IETF Logo Mail Archive

Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

Eric Rescorla <ekr@rtfm.com> Thu, 11 February 2021 17:30 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3D7F3A17BE for <tls@ietfa.amsl.com>; Thu, 11 Feb 2021 09:30:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SXeGGUhT4-Is for <tls@ietfa.amsl.com>; Thu, 11 Feb 2021 09:30:55 -0800 (PST)
Received: from mail-lf1-x130.google.com (mail-lf1-x130.google.com [IPv6:2a00:1450:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FEAF3A17BB for <TLS@ietf.org>; Thu, 11 Feb 2021 09:30:55 -0800 (PST)
Received: by mail-lf1-x130.google.com with SMTP id u25so9273841lfc.2 for <TLS@ietf.org>; Thu, 11 Feb 2021 09:30:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=c97Py17hDY6+SPiUL2kiludSaTtwUGTemQ14Hmx6iMc=; b=OJ6QWv5gjh5FdGqHIiKV87Dny0uAXarTJHD0M5bT6HNxOYzQUa6E5OhH0vpQLIxaWX ZKQrubCXp5SYTX/aUqEoOiDWR2d3MO3ujXFj9MCrNlq2vvS7Aj59VbTjqfd9cFCxvZnd YasR5eZmF2FngcJH5gvkCdqEF4Ua7GpzayTHGMm6zjDFYTHf0wFoUL1sqfda95GgD3x9 JVlxI0C/TLQAhNsXlRf7zOndN2PXLQIK8CzWUIadq/AF58WNXdbI0jNNmmIET4cwYEmi IFrJjCax/6BjxpbH19pDrsl5+Rt9VU0p16eGNQpXQmHOoH2AZX2A8PsDqAIZlWiz/ozd MYtA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=c97Py17hDY6+SPiUL2kiludSaTtwUGTemQ14Hmx6iMc=; b=YrFPIqF6lKvNn2v08YXnqCIf9t4wfU0pFWrmv3P3yLH2d0apMnTlXqdVfnZnq7Iig4 qcDT0vl0mQFbMj/Ja3AOWiF1KWlHgaoGtBKopCUmO44cjtX360WiRv0a/pB++sHAWjHr xX/8Yj4NrvR0q8HgG50roV88WisaZ+0QZq9y/CZIK3+DIqxbvIpzPLlijesSKGGdklAl nEUnQLoisND01tNn6Fzv6pTaxRrUBlhPTpDryXYcHzv1Vs0zZ0zZL6nRbryboLBe//C0 2PpTD03+1X11vM2BFcm6RmRREQNRRywMHFCwwV9/cjBHFFbmdHjjM22rvtOeTMyM3JsX rmlg==
X-Gm-Message-State: AOAM532DDds1Vod6GG73U22LS3NEEwzp5J0Y78QiAawX94HC+zqYxOYb WiB1ZrfAr/W2KtHR6J6i6qUHgOOt0Pg2JIEhtpotVw==
X-Google-Smtp-Source: ABdhPJytQc5SFXw3pUULwfcC+oWWvn5DOpVsXuKkXDX3lEQZqtthxKfMCsUBq1SEVmON2lru4Zk7iRIKbPHu2MdyrBM=
X-Received: by 2002:a19:6447:: with SMTP id b7mr4767187lfj.206.1613064652954; Thu, 11 Feb 2021 09:30:52 -0800 (PST)
MIME-Version: 1.0
References: <D553EA7A-1B49-4A7F-8992-FEEFC4B7C176@ericsson.com>
In-Reply-To: <D553EA7A-1B49-4A7F-8992-FEEFC4B7C176@ericsson.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 11 Feb 2021 09:30:16 -0800
Message-ID: <CABcZeBMvZyuZKoKykR=sXADDP2Pez6yT+FCGg=10++sNj+LC-A@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: "TLS@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a3b7b805bb12e151"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SSTxpVX1qZh1dtnlz1IslWnN9yQ>
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 17:30:58 -0000

John,

Thanks for raising this topic I think it's important. I agree with you on
the technical situation. As you say, we should be encouraging people to
move to TLS 1.3, and NULL encryption cipher suites do not provide all the
guarantees that TLS 1.3 is intended to deliver. [0].

I also agree with you that we probably should not stop people from making
registrations even of weak ciphersuites, merely because it is not an
effective way to limit their use and creates interoperability problems.
However, as you say we should make clear that TLS 1.3 only provides its
stated security properties when used with strong algorithms. While I think
it's helpful to add this to the TLS spec, I wonder if this is something
that should be in the registry in a way stronger than Recommended=N.
Conceptually, it seems to me that suites fall into three categories:

- The WG has evaluated them and believes they are good (Recommended=Y)
- The WG has not evaluated them and has no real opinion (Recommended=N)
- They clearly do not provide some important security properties (???)

We could then put draft-camwinget in the last category (the situation with
draft-ietf-tls-external-psk-guidance seems a bit more complicated).

As far as the contents of draft-camwinget, I concur that it would be better
if rewritten in the form you propose, but as its an individual draft -- and
I am not in favor of it being taken on as a WG item -- I'm not sure how
much it matters. I tend to think it would be better to have something from
the WG (e.g., the registry change I propose above) that made the WG's view
clear.

-Ekr

[0] You correctly raise the point that without encryption, TLS 1.3 does not
deliver protection of endpoint identities. I would also note that it does
not provide unlinkability for resumption, even if each ticket is used only
once. Moreover, it's not clear to me the extent to which the analyses of
TLS 1.3 relied on the fact that the cipher suites provide encryption. While
it seems likely that TLS with NULL encryption provides the expected
properties (i.e., data origin authentication without confidentiality), I'm
not sure we have analysis to that effect.

On Thu, Feb 11, 2021 at 2:03 AM John Mattsson <john.mattsson=
40ericsson.com@dmarc.ietf.org> wrote:

>  Salz, Rich wrote:
> >Can you explain why TLS 1.2 isn't good enough for your needs?
>
> I think it's bad to force industries requiring visibility to use TLS 1.2
> unless it is for a limited time. TLS 1.2 is obsolete. I think the TLS WG
> should not spend any more time on TLS 1.2.
>
> I personally do not object to the registrations as such. I object to the
> draft stating that sacrificing confidentiality has latency, cost, power,
> processing, and code size benefits. There seems to be consensus in the TLS
> WG that this is most often not the case. The discussions with the authors
> seem to lead nowhere. I think the draft needs to remove everything
> regarding benefits. In fact, I think the draft could be very short:
>
> "There are use cases requiring visibility. This memo defines cipher suites
> without confidentiality for such use cases. This breaks the TLS 1.3
> security property "Protection of endpoint identities" and is NOT
> RECOMMENDED."
>
> That said, I think NULL encryption is a VERY BAD solution to the
> visibility problem. If visibility is needed,
> draft-rhrd-tls-tls13-visibility is clearly better.
>
> The TLS WG might also need to discuss when the Appendix E security
> properties applies. Both draft-camwinget-tls-ts13-macciphersuites and
> draft-ietf-tls-external-psk-guidance breaks some of the security
> properties. Maybe this is ok as long as it is NOT RECOMMENDED?
>
> Cheers,
> John
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email