Re: [TLS] Broken browser behaviour with SCADA TLS
Peter Gutmann <pgut001@cs.auckland.ac.nz> Fri, 06 July 2018 06:33 UTC
Return-Path: <pgut001@cs.auckland.ac.nz>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D0EA130DE2 for <tls@ietfa.amsl.com>; Thu, 5 Jul 2018 23:33:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.198
X-Spam-Level:
X-Spam-Status: No, score=-4.198 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_MED=-2.3, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=auckland.ac.nz
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QXi3yDjZ-QEa for <tls@ietfa.amsl.com>; Thu, 5 Jul 2018 23:33:40 -0700 (PDT)
Received: from mx4-int.auckland.ac.nz (mx4-int.auckland.ac.nz [130.216.125.246]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C9CE1271FF for <tls@ietf.org>; Thu, 5 Jul 2018 23:33:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=@auckland.ac.nz; q=dns/txt; s=mail; t=1530858820; x=1562394820; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=/W9eUayHTZMflSTKSO3Xh1HRnJLkNkPLU+Pf3KADfFQ=; b=y6J77ZM9ab0mTQUOXMjj3cYyONYrkpx40jo1H92rxW90DnIy7x54jyL6 R9Gd0giBJBQQg7EgPA8w53lOg2dKJ9uEt1ih5GTTeZTAsB0YkGOiH9c8s GkwHaaVCdRln/mGVbf1MW8oKAjkEZ5ktvDObBNp838g4iOK3dBr9FM+us 0bHs/PRwehS20nExh6Lm7sk4EHOcMYJyIT5dpAy8EFGPIX1aaGZju25c2 ISrnUJkEs4j6xfkcX7Z4o1Rz6yhoBdvyZH0+Mf2nTbgWlCkYqj1KYBBeS uVxrfc5hVN7rC3I2aqbcAzlh+iySOdiuVF39W5YCuODUm4UVvrNbmh43i Q==;
X-IronPort-AV: E=Sophos;i="5.51,314,1526299200"; d="scan'208";a="19920852"
X-Ironport-HAT: MAIL-SERVERS - $RELAYED
X-Ironport-Source: 10.6.2.5 - Outgoing - Outgoing
Received: from exchangemx.uoa.auckland.ac.nz (HELO uxcn13-ogg-d.UoA.auckland.ac.nz) ([10.6.2.5]) by mx4-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 06 Jul 2018 18:33:37 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz (10.6.3.5) by uxcn13-ogg-d.UoA.auckland.ac.nz (10.6.2.25) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Fri, 6 Jul 2018 18:33:37 +1200
Received: from uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::ccab:7bf5:3d4a:aed8]) by uxcn13-tdc-d.UoA.auckland.ac.nz ([fe80::ccab:7bf5:3d4a:aed8%14]) with mapi id 15.00.1263.000; Fri, 6 Jul 2018 18:33:36 +1200
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: "mrex@sap.com" <mrex@sap.com>
CC: David Benjamin <davidben@chromium.org>, Nikos Mavrogiannopoulos <nmav@redhat.com>, "<tls@ietf.org>" <tls@ietf.org>
Thread-Topic: [TLS] Broken browser behaviour with SCADA TLS
Thread-Index: AQHUE2JmEGgXYKCP9EqF19k6tdX1YKR92r8AgAAKB4CAAM2CYv//PBOAgAAHUoCAAG4mgIABhdIIgAA/joCAAZX2yw==
Date: Fri, 06 Jul 2018 06:33:36 +0000
Message-ID: <1530858795765.38904@cs.auckland.ac.nz>
References: <1530687136897.97792@cs.auckland.ac.nz> <CABkgnnXsM2_PsL_YsuNEh6eDyp-R2d2JRm6OmGFh9nRAV5Lukg@mail.gmail.com> <20180704074101.GA19789@LK-Perkele-VII> <1530691044974.54956@cs.auckland.ac.nz> <20180704081519.GA20000@LK-Perkele-VII> <b8ecb2cfdac0495f188baf9df187c075e70c3a58.camel@redhat.com> <CAF8qwaBTHfn7iBEaZ9QQ2ueP09Qn4J2s1sBWhqopTzq7eLF6ww@mail.gmail.com> <1530757910178.45400@cs.auckland.ac.nz>, <20180705181827.5820E409B@ld9781.wdf.sap.corp>
In-Reply-To: <20180705181827.5820E409B@ld9781.wdf.sap.corp>
Accept-Language: en-NZ, en-GB, en-US
Content-Language: en-NZ
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [130.216.158.4]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/S6y16l8SGleUMhnn9lbCWS5MfEk>
Subject: Re: [TLS] Broken browser behaviour with SCADA TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jul 2018 06:33:44 -0000
Martin Rex <mrex@sap.com> writes: >Cough, what? TLS_DHE_ was known to be a security disaster beyond fixing a >good decade ago (14-May-2007): > > https://www.ietf.org/mail-archive/web/tls/current/msg01647.html That's not DHE that's the problem, it's the use of ridiculously short toy keys that were known to be insecure 20-25 years ago when they were mandated for export grade use. >but it needed a LOGJAM demonstration to have folks look at the crappy >implementations in the installed base. Sure, LOGJAM pointed it out, and spurred fixes (finally), just like FREAK did for RSA (and BEAST did, and POODLE did, and CRIME did, and BREACH did, and FLUFFYBUNNY did, and Heartbleed did, it always takes some attack with a cool name before people fix their code). I'm still waiting for a paper to point out that 512-bit DSA and secp160 are insecure, I assume the lack of public use of these is what's prevented that. The point is it has nothing to do with DHE, you've got exactly the same vulnerability with RSA-512, DH-512, DSA-512, Elgamal-512, and Mr-Not- Appearing-in-this-List-512. LOGJAM had two great contributions, firstly pointing out that there were a scary number of servers that still allowed toy keys, and secondly providing a baseline where, if you're worth less than several hundred million to several billion dollars to an attacker, DH-1024 is still OK (as long as it's not group2, that one's a bit too risky). >Probably most usage scenarios that still offer TLS_DHE today, provide less >security than with static-RSA 2048-bit. Sure, if you choose your DH key to be 512 bits and your RSA key to be 2048, you can make that claim. I'm going to choose my RSA key to be 128 bits and my DH key to be 16384 bits, in which case DH wins again. And by quite a margin, I must say. >How often does your SCADA devices (=servers) regenerate its DHE params? That's a question I can't answer in general because I've only seen the source code for a small number of vendor-specific embedded implementations (under various NDAs), but both from the code and from knowing the coding style used for these implementations, they'll do so on every connection because that's how the textbooks describe it. These implementations do just enough to connect to a client or server (some act as clients connecting to things like PLC control centres). They are the bare minimum needed to function. Cert processing is done with memcpy() of a pre-encoded blob. TLS extensions are encoded with memcpy() and decoded with memcmp(). You get the picture. No-one would even think of the possibility of cacheing DH parameters, let alone sit down and write the code for it. >Static RSA-2048 will always be better than DHE-1024. Since this will be exposing a private-key op with every decryption oracle and side channel known to research science directly to anything on the network (see the comment above on how these implementations are written), I'm going to disagree with you there. With DH you've admittedly still got the RSA sig, but that's buried behind/under so much other stuff I doubt it's exploitable. >Simply regenerate and roll your RSA keys&server cert if it makes you feel >good. Since that could involve a firmware reflash (with the new cert coded into the firmware), on a remote device that can never go offline, it's not likely to happen. In a previous message I mentioned an example of using DSA for TLS. This is because you can generate a DSA key in essentially zero memory with a single modexp, which completes before the watchdog times out and restarts the system. You can't do that with RSA in hard real-time. Also, there's no way to "roll the cert", it's baked in at the factory or when the device is deployed. Well, a reflash I guess, but then see above. >btw. which kind of "problematic pure-RSA" are you talking of? See above, exposing your private key via every kind of side channel and decryption oracle to a network attacker. >because of the illusion of PFS, which they create but do not offer. Maybe I shouldn't have mentioned PFS, I used that as an example because it was quicker than writing several paragraphs on why pure RSA is dangerous. PFS is actually more or less irrelevant for SCADA, it's something cryptographers care about but SCADA folks don't because pretty much all the traffic being carried is tactical, no-one's worried about an attacker being able to go back later and see that you sent a pilot-operated relief valve activation command two weeks ago in your non-PFS encrypted traffic. Peter.
- Re: [TLS] Broken browser behaviour with SCADA TLS Hubert Kario
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Salz, Rich
- Re: [TLS] Broken browser behaviour with SCADA TLS Hubert Kario
- Re: [TLS] Broken browser behaviour with SCADA TLS Hubert Kario
- Re: [TLS] Broken browser behaviour with SCADA TLS Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Martin Rex
- Re: [TLS] Broken browser behaviour with SCADA TLS Nikos Mavrogiannopoulos
- Re: [TLS] Broken browser behaviour with SCADA TLS Ilari Liusvaara
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Ilari Liusvaara
- Re: [TLS] Broken browser behaviour with SCADA TLS Martin Thomson
- [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Hubert Kario
- Re: [TLS] Broken browser behaviour with SCADA TLS Martin Thomson
- Re: [TLS] Broken browser behaviour with SCADA TLS Salz, Rich
- Re: [TLS] Broken browser behaviour with SCADA TLS Kurt Roeckx
- Re: [TLS] Broken browser behaviour with SCADA TLS David Benjamin
- Re: [TLS] Broken browser behaviour with SCADA TLS Colm MacCárthaigh
- Re: [TLS] Broken browser behaviour with SCADA TLS David Benjamin
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Ilari Liusvaara
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann
- Re: [TLS] Broken browser behaviour with SCADA TLS Adam Langley
- Re: [TLS] Broken browser behaviour with SCADA TLS Martin Rex
- Re: [TLS] Broken browser behaviour with SCADA TLS Martin Rex
- Re: [TLS] Broken browser behaviour with SCADA TLS Martin Thomson
- Re: [TLS] Broken browser behaviour with SCADA TLS Peter Gutmann