IETF Logo Mail Archive

Re: [TLS] AEAD only for TLS1.3 revisit

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Tue, 30 September 2014 21:23 UTC

Return-Path: <jsalowey@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 898091A9166 for <tls@ietfa.amsl.com>; Tue, 30 Sep 2014 14:23:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.287
X-Spam-Level:
X-Spam-Status: No, score=-15.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GoT1bUcUt1oR for <tls@ietfa.amsl.com>; Tue, 30 Sep 2014 14:23:39 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05AC91A916C for <tls@ietf.org>; Tue, 30 Sep 2014 14:23:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4522; q=dns/txt; s=iport; t=1412112219; x=1413321819; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=fKywB6p2fT7WJ3PDkqXllkaOuxLyIL9fz4fS3+pik8k=; b=KgQdsxvc6d3cOKckm15BzKh4YHjs/2Ml70n7SKFlTXrLtXyq6f2/jl8q Y/jy8cOhGsVw0cFCaHS66hkpq16dV8PZYzHG6tsqa+CGTbvpXco7G7J45 pm2v5hPxsnei7oaKgok/arHI0PNkKohzAgyHyoeb6rp9C80utkh7zkGPG Q=;
X-Files: signature.asc : 495
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgcFAMMeK1StJV2Q/2dsb2JhbABgDoMAU1vKHgqHTQKBEhYBe4QDAQEBAwEBAQFrCwULAgEIGC4nCyUCBA4FDguIHQgNvkoBEwSPUE4Hgy6BHQWRaoIKgUyHb5VwgyNAbIFIgQIBAQE
X-IronPort-AV: E=Sophos;i="5.04,629,1406592000"; d="asc'?scan'208";a="359409427"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-1.cisco.com with ESMTP; 30 Sep 2014 21:23:38 +0000
Received: from xhc-aln-x12.cisco.com (xhc-aln-x12.cisco.com [173.36.12.86]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id s8ULNcJt027362 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 30 Sep 2014 21:23:38 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.15]) by xhc-aln-x12.cisco.com ([173.36.12.86]) with mapi id 14.03.0195.001; Tue, 30 Sep 2014 16:23:37 -0500
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
Thread-Topic: [TLS] AEAD only for TLS1.3 revisit
Thread-Index: AQHP3AJ4lndEwGXmSE2+7AxRf6JNSZwaacsAgAABUgCAABo+gA==
Date: Tue, 30 Sep 2014 21:23:37 +0000
Message-ID: <44A2498B-D0CB-415C-A1D8-2E362FD8BDF0@cisco.com>
References: <542988C5.8050307@nthpermutation.com> <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com> <D05080B2.1ABB6%uri@ll.mit.edu>
In-Reply-To: <D05080B2.1ABB6%uri@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.33.248.136]
Content-Type: multipart/signed; boundary="Apple-Mail=_C2C28AA5-BD7D-456B-8C2D-B135B517D552"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7rV6-CM32w5hFx3PIPqkDFIikck
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AEAD only for TLS1.3 revisit
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2014 21:23:46 -0000

On Sep 30, 2014, at 12:49 PM, Blumenthal, Uri - 0558 - MITLL <uri@ll.mit.edu> wrote:

> On 9/30/14, 15:44 , "Joseph Salowey (jsalowey)" <jsalowey@cisco.com> wrote:
> 
>> Allowing man-in-the-middle or integrity only cipher suites is not a valid
>> reason to revisit the AEAD decision.  Allowing for man-in-the-middle and
>> passive monitoring is in opposition to our current mandate.   As an
>> aside, if this becomes a requirement in the future I don't think that
>> AEAD actually limits either of these possibilities, although your choice
>> of cipher may.  
> 
> The point is that in some environments the choice is BETWEEN
> man-in-the-middle (currently done by many corporations via “split SSL” or
> “cracked SSL”) with no security guarantees at all, and passive monitoring
> where you can have at least integrity & authenticity.
> 
> AEAD with a single key (which is my preference) is incompatible with
> passive monitoring unless integrity is sacrificed as well.
> 

[Joe] I see your point, but its not within our current scope to design for this.  

> 
> 
>> On Sep 29, 2014, at 9:28 AM, Michael StJohns <msj@nthpermutation.com>
>> wrote:
>>> Hi -
>>> 
>>> This isn't a proposal to change the decision to only include AEAD
>>> ciphers in TLS1.3.  But something crossed my desk that suggested I
>>> should at least mention a possible issue with this.
>>> 
>>> Background:  There are number of countries (and private networks) that
>>> have a requirement to decrypt any traffic passing through certain
>>> places.  There is not a corresponding requirement to allow them to
>>> imitate a sender or receiver.  This can be done through key escrow,
>>> LEAF-like fields or multiple encryption of the data for example.
>>> 
>>> Implication:  AEAD ciphers have a single key which is broken down for
>>> use both in the encryption and integrity processes.  Revealing that
>>> single key (to satisfy the decryption requirement) can reveal the
>>> credentials to allow masquerading.  If the TLS connection credentials
>>> are also being used as credentials for control actions (e.g.
>>> cyber-physical controls of power systems, control over a firewall, etc),
>>> fulfilling the decryption requirement provides an unintended attack
>>> surface for possibly life critical systems.
>>> 
>>> 
>>> Thoughts:  At least one AEAD cipher (CCM) uses the exact same key for
>>> both integrity and encryption.  There is no way to reveal the encryption
>>> key without also revealing the integrity key.  But if you have the
>>> integrity key, you can masquerade as sender or receiver (controller or
>>> controlled).
>>> 
>>> Question:  In light of the above, should we revisit the AEAD-only
>>> decision for TLS1.3?
>>> 
>>> 
>>> Question:  Is there absolutely no requirement for TLS1.3 integrity only
>>> cipher suites?
>>> 
>>> The fallback for systems in areas that have these requirements could be
>>> either TLS1.2, one of the other IETF security protocols, or something
>>> proprietary.
>>> 
>>> And yes, this was triggered by a real-world requirement.
>>> 
>>> Mike
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email