IETF Logo Mail Archive

Re: [TLS] Proposal: a TLS formal analysis triage panel

Deirdre Connolly <durumcrustulum@gmail.com> Mon, 18 March 2024 15:56 UTC

Return-Path: <neried7@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0E11FC18DBB9 for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 08:56:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.855
X-Spam-Level:
X-Spam-Status: No, score=-6.855 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Px1ytwFXsPF3 for <tls@ietfa.amsl.com>; Mon, 18 Mar 2024 08:56:13 -0700 (PDT)
Received: from mail-ej1-x629.google.com (mail-ej1-x629.google.com [IPv6:2a00:1450:4864:20::629]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20F4AC151090 for <tls@ietf.org>; Mon, 18 Mar 2024 08:56:13 -0700 (PDT)
Received: by mail-ej1-x629.google.com with SMTP id a640c23a62f3a-a3ddc13bbb3so1003601966b.0 for <tls@ietf.org>; Mon, 18 Mar 2024 08:56:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1710777371; x=1711382171; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=4teWCDECACJ2e1kig0l/mDkApmBZi4CKeWHYG/FiHjU=; b=XKyoLxMvyPkaWmBJXjClng04xw776olC4cmH5lTcA6PFBDNO0mm63Vb+O3U62WUjBa QLnOkDoE/GzNOYBshfMfNWmKfShW1c8p77VU33ZZF32lpBCSBtZ57wlII6ESeUfAZ0vG 60cr+qBPE77Osg9BEdt6MJhe3WOeQDqapGNfxvtc5sfSTdu1eGTI/eM3FJMR7ld7srpa jvZ02mYZ7pzAuxiUEO1VDyH1noo6lJX3SJgBHvMUf5UpstG61hJJL9irJmuzFm7hAZlh ZmcKJYw/DO2J6pm/UJJR3i2jdHBxJr2vJy2h/AODxlrk21b80E/i6saAIl4WAxoJ/liB UCHg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1710777371; x=1711382171; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4teWCDECACJ2e1kig0l/mDkApmBZi4CKeWHYG/FiHjU=; b=Zof9AzfUjX4jMQWTuimHePxdHseKf7swczLuJlcuKlzflnSyztDY2I2J6pVBdttQN0 NL6Qop1j5tKCRz4DfxDlrsNlhnj996Vidde4WvBYaTituomMtr0YBJp77oy7iUrVY0gP n7yXjL0iUT6Wflyzb+qQEYzXu2ar0adqc5Zo4bLwUfn/RFjiPRw3cCAaNx+jz2rs7GAE Rral3h9jMgvy9/MvurYybibmAnWLTDsJ/NXr0VyC4DjBqyAfkeXlCvuK0MOYom+Euv/f MvzW1EICjNgrJefQ1KmtxOXqpiBPtZlw2Axvwayij/Y+gvtcy4VG+hOizM8IFaUykyA1 k+rw==
X-Gm-Message-State: AOJu0YzAvS2Mfdnvl6HtfAplgfB6Er9Sq+9EUUzXQdgI7VljtEF8evrS bakS9KAtcDPMpXg3mymyq0ZuW4bYKp6cGNSuKm8Gm8Ud0Dtjn/4iQKeH2wnswMcbXgUVurL65xN FnDR/PnS0LKVawDxXT94+xD1rTU7kM7zW
X-Google-Smtp-Source: AGHT+IHb6dRyseCMCbJFKBK/H0kPRvIgoK8f1lXlJFopStVB4frAKDDU1wukPq7BjBCy9RT0HcJVZ6dBATpj9BByi+A=
X-Received: by 2002:a17:906:249b:b0:a45:fab9:c7ff with SMTP id e27-20020a170906249b00b00a45fab9c7ffmr31784ejb.6.1710777370547; Mon, 18 Mar 2024 08:56:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAFR824ywNTnWPstZsrW7S9PYH+thW9-9f2yP0j_SC_eenS3k7A@mail.gmail.com> <8aa7ee78-4ce9-4fde-97eb-2d81ce4563f0@tu-dresden.de>
In-Reply-To: <8aa7ee78-4ce9-4fde-97eb-2d81ce4563f0@tu-dresden.de>
From: Deirdre Connolly <durumcrustulum@gmail.com>
Date: Mon, 18 Mar 2024 11:56:00 -0400
Message-ID: <CAFR824xymLEs==FiG021+sOJH0YHMzQqLMfhLg+aaqxoYr-Etw@mail.gmail.com>
To: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000761c730613f165d7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C1pmHGt5DnVJ0M3AVBkewW65FEo>
Subject: Re: [TLS] Proposal: a TLS formal analysis triage panel
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Mar 2024 15:56:14 -0000

I do think a 'reference' Tamarin model would be useful. It would of course
only model part of TLS (1.3, for example) and only through a particular
symbolic model/tool. And would require maintenance by...someone.

For the triage panel, I do think the preliminary triage is key: we'd ask a
group of experts /if/ formal analysis (new or updated) is warranted /at
all/, and if warranted, of what kind, what scope, if it needs novel
modeling work, if it can build on existing work, or even if pen and paper
analysis would suffice. I do not think there are any prerequisites to
standing such a triage panel up.


On Mon, Mar 18, 2024, 10:34 AM Muhammad Usama Sardar <
muhammad_usama.sardar@tu-dresden.de> wrote:

> Hi Deirdre,
>
> Just in case I miss the meeting (which is unfortunately after midnight for
> me), I would like to mention that this is great idea and I would be happy
> to contribute to this.
>
> In our recent research on integrating attestation in Inria's ProVerif
> artifacts [1] for TLS 1.3, we faced several challenges, such as:
>
>    - There are very few comments in the code. Main processes (such as
>    Client12, Server12, Client13, Server13, appData, channelBindingQuery and
>    secrecyQuery) have literally no comments at all.
>    - The latest version of the artifacts (modeling draft 20 of TLS 1.3)
>    has incorrectly modeled the key schedule [2,3]. The same incorrect model
>    has been used in a number of TLS extensions, including the recent LURK [4].
>    - WG seems to have no understanding of why some of the decisions were
>    taken in TLS 1.3. In a discussion over mailing list [5] as well as with
>    other experts, nobody has been able to justify the intuition of
>    Derive-Secret for Master Secret, and whether there is any practical attack
>    if that Derive-Secret is missing.
>
> So I believe one initial useful thing that the 'formal analysis triage
> panel' could do is to create RFC8446-consistent baseline artifacts, which
> are well-commented, thoroughly validated and reviewed by a few experts
> (both TLS as well as formal methods). Then these artifacts can be used for
> any TLS extension for which formal analysis is required.
>
> Regards,
>
> Usama
>
> [1] https://github.com/Inria-Prosecco/reftls/tree/master/pv
>
> [2] https://github.com/Inria-Prosecco/reftls/issues/6
>
> [3] https://github.com/Inria-Prosecco/reftls/issues/7
>
> [4] https://github.com/lurk-t/proverif
>
> [5] https://mailarchive.ietf.org/arch/msg/tls/ZGmyHwTYh2iPwPrirj_rkSTYhDo/
> On 06.03.24 02:37, Deirdre Connolly wrote:
>
> A few weeks ago, we ran a WGLC on 8773bis, but it basically came up
> blocked because of a lack of formal analysis of the proposed changes. The
> working group seems to be in general agreement that any changes to TLS 1.3
> should not degrade or violate the existing formal analyses and proven
> security properties of the protocol whenever possible. Since we are no
> longer in active development of a new version of TLS, we don't necessarily
> have the same eyes of researchers and experts in formal analysis looking at
> new changes, so we have to adapt.
>
> I have mentioned these issues to several experts who have analyzed TLS (in
> total or part) in the past and have gotten tentative buy-in from more than
> one for something like a 'formal analysis triage panel': a rotating group
> of researchers, formal analysis experts, etc, who have volunteered to give
> 1) a preliminary triage of proposed changes to TLS 1.3¹ and _whether_ they
> could do with an updated or new formal analysis, and 2) an estimate of the
> scope of work such an analysis would entail. Such details would be brought
> back to the working group for discussion about whether the proposed changes
> merit the recommended analysis or not (e.g., a small, nice-to-have change
> may actually entail a fundamentally new security model change, whereas a
> large change may not deviate significantly from prior analysis and be
> 'cheap' to do). If the working group agrees to proceed, the formal analysis
> triage panel consults on farming out the meat of the analysis work (either
> to their teams or to students they supervise, etc.).\ Group membership can
> be refreshed on a regular schedule or on an as-needed basis. Hopefully the
> lure of 'free' research questions will be enticing.
>
> The goal is to maintain the high degree of cryptographic assurance in TLS
> 1.3 as it evolves as one of the world's most-used cryptographic protocols.
>
> I would like to hear thoughts on this idea from the group and if we would
> like to put it on the agenda for 119.
>
> Cheers,
> Deirdre
>
> ¹ 1.3 has the most robust analysis; we'll see about other versions
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email