Re: [TLS] TLS Digest, Vol 156, Issue 60

"Eydlin, Igor - PENNINGTON NJ" <igor_eydlin@ml.com> Wed, 12 July 2017 00:27 UTC

Return-Path: <igor_eydlin@ml.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A052131606 for <tls@ietfa.amsl.com>; Tue, 11 Jul 2017 17:27:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.802
X-Spam-Level:
X-Spam-Status: No, score=-9.802 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-2.8, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ml.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e1ymwBrp2PDn for <tls@ietfa.amsl.com>; Tue, 11 Jul 2017 17:27:47 -0700 (PDT)
Received: from bankofamerica.com (rchemail.bankofamerica.com [171.159.227.167]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB83613181D for <tls@ietf.org>; Tue, 11 Jul 2017 17:27:46 -0700 (PDT)
Received: from vadmzmailmx05.bankofamerica.com ([171.182.203.230]) by lrcha0n0xepmx04.bankofamerica.com (8.15.1/8.14.5) with ESMTP id v6C0Rjgk028562 for <tls@ietf.org>; Wed, 12 Jul 2017 00:27:45 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ml.com; s=corp1702; t=1499819265; bh=n/UND5zW26OY0RkmBtVJX+5pR373M0NYAxgcWBgIMKQ=; h=Date:From:Subject:In-reply-to:To:Message-id:MIME-version: Content-type:Content-transfer-encoding:References; b=W+3jiaY/3d3RAizUstLboVfYAtn7sMIdamHH4Fo6RnjAarFRcKlBZsLDPLOozYr9J vQwnpz0RdHy9rgUfNGE9Iw6k6P+n2Y9gvFUgW7iukGphp0ExEdr2W1XCMVE2kEJHPZ LMqyJQPwEQI/3PbWIb5l6JdPbFHFxBD8LvZpytH4=
Received: from lrcha0n5xepmx12.bankofamerica.com (lrcha0n5xepmx12.bankofamerica.com [171.205.12.15]) by vadmzmailmx05.bankofamerica.com (8.15.1/8.14.5) with ESMTP id v6C0Rald008639 for <tls@ietf.org>; Wed, 12 Jul 2017 00:27:45 GMT
Date: Wed, 12 Jul 2017 00:27:40 +0000
From: "Eydlin, Igor - PENNINGTON NJ" <igor_eydlin@ml.com>
In-reply-to: <mailman.562.1499810950.4234.tls@ietf.org>
X-Originating-IP: [171.206.3.30]
To: "tls@ietf.org" <tls@ietf.org>
Message-id: <59A768ECCBC05D4CAD5C6A2EDDD8075188DCC8C4@smtp_mail.bankofamerica.com>
MIME-version: 1.0
Content-type: text/plain; CHARSET=US-ASCII
Content-language: en-US
Content-transfer-encoding: 7BIT
X-MS-Has-Attach:
Accept-Language: en-US
Thread-topic: TLS Digest, Vol 156, Issue 60
Thread-index: AQHS+pJgsDEI8CIo3UyfVGvTe8NuO6JPTCQg
X-MS-TNEF-Correlator:
x-bac-client-sensitivity: X1
References: <mailman.562.1499810950.4234.tls@ietf.org>
X-Virus-Scanned: clamav-milter 0.98.7 at vadmzmailmx05.bankofamerica.com
X-Virus-Status: Clean
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-11_13:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/E0PqxtuKSRFAl3ykdqlbh3tEDi4>
Subject: Re: [TLS] TLS Digest, Vol 156, Issue 60
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jul 2017 00:27:50 -0000

As a person that supports enterprise environments, I would like to make a few points towards supporting draft utilizing static DH keys inside of enterprise perimeters: 

*	We need to support in-line and out of band TLS decryption in order to be able to fulfill our obligations to securely support our clients. We would have to utilize active application firewalls, IPs, IDS, End  User Management and monitoring tools.
*	Supporting Monitoring, EUM, and Security horizontal and vertical traffic coverage inside of the DMZ would be almost impossible. In many cases relying on logs and application/ network alerts and alarms leaves many troubleshooting and monitoring aspects cumbersome and not reliable. 
*	Men in the middle solution (such as proxy, accessibility fabrics/switches, load balancers sandwiches, ... ) adding additional processing time that would increase round trip time by 20 to over 100% (based on our internal benchmarks) That would lead to time X where X is number of application turns. How would users like it if their "favorite web site" had such an increase in response time during browsing?
*	On the public internet site, exploit client browsers could have a setting or warning to refuse such a TLS conversation to avoid static key usage as it was mentioned in previous communications.



-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of tls-request@ietf.org
Sent: Tuesday, July 11, 2017 6:09 PM
To: tls@ietf.org
Subject: TLS Digest, Vol 156, Issue 60

Send TLS mailing list submissions to
	tls@ietf.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwICAg&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=Vz5mPTKmRh5XLwS5tp3D5gUo0x4x4r0IJ9DRWtVBuaA&m=MKc8GqNkbHLFtOlhAnO20M4sBp9QaIvcEhosO-v3M9Q&s=obUyEFMB40U1YA3Vm8KOBQKwd4VQax8zip_AAct0jvk&e= 
or, via email, send a message with subject or body 'help' to
	tls-request@ietf.org

You can reach the person managing the list at
	tls-owner@ietf.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of TLS digest..."


Today's Topics:

   1. Re:  chairs - please shutdown wiretapping discussion...
      (Ted Lemon)
   2. Re:  chairs - please shutdown wiretapping discussion...
      (Stephen Farrell)
   3. Re:  chairs - please shutdown wiretapping discussion... (Yoav Nir)


----------------------------------------------------------------------

Message: 1
Date: Tue, 11 Jul 2017 17:16:31 -0400
From: Ted Lemon <mellon@fugue.com>;
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>;
Cc: Christian Huitema <huitema@huitema.net>;, tls@ietf.org
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
Message-ID: <FF3F29FC-9EAA-4092-AF37-B19FB67E6BB8@fugue.com>;
Content-Type: text/plain; charset="utf-8"

On Jul 11, 2017, at 4:58 PM, Ted Lemon <mellon@fugue.com>; wrote:
> On Jul 11, 2017, at 4:31 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>> wrote:
>> I'd bet folks would invent proprietary
>> ways of avoiding detection, that deviate from the "standard"
>> and that perhaps make crypto worse all around. Say by deriving
>> secrets from some function f(exfiltrated-secret, time, count)
>> for a small counter or some such and having the decryptor of
>> the wiretapped packets hunt a bit for the right key.
> 
> Hm, well, but that would be catnip for security researchers, particularly if it weakened the key.   But yeah, you're right, that does make detecting the attack possibly impractical aside from as a large research project.

On second thought, this suffers from the same problem as the many-static-keys problem: there are too many moving parts.   This requires all clocks on all servers and interceptors to be in perfect sync, not just close, or else potentially halves the performance during clock skew  overlap periods.   It requires every server and interceptor to implement the same algorithm.   And you still have to distribute the information from which the key is derived.

So again, yes, you can do this particular mitigation strategy.   But it's expensive, and so nobody's going to do it if they have a better choice.   It's cheaper to just re-tool to support TLS 1.3.   As long as the solution isn't standard, it's only going to appeal to a _very_ limited audience, if there's any audience for it at all.   E.g., consider trying to deploy something like this on a country-wide scale.   You're just going to exfiltrate every key instead?it's cheaper.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_browse_tls_attachments_20170711_558567ed_attachment.html&d=DwICAg&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=Vz5mPTKmRh5XLwS5tp3D5gUo0x4x4r0IJ9DRWtVBuaA&m=MKc8GqNkbHLFtOlhAnO20M4sBp9QaIvcEhosO-v3M9Q&s=6tIu6VzbJsEfG0FdNckxZcqjUfwHtOIs4ejadxCs0Eo&e= >

------------------------------

Message: 2
Date: Tue, 11 Jul 2017 22:21:15 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>;
To: Yoav Nir <ynir.ietf@gmail.com>;, Christian Huitema
	<huitema@huitema.net>;
Cc: Ted Lemon <mellon@fugue.com>;, tls@ietf.org
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
Message-ID: <104f5108-751a-c8f5-45dc-bf5d7be26f35@cs.tcd.ie>;
Content-Type: text/plain; charset="utf-8"



On 11/07/17 22:10, Yoav Nir wrote:
> If one of the parties to a conversation cooperates with the wiretap,
> this isn?t an attack.
Lemme try on this one again from a different angle.

In classic telephony wiretaps the carrier does the
tap. There are similar situations with TLS...

In hosted platforms (e.g. wordpress.com and many
others) where the senders and receivers (or publishers
& readers) have read and write access via PHP code
and not via a shell, and cannot therefore control web
or TLS configuration, the platform would be doing a
wiretap if it turned this on, whilst colluding with
or being coerced by some other entity that collects
and later decrypts the ciphertext and packets.

Are we agreed that that use-case is wiretapping via
this mechanism?

There are many millions of people who use such
constrained hosted environments.

Cheers,
S.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: OpenPGP digital signature
URL: <https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_browse_tls_attachments_20170711_38fa13f0_attachment.asc&d=DwICAg&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=Vz5mPTKmRh5XLwS5tp3D5gUo0x4x4r0IJ9DRWtVBuaA&m=MKc8GqNkbHLFtOlhAnO20M4sBp9QaIvcEhosO-v3M9Q&s=9fK4WbMTVYjcVd8WIWkHwKqZkVSsPd9526W_CEgkLkc&e= >

------------------------------

Message: 3
Date: Wed, 12 Jul 2017 01:09:02 +0300
From: Yoav Nir <ynir.ietf@gmail.com>;
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>;
Cc: Christian Huitema <huitema@huitema.net>;, Ted Lemon
	<mellon@fugue.com>;, TLS WG <tls@ietf.org>;
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
Message-ID: <A97601C6-D74F-4339-9EFF-D937BD2D2D51@gmail.com>;
Content-Type: text/plain; charset="utf-8"


> On 12 Jul 2017, at 0:21, Stephen Farrell <stephen.farrell@cs.tcd.ie>; wrote:
> 
> 
> 
> On 11/07/17 22:10, Yoav Nir wrote:
>> If one of the parties to a conversation cooperates with the wiretap,
>> this isn?t an attack.
> Lemme try on this one again from a different angle.
> 
> In classic telephony wiretaps the carrier does the
> tap. There are similar situations with TLS...
> 
> In hosted platforms (e.g. wordpress.com and many
> others) where the senders and receivers (or publishers
> & readers) have read and write access via PHP code
> and not via a shell, and cannot therefore control web
> or TLS configuration, the platform would be doing a
> wiretap if it turned this on, whilst colluding with
> or being coerced by some other entity that collects
> and later decrypts the ciphertext and packets.
> 
> Are we agreed that that use-case is wiretapping via
> this mechanism?
> 
> There are many millions of people who use such
> constrained hosted environments.

Wordpress.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__wordpress.com_&d=DwICAg&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=Vz5mPTKmRh5XLwS5tp3D5gUo0x4x4r0IJ9DRWtVBuaA&m=MKc8GqNkbHLFtOlhAnO20M4sBp9QaIvcEhosO-v3M9Q&s=Zf95oL14AEPloaHXQFOMYY6M0pRZfz3E-O2UOrH1rQM&e= > is a party to the session. It has access to the plaintext and could deliver it to whatever third party whenever they wanted. This draft may be an optimization, but the plaintext was always theirs to give.

I might be deluding myself that I?m sending this email to you over TLS. In fact I?m only uploading it to gmail.com <https://urldefense.proofpoint.com/v2/url?u=http-3A__gmail.com_&d=DwICAg&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=Vz5mPTKmRh5XLwS5tp3D5gUo0x4x4r0IJ9DRWtVBuaA&m=MKc8GqNkbHLFtOlhAnO20M4sBp9QaIvcEhosO-v3M9Q&s=WqRUlHL4Shtg7zq0N-i7juYr6veb1Ig-pX59M8p9JXQ&e= > who will forward it to TCD?s server. Both servers will have access to the plaintext. Both servers can send it to a third party, or share session keys or share ECDHE private keys.

Whether one party to a conversation (phone or IP) has the right to share private contents with a third party is a legal matter that varies from country to country and from state to state. I only claim that this draft does not change the fact that is true for PFS suites in TLS 1.x and for all suites in TLS 1.3, that it?s impossible to decrypt a recorded session without cooperation from either party, and that cooperation has to start *before*  the session is recorded.

That is not the case for POTS wiretap or for the RSA key exchange.

Yoav

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_browse_tls_attachments_20170712_d1668f80_attachment.html&d=DwICAg&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=Vz5mPTKmRh5XLwS5tp3D5gUo0x4x4r0IJ9DRWtVBuaA&m=MKc8GqNkbHLFtOlhAnO20M4sBp9QaIvcEhosO-v3M9Q&s=OK5RJ4SA0pK7nmpsoSNV0ssEmMo02ocAd0cFjsGrdG8&e= >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 455 bytes
Desc: Message signed with OpenPGP
URL: <https://urldefense.proofpoint.com/v2/url?u=https-3A__mailarchive.ietf.org_arch_browse_tls_attachments_20170712_d1668f80_attachment.asc&d=DwICAg&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=Vz5mPTKmRh5XLwS5tp3D5gUo0x4x4r0IJ9DRWtVBuaA&m=MKc8GqNkbHLFtOlhAnO20M4sBp9QaIvcEhosO-v3M9Q&s=Lf3-sJzANnW-XVfvwiUT9jnCSJEgXMD7kz-EcOVA03g&e= >

------------------------------

Subject: Digest Footer

_______________________________________________
TLS mailing list
TLS@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwICAg&c=SFszdw3oxIkTvaP4xmzq_apLU3uL-3SxdAPNkldf__Q&r=Vz5mPTKmRh5XLwS5tp3D5gUo0x4x4r0IJ9DRWtVBuaA&m=MKc8GqNkbHLFtOlhAnO20M4sBp9QaIvcEhosO-v3M9Q&s=obUyEFMB40U1YA3Vm8KOBQKwd4VQax8zip_AAct0jvk&e= 


------------------------------

End of TLS Digest, Vol 156, Issue 60
************************************

----------------------------------------------------------------------
This message, and any attachments, is for the intended recipient(s) only, may contain information that is privileged, confidential and/or proprietary and subject to important terms and conditions available at http://www.bankofamerica.com/emaildisclaimer.   If you are not the intended recipient, please delete this message.