IETF Logo Mail Archive

Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

Jack Visoky <jmvisoky@ra.rockwell.com> Thu, 11 February 2021 19:13 UTC

Return-Path: <jmvisoky@ra.rockwell.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 61A913A187B for <tls@ietfa.amsl.com>; Thu, 11 Feb 2021 11:13:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ra.rockwell.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hwJoBDst--fx for <tls@ietfa.amsl.com>; Thu, 11 Feb 2021 11:13:36 -0800 (PST)
Received: from NAM12-BN8-obe.outbound.protection.outlook.com (mail-bn8nam12on2045.outbound.protection.outlook.com [40.107.237.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1F96E3A187A for <TLS@ietf.org>; Thu, 11 Feb 2021 11:13:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=SkXrBMcCsPbY/2pv+dgij9EzOCh9yGjjIn8dr18gzGWgxZEauNxEtv0sw40RWBZgJRQD9S3LljmkPF2P4gdOl5E5pQoFYw5ptG4MTMhVAAsQjaaCCUH/2nGYF9P9QQOjjZnCdW8496QenBm6jb/scsSRvV7isbaCrPHzZfYu0XLHnyWCxnjDwqVS2NbNKFIcw8idV/8F3xlO+fMl+04SBAPFIhdCsrGm4wgVtzCqXvS8V1hp3/C4PHlHH6ZbrCeFDIOcB0PamamWRsFR9UzfnTWbu9TjE9KC0a28myxjqmg+e/00KLUv8tfwiQeqUl5E9wAFzL2Yv4/NyTVjRwiEUg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CoJ1qC2Kig7kCLpuBxNPcl/lErSgl3FlHoX8MKbs3RA=; b=a0waKpfNnsoa5YJOyO0ZhPDipCXaJqwi6lGJ/7GVk3yDUhfKNHYNveBJ2awX6zgcBwSjk7yfmQPrbqKJxJkLd7N49vEipCD9D5ktRpXxLT39ASile+xl55Ck3if6woIXM9P7+fDE7Ehgw4OLUhURTZEVHO5KPFCh1nvFPa3mh/4HMp+OhUbzj/Kr5TxRWjbX6xLToZoaPcof8nfbf2Vbo1NiM78g+bhTtmKKGQmCmQi9GjEFkFLb1G1CGa2VBdkvE0uu3Wt2o0/pvTfbL7CZn1iUx/JmoOIbTjujlHaeNTTU1syPNXLGpo0VLpGvVq2UlI1H7ij+f2feZcIZLjRWiw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ra.rockwell.com; dmarc=pass action=none header.from=ra.rockwell.com; dkim=pass header.d=ra.rockwell.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ra.rockwell.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CoJ1qC2Kig7kCLpuBxNPcl/lErSgl3FlHoX8MKbs3RA=; b=PI6UA5GOGkEfPY2IMrEqW3oNAzBS19+hNffbKRJdCAUUtJ3l3KlByH7ER706Zs8LGSF6as+UxPemcBfMSpr2+Ek2f0wiqc9O5PpBvbhl5s0QHpf93CCNOweXkk/UYqCZY8DP6eFy74UT9/mCmG6Baumz65D7W/U6TWJlIDA2AbI=
Received: from DM5PR2201MB1643.namprd22.prod.outlook.com (2603:10b6:4:34::17) by DM6PR22MB2183.namprd22.prod.outlook.com (2603:10b6:5:2b4::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.27; Thu, 11 Feb 2021 19:13:32 +0000
Received: from DM5PR2201MB1643.namprd22.prod.outlook.com ([fe80::b5:9927:99e6:834b]) by DM5PR2201MB1643.namprd22.prod.outlook.com ([fe80::b5:9927:99e6:834b%5]) with mapi id 15.20.3825.030; Thu, 11 Feb 2021 19:13:32 +0000
From: Jack Visoky <jmvisoky@ra.rockwell.com>
To: Eric Rescorla <ekr@rtfm.com>, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
CC: "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
Thread-Index: AQHXAF0eKpj0DQqHFUiRZYRt05ITUapTNmQAgAAbzvA=
Date: Thu, 11 Feb 2021 19:13:32 +0000
Message-ID: <DM5PR2201MB1643321F09407F251ADC8CFB998C9@DM5PR2201MB1643.namprd22.prod.outlook.com>
References: <D553EA7A-1B49-4A7F-8992-FEEFC4B7C176@ericsson.com> <CABcZeBMvZyuZKoKykR=sXADDP2Pez6yT+FCGg=10++sNj+LC-A@mail.gmail.com>
In-Reply-To: <CABcZeBMvZyuZKoKykR=sXADDP2Pez6yT+FCGg=10++sNj+LC-A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-dg-ref: PG1ldGE+PGF0IG5tPSJib2R5Lmh0bWwiIHA9ImM6XHVzZXJzXGptdmlzb2sxXGFwcGRhdGFccm9hbWluZ1wwOWQ4NDliNi0zMmQzLTRhNDAtODVlZS02Yjg0YmEyOWUzNWJcbXNnc1xtc2ctMzlkYmU2NjAtNmM5ZC0xMWViLTk2ZTMtNTRiZjY0MmYyMmIwXGFtZS10ZXN0XDM5ZGJlNjYyLTZjOWQtMTFlYi05NmUzLTU0YmY2NDJmMjJiMGJvZHkuaHRtbCIgc3o9Ijg0MzgiIHQ9IjEzMjU3NTQ0NDExMTQ4OTU2MyIgaD0iL25uZ2xEcXErZ3pJSWd0N0swbHp0M3M3T3RBPSIgaWQ9IiIgYmw9IjAiIGJvPSIxIi8+PC9tZXRhPg==
x-dg-rorf: true
authentication-results: rtfm.com; dkim=none (message not signed) header.d=none;rtfm.com; dmarc=none action=none header.from=ra.rockwell.com;
x-originating-ip: [2600:1702:19a0:f0c0:7c22:e8e1:aa1e:8cd1]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 8427f14e-6ebe-4187-57b5-08d8cec11f8a
x-ms-traffictypediagnostic: DM6PR22MB2183:
x-microsoft-antispam-prvs: <DM6PR22MB2183C782475F11CFA49E34DB998C9@DM6PR22MB2183.namprd22.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: DE0jesLFfdN0gfVr//8hpbWgoO8ShN0qzEY+efYG9wCl5fZITmkKutLqMvcp26YStq2Bw4PbFHTmvglSdkB0GWEQq54hIoN4jJ892nSF5CGAiUEvMmJnnmR/4LZBAwxvR1Fb42NhmMKETiFMcLXBtLHYAwrJ1r4OvlsrBHa9eeMosBDMZWBGVeOZO5IEsEDKbyziaEVECRN4J2jqDKnmi7e23CAvfUp6KHU6uMhDMoSwP+QK475bsfaBPeqE0wxgayk7MXyPc5PyJ9BuU5Fn1I1Wtr2swAdaBjxP5MnlQp6JQfbe4Exvxdrojy06Fy+kArMvWy/Nmphw80Eylt08jOefeynlD5Kn8WHw2biH4/FGQhbM1hFjx7VPLFyBG88iSbjTYrEgz59a33baeTpZk3ZiT4MooRldJ990Snr4PxYZPat6/cUT4LOHQEwc8tLU3drIdH1w5BkSz/5/skayQ7+bTS4IXwYb7qV2vOYNG+LRSRcqrux1mXSo7in1vlLWnwxOlfCPiAmYjmN8lmn/NDNe2jUVxAHbzVYgETdNxqdHMjSdf0sTnHxegsL+OhFxErFdY9Mc/gGuZr+omv3MnI9w4wcZ0juxQiEGeWD54GE=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DM5PR2201MB1643.namprd22.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(376002)(396003)(39860400002)(366004)(346002)(8936002)(7696005)(9686003)(33656002)(55016002)(71200400001)(4326008)(8676002)(83380400001)(6506007)(66446008)(110136005)(66946007)(66476007)(316002)(64756008)(53546011)(66556008)(76116006)(966005)(478600001)(52536014)(5660300002)(86362001)(166002)(186003)(2906002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: R4jPSLDV0WteJq1PuB4PAGl1gpBKs6lX/xJvfaEpQXRUHdOEIqeARyhw+ih7uuZINUUFTvJXEK/Y5cnLMm2STd1hE6hcQbABZVaX+I0/7cAWmsVgJU+d1s/fEdWFSiQ24O/n5fn4R4Vu5/DslS++nb5Qz80y3oZ1lWzrW/buY0ts1YFmklccq4W0bfUpbT6FAYnkti3uPUfWzdswLmKC2WBPf6TJujA3mXfjpDdNznZjz6g9lcXttqLSgm9pKZ/TCSvsLXaIYTJJ2SvjeCNuDUg5MkjmqZNM9sSGwMXuCKQIQq0RkZnnd3+gYYyXTS8GXQXtL/eXoxVITA7bp8YF2wtWoqSqgEp7RWI0FqdXWPespZH5A4LUrQLcQXW6wer3ozOwTlqoBTlGVqtTGZZpre7dLdQv3iwkIj5DR5idRt+el4yK3piFX/qfmDjijVg/pS1L11/BwjCgyk+IEPjwzwmBlGFhXwxWFmWq3ioPMBwv7gg87iTtB3bQ1TeuINvat175349DW5uwPEQW/MU9BmNdgeK+4mHc229hsc8Zls2rkr4liZNfYI9LR7HEmgHH7itLm/8hbYYHqZx1MH71GwWZ+t6MF/uxRAHcaCy4gA+2PXLAyjogUZFPQv23/eh2T2itYQDemZg9MBciuWtgLzRbp6+iZki0Qb9QoMcFK9zPjFAr64NqAz3knWzw1tP/URHsEZlgJbwxqjrwZQYOD5gdmp/0odqXVOwtU0rUMILetcumq16lWUvCDSjsXMP73O5ky+MPoWZUVTifTk263SuXmNZwvRXIIZeOa19hZP3G/UXN1zHuok4MOeJ6MydpZ6ck1D5+6c3lXJZkpkxO/pP2Sps7kM2l0UtYc3FpechAW+UR+NSWWUfGEzawTqnf/Ugnmwf7s1lBJU3U/o85pYWlFan2jm9JqtzVIwvXx2FpFmZtuf7EnLNUWgnOJgpcuImQauB3TkJrR3BB+aEIu5CZrKneHVhAq0YsT9tmMmsHTBgAf3s+WyhYiHdOAvXqP/I2IJ7p+PHqvibZ4TcQ7dnxnGjyBnd1h1JOxhtMKsa9GvLHeBcw2qsc9D8VhJLJgE8zfojdejkERP7pIZPYeq4XSDpW64gZICaV3h7KrNpnKtKJj3uPjRbN2jpjzd/gMwtlpgqgY9l4HIIIgmo8zOblVxxoisus/6y8/nCK0gNhlnDNsAgeSKF5X1EHto0NQ+mfHnPJB3mJ7Pt2OF8jACiRZ6BjUOCAt+NqH+8z4Rz03/MiJ0BgcsNm51qthdqdYFLf0maYCstT7P8A3hS3l+W9fYGuSJKrRsHsLeDa+9swk9etlYjfK07AyZoaudrIEOjYWcIAqlt1tK9SOfsak+mUAeMfLLLdl+m5G4GJ43avcCIU0BIi38S//FF6xBSz
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM5PR2201MB1643321F09407F251ADC8CFB998C9DM5PR2201MB1643_"
MIME-Version: 1.0
X-OriginatorOrg: ra.rockwell.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DM5PR2201MB1643.namprd22.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8427f14e-6ebe-4187-57b5-08d8cec11f8a
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Feb 2021 19:13:32.5085 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 855b093e-7340-45c7-9f0c-96150415893e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jA/FwhiXeczIYIzej+oaMu+24arKpalXbeJerI2XAKiCZeAe7c0fxKJhyL7jqvAzwkNVIunQMH8rPxMScUwS02ukks3i/nv16F1UOc9LsRg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR22MB2183
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bqMjdIeZ9gDbh5_xfE5M9s-CWvY>
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 19:13:38 -0000

Hi John, Eric,

Thanks for the input. We will certainly make some changes to the draft regarding the inspection case. However, I can’t support removing the performance/latency information completely, as I have heard from those who have this very concern. That said, we will edit the language to make it clear that this is not true in all cases.

Regarding the category “They clearly do not provide some important security properties (???)”, we are happy to add some information into the draft if this is the right (or one of the right) places to do this. I can try to come up with some language on my own, or if the WG has a suggestion we can use that.

Thanks,

--Jack

From: TLS <tls-bounces@ietf.org> On Behalf Of Eric Rescorla
Sent: Thursday, February 11, 2021 12:30 PM
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: TLS@ietf.org
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

John,

Thanks for raising this topic I think it's important. I agree with you on the technical situation. As you say, we should be encouraging people to move to TLS 1.3, and NULL encryption cipher suites do not provide all the guarantees that TLS 1.3 is intended to deliver. [0].

I also agree with you that we probably should not stop people from making registrations even of weak ciphersuites, merely because it is not an effective way to limit their use and creates interoperability problems. However, as you say we should make clear that TLS 1.3 only provides its stated security properties when used with strong algorithms. While I think it's helpful to add this to the TLS spec, I wonder if this is something that should be in the registry in a way stronger than Recommended=N. Conceptually, it seems to me that suites fall into three categories:

- The WG has evaluated them and believes they are good (Recommended=Y)
- The WG has not evaluated them and has no real opinion (Recommended=N)
- They clearly do not provide some important security properties (???)

We could then put draft-camwinget in the last category (the situation with draft-ietf-tls-external-psk-guidance seems a bit more complicated).

As far as the contents of draft-camwinget, I concur that it would be better if rewritten in the form you propose, but as its an individual draft -- and I am not in favor of it being taken on as a WG item -- I'm not sure how much it matters. I tend to think it would be better to have something from the WG (e.g., the registry change I propose above) that made the WG's view clear.

-Ekr

[0] You correctly raise the point that without encryption, TLS 1.3 does not deliver protection of endpoint identities. I would also note that it does not provide unlinkability for resumption, even if each ticket is used only once. Moreover, it's not clear to me the extent to which the analyses of TLS 1.3 relied on the fact that the cipher suites provide encryption. While it seems likely that TLS with NULL encryption provides the expected properties (i.e., data origin authentication without confidentiality), I'm not sure we have analysis to that effect.

On Thu, Feb 11, 2021 at 2:03 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote:
 Salz, Rich wrote:
>Can you explain why TLS 1.2 isn't good enough for your needs?

I think it's bad to force industries requiring visibility to use TLS 1.2 unless it is for a limited time. TLS 1.2 is obsolete. I think the TLS WG should not spend any more time on TLS 1.2.

I personally do not object to the registrations as such. I object to the draft stating that sacrificing confidentiality has latency, cost, power, processing, and code size benefits. There seems to be consensus in the TLS WG that this is most often not the case. The discussions with the authors seem to lead nowhere. I think the draft needs to remove everything regarding benefits. In fact, I think the draft could be very short:

"There are use cases requiring visibility. This memo defines cipher suites without confidentiality for such use cases. This breaks the TLS 1.3 security property "Protection of endpoint identities" and is NOT RECOMMENDED."

That said, I think NULL encryption is a VERY BAD solution to the visibility problem. If visibility is needed, draft-rhrd-tls-tls13-visibility is clearly better.

The TLS WG might also need to discuss when the Appendix E security properties applies. Both draft-camwinget-tls-ts13-macciphersuites and draft-ietf-tls-external-psk-guidance breaks some of the security properties. Maybe this is ok as long as it is NOT RECOMMENDED?

Cheers,
John

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls<https://urldefense.com/v3/__https:/www.ietf.org/mailman/listinfo/tls__;!!JhrIYaSK6lFZ!9sn_TxTOvX9rS3Ow8i2mVqh13RYYXFx8cIAdJNZZHkt-coksvmDv-V62rNDMgRv8Ra6M$>

v2.23.0 | Report a Bug | By Email