Re: [TLS] Industry Concerns about TLS 1.3

Yoav Nir <ynir.ietf@gmail.com> Wed, 28 September 2016 17:51 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F90D12B2BA for <tls@ietfa.amsl.com>; Wed, 28 Sep 2016 10:51:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UC13reYecLKe for <tls@ietfa.amsl.com>; Wed, 28 Sep 2016 10:51:29 -0700 (PDT)
Received: from mail-wm0-x22d.google.com (mail-wm0-x22d.google.com [IPv6:2a00:1450:400c:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1411E12B2B1 for <tls@ietf.org>; Wed, 28 Sep 2016 10:51:29 -0700 (PDT)
Received: by mail-wm0-x22d.google.com with SMTP id l132so84305578wmf.1 for <tls@ietf.org>; Wed, 28 Sep 2016 10:51:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:subject:from:in-reply-to:date:cc:message-id:references :to; bh=TruxnojhVZcGDXsIVUgYNUN7eUPcMFilzFOSKS4DC6I=; b=bEcFY07huM6dv3eOL8I0+U1XJ8NsmZdidCbqz856dYW8dK8rixB0jA0nIY+a/vEp8i BUrLXfiVZW5qGWThN4qedRVibbLolerqL2wlRRJVIdvkcs9iyQzeXzLwZJVSFCgFcQ/h tHrcIqgKzCDJd/taOVNnU4hpVZh2J9K9pcqgWA3kiGUywagEDVT/If+FS1zCylfLiwvs LEtro8zCOSagMNvjjNZhPkGBhiJwY/YWpmQ2rR+/ZJ4KTKuL/khXvFpw7ClSZ825pc+6 m8xhkyw1C4dzQpb3IDUPaYmQLb/z1UPaaR7eafBS5TIr8v2jAsAlfONNpFQ6odp5Xiel fgng==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=TruxnojhVZcGDXsIVUgYNUN7eUPcMFilzFOSKS4DC6I=; b=jfxjOWweHqvqcwLUr7BIKQnyr+YpCWJRTpe2LLi1Zkf42EFMI4Zc5i09wycC8N2DQv Npqct6v38G8psTXnPtca8d0z9v5cA175xJ6yJJHJw06c6nimgkkpkvTdFPuV3sjwT5sa 6sx42egwkvZGEZuDKYjjcInJw9rnDrN1PwCwXCiAf/fuf9pMmomGi7YmlM9oKwQeaubp Ub4c1NGfh0VLFkN45P3DmgtIPBX3DCoxaqAht/JikT6o4eOYdfc8YTgC4L7Xkb/KAS4Z IyU7KtX40CvABdB/Je8AprvN5WH/XeVjIfFJnLmI518tnClivI69wg+i0gqQW1eEkUvm Sj7Q==
X-Gm-Message-State: AA6/9Rn6FfiZHFXCNL5wf2sMrmTxd9mZGlWxTjaIJLfpglsCXQK4QjgWtb/EmdTDGeW2jQ==
X-Received: by 10.28.126.6 with SMTP id z6mr9670418wmc.125.1475085087529; Wed, 28 Sep 2016 10:51:27 -0700 (PDT)
Received: from [192.168.1.13] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id vx7sm5220873wjc.1.2016.09.28.10.51.26 (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Wed, 28 Sep 2016 10:51:26 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_F948D0E9-554F-49B9-BE94-783E0F947713"
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <810C31990B57ED40B2062BA10D43FBF50102182D@XMB116CNC.rim.net>
Date: Wed, 28 Sep 2016 20:51:25 +0300
Message-Id: <FA86B516-6F70-4FAD-929C-46F3A3583DE9@gmail.com>
References: <DM5PR11MB1419B782D2BEF0E0A35E420DF4C90@DM5PR11MB1419.namprd11.prod.outlook.com> <CO1PR07MB283F2C414B6478E993675DEC3C90@CO1PR07MB283.namprd07.prod.outlook.com> <394611bf-208f-03d3-620c-79aaf169645b@cs.tcd.ie> <4FC37E442D05A748896589E468752CAA0DBC66AE@PWN401EA120.ent.corp.bcbsm.com> <CAH8yC8kgYzYXwJ01NkK7WYxD-diponWEQOd+MNHssm+bLHE54w@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC699B@PWN401EA120.ent.corp.bcbsm.com> <CACsn0c=5vjzQmr=ah6sH1JzTj3peaKad7aCPertcqD4B2DLKiA@mail.gmail.com> <4FC37E442D05A748896589E468752CAA0DBC6CAC@PWN401EA120.ent.corp.bcbsm.com> <fd4ad423-3614-5330-b687-1b5848e839f0@wheelsystems.com> <4FC37E442D05A748896589E468752CAA0DBC9732@PWN401EA120.ent.corp.bcbsm.com> <b24efbbb594040e794f7513b7e62b3c7@usma1ex-dag1mb1.msg.corp.akamai.com> <4FC37E442D05A748896589E468752CAA0DBCBA55@PWN401EA120.ent.corp.bcbsm.com> <CAGAMPd83CdOM_R5rwPJ+LfWW4V9pv6oBp==mEVexA2hnBB5v9w@mail.gmail.com> <810C31990B57ED40B2062BA10D43FBF50102182D@XMB116CNC.rim.net>
To: Dan Brown <danibrown@blackberry.com>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AKFXRgvCIgoOOI8NB_vXOq9wGCw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Industry Concerns about TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2016 17:51:31 -0000

> On 28 Sep 2016, at 7:16 PM, Dan Brown <danibrown@blackberry.com>; wrote:
> 
> As I understand the concern, the worry is that Bud is compromising Bob's (TLS) server, to somehow send Bob's plaintext to the wrong place.
>  
> The proposed (existing?) strategy has Bob compromising his own forward-secrecy to stop Bud, but only after the cat is out of the bag. This seems a high price (no forward-secrecy) to pay for little gain (cat-out-of-bag).
>  
> It seems wiser for Bob to somehow monitor or log what is being done with his own plaintexts at his own server. I know little about existing products to do this, but from my theoretical perspective, it ought to be easier than compromising forward-secrecy (logging ciphertexts).
>  
> If proper plaintext monitoring or logging is somehow too costly, then yes...

I don’t really understand under what circumstances logging, monitoring or storing the plaintext is not feasible, while storing the ciphertext is. Because if you don’t store the ciphertext, then keeping static or ephemeral keys around doesn’t buy you much.  It’s true that current server products don’t log or store the plaintext, but they could easily be modified to do that. There are extensions to browsers that store the plaintext if you want.

Maybe if the good folks at the Bluffdale facility are willing to let you download their copy of your captured ciphertexts, then it makes sense to store only ephemeral or static keys. Otherwise it seems cheaper to store the plaintext than to store both ciphertext and keys.

Yoav