IETF Logo Mail Archive

Re: [TLS] Is there a way forward after today's hum?

Robin Wilton <wilton@isoc.org> Thu, 20 July 2017 13:35 UTC

Return-Path: <wilton@isoc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E95DD131B2D for <tls@ietfa.amsl.com>; Thu, 20 Jul 2017 06:35:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=isoc.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ocQ8vSFc8ecC for <tls@ietfa.amsl.com>; Thu, 20 Jul 2017 06:35:44 -0700 (PDT)
Received: from NAM01-SN1-obe.outbound.protection.outlook.com (mail-sn1nam01on0073.outbound.protection.outlook.com [104.47.32.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2FC82131C33 for <tls@ietf.org>; Thu, 20 Jul 2017 06:35:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=isoc.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=IwqjNzFOmA693TVaJNPlnY7DqQjVxkLKRiOSW7f2r/w=; b=xyfEPm3riCmAWvjE0aO0G5+6tRzaitB+UgdY+jK/Y3piyOE+df0wZMgmwcXOAyTTin+of4+xxEOFSv5LNXej+DNR4ds63yshptkmNXtQLXlGXYwhIF1yzg/bCPb12IhO4XzzcWjSF3aebeCqbuqxjS4AQZ/FjXyjYQvWCXuJtB8=
Received: from BN6PR06MB3395.namprd06.prod.outlook.com (10.174.235.153) by BN6PR06MB3396.namprd06.prod.outlook.com (10.174.235.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1282.10; Thu, 20 Jul 2017 13:35:41 +0000
Received: from BN6PR06MB3395.namprd06.prod.outlook.com ([10.174.235.153]) by BN6PR06MB3395.namprd06.prod.outlook.com ([10.174.235.153]) with mapi id 15.01.1282.011; Thu, 20 Jul 2017 13:35:41 +0000
From: Robin Wilton <wilton@isoc.org>
To: Russ Housley <housley@vigilsec.com>
CC: IETF TLS <tls@ietf.org>
Thread-Topic: [TLS] Is there a way forward after today's hum?
Thread-Index: AQHTAT0e/02z4cJx9Eqsiy9o8ZfN66JclhgAgAAfOKE=
Date: Thu, 20 Jul 2017 13:35:41 +0000
Message-ID: <BN6PR06MB3395B6AABD069E49D4C3C921BFA70@BN6PR06MB3395.namprd06.prod.outlook.com>
References: <BN6PR06MB3395E47F181D02D5772EEC81BFA70@BN6PR06MB3395.namprd06.prod.outlook.com>, <5B14DA7C-E6D4-4681-AEE5-23DD0949CE68@vigilsec.com>
In-Reply-To: <5B14DA7C-E6D4-4681-AEE5-23DD0949CE68@vigilsec.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=isoc.org;
x-originating-ip: [178.255.154.107]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BN6PR06MB3396; 7:0hpokNKF9k5WungIHiFPRGnAlYQNC0hlDZ+xYTChqLO4NURscVeFoVzxMQjiUGVUdGnvMjuEzhFUT0Dxx5oAVYzPU236EWePe5W71DOS7e9fSKkNhNX6+t0vTO/YVAQ26dJV383Qj1QwfjOYwMLu7cMerhhmwy2hyfE6VXKDxvwvGxecuKiluDxdIQKMBoz9QRsFC8JHS975RCQ0IG734KwZcIuLUGUPRx54gRQA8zR4dPQeH5DoXJZEqKSkqEwNOe2RqoWivAGNTPSgKalgazAihgKw+JU1/Az/4TIm3lAH8oARi/MC2RmWBo77M598p9q96ddQnQTEQm4RBKQ59bp6DEYs1cPlglCaQSUUpQGyla0NzFtCajkETH02jqn0TxtAJ/40Je9JbnHs5ym+LDX6lvocVWPn/WhpS4V9FuDgzPFfa0NOkNZl3f1loKjYyODyclG3UWH6MGbk31XphHAlR5GCzWQahhKG7kjrLYGvSNsGKzM3vlKXBdeKveNxGwZn2a8X0EPlp+YiDCAVAVekkTqHOIZlvTz3Ia8gqvc/uhhaiD+AmbaX+WHMRcaWc7WADoddGqPfwlcftU8CzyYnDYsIIw0r45bIh2O1UTyV3SxPR0zn2gpArQl8OAebSCM6vLLl3rPrsWTetNZKUSkbWUKo2s9ALgM0eOzO/I0PWpeiKcW01lnab46YVcAgafPJKbUFQKNKDjVRFBjtAIKk59gmnhJciUWmMDpqIAN0KIx3ONp3ttg2aUheIK22sFJ2Q1Nn0S2GhEa0rJti5u/epT9e1RigUROhoXCf0rs=
x-ld-processed: 89f84dfb-7285-4810-bc4d-8b9b5794554f,ExtAddr
x-ms-office365-filtering-correlation-id: 7394f506-54ad-4479-e104-08d4cf743727
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:BN6PR06MB3396;
x-ms-traffictypediagnostic: BN6PR06MB3396:
x-exchange-antispam-report-test: UriScan:(158342451672863)(236129657087228)(48057245064654)(247924648384137);
x-microsoft-antispam-prvs: <BN6PR06MB33963A0A3233CB8AD7D6C4C2BFA70@BN6PR06MB3396.namprd06.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(2017060910075)(5005006)(8121501046)(3002001)(93006095)(93001095)(10201501046)(100000703101)(100105400095)(6041248)(20161123555025)(20161123558100)(20161123560025)(20161123562025)(20161123564025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:BN6PR06MB3396; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:BN6PR06MB3396;
x-forefront-prvs: 0374433C81
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39830400002)(39400400002)(39410400002)(39450400003)(377454003)(24454002)(77096006)(6506006)(3660700001)(2906002)(478600001)(8936002)(74316002)(81166006)(8676002)(86362001)(6606003)(6116002)(7736002)(189998001)(6436002)(5660300001)(3846002)(229853002)(102836003)(6916009)(2950100002)(7696004)(25786009)(3280700002)(55016002)(33656002)(561944003)(66066001)(50986999)(19627405001)(53936002)(38730400002)(4326008)(54896002)(54356999)(236005)(2900100001)(9686003)(14454004)(110136004)(99286003)(76176999)(53546010)(6246003); DIR:OUT; SFP:1101; SCL:1; SRVR:BN6PR06MB3396; H:BN6PR06MB3395.namprd06.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BN6PR06MB3395B6AABD069E49D4C3C921BFA70BN6PR06MB3395namp_"
MIME-Version: 1.0
X-OriginatorOrg: isoc.org
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Jul 2017 13:35:41.4108 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 89f84dfb-7285-4810-bc4d-8b9b5794554f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR06MB3396
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7dqW27V6tZYGygpx0hm1cx8wJD4>
Subject: Re: [TLS] Is there a way forward after today's hum?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 13:35:47 -0000



________________________________
From: Russ Housley <housley@vigilsec.com>
Sent: Thursday, July 20, 2017 12:35 PM
To: Robin Wilton
Cc: IETF TLS
Subject: Re: [TLS] Is there a way forward after today's hum?


On Jul 20, 2017, at 5:57 AM, Robin Wilton <wilton@isoc.org<mailto:wilton@isoc.org>> wrote:

Apologies for not replying "in thread" on this occasion, for noob reasons... but here's the specific comment from Russ that I wanted to respond to:


________________________________

The hum told us that the room was roughly evenly split.  In hind sight, I wish the chairs had asked a second question.  If the split in the room was different for the second question, then I think we might have learned a bit more about what people are thinking.

If a specification were available that used an extension that involved both the client and the server, would the working group adopt it, work on it, and publish it as an RFC?

I was listening very carefully to the comments made by people in line.  Clearly some people would hum for "no" to the above question, but it sounded like many felt that this would be a significant difference.  It would ensure that both server and client explicitly opt-in, and any party observing the handshake could see the extension was included or not.

Russ


====

Stephen Farrell articulated a concern with that approach - namely, that if we are relying on a setting that is meant to ensure both parties must be aware that static DH is in use, then a bad actor would find ways to suppress that notification. In your proposal, Russ, the notification mechanism would take the form of an extension... so I think we would need to understand what the failsafe is, for instance if that extension is disabled, or not present, in a given deployment of TLS.

There's an implicit assumption about the threat model, too, which I just want to call out. The assumption is that a bad actor would suppress the notification so that the client is not aware that static DH is in use. For completeness, should we also consider whether there are attacks in which it's the *server* whose notification is suppressed? (I can't think of such an attack, off the top of my head, but then, that's probably why I'm not a hacker. ;^, )

Best wishes,
Robin


Robin:

I belive that such tampering would be detected by the finished message processing and the handshake would fail.

Russ

Thanks, Russ;

If I am analysing this correctly, there are two "tampering events" involved here.

The first is: has someone tampered at the protocol/notification level to prevent the client from being notified that static DH is in use?

The second is: when the client decrypts traffic using whatever has resulted from the key exchange protocol, can it tell whether the DH key that was used is a static one or not?

I don't know enough about your proposed extension to judge whether it's reasonable to assume that the finished message processing would detect either of those or not (but I freely admit, that's my lack of knowledge).

Yrs.,
Robin

v2.23.0 | Report a Bug | By Email