Re: [TLS] chairs - please shutdown wiretapping discussion...

Ted Lemon <mellon@fugue.com> Tue, 11 July 2017 21:16 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1113612F287 for <tls@ietfa.amsl.com>; Tue, 11 Jul 2017 14:16:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eR3xCQYnDp9l for <tls@ietfa.amsl.com>; Tue, 11 Jul 2017 14:16:34 -0700 (PDT)
Received: from mail-qt0-x230.google.com (mail-qt0-x230.google.com [IPv6:2607:f8b0:400d:c0d::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0350812ECB5 for <tls@ietf.org>; Tue, 11 Jul 2017 14:16:33 -0700 (PDT)
Received: by mail-qt0-x230.google.com with SMTP id r30so4139019qtc.0 for <tls@ietf.org>; Tue, 11 Jul 2017 14:16:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=s2inkSzTRfCyKxFsUOig+2MffrVeq7eMxRaKxhbf+BU=; b=wNil1rwyLeQwz0rbVN8NW0Re3V5EKupfYVnausLRyivCfTyYfe3rNu6MlpHDOU6hPa otKnSgyMQcb7fc31AcnAU1oPmonhcP0MGgBSglcy2BwGHLZ5cCgoSfCQLYUQJrz93zIz IVuq9nBi5S+s82/ejYLV1c0rsjSD4CDLFHdpMUEWoc3b9xZ3eg0AJyQewoNgSFGTlJzf UWiJYWp+6+mOL9Ys92q4wUf1RWJizhQFqDUg+80ewrz9xHXAiYTZNOb/QIBozuGOd1ah CPbxoLjZNJMzNu6HRPLjCnJKxRWP/ZWCsT5/wo1qKa2KVKdXThjMKxVeEDlbA9VYdNQP J7xw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=s2inkSzTRfCyKxFsUOig+2MffrVeq7eMxRaKxhbf+BU=; b=XzKdN/TJz2UeSrnCqefzaHWfFJ3E3/0+gnd4rxFtFQglt/nF7FOJLQhtDG9hXZkAFK xSyumWI6Dpwx/8/vhkwZBVq+Q8bTPDm+X2Y6iSNOBf+be6TS5BOISL2DnmWlEe7b3fM8 dzrPfNNOwI/Rmt3bzpOUX8eDAcl8hX2W3MZ9ISfWiugd+mugmzlDO5z0Y9VGKK6HaHzk F24UkM8ioDteNC+P55v4Q0SMNXA5EEYNphr4Tl/h1a7wmggERAa4ULYfqo3jhiR4jttk rP1u3HtMF3t7h2GrhORRcG96fP4YIhWCI3aunzBG2+y/QCW6TA3Dd1hmXKY05J5DwnJb J1LA==
X-Gm-Message-State: AIVw113AdsG9HEztKgdwGp7Go+gvsc/POmQnWZ+Mv/fL2gvPdkuBuUXf POOVh3+YPYQLu70Tyv9kNQ==
X-Received: by 10.200.13.4 with SMTP id q4mr2494617qti.221.1499807793028; Tue, 11 Jul 2017 14:16:33 -0700 (PDT)
Received: from macbook-pro-6.ether.lede.home (c-73-167-64-188.hsd1.nh.comcast.net. [73.167.64.188]) by smtp.gmail.com with ESMTPSA id h17sm358327qte.20.2017.07.11.14.16.31 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 11 Jul 2017 14:16:32 -0700 (PDT)
From: Ted Lemon <mellon@fugue.com>
Message-Id: <FF3F29FC-9EAA-4092-AF37-B19FB67E6BB8@fugue.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8AA6497C-735E-4176-8A62-70698828EEE7"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Tue, 11 Jul 2017 17:16:31 -0400
In-Reply-To: <74719010-DD1D-44F5-A65C-2FF5DD539066@fugue.com>
Cc: Christian Huitema <huitema@huitema.net>, tls@ietf.org
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
References: <E9640B43-B3AD-48D7-910D-F284030B5466@nist.gov> <CY4PR14MB13688370E0544C9B84BB52A3D7A90@CY4PR14MB1368.namprd14.prod.outlook.com> <9693fc25-6444-e066-94aa-47094700f188@cs.tcd.ie> <CY4PR14MB1368BA01881DD9495FE86DF0D7A90@CY4PR14MB1368.namprd14.prod.outlook.com> <d806a69c-af30-c963-a361-91075332a61b@cs.tcd.ie> <F87D7646-DC53-4EF8-A2D8-D0939A0FB351@vigilsec.com> <b9001044-83d7-805c-2a49-c2780401bbf8@cs.tcd.ie> <C4125902-CA3A-4EA8-989B-8B1CE41598FB@fugue.com> <0c87999c-9d84-9eac-c2c4-0f1fc8a70bdb@cs.tcd.ie> <6DA3E09E-5523-4EB2-88F0-2C4429114805@fugue.com> <fa6e64a2-b1c8-9c55-799b-b687b830a246@huitema.net> <26848de4-ce08-8ebd-bd67-ed3af3417166@cs.tcd.ie> <CD0E0745-EA72-41D9-87F6-B40369ED6A70@fugue.com> <bcda4dab-3590-9162-5f5c-c453f7a610ac@cs.tcd.ie> <2500C1F7-480E-44C9-BDB0-7307EB3AF6C2@fugue.com> <d9870cd0-476c-b255-16bd-594e24cd91f0@cs.tcd.ie> <74719010-DD1D-44F5-A65C-2FF5DD539066@fugue.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/K-wz-P3V5p0rbhEgfKd3Ma5QuDc>
Subject: Re: [TLS] chairs - please shutdown wiretapping discussion...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Jul 2017 21:16:36 -0000

On Jul 11, 2017, at 4:58 PM, Ted Lemon <mellon@fugue.com> wrote:
> On Jul 11, 2017, at 4:31 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie <mailto:stephen.farrell@cs.tcd.ie>> wrote:
>> I'd bet folks would invent proprietary
>> ways of avoiding detection, that deviate from the "standard"
>> and that perhaps make crypto worse all around. Say by deriving
>> secrets from some function f(exfiltrated-secret, time, count)
>> for a small counter or some such and having the decryptor of
>> the wiretapped packets hunt a bit for the right key.
> 
> Hm, well, but that would be catnip for security researchers, particularly if it weakened the key.   But yeah, you're right, that does make detecting the attack possibly impractical aside from as a large research project.

On second thought, this suffers from the same problem as the many-static-keys problem: there are too many moving parts. This requires all clocks on all servers and interceptors to be in perfect sync, not just close, or else potentially halves the performance during clock skew overlap periods. It requires every server and interceptor to implement the same algorithm. And you still have to distribute the information from which the key is derived.

So again, yes, you can do this particular mitigation strategy. But it's expensive, and so nobody's going to do it if they have a better choice. It's cheaper to just re-tool to support TLS 1.3. As long as the solution isn't standard, it's only going to appeal to a _very_ limited audience, if there's any audience for it at all. E.g., consider trying to deploy something like this on a country-wide scale. You're just going to exfiltrate every key instead—it's cheaper.