IETF Logo Mail Archive

Re: [TLS] Technical comment on design draft-rhrd-tls-tls13-visibility-00: why also break integrity/authentication?

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Mon, 06 November 2017 06:38 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F23013FB15 for <tls@ietfa.amsl.com>; Sun, 5 Nov 2017 22:38:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 68jvyL1ZxUz5 for <tls@ietfa.amsl.com>; Sun, 5 Nov 2017 22:38:53 -0800 (PST)
Received: from mail-wr0-x22c.google.com (mail-wr0-x22c.google.com [IPv6:2a00:1450:400c:c0c::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 045FC13FAD3 for <tls@ietf.org>; Sun, 5 Nov 2017 22:38:53 -0800 (PST)
Received: by mail-wr0-x22c.google.com with SMTP id j23so3348796wra.9 for <tls@ietf.org>; Sun, 05 Nov 2017 22:38:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=Gz1sjukK3KQOUMQdVt12c9o3wXjghdjx+sjTBMD7U1k=; b=tT4RiHcwYspeau512x1aAIuwqHrq/eXfznV8wuRlMf0evsTtXWNqECpkkiMkln/3Sc Hg6PWLyN/M8WFmwOQqh8xYEhdI0up3GUHOpLUXRvKM1Lqznj/xnDXxqAqgxmEJslEUqH KrjNvW5et4w0hEKXO/3dAvCqXf6ZWZUEssVOkSZY9TYtieZeA99G4nwx/6XGaHM5rFVI NNsKsayOY5Rcb8RLuKHYvTdEigH43ZC1RSnogT5+Jy2pzbnuwlrJze6AibCs1KhXSghR Lr89mrErTpcIwiUfNffIMqU85yjiMrL+2L3JZ+fKens8MczZdlhPa8UsKGheWq+XpO9s 2Bcw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=Gz1sjukK3KQOUMQdVt12c9o3wXjghdjx+sjTBMD7U1k=; b=K99OCFsobNy3Hr+reKMn86FT8wrHribzsS/0m4LHg8EbAWQfqrUCb9txooiRw6D65V 9lcTfcUhYeQ89TGINBmeu/mr94gajVoGHmeTuVZt26Rvr0PrqEOlLKvhjuClwKpyg5iW bWWrhnYkEfyrW/+46gBYBuKBuLlJq7kbHlHXhN9KjHD8PFK80guDXuBUxmFtRpKITJ+C 80zZbZtbElhVw31HSdv5+5Zn3LCghz97+gAck/ygo6F/GRo9bw4a2h97skltIN81FcV3 B2nm3LqlPrAK22AJwjD/9sOawNMBRGye+SAo3vtkoohOv9WyNjSuC6UwRCsHx4sep+ud xw7Q==
X-Gm-Message-State: AMCzsaUg5ONM0ily7STZfLWTbiOfB3q3b+SV4M0isZl5kMVERxpCpPzC giH4cuqeE6uY6ojfGbNSPks=
X-Google-Smtp-Source: ABhQp+TqBEygqlqQK4x9myvxn3/AXLF/rh+kpG7EFi/HRDwwKqkGd9xmENLzeEcm1HMQvTBW2K1mZw==
X-Received: by 10.223.171.236 with SMTP id s99mr12571212wrc.145.1509950331421; Sun, 05 Nov 2017 22:38:51 -0800 (PST)
Received: from [192.168.0.51] (ip-16.net-89-3-97.rev.numericable.fr. [89.3.97.16]) by smtp.gmail.com with ESMTPSA id 89sm3342566wro.25.2017.11.05.22.38.50 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 05 Nov 2017 22:38:50 -0800 (PST)
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Message-Id: <70496A24-F4C2-466E-9522-1832DCD134D1@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_2987D9FD-B1E1-4C24-8B35-26115584E9F3"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 11.1 \(3445.4.7\))
Date: Mon, 06 Nov 2017 07:38:48 +0100
In-Reply-To: <CAOgPGoDyPgvjCv8RdOZXynydYWka4=N3bdjZ7QD-qjY2SXsNMw@mail.gmail.com>
Cc: Richard Barnes <rlb@ipv.sx>, Cas Cremers <cas.cremers@cs.ox.ac.uk>, "<tls@ietf.org>" <tls@ietf.org>
To: Joseph Salowey <joe@salowey.net>
References: <CABdrxL4ZX5GbUhdqmVrhVqwM-MqMsgLL6ow9ksQ8NYBCPvgnfA@mail.gmail.com> <CAL02cgQMeJAqTtrVBzv254arGQU-88NTJJWgZdoRQguPn14TkQ@mail.gmail.com> <CABdrxL7eE1rND6b-q-La7gwzgZmt2VEo3CKUcEfGMoiMWZ71wQ@mail.gmail.com> <CAOgPGoA6N4rwYet61ABNJCKzqEuMrtZ2a6Zk=FaB4uhFtxjT3w@mail.gmail.com> <CAL02cgT-SY3LcSHVMm1D_vP3ZbeHiY48BUOpjaRdUZAxR7nyTg@mail.gmail.com> <CAOgPGoDyPgvjCv8RdOZXynydYWka4=N3bdjZ7QD-qjY2SXsNMw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.4.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MhNoW5T50Lqb_bhgltcpEIIZ59M>
Subject: Re: [TLS] Technical comment on design draft-rhrd-tls-tls13-visibility-00: why also break integrity/authentication?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2017 06:38:56 -0000

Visibility goes both ways. The discussion so far has been primarily about making end-to-end data visible to middleboxes.
It would less concerning to do it the other way round, where middleboxes are made visible to the endpoints, and proxying/visbility decisions are made at the endpoints.
Indeed, this is one of the main ideas behind mcTLS: middleboxes don’t get to transparently inject themselves into a TLS channel, they must be authorized by *both* endpoints.

But even a careful design like mcTLS ends up losing significant authentication and integrity properties, both in the handshake and the record layer. (If someone is interested, send me email, and I can give you details.)
So, I really don’t recommend any change to the TLS 1.3 design to accomplish any of this, it is more likely that the change will break “normal” TLS connections.

If visibility is needed in some scenario, then I would prefer that it be done at the application layer, by a proxy that is visible to and authorized by at least one endpoint, if not both.

-Karthik



> On 6 Nov 2017, at 05:39, Joseph Salowey <joe@salowey.net> wrote:
> 
> I'm in agreement with Stephen.  If you compromise TLS confidentiality you are going to break application security. For most applications a loss in confidentiality in TLS will have an impact in other aspects of security.   The third-party will often be able to inject application traffic, although it may need to do this over a separate connection.
> 
> On Sun, Nov 5, 2017 at 7:38 PM, Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>> wrote:
> I understood Cas to be observing that you could in principle remove confidentiality with regard to the third party to whom keys are being exfiltrated, without also removing integrity and authenticity.  So the third party could observe application traffic, but not modify or inject.  The solution in draft-rhrd removes all three properties with regard to the third party (all still of course hold with regard to all other attackers).
> 
> So you would still have a risk of violating applications' assumptions with regard to confidentiality, but only with regard to confidentiality, and only relative to the chosen third party.   To Stephen's point, though, this is of course a pretty subtle point for application developers to understand.
> 
> --Richard
> 
> 
> On Sun, Nov 5, 2017 at 8:57 PM, Joseph Salowey <joe@salowey.net <mailto:joe@salowey.net>> wrote:
> I'm not sure what use cases you are targeting, but this type of solution can be dangerous for application security. Most application security models assume that TLS will provide both confidentiality and authenticity. Breaking confidentiality will often expose vulnerabilities that can result in escalation of privilege or spoofing resulting in a loss of integrity/authenticity in the application. For example, the use bearer tokens such as passwords or session cookies is widespread. It will take much more work to make applications resilient to loss of confidentiality. There may be use cases where confidentiality compromise is limited to just confidentiality, but I think these are in the minority.
> 
> Joe
> 
> On Fri, Nov 3, 2017 at 7:41 AM, Cas Cremers <cas.cremers@cs.ox.ac.uk <mailto:cas.cremers@cs.ox.ac.uk>> wrote:
> Hi Richard,
> 
> Thanks for the pointer, I had missed your earlier observation of essentially the same thing in the large mail threads.
> 
> Personally, I think it is a substantial and unmotivated loss in security to also give up authentication/integrity.
> 
> Note that any changes towards PERC would require some significant changes in the security analyses; for mctls, I expect it would be a completely new analysis. (I haven't seen any analyses of rhrd, but of the three, it is of course closest to the current setup.)
> 
> Best,
> 
> Cas
> 
> 
> On Fri, Nov 3, 2017 at 2:00 PM, Richard Barnes <rlb@ipv.sx <mailto:rlb@ipv.sx>> wrote:
> Hey Cas,
> 
> This question is a good one.  Earlier I brought up mcTLS, which some folks have been working on to provide even more granular separations than you suggest:
> 
> https://mctls.org/ <https://mctls.org/>
> 
> I think the authors of draft-rhrd are trying for a more lightweight change to TLS.  That said, there might be some intermediate points on the spectrum here.  For example, you could define a TLS ciphersuite akin to what we defined in PERC when we wanted to break integrity partly and confidentiality not at all.
> 
> https://tools.ietf.org/html/draft-ietf-perc-double-07 <https://tools.ietf.org/html/draft-ietf-perc-double-07>
> 
> That would be less invasive than mcTLS, while still getting the properties you describe.
> 
> --Richard
> 
> 
> On Nov 3, 2017 09:43, "Cas Cremers" <cas.cremers@cs.ox.ac.uk <mailto:cas.cremers@cs.ox.ac.uk>> wrote:
> Dear all,
> ​​
> ​​Disclaimer: I am not a proponent of the idea behind draft visibility/green/rhrd; I think such a mechanism should not be part of the TLS 1.3 standard.
> ​​
> ​​I have a technical problem with the current design, whose goal is to allow eavesdropping for inspection, i.e., selectively decreasing confidentiality.
> ​​
> ​​However, the design in the draft also enables arbitrary traffic modification/insertion, additionally breaking all authentication and integrity guarantees. Once someone has the session keys, they can not only eavesdrop but can also start to insert/modify traffic. This additional decrease in security is entirely unmotivated by the cited use cases.
> ​​
> ​​It is possible to offer authentication and integrity, while selectively giving up confidentiality. For example, one could replace the AEAD by (i) a mechanism for authentication and (ii) a separate mechanism for confidentiality, and then possibly reveal the keys used for (ii), but make sure only the real endpoint has the keys for (i). That seems more rational to me, and may retain the authentication/integrity guarantees. However, it would require a much more invasive change.
> ​​
> ​​Best,
> ​​
> ​​Cas
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
> 
> 
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
> 
> 
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email