IETF Logo Mail Archive

Re: [TLS] datacenter TLS decryption as a three-party protocol

"Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu> Wed, 19 July 2017 15:07 UTC

Return-Path: <prvs=8373673639=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A1633131CE6 for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 08:07:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgJJkx19TQPf for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 08:07:05 -0700 (PDT)
Received: from llmx2.ll.mit.edu (LLMX2.LL.MIT.EDU [129.55.12.48]) by ietfa.amsl.com (Postfix) with ESMTP id 8C50712F280 for <tls@ietf.org>; Wed, 19 Jul 2017 08:07:05 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by llmx2.ll.mit.edu (unknown) with ESMTP id v6JF746P005135 for <tls@ietf.org>; Wed, 19 Jul 2017 11:07:04 -0400
From: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] datacenter TLS decryption as a three-party protocol
Thread-Index: AQHTAJB0GJJTXEJ9Nke26Xc5y2RlZKJba/cAgAACGwCAAAi6AP//yW6A
Date: Wed, 19 Jul 2017 15:07:03 +0000
Message-ID: <B2046C73-F081-48F3-BF9F-53C955A4CD28@ll.mit.edu>
References: <81de2a21-610e-c2b3-d3ff-2fc598170369@akamai.com> <CAPt1N1mwYyTJVP1AyW0Zu3WBS6SCePAuR97-NQByTQh5Sg6eTA@mail.gmail.com> <CAJU8_nVfKi7iAFxTvVgYVd8G3V-mqMxMXE-03QoXxLSzMcmoHg@mail.gmail.com> <76bb50c5-a699-4c91-7993-618acb365baf@zinks.de>
In-Reply-To: <76bb50c5-a699-4c91-7993-618acb365baf@zinks.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.23.0.170610
x-originating-ip: [172.25.177.195]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3583307223_1931397775"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-19_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1707190248
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FHwNHn4bgCajFO_ElaoGTyraZOo>
Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 15:07:09 -0000

>>> This is exactly right.   We have a real problem here.   We should really solve it.  
>>> We should do the math.   :)
>>
>>  Is there appetite to do this work? If we restrict this to two paths, one of which is
>> spending years designing and implementing a new multi-party security protocol, 
>> the other of which is silently and undetectably (at least on private networks) modifying
>> the standardized protocol for which lots of well-tested code already exists...
>> my money is on the latter happening.
>
> There is a good chance that this "cheaper" solution is what will happen. 

Sure. The point is that IETF *must not* support such “undetectable modifications of a standard protocol”.
The fact that crime invariably happens does not imply that we should become criminals. ;-)

> However the multi-party protocol may be a safer and better approach and may even
> forced in by some regulators when it exists as an implemented alternative.

IETF is supposed to be about designing and (until a decade or so ago) implementing the *right* solutions. In this case multi-party protocol  appears to be “it”. 

So let those who need this capability spearhead the design, with cryptographers and academia helping that work or at least auditing the results.

>> In every decision we make with respect to the static DH approach, we have to keep
>> in mind that this change can be implemented unilaterally, i.e., without any modifications
>> for interop. Consequently, I think the work we really need to do is to design and implement
>> a FS-breakage detector so we can at least tell when this is happening on the public internet.

I agree. Though I don’t know off-hand if this is technically possible. Because as you pointed out, an end-point can always choose to leak its part out-of-band, and there’s nothing his communicating peer can do about it (AFAIK). (We can at least make sure that the official implementations such as OpenSSL and GnuTLS do not include such “extensions”.)

Still, a multi-party protocol that makes the presence or absence of such monitoring explicit, would be the best option, IMHO.

>> Beyond that, the best we can really do is ask implementors to be polite and intentionally
>> make their implementations not interoperate silently with TLS 1.3.

I agree.

v2.23.0 | Report a Bug | By Email