IETF Logo Mail Archive

Re: [TLS] Is there a way forward after today's hum?

Jeffrey Walton <noloader@gmail.com> Thu, 20 July 2017 14:11 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2A23126CD6 for <tls@ietfa.amsl.com>; Thu, 20 Jul 2017 07:11:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Acn1KonF6dFZ for <tls@ietfa.amsl.com>; Thu, 20 Jul 2017 07:11:18 -0700 (PDT)
Received: from mail-oi0-x233.google.com (mail-oi0-x233.google.com [IPv6:2607:f8b0:4003:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A45A120227 for <tls@ietf.org>; Thu, 20 Jul 2017 07:11:18 -0700 (PDT)
Received: by mail-oi0-x233.google.com with SMTP id 191so27641153oii.2 for <tls@ietf.org>; Thu, 20 Jul 2017 07:11:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc; bh=F9ntQ229VMX6OQ7Vkvpn2zpu6peCBtDeoo1BYFbPdek=; b=AxcBP0zgvWBI88sTem/wHKX8fqTrZWUI6xm265oApaE2FT4mVi9IMCARnmN0Xqt/+Q z5kh2mO/c4ZiYSn+vO7w7+uS4K1wQYcXE4/4ycAW/WJGF9MR3wr4Tisx9RSZ4yxO8qp3 2fTc5VVitNH0cYpeNodL+Yh0bxbKnZuW6cDa+Eo2kIYO9bXp4DzDJVdboMf0Lv13sMZu bDxUNrxj0iYqk5dyochgZZAS9aA/p/esv4c6Z+i5SPJdVNVlys5Fzio8xRmV7gPQBqR+ b/lhwdyqgbKbpwA9EHKopmoocC25kyIBujTg8Ad6Aa6rQth9ND/rHzHo1CIDZe4WYmeB 32eA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc; bh=F9ntQ229VMX6OQ7Vkvpn2zpu6peCBtDeoo1BYFbPdek=; b=tbOd36WHKrciHhGjUO8HWnWbvVjuwzbCMy7fUn6Nte8bcu+EZYFY+liwDpEtIU59uo bmihSNdqxMP8WJJmeaz9nPee42jZcEG4w9Q1u2Q1LaV5kCQkjEqsjuh7BgNzptxgJIYN QxBC10iz/Mj4ld4LZPoK/d39deDkI7msVpqdqdt+wpkqlAqrcyBNhOM2HYFDR48nKNIL m7gcvJJ4omHWEfateX6Flb7K0Pn2vo77UCQktpbSM4e3qiKDWfSbixn2jSKzG0oTJiGD QNVoqdU2FMSXTzTUqibnC8bwxWznPswpxlUg59yLwFQawuBl1QH1O5SdIy2EiZvr6HEY Ekfg==
X-Gm-Message-State: AIVw110tr9gsYUqORJA8Bz5FHmbr30ziUwWft3rmuOcn3TWpxyqZacyc xP3CZyL3McW2/1DW8TBJnY25Rl7phA==
X-Received: by 10.202.53.215 with SMTP id c206mr5464037oia.164.1500559877368; Thu, 20 Jul 2017 07:11:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.5.6 with HTTP; Thu, 20 Jul 2017 07:11:16 -0700 (PDT)
Reply-To: noloader@gmail.com
In-Reply-To: <BN6PR06MB3395B6AABD069E49D4C3C921BFA70@BN6PR06MB3395.namprd06.prod.outlook.com>
References: <BN6PR06MB3395E47F181D02D5772EEC81BFA70@BN6PR06MB3395.namprd06.prod.outlook.com> <5B14DA7C-E6D4-4681-AEE5-23DD0949CE68@vigilsec.com> <BN6PR06MB3395B6AABD069E49D4C3C921BFA70@BN6PR06MB3395.namprd06.prod.outlook.com>
From: Jeffrey Walton <noloader@gmail.com>
Date: Thu, 20 Jul 2017 10:11:16 -0400
Message-ID: <CAH8yC8mOEfzGVmRZXL=W9WON-YYLpjE7HQbU_WrUzrQ_YB01kg@mail.gmail.com>
To: Robin Wilton <wilton@isoc.org>
Cc: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Ct6GMhpbtAlht1C_ptX1BGC4354>
Subject: Re: [TLS] Is there a way forward after today's hum?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 14:11:20 -0000

On Thu, Jul 20, 2017 at 9:35 AM, Robin Wilton <wilton@isoc.org> wrote:
>...
> If I am analysing this correctly, there are two "tampering events" involved
> here.
>
> The first is: has someone tampered at the protocol/notification level to
> prevent the client from being notified that static DH is in use?
>
> The second is: when the client decrypts traffic using whatever has resulted
> from the key exchange protocol, can it tell whether the DH key that was used
> is a static one or not?
>
> I don't know enough about your proposed extension to judge whether it's
> reasonable to assume that the finished message processing would detect
> either of those or not (but I freely admit, that's my lack of knowledge).

In my mind's eye, and stepping back to 10,000 feet, the security
engineering problem you are witnessing is:

   * The security community has advised "DH for perfect forward secrecy"
   * RSA key transport was deprecated because it does not provide PFS
   * The proposal does an end-around, and it breaks
expectations/security properties

The security community created the "reasonable expectation" of PFS
when using Diffie-Hellman. A typical developer who follows best
practices will expect it. It was pounded into heir heads. Cf.,
https://www.imperialviolet.org/2013/12/03/forwardsecretforjournalists.html
and https://www.imperialviolet.org/2013/06/27/botchingpfs.html.

The typical developer will not be able to make the distinction between
Diffie-Hellman Ephemeral and Static Diffie-Hellman modulo key vaulting
so traffic can be decrypted later. In the typical developer's eyes,
they have been told to do something because it has certain security
properties but it no longer holds.

The signalling indicates the loss of the security property typical
developers and users have come to expect.

Jeff

v2.23.0 | Report a Bug | By Email