IETF Logo Mail Archive

Re: [TLS] Killing Algorithms

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Fri, 03 April 2015 21:01 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AF651A1BA2 for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 14:01:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.001
X-Spam-Level:
X-Spam-Status: No, score=-0.001 tagged_above=-999 required=5 tests=[BAYES_40=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F-3eqd1LfGEq for <tls@ietfa.amsl.com>; Fri, 3 Apr 2015 14:01:17 -0700 (PDT)
Received: from che.mayfirst.org (che.mayfirst.org [209.234.253.108]) by ietfa.amsl.com (Postfix) with ESMTP id A34E01A1B9C for <tls@ietf.org>; Fri, 3 Apr 2015 14:01:16 -0700 (PDT)
Received: from fifthhorseman.net (unknown [38.109.115.130]) by che.mayfirst.org (Postfix) with ESMTPSA id 23031F984; Fri, 3 Apr 2015 17:01:13 -0400 (EDT)
Received: by fifthhorseman.net (Postfix, from userid 1000) id D3F152023A; Fri, 3 Apr 2015 16:01:00 -0500 (CDT)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Aaron Zauner <azet@azet.org>, Bill Frantz <frantz@pwpconsult.com>
In-Reply-To: <551EB007.2010304@azet.org>
References: <r422Ps-1075i-F8BE1282BAD64B8397E9DAE49D77123B@Williams-MacBook-Pro.local> <551EB007.2010304@azet.org>
User-Agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)
Date: Fri, 03 Apr 2015 17:01:00 -0400
Message-ID: <87sich9bar.fsf@alice.fifthhorseman.net>
MIME-Version: 1.0
Content-Type: text/plain
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/9-fExBb3G2db3qzQRdeounaS-ZQ>
Cc: tls@ietf.org
Subject: Re: [TLS] Killing Algorithms
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 21:01:25 -0000

On Fri 2015-04-03 11:21:43 -0400, Aaron Zauner wrote:
> Bill Frantz wrote:
>> From my point of view, acceptable techniques include online code update
>> and special messages which cause implementations to permanently cease
>> using an algorithm, along with methods and procedures to ensure that
>> these techniques actually work in the field.
>
> As much as I like the idea, until someone proposes a sane method to do
> so /online/ in the protocol, I don't think it makes a lot of sense to
> add that to the document, it'll only confuse readers.
>
> I can't think of a way a client or server could negotiate that a cipher
> is deprecated. That'll cause downgrade attacks all over again, possibly
> to the cipher that would by then be deprecated.

I've thought about this a lot, and haven't come up with any answers that
i like very much.  Perhaps i'm not imaginative or accepting enough,
though!

The problem is even worse than "we don't have a good way to switch an
algorithm off when we learn that it's broken" -- at the moment we don't
even have a good way to switch an algorithm off when we have known for
years that it has been catastrophically broken (e.g. EXPORT ciphersuites
still biting people in 2015, thanks FREAK)!

At the moment, the only deprecation models we have seen in practice are:

 0) explicit deprecation documents from standards bodies (like we've
    done for SSLv2 and are doing for RC4).  These often don't have
    teeth, but are used as advice.

 1) phased approaches driven by powerful vendors (e.g. SHA-1 deprecation
    driven by Google and Microsoft) that rely on gradually-increasing
    minor "penalties" (log messages, UI deprecation hints, no EV
    decoration, etc) with a well-published timeline for outright banning
    of the algorithm.  These approaches only seem possible only for
    those players with a lot of weight to throw around.


Here's a thought experiment to consider (i don't think i like this any
more than either of the above, but i haven't heard any other proposals):

Suppose the TLS WG (or some other part of the IETF or IRTF) places a
"believed good until" date on every algorithm in the spec.  We would
commit to updating this "freshness" estimate some interval before the
algorithm "expires".  We would ask implementations with access to a
"real" clock to commit to disabling each algorithm after its expiration
date, unless they recieve notice that the algorithm's expiration has
been extended.

This would put an upper bound on algorithm lifetime, as well as on the
lifetime that a given implementation could survive in the wild without
at least some form of update mechanism (for updating the algorithm
expiration dates at least).

This also provides an impetus for the community to do active, regular
review, rather than assuming that a given algorithm is just "good until
proven otherwise".

Some problems i have this proposal (i'm sure there are others too!):

  * smells like "planned obsolescence" -- from a "consumer" perspective,
    it feels manipulative and cagey, esp. if i have to pay my vendor for
    the upgrades.  Do we need to start thinking about software less like
    a hammer or saw, and more like fruits and vegetables?

  * not every implementation has a wall clock, or has it set right.
    what happens to these machines?

  * what happens when the update mechanism fails?

  * what kinds of attacks do we introduce by being able to turn off
    algorithms by fiddling with a victim's clock?

  * who is responsible for refreshing the expiration dates?  how is this
    done?  this is a time-sensitive, potentially-controversial topic.
    What if the deadline passes without being able to establish a rough
    consensus?  what if the relevant parties fall asleep at the switch?

  * what does this do to the incentives in the academic community to
    study algorithms that have not yet reached their expiration date?
    what about algorithms past their expiration date?

I'd love to hear other concrete proposals for how we can actually
effectively deprecate algorithms in the wild, once a deployed base
exists.

    --dkg

v2.23.0 | Report a Bug | By Email