3D0Oh/IIxwDiuwHF0Z5wE7i+qyPTSg/2JraA5BHFDFFdAMafk3ncvwNRoxd6u1INDzY8fOgKLdN7QryW2eVZ4=; 7:PFeRVJHZzc3sYzwWAuBQiNWAw30XRfTbs6Iqk6olA734LULsXL+hcsVH6NNGMs869wNySTjUo+eoaICgAn68xTwwZt2kwT1YViabORsrfLNpxt75WshlCcT6Q1VvdiVAxb604nSjuBGk1fPASvq3BSMZtmBTpvBeD8RKTgIoAlHCHpKjWu0Qod6WJHSRqN8X+4v7KzqOoFc30vJ3v1OHbXzN5Ed+POylNezGUHLqr63OdVmkVM1//6iuwOpSP8VS
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 2c831219-32d2-4ecc-0e70-08d6077999cb
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM5PR2201MB1465;
x-ms-traffictypediagnostic: DM5PR2201MB1465:
x-microsoft-antispam-prvs: <DM5PR2201MB1465C5637EEE3B1E6D99956D99310@DM5PR2201MB1465.namprd22.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(32856632585715)(278428928389397)(192374486261705)(85827821059158)(269231077054813)(100405760836317)(21748063052155)(240460790083961);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3002001)(93006095)(93001095)(10201501046)(3231311)(944501410)(52105095)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123560045)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699016); SRVR:DM5PR2201MB1465; BCL:0; PCL:0; RULEID:; SRVR:DM5PR2201MB1465;
x-forefront-prvs: 0771670921
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(136003)(396003)(39860400002)(366004)(346002)(189003)(199004)(966005)(4326008)(55016002)(8936002)(6306002)(54896002)(236005)(9326002)(9686003)(5660300001)(86362001)(99286004)(229853002)(53936002)(2906002)(14454004)(6916009)(66066001)(7696005)(6246003)(68736007)(478600001)(97736004)(6436002)(5003630100001)(76176011)(53546011)(186003)(26005)(102836004)(5024004)(33656002)(6506007)(316002)(256004)(606006)(476003)(81166006)(14444005)(8676002)(790700001)(7736002)(81156014)(3846002)(6116002)(486006)(93886005)(74316002)(105586002)(25786009)(5250100002)(19609705001)(2900100001)(54906003)(446003)(106356001)(11346002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR2201MB1465; H:DM5PR2201MB1433.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ra.rockwell.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: C9V+OMloG5SeYVImLEuMan8Koc7RBUQs39NVI/uUvNKm7PfgNQ8FbPmorD0DU9+oL20YRB4V0Rx+8iSpbXeuMiSrtzRm8kKm8bq9q6jc+SHp9zAzUvcIi73NoKD4VV1y5+yr+3CaEs9B2XSIx906RBorxtpGONk6/Wu1RqoDQnzVwDm+e+vuVUn8FaogFNAArxPq9so3Yu1XrTE/VEWa6KAX1MFGX3sZR6nnG22Vz2QyXMS0R/NW5Rqt0yJon9DWx8mQk2UMZDh8fu2ZkhfceGDyx2J/TCVk4fYiXW259QD+2lL6RMCYA4JfMF2HXiEVKVCABMXIbK0s097AWt3yUD3fFkoPGsv0XqIYbvF/eMg=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR2201MB14332BE29A418B74DF8E2AD299310DM5PR2201MB1433_"
MIME-Version: 1.0
X-OriginatorOrg: ra.rockwell.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2c831219-32d2-4ecc-0e70-08d6077999cb
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Aug 2018 15:20:17.0391 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 855b093e-7340-45c7-9f0c-96150415893e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR2201MB1465
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gVCWcPY-P-9RRaRRHMO6yMZnt0A>
Subject: Re: [TLS] EXTERNAL: Re: integrity only ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 15:20:24 -0000

Hi Ted,

My apologies for being opaque.  There are many different device/applications/installations so I am sorry if I am mixing ideas here.  Generally the NULL ciphers have the benefit around allowing higher performance for devices that are lower horsepower.  Code space can certainly be a concern, but I think for industrial applications it’s more around throughput of high speed I/O, combined with the use cases that derive little benefit from the confidentiality of this data.  “Horsepower” is of course a vague term in of itself, so here I’m talking about things that would impact packet processing; this includes processor speed, available high speed RAM, presence of/lack of crypto acceleration (not in many Industrial Ethernet devices but growing).  I wouldn’t put the executable code size as high on the list of concerns as these items, although there are certainly devices that are limited in this.  This horsepower limitation is directly related to the fact that these devices are expected to function for many years.

I’m happy to clarify any of these points further if needed.

Thanks and Best Regards,

--Jack

From: Ted Lemon [mailto:mellon@fugue.com]
Sent: Tuesday, August 21, 2018 10:58 AM
To: Jack Visoky <jmvisoky@ra.rockwell.com>
Cc: Andreas Walz <andreas.walz@hs-offenburg.de>; tls@ietf.org; ncamwing=40cisco.com@dmarc.ietf.org
Subject: Re: [TLS] EXTERNAL: Re: integrity only ciphersuites

Thanks, Jack, but could you respond to the specific questions that we asked you?   Earlier you were saying that your motivation for using NULL ciphers was that you had specific hardware that couldn't implement encryption due to lack of horsepower or memory.   Now you seem to be saying something completely different.   It's going to be difficult for us to understand your requirements if you talk about different things in each message.

On Tue, Aug 21, 2018 at 10:27 AM, Jack Visoky <jmvisoky@ra.rockwell.com<mailto:jmvisoky@ra.rockwell.com>> wrote:
(I’m responding  a few different points made here)

In general, although this seems like a niche application, there are actually millions of Industrial Ethernet nodes, with the numbers trending upward.  As mentioned, many of these are relying on older protocols designed without security in mind.  Our industry has had a debate around using TLS vs. creating something specific.  Many of us prefer to rely on the security benefits of TLS.  To another point, although I work for Rockwell Automation, here I am working in my capacity within ODVA, a standards group for Industrial Communications that has several large vendors as members.  We have adopted TLS to protect our industrial Ethernet traffic, and one of the selling points of TLS 1.2 was the ability to use NULL encryption.

NULL encryption is not really as much about code size but capability of the devices.  The TLS handshake of course contains some “heavyweight” operations, although handshakes are pretty infrequent as these connections are often quite long-lived.  Once the handshake is over, the I/O data that is transferred is often quite sensitive to latency, and although the encryption overhead might not seem like much when the HMAC is considered, it is still a case where in many applications every bit counts.  Regarding older hardware that exists for many years, some hardware does have cryptographic acceleration although may not have AES-GCM, rather SHA-256 HMAC.  Alternatively, the hardware might not have any crypto acceleration as it was designed without TLS in mind.  At the same time we’d like to secure this traffic via a firmware upgrade.  Despite this, if using encryption drops performance enough users will simply not use it, which is a net worse outcome.  Users will likely not upgrade hardware for many years due to a variety of industry factors.

Kathleen’s comment about defining NULL encryption but being clear about the risks resonates with me.  I’m certainly not suggesting that NULL encryption is needed in all cases, but there are times (as discussed here and in the RFC draft) where it could be quite beneficial.

Thanks and Best Regards,

--Jack

From: TLS [mailto:tls-bounces@ietf.org<mailto:tls-bounces@ietf.org>] On Behalf Of Andreas Walz
Sent: Tuesday, August 21, 2018 9:37 AM
To: tls@ietf.org<mailto:tls@ietf.org>
Cc: ncamwing=40cisco.com@dmarc.ietf.org<mailto:40cisco.com@dmarc.ietf.org>
Subject: EXTERNAL: Re: [TLS] integrity only ciphersuites


[Use caution with links & attachments]

+1

I fully understand the pursuit of minimizing complexity in TLS. However, banning from TLS all provisions to serve non-internet cases seems suboptimal to me.

I think there is a whole universe of systems and applications that are just at the very beginning of being armed with security features: think of communication systems driving, e.g., industrial automation and critical infrastructures. These are quite different from the internet and the web (different threats, security requirements, architectures, networks, resources, etc.). Still, IMHO it's not a niche at all; it's just not as visible to most of us.

I strongly believe it is *not* a good idea to hold back all the valuable experience condensed in TLS and entail the design of customized security protocols for such systems. TLS is state-of-the-art and its benefits should be accessible to as many systems as possible.

Cheers,
Andi Walz


>>> Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com<mailto:kathleen.moriarty.ietf@gmail.com>> 08/21/18 3:20 PM >>>


Sent from my mobile device

> On Aug 21, 2018, at 8:10 AM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu<mailto:uri@ll.mit.edu>> wrote:
>
> "Vulnerable-by-design ciphersuites"? Vulnerable to what?
>
> Suck sites are designed to provide end-point authentication and traffic integrity. Care to explain/show how these properties would not hold?
>
> Besides, it's been explained several times that some use cases do not require confidentiality, and in some use cases confidentiality is forbidden.

I agree with Uri here, flexibility to cover these use cases to accommodate the actual security requirements may result in them using something instead of nothing. It could be defined and not listed as Recommended as well. This comes down to risk management and options, where the risk can be clearly explained and the lack of recommendation can also be explained.

Best regards,
Kathleen

>
> Regards,
> Uri
>
> Sent from my iPhone
>
>> On Aug 21, 2018, at 07:42, Stephen Farrell <stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> wrote:
>>
>>
>>
>>> On 20/08/18 21:48, Nancy Cam-Winget (ncamwing) wrote:
>>> All, A couple IoT consortiums are trying to embrace the improvements
>>> made to TLS 1.3 and as they define their new security constructs
>>> would like to adopt the latest protocols, in this case TLS 1.3. To
>>> that extent, they have a strong need for mutual authentication, but
>>> integrity only (no confidentiality) requirements.
>>>
>>> In following the new IANA rules, we have posted the draft
>>> https://tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-00
>>> to document request for registrations of HMAC based cipher selections
>>> with TLS 1.3…..and are soliciting feedback from the WG on the draft
>>> and its path forward.
>>
>> As ekr pointed out, with the new registration rules,
>> there's nothing to stop someone defining any old set
>> of crypto stuff and getting non-recommended codepoints.
>>
>> That said, I don't consider that defining such
>> vulnerable-by-design ciphersuites is a good plan.
>>
>> - It imposes costs on the non-niche users of TLS - once
>> these things are defined then developers and those who
>> deploy/configure applications using TLS need to check
>> that they're not using these undesirable ciphersuites,
>> so costs are being displaced from niche uses to the
>> vast majority of implementations and deployments, which
>> seems to me to be a bad idea. And we know that people
>> will sometimes get those checks wrong leading to unexpected
>> transmission of plaintext over the Internet.
>>
>> - Similarly, just defining such ciphersuites seems likely
>> to lead to less well tested and infrequently used code
>> paths, which is undesirable. (Assuming someone pays some
>> developer to add these to some library, which generally
>> does seem to happen.)
>>
>> - RFC7525 [1] is clear on this topic (after debate in the
>> UTA WG) - "Implementations MUST NOT negotiate the cipher
>> suites with NULL encryption" and I see nothing new to
>> convince me that that ought change for TLS1.3.
>>
>> - Code footprint arguments aren't that convincing to
>> me - to get interop for the few devices where AES being
>> present or absent could make a real difference, you'd
>> need an awful lot more profiling of TLS or DTLS. I don't
>> see evidence of that so the interop/footprint arguments
>> seem pretty weak. I'd also bet that any useful "tiny
>> footprint" profile of that kind would end up targeting
>> loads of use-cases where confidentiality is absolutely
>> required.
>>
>> - (In addition to the good points made by Geoffrey
>> Keating [2]) cleartext payloads would also assist in
>> device fingerprinting, making it easier to exploit
>> vulnerabilities at scale.
>>
>> - IIUC there is also a desire to encrypt firmware
>> updates so that patches can be distributed more quickly
>> than attackers can reverse-engineer attacks. [4] I'm
>> not entirely sure if that's really likely to happen,
>> but if it were, then devices would need to be able to
>> use recommended ciphersuites in any case.
>>
>> - TLS/AX.25 doesn't seem that good a plan in any
>> case - according to [3], which seems reasonable to
>> me, using clear-signed GPG is quicker and better
>> meets the oddball regulations. Attempting to deal
>> with those regulations by weakening TLS seems like
>> a very bad plan, as you'd fail in any case to achieve
>> interop with normal TLS applications like the web.
>> (And the advertising is as illegal as the crypto
>> apparently, though I do like that aspect:-)
>>
>> - WRT unix sockets, I'm not clear that there's a
>> sufficiently important performance improvement in
>> real deployments to justify introducing weakened
>> ciphersuites - presumably mail servers are going to
>> use standard TLS libraries that (I hope!) won't be
>> offering NULL encryption, so I'd be surprised if
>> the right engineering decision was to prioritise
>> CPU to that extent, given the risks associated with
>> having weak ciphersuites present in widely used
>> implementations. IOW, it seems more sensible to me
>> for mail servers to just stick to using RECOMMENDED
>> ciphersuites. And given that you could use SASL
>> with Postfix/LMTP [5] I'm not sure why you'd want
>> a weirdo-version of TLS1.3 anyway but maybe there's
>> some reason I don't get.
>>
>> - I think this WG has had to spend waaaay too much
>> time dealing with the "inspection of data" debate in
>> various forms, but we did get an answer (no consensus)
>> in the end for that. Niche use cases seem extremely
>> unlikely to me to justify revisiting that painful
>> topic.
>>
>> So all in all, I just don't see a need for these
>> weak-by-design ciphersuites to even be defined. I'd
>> encourage folks who think they're needed to instead
>> think about how using RECOMMENDED ciphersuites might
>> make their implementations more widely applicable and
>> safer. Seems like a much more productive approach to
>> me anyway.
>>
>> Regards,
>> S.
>>
>> [1] https://tools.ietf.org/html/rfc7525
>> [2] https://mailarchive.ietf.org/arch/msg/tls/uI8xVgp7gTuJgwUyY-UgZfmUkRo
>> [3] https://tools.ietf.org/html/draft-ietf-suit-architecture-01#section-3.3
>> [4] https://www.tapr.org/pdf/DCC2010-AX.25-AuthenticationEffects-KE5LKY.pdf
>> [5] http://www.postfix.org/SASL_README.html#client_sasl
>>
>>
>> <0x5AB2FAF17B172BEA.asc>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org<mailto:TLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org<mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email