Re: [TLS] integrity only ciphersuites

Mike Bishop <mbishop@evequefou.be> Mon, 20 August 2018 23:01 UTC

From: Mike Bishop <mbishop@evequefou.be>
To: Eric Rescorla <ekr@rtfm.com>, "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
CC: "tls@ietf.org" <tls@ietf.org>
Date: Mon, 20 Aug 2018 23:01:25 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JplYQimM94JDB4f9_DPoodecQ9o>

I tend to think the strongest scenario for integrity-only ciphersuites is in an application where the data being transferred is already encrypted sufficiently.  For example, when running IPsec over an IP-HTTPS tunnel, Microsoft used a null cipher on the outer TLS layer.  However, as you say, this can be deceptive.  DRM-protected media is already encrypted and seems like another application for this, but using TLS means it is not (as) trivial to identify that different flows are retrieving the same resource.

From: TLS <tls-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: Monday, August 20, 2018 1:58 PM
To: Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org>
Cc: tls@ietf.org
Subject: Re: [TLS] integrity only ciphersuites



On Mon, Aug 20, 2018 at 1:48 PM, Nancy Cam-Winget (ncamwing) <ncamwing=40cisco.com@dmarc.ietf.org> wrote:
All,
A couple of IoT consortiums are trying to embrace the improvements made to TLS 1.3 and as they define their new security constructs would like to adopt the latest protocols, in this case TLS 1.3. To that extent, they have a strong need for mutual authentication, but integrity only (no confidentiality) requirements.


In following the new IANA rules, we have posted the draft https://tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-00 to document the request for registrations of HMAC-based cipher selections with TLS 1.3 ... and are soliciting feedback from the WG on the draft and its path forward.

Nancy,

As you say, you don't need WG approval for code point registration as long as you don't want Recommended status.

With that said, I don't think this document makes a very strong case for these cipher suites. Essentially you say:

1. We don't need confidentiality
2. Code footprint is important

Generally, I'm not very enthusiastic about argument (1). It's often the case that applications superficially need integrity but actually rely on confidentiality in some way (the obvious case is that HTTP Cookies are an authentication mechanism, but because they are a bearer token, you actually need confidentiality). It's much easier to just always supply confidentiality than to try to reason about when it is or is not needed.

The second argument is that you are trying to keep code size down. It's true that not having AES is cheaper than having AES, but it's possible to have very lightweight AES stacks (see for instance: https://github.com/01org/tinycrypt).

So, overall, this doesn't seem very compelling.

-Ekr




Warm regards, Nancy (and Jack)

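Two points raised in this thread are that a bearer cookie still needs confidentiality and that identical resources become linkable across flows. The sketch below illustrates both; it is an added example, not part of the original messages. It uses a simplified model of an integrity-only record (HMAC-SHA256 over a sequence number and the payload), not the record construction defined in the draft; all names and sample data are constructed.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size

def _mac(key: bytes, seq: int, payload: bytes) -> bytes:
    # Binding the sequence number prevents reordering/replay within a flow.
    return hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Integrity-only record: cleartext payload followed by its MAC."""
    return payload + _mac(key, seq, payload)

def verify(key: bytes, seq: int, record: bytes) -> bytes:
    """Return the payload if the MAC checks out, else raise ValueError."""
    payload, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(key, seq, payload)):
        raise ValueError("bad record MAC")
    return payload

def on_wire_payload(record: bytes) -> bytes:
    """What a passive observer without any key reads: all but the tag."""
    return record[:-TAG_LEN]

def demo() -> dict:
    # Constructed sample data: two connections with independent keys.
    key_a, key_b = os.urandom(32), os.urandom(32)
    request = b"GET /media/seg1 HTTP/1.1\r\nCookie: session=EXAMPLE-TOKEN\r\n\r\n"
    segment = b"constructed stand-in for an already-encrypted media segment"
    rec_req = protect(key_a, 0, request)
    rec_a = protect(key_a, 1, segment)
    rec_b = protect(key_b, 1, segment)
    tampered = bytes([rec_a[0] ^ 1]) + rec_a[1:]  # flip one payload bit
    try:
        verify(key_a, 1, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "roundtrip_ok": verify(key_a, 1, rec_a) == segment,
        "tamper_detected": tamper_detected,
        # The bearer token is readable on the wire without any key.
        "cookie_visible": b"session=EXAMPLE-TOKEN" in on_wire_payload(rec_req),
        # The same resource is byte-identical on both flows...
        "flows_linkable": on_wire_payload(rec_a) == on_wire_payload(rec_b),
        # ...even though the per-connection MACs differ.
        "tags_differ": rec_a[-TAG_LEN:] != rec_b[-TAG_LEN:],
    }

if __name__ == "__main__":
    print(demo())
```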