Re: [TLS] AEAD only for TLS1.3 revisit
"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Tue, 30 September 2014 21:23 UTC
Return-Path: <jsalowey@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 898091A9166 for <tls@ietfa.amsl.com>; Tue, 30 Sep 2014 14:23:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.287
X-Spam-Level:
X-Spam-Status: No, score=-15.287 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GoT1bUcUt1oR for <tls@ietfa.amsl.com>; Tue, 30 Sep 2014 14:23:39 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05AC91A916C for <tls@ietf.org>; Tue, 30 Sep 2014 14:23:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4522; q=dns/txt; s=iport; t=1412112219; x=1413321819; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=fKywB6p2fT7WJ3PDkqXllkaOuxLyIL9fz4fS3+pik8k=; b=KgQdsxvc6d3cOKckm15BzKh4YHjs/2Ml70n7SKFlTXrLtXyq6f2/jl8q Y/jy8cOhGsVw0cFCaHS66hkpq16dV8PZYzHG6tsqa+CGTbvpXco7G7J45 pm2v5hPxsnei7oaKgok/arHI0PNkKohzAgyHyoeb6rp9C80utkh7zkGPG Q=;
X-Files: signature.asc : 495
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgcFAMMeK1StJV2Q/2dsb2JhbABgDoMAU1vKHgqHTQKBEhYBe4QDAQEBAwEBAQFrCwULAgEIGC4nCyUCBA4FDguIHQgNvkoBEwSPUE4Hgy6BHQWRaoIKgUyHb5VwgyNAbIFIgQIBAQE
X-IronPort-AV: E=Sophos;i="5.04,629,1406592000"; d="asc'?scan'208";a="359409427"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-1.cisco.com with ESMTP; 30 Sep 2014 21:23:38 +0000
Received: from xhc-aln-x12.cisco.com (xhc-aln-x12.cisco.com [173.36.12.86]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id s8ULNcJt027362 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 30 Sep 2014 21:23:38 GMT
Received: from xmb-rcd-x09.cisco.com ([169.254.9.15]) by xhc-aln-x12.cisco.com ([173.36.12.86]) with mapi id 14.03.0195.001; Tue, 30 Sep 2014 16:23:37 -0500
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
Thread-Topic: [TLS] AEAD only for TLS1.3 revisit
Thread-Index: AQHP3AJ4lndEwGXmSE2+7AxRf6JNSZwaacsAgAABUgCAABo+gA==
Date: Tue, 30 Sep 2014 21:23:37 +0000
Message-ID: <44A2498B-D0CB-415C-A1D8-2E362FD8BDF0@cisco.com>
References: <542988C5.8050307@nthpermutation.com> <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com> <D05080B2.1ABB6%uri@ll.mit.edu>
In-Reply-To: <D05080B2.1ABB6%uri@ll.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.33.248.136]
Content-Type: multipart/signed; boundary="Apple-Mail=_C2C28AA5-BD7D-456B-8C2D-B135B517D552"; protocol="application/pgp-signature"; micalg="pgp-sha1"
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7rV6-CM32w5hFx3PIPqkDFIikck
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AEAD only for TLS1.3 revisit
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2014 21:23:46 -0000
On Sep 30, 2014, at 12:49 PM, Blumenthal, Uri - 0558 - MITLL <uri@ll.mit.edu> wrote: > On 9/30/14, 15:44 , "Joseph Salowey (jsalowey)" <jsalowey@cisco.com> wrote: > >> Allowing man-in-the-middle or integrity only cipher suites is not a valid >> reason to revisit the AEAD decision. Allowing for man-in-the-middle and >> passive monitoring is in opposition to our current mandate. As an >> aside, if this becomes a requirement in the future I don't think that >> AEAD actually limits either of these possibilities, although your choice >> of cipher may. > > The point is that in some environments the choice is BETWEEN > man-in-the-middle (currently done by many corporations via “split SSL” or > “cracked SSL”) with no security guarantees at all, and passive monitoring > where you can have at least integrity & authenticity. > > AEAD with a single key (which is my preference) is incompatible with > passive monitoring unless integrity is sacrificed as well. > [Joe] I see your point, but its not within our current scope to design for this. > > >> On Sep 29, 2014, at 9:28 AM, Michael StJohns <msj@nthpermutation.com> >> wrote: >>> Hi - >>> >>> This isn't a proposal to change the decision to only include AEAD >>> ciphers in TLS1.3. But something crossed my desk that suggested I >>> should at least mention a possible issue with this. >>> >>> Background: There are number of countries (and private networks) that >>> have a requirement to decrypt any traffic passing through certain >>> places. There is not a corresponding requirement to allow them to >>> imitate a sender or receiver. This can be done through key escrow, >>> LEAF-like fields or multiple encryption of the data for example. >>> >>> Implication: AEAD ciphers have a single key which is broken down for >>> use both in the encryption and integrity processes. Revealing that >>> single key (to satisfy the decryption requirement) can reveal the >>> credentials to allow masquerading. If the TLS connection credentials >>> are also being used as credentials for control actions (e.g. >>> cyber-physical controls of power systems, control over a firewall, etc), >>> fulfilling the decryption requirement provides an unintended attack >>> surface for possibly life critical systems. >>> >>> >>> Thoughts: At least one AEAD cipher (CCM) uses the exact same key for >>> both integrity and encryption. There is no way to reveal the encryption >>> key without also revealing the integrity key. But if you have the >>> integrity key, you can masquerade as sender or receiver (controller or >>> controlled). >>> >>> Question: In light of the above, should we revisit the AEAD-only >>> decision for TLS1.3? >>> >>> >>> Question: Is there absolutely no requirement for TLS1.3 integrity only >>> cipher suites? >>> >>> The fallback for systems in areas that have these requirements could be >>> either TLS1.2, one of the other IETF security protocols, or something >>> proprietary. >>> >>> And yes, this was triggered by a real-world requirement. >>> >>> Mike >>> >>> >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls
- [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Martin Thomson
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Stephen Farrell
- Re: [TLS] AEAD only for TLS1.3 revisit Nikos Mavrogiannopoulos
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Dan Harkins
- Re: [TLS] AEAD only for TLS1.3 revisit Ilari Liusvaara
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann
- Re: [TLS] AEAD only for TLS1.3 revisit Hubert Kario
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann