Re: [TLS] Are we holding TLS wrong?

Martin Thomson <martin.thomson@gmail.com> Fri, 09 November 2018 12:26 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE568130DFD; Fri, 9 Nov 2018 04:26:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VRwujic9ZwJH; Fri, 9 Nov 2018 04:26:32 -0800 (PST)
Received: from mail-oi1-x244.google.com (mail-oi1-x244.google.com [IPv6:2607:f8b0:4864:20::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0457130DF7; Fri, 9 Nov 2018 04:26:31 -0800 (PST)
Received: by mail-oi1-x244.google.com with SMTP id v83-v6so1292151oia.5; Fri, 09 Nov 2018 04:26:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=81CnmNP84SwqhDMo0OViGL2lgUR0OKEcoakKRyd2WKk=; b=X8lB8iO4Z06kGc4GVBCDNSVFLP7tIQAzUxncFUV4+i45aY1TLt6Uk7C+awL7WVTSXx V1uX5fu27C9v51ADTXWZNT/7xX/FCCU3+duCxtq414sqpYYE6M9oWb5leJDjwwIIxBf0 yFzNRT4DS1v1uLmRsAptfRxJDM5M+sejs8m4AVDTd+affu1bBA70kW3mTylmqM3Pz4BS 5RfkCQVZzu3Y7nNL6RyWmO72jM4cd50OHm/BneBbC1orQ4J2Vrch1PivmILZFgGXUxBb 4BZrGCeHow3hpyVDlYRluqMd0C25d89NBkET3T5NsiW6FOnGsPBaJMSAZUm0ztEsGDUC oh4Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=81CnmNP84SwqhDMo0OViGL2lgUR0OKEcoakKRyd2WKk=; b=qPej3/aLT3cexgEQND8aUzGGMvRszpmDcEjEsj4rxr2VxzeqWL88EOno8py1KumTny bouM8iEOTKV42giTBPGcS26hIZMZfWUwHIQc5c0WB+ynzb5EKffQRP10QZ6x3I4Uovc8 PzHXE5NQcnYs5nSB1NWjhloUvlJ2qPCQR+JySbpaqoM2FMDQkZ7xzH+I41Mo5zNHa89i OYhKCoJzbGHX1sjUJyB9nFUpyPIepncSKC/rbyfLQsH+l+STCzh0N+QiZAJdGkbVr24b 0AWxYJXYW6OD0SnE2hu9lgKLPMCepKV0IizsCwjvowz9uyX64FjtZuIFpOj2RBX2VNLY yFPQ==
X-Gm-Message-State: AGRZ1gK8utRfeuRdjsmzfvoZCpwJnhYwzJeFggiQfBvFpR1CNvLNJl59 9lZDW8QsATG9JPAW6S0kxTVB1hk2QqZIJufpQN8=
X-Google-Smtp-Source: AJdET5f4PiG4NIzOOASr6i0NziRjS4itZPcuEFrzig08HvyNE0rcXJW29DQ5Rwr7MhHzQ3kBBeiS0DWxto47mrepzKg=
X-Received: by 2002:aca:c792:: with SMTP id x140-v6mr5062402oif.129.1541766391087; Fri, 09 Nov 2018 04:26:31 -0800 (PST)
MIME-Version: 1.0
References: <CAPDSy+7-ceNNLJpFK0Z4SitBaUgxTpxiea8Z0QtpeSr+MNLKFg@mail.gmail.com>
In-Reply-To: <CAPDSy+7-ceNNLJpFK0Z4SitBaUgxTpxiea8Z0QtpeSr+MNLKFg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Fri, 9 Nov 2018 19:26:21 +0700
Message-ID: <CABkgnnWF6_cqhMCKMWHYNcdOTU=4BjRYaYMtfz-A3jtxprRAHA@mail.gmail.com>
To: dschinazi.ietf@gmail.com
Cc: "<tls@ietf.org>" <tls@ietf.org>, draft-ietf-babel-dtls@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/P6YUL3Jxo_CQIm95AYFbzNGOL8M>
Subject: Re: [TLS] Are we holding TLS wrong?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Nov 2018 12:26:34 -0000

Hi David,

I couldn't find any description of the threat model involved here, nor
could I find any analysis of the security against that model.  Without
that, I can't really say whether this is right or not.  For instance,
there is specific mention of the certificate status request extension,
but there is no mention of why.

Given the configuration that I might infer from the hmac draft, I'm a
little surprised that this doesn't use PSK.

I'm somewhat dismayed by the firm recommendation to use the HMAC
mechanism, which doesn't seem particularly robust.  Offhand, it seems
like replays are possible if you allow the possibility of the node
crashing and dumping state.  The same applies during a rollover of the
32-bit counter.  Of course, that might not be permitted by the threat
model.
On Thu, Nov 8, 2018 at 9:15 AM David Schinazi <dschinazi.ietf@gmail.com>; wrote:
>
> Hi everyone,
>
> Over in the Babel working group we have a draft about securing Babel with DTLS:
> https://tools.ietf.org/html/draft-ietf-babel-dtls-01
>
> It's 5 pages long, could any TLS experts please give it a quick read and let us know if we're using DTLS correctly?
>
> Also, should the document contain guidance such as which DTLS version to use?
>
> Thanks,
> David
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls