Re: [TLS] Use-case for non-AEAD ciphers in network monitoring

Eric Rescorla <ekr@rtfm.com> Mon, 17 May 2021 20:00 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0379D3A42E3 for <tls@ietfa.amsl.com>; Mon, 17 May 2021 13:00:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VgkroNRoenBs for <tls@ietfa.amsl.com>; Mon, 17 May 2021 13:00:00 -0700 (PDT)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C4ED03A42E0 for <tls@ietf.org>; Mon, 17 May 2021 13:00:00 -0700 (PDT)
Received: by mail-io1-xd2d.google.com with SMTP id k16so7048725ios.10 for <tls@ietf.org>; Mon, 17 May 2021 13:00:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hpF5OPof7ZygUu+w+u5ioQjJVcCEVZeimTROKa03mTI=; b=B9PRAuQuOJlWUoo/QUjpKoFHIZ+9Nt8oUcds5FOODzH/Xfj9hFs7aNKAgkXkL4ZCCp sAo7545rjYMx6z0VAZN0qn9DQxSLa2oiemGJWsZUHWC5WpLPfiahr2MdyTSU3Qb0QOud lOYxzngGkRJhE/I0HYplleVcJbKlD2HPugni7D7ehqLZS0QpPgnLKC8J/0Ct1FzHlwY7 FCwBQLIH2SDoM0vRDhBTI0QJEADxn3iG3/tX0gNtzFxU6G32whM+/ge4NxM9yYtnINR2 4D/sO8dtObIXaTuUNzPqKHoSAf1WKNNy2PjDFeEGyYoybZEOEHfG++5mlBqEFPeDLgaM tfeQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hpF5OPof7ZygUu+w+u5ioQjJVcCEVZeimTROKa03mTI=; b=hzCzcpAseyjpdaroUOW1ptkV0yFVZ6JLgZp/SuclVK+a5VA3KwdqJagvySMnDxDsVM x+2OWSLBP4kggpWBDNiTGKOuy0EAW01IFNwL0HhPiugqCcPk9HhJUL6bBqlLjS8tN8Lw BP+XNxzCIfccNtHfG2BqIU7OVVvoJbBxyNa1yl7yPfn/tntbwxo7owAIJoFn1qC5VaT7 JQajueTu0goDQ6froNRu0RJz/EgPUFeoSeE/PnhC8Rr+nUqxcZFGsbw66GdMTMuPAgrY cAP715Tm7wSezmMfwdYjIO2+PUWXTXsjl2NxDeuHKGJmsGpxdhK95JICLE5fP+uY/5eG atZw==
X-Gm-Message-State: AOAM530JddZJaVKoxLsf/bkUf3m57uKA41MrqUbF/4aS8ej6Rgmb82X0 ZkWT+dvNVCPivifomxxHsndo/NVC3irSjMiZTcGh4GwcLuTDm4SY
X-Google-Smtp-Source: ABdhPJwH7w7pfexQzoHBjut0FgWA1iiUUkxFIfbNZmgXR+u6eheysDlxhTf2NBRUsJq6SJjmBPLDKwDqWIPMa8Ie2Qg=
X-Received: by 2002:a05:6638:29a:: with SMTP id c26mr1647472jaq.135.1621281599591; Mon, 17 May 2021 12:59:59 -0700 (PDT)
MIME-Version: 1.0
References: <b084b7a8-80a9-c7d9-fca7-dabb12ad6949@informatik.uni-hamburg.de>
In-Reply-To: <b084b7a8-80a9-c7d9-fca7-dabb12ad6949@informatik.uni-hamburg.de>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 17 May 2021 12:59:23 -0700
Message-ID: <CABcZeBNQRYwyFmwSwnGMXjN-U8UuDHdJCYpg_=YVqfYrRFFByQ@mail.gmail.com>
To: Florian Wilkens <wilkens@informatik.uni-hamburg.de>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d32b0805c28c09c6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/OmNtcvtKfQKPN6LWvCH9xJT9JtM>
Subject: Re: [TLS] Use-case for non-AEAD ciphers in network monitoring
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 May 2021 20:00:06 -0000

Hi Florian,

This suggestion comes up occasionally, and as Rich Salz says,
you could just register your own cipher suite.

With that said, I would make three comments:

1. I think it's a bit of a category error to talk about AEAD versus
non-AEAD in this context. AEAD is just an interface, so it's possible
to have AEAD algorithms that can have separate keys. For instance,
consider AES-CTR with HMAC.

2. If you have to define a new cipher suite, than that will require
changes on both sides, client and server.

3. It can be fairly hard to reason about the security properties of
this kind of system. As a concrete example, one might imagine that
having only the confidentiality key would allow one to inspect HTTP
client requests but not to modify them. However, because much HTTP
authentication is via cookies, as a practical matter being able to
inspect an HTTP transcation is sufficient to impersonate the client to
the server.

-Ekr



On Mon, May 17, 2021 at 9:25 AM Florian Wilkens <
wilkens@informatik.uni-hamburg.de> wrote:

> Hey folks,
>
> we came across a novel use-case that highlights the need for non-AEAD
> ciphers in TLS and would like to start a discussion on that.
>
> Our use-case is passive TLS decryption on network monitors (NMs).
> Non-AEAD ciphers would allow  to selectively forward the TLS write keys
> from clients to a NM that can then passively decrypt TLS sessions,
> without touching their integrity (as the write MAC keys remain on the
> host). This would be a major improvement compared to the usage of MitM
> proxies as current state of the art. MitM proxies terminate all TLS
> connections and establish own connections. Thus, a compromised MitM
> proxy cannot only decrypt all packets, but also change packet contents.
>
> We propose an approach for passive TLS decryption [1] in which
> cooperating hosts selectively forward TLS keys to the NM that then
> decrypts TLS sessions. The approach is (i) completely passive and thus
> does not interfere with the overall connection security and (ii) is able
> to selectively decrypt certain TLS connections with the hosts retaining
> full authority over the key material. While a MitM proxy can also claim
> to selectively decrypt traffic, we can guarantee this by keeping key
> material for selected connections on the client. Furthermore, for
> non-AEAD ciphers only the write keys, but not the write MAC keys, are
> forwarded, so that the NM can inspect but not modify TLS packets.
>
> Our prototype is built for the Zeek network monitor [2] and is currently
> in the process of being upstreamed with explicit interest from the
> maintainers [3]. Once merged, this will be the first open-source
> solution for passive TLS decryption on both client host (for which we
> built a small prototype) and network monitor (Zeek).
>
> We understand that AEAD ciphers offer many advantages and we understand
> the decision to limit the set of available ciphers to secure choices
> only. However, we think the use-case of passive TLS decryption is highly
> relevant especially for enterprise settings. In such settings, mainly
> MitM proxies are used that are a security problem on their own.
>
> We look forward to your feedback.
>
> Best,
> Florian
>
> [1] https://arxiv.org/abs/2104.09828
> [2] https://zeek.org
> [3] https://github.com/zeek/zeek/pull/1518
>
> --
> M.Sc. Florian Wilkens
> Research Associate
> Phone: +49 40 42883 2353
>
> IT-Sicherheit und Sicherheitsmanagement (ISS)
> Universität Hamburg
> Fachbereich Informatik
> Vogt-Kölln-Straße 30
> 22527 Hamburg
> Deutschland
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>