Re: [TLS] AEAD only for TLS1.3 revisit
Michael StJohns <msj@nthpermutation.com> Wed, 01 October 2014 16:36 UTC
Return-Path: <msj@nthpermutation.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C47C91ACE28 for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 09:36:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mHAQooHkjACE for <tls@ietfa.amsl.com>; Wed, 1 Oct 2014 09:36:15 -0700 (PDT)
Received: from mail-qa0-f50.google.com (mail-qa0-f50.google.com [209.85.216.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF9F91ACE7D for <tls@ietf.org>; Wed, 1 Oct 2014 09:36:14 -0700 (PDT)
Received: by mail-qa0-f50.google.com with SMTP id w8so511155qac.23 for <tls@ietf.org>; Wed, 01 Oct 2014 09:36:13 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:message-id:date:from:user-agent:mime-version:to :subject:references:in-reply-to:content-type; bh=Mv5v3jzlRfEGuqZrLMhVYbmFbADSx0/alwBDwIB+btY=; b=YB4G05/GhwQ3LpbvYaJzfUXI+Ln9aXxBZzKca0oUtRRe30jJ/G/9uMzQUe/WQ4WLJ9 RR5ofalKH2Dq/Rhjyd+Imcu30A1THW/swI7KGeewDyc/yvA0DOWKpFkAtZ1kWbhxnaTK zL4fc1nPIW9HNzhmWtqbSKLSNEKrL7y72lCIfBGJDN2PR+wVjAMI6l/t6yStcEl1G6kv Wx5J3iMgOk9OIFydr5xM9zFYm20JDjWUdrYGFsPSsLkTmuSiXpzRAx1eCqyHURQ0e9ME McMSVJv2Fq3p1m9oH0PW28GNXzxefL12OplEzoBVCT3KnQ26rtD1STgUHnExHtDKC7mY D8vQ==
X-Gm-Message-State: ALoCoQnDuf1Pcm3u4Bgp0IjK4XitstZHntk0H9cR7qd7f5QlxblPYmUjTLSX03LFuq8SOb+mEb8C
X-Received: by 10.140.84.11 with SMTP id k11mr88109520qgd.75.1412181373759; Wed, 01 Oct 2014 09:36:13 -0700 (PDT)
Received: from ?IPv6:2601:a:2a00:226:5d8b:d39a:536a:43ec? ([2601:a:2a00:226:5d8b:d39a:536a:43ec]) by mx.google.com with ESMTPSA id z7sm1026537qal.19.2014.10.01.09.36.13 for <tls@ietf.org> (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 01 Oct 2014 09:36:13 -0700 (PDT)
Message-ID: <542C2D85.7000705@nthpermutation.com>
Date: Wed, 01 Oct 2014 12:36:21 -0400
From: Michael StJohns <msj@nthpermutation.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: tls@ietf.org
References: <542988C5.8050307@nthpermutation.com> <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com> <D05080B2.1ABB6%uri@ll.mit.edu> <44A2498B-D0CB-415C-A1D8-2E362FD8BDF0@cisco.com> <542B450C.5010304@cs.tcd.ie>
In-Reply-To: <542B450C.5010304@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="------------050805060704060206040903"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LlNhyV89qbaM0ANJuVhCjUt6HRA
Subject: Re: [TLS] AEAD only for TLS1.3 revisit
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Oct 2014 16:36:18 -0000
On 9/30/2014 8:04 PM, Stephen Farrell wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hiya,
>
> On 30/09/14 22:23, Joseph Salowey (jsalowey) wrote:
>> [Joe] I see your point, but its not within our current scope to
>> design for this.
> IMO Joe is fully correct. This WG has repeatedly dealt with
> proposals of many kinds for standardising MiTM attacks on TLS
> and has repeatedly rejected that functionality. And should it
> ever be in favour while I'm the irresponsible AD, I'll be
> asking for the complete analysis of the impact of that on
> the literally hundreds of other IETF specifications (not to
> mention non-IETF specs and running code) that depend on TLS
> and implicitly on TLS not enabling a MiTM. I've raised this
> point in response to the last 3 or maybe 4 (I've lost count
> sadly) proposals to MiTM TLS and have yet to get a substantive
> response.
Hi Stephen -
Sorry, but this is a complete mis-statement of the problem.
1) There are places where "someone" requires the disclosure of the
confidentiality key of traffic transiting a specific network, or point.
That's just reality. How that is done is not a TLS protocol issue.
2) _*Nowhere in any of the emails (or at least the in the email thread
started by me) has there been a suggestion to "standardize MiTM attacks
on TLS" .*__* This is somewhat fear mongering.*_
3) TLS1.3 has exacerbated the problem of (1) by specifying AEAD as its
sole cryptographic model because of:
a) There are no viable integrity only AEAD cipher suites defined
which could be used to satisfy (1)
b) Since the only defined AEAD cipher suites couple the integrity
key with the encryption key, it is impossible to reveal only the
encryption key (thereby defeating the principle of least privilege).
E.g. the command key is shared by more than two entities.
4) In a number of TLS cases that I'm aware of, the most important
characteristic is mutual authentication (or at least sender/controller
authentication), as TLS is used as a bearer service for command and
control. Confidentiality is simply a "nice to have". That's the
observed characteristic for most of the smart grid stuff, and I would
expect that it will be similar for most of the IoT stuff.
The key piece here is that using TLS1.3 actually weakens the security
guarantees (protection of the control channel) given the real world
constraints of confidentiality key escrow/release. For me this was an
"unintended consequence" of the AEAD decision and one I didn't realize
until I encountered a new requirement for (1).
Note: I think (1) is a bad choice in pretty much all cases, but that I
don't get to decide that, I just have to design systems that can be sold
to customers that require it.
>
> This seems to me to be just another in this series of attempts
> to legitimise such MiTMs, albeit in this case as a comment on
> an already establish bit of WG consensus. (The MiTM part is
> the suggestion that different keys be established with those
> for confidentiality being "revealed.")
The implication that "different keys be established" is something new in
TLS is absurd. TLS1.3 makes changes that remove functionality and
capabilities that have been in the protocol from the beginning. Making
sure that the "unintended consequences" from those removals are actually
intended seems to me to be no more than due diligence.
As I said in my original message, the default for designers is going to
be to fall back to TLS1.2, or use other IETF security protocols or build
a proprietary protocol for such designs. That may be just fine.
>
> Yes, I know that there are deployments that do MiTM TLS. Yes,
> I know that there are some people who say that is required
> for some definition of required. (There are also those who
> claim doing so is anathema, so the existence of an argument
> is not in itself convincing.) I would ask however that those
> making the MiTM argument please set that out clearly as the
> change that it would represent to current IETF consensus
> documents such as RFCs 2804 and the pretty recent 7258 and
> others. But first try establish IETF consensus on your MiTM
> principle. That (establish the principle first) would seem
> to me to be the proper order required for such a change.
What "change" are you talking about?
By the way, RFC 7258 - you mention it above - has this:
> Making
> networks unmanageable to mitigate PM is not an acceptable outcome,
> but ignoring PM would go against the consensus documented here. An
> appropriate balance will emerge over time as real instances of this
> tension are considered.
This is somewhat different than considering all concerns resolved as you
seem to imply above.
From the customer's POV, (1) above is both a network management issue
and possibly a legal compliance issue. They may own the network, and
the traffic transiting it may mostly be machine-to-machine. The issues
you (since you wrote 7258) raised with respect to PM are not broadly
applicable to the privacy of a light switch or a sluice dam. I'd say
that counts as a "real instance".
I asked two questions in my original email:
> Question: In light of the above, should we revisit the AEAD-only
> decision for TLS1.3?
>
>
> Question: Is there absolutely no requirement for TLS1.3 integrity
> only cipher suites?
The primary decision to remove AEAD was NOT because it made passive
monitoring more difficult, but because it simplified the design of the
protocol AND ensured proper integrity protection over records. The
integrity only suites were a mostly unmourned casualty of that decision.
I'm not aware of any earlier discussion on the subject I raised in
this thread. I'm also not aware that anyone has proposed a change -
we're just talking here to figure out whether or not we missed something
critical in making that decision.
So what exactly is the problem with this discussion?
Mike
>
> S.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQEcBAEBAgAGBQJUK0UMAAoJEC88hzaAX42ikfUIAJxdIBnNfQaZWjczMiz68Jsw
> +LUzR4xsPn4nosJAsUWoGEOQI6yP8aj90qPdYMEF5tYORVtdhrDtfjy9Lkl25884
> 9xep6ug86ya0JHlWmVdcjfH1gg9MIFw0MgH8XqENagCcYzXfpoCmJ6njVwimqROS
> ZuZnTV+Fa9Offx95d3eZUY1fbe9kAPD18ClXry9J0CbDxxeKWumTLIz/egSGNv1q
> kFokSJbyRmmzMBEVlUb/iY+Hx8zbqSnwR0n+BiyKIrvWiUn3ZWw5KT9HVoFuBZZS
> 4czdFaWp9//J7GdJGZg5xz5LLBzeBB6VlFjjVNwiHXoFjswJBjgEuOf5yJQPEEQ=
> =k+r4
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
- [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Martin Thomson
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Stephen Farrell
- Re: [TLS] AEAD only for TLS1.3 revisit Nikos Mavrogiannopoulos
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Dan Harkins
- Re: [TLS] AEAD only for TLS1.3 revisit Ilari Liusvaara
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann
- Re: [TLS] AEAD only for TLS1.3 revisit Hubert Kario
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann