IETF Logo Mail Archive

Re: [TLS] Technical comment on design draft-rhrd-tls-tls13-visibility-00: why also break integrity/authentication?

Cas Cremers <cas.cremers@cs.ox.ac.uk> Mon, 06 November 2017 12:18 UTC

Return-Path: <cas.cremers@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAABD13FBA4 for <tls@ietfa.amsl.com>; Mon, 6 Nov 2017 04:18:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id egWS2I60oc5U for <tls@ietfa.amsl.com>; Mon, 6 Nov 2017 04:18:10 -0800 (PST)
Received: from mail-ua0-x229.google.com (mail-ua0-x229.google.com [IPv6:2607:f8b0:400c:c08::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37E4513FB57 for <tls@ietf.org>; Mon, 6 Nov 2017 04:18:10 -0800 (PST)
Received: by mail-ua0-x229.google.com with SMTP id i35so6230922uah.9 for <tls@ietf.org>; Mon, 06 Nov 2017 04:18:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=7wUwN/rNV85NPgzDo+kzbT00xpU1KFF29eECYQScTlc=; b=CrJKeLdBvf2uHpDi0Hqn6jVkzqeNx7UR0zpuQLCxrHsQGNbEGAHM/4asZEi+HLTnf9 1yF3tI/tn5SL3dusaP3DDGEgYxo9KS73BbZOtvZhh8bIbUYuKMXWWWIqpqOOm+RcjVBb DpW5Wae2ZiXWwVBgwda4lArz0ezHh8YdgDBHDYuUGN7XvSn+0ZrMnCcAQQ8cI746vft1 Cz72jH0A8IUQ8j0TXYbTv2NlRNB4n7Kp/EOgbIL8Z/GiMc7m27UW1xpNB8T7kvntpYwG TSe6mwOI1pALsX8cRSr10SzflK5ZLPnINAkNhpCVpGmGDoWuR816hGWb2k9OBPkGPsP0 zffA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=7wUwN/rNV85NPgzDo+kzbT00xpU1KFF29eECYQScTlc=; b=KslCK81L2IIXUkxNot6nR/pGRxtK+5PMobGr59b2C1eQT2oGngRhcdHql2CglEXfbK oGIk3WNFRVmRhg1qrK5rx71HaLj1H43XTWQ0IW5xL2S6Qprppjhqi2Wj/YbNomMCRoFI T/DZVmY+98MxanH135Bw/AlHXDjGf7PWToJvl921Yq7qcqnYugJ8CHo4SEyxv7ZjgvJ9 dtZ7GfZLXUC7s109Txy6DT/HXDvyTGwkPlBo97dGXunntJOVQqkhrHgBjlw8U6fG18iN YMk2zbYrXt2tnKX4p2WAJPWR3amuDDHKXpcN7MOOIwv4JAZKqFKqqvELD/Dm5ilcL4nG nf1Q==
X-Gm-Message-State: AMCzsaWEWPQKORAGrWTvdgzJwMQ5+ZMu+aZxMzwsZFVB0IIS6n5ufcsm CJnozeZ1eGsHxBZjl7d+y6cVylS2mNmciTiuU14=
X-Google-Smtp-Source: ABhQp+SBySaquZebCQI/iQ2g6Xm9BnBv9zeynuj7ZA4Ia02MNib3lkdvqoy8AOi8KvlZ+noLp/AugvIw2aDDrK07K5g=
X-Received: by 10.176.10.148 with SMTP id d20mr12968397uak.118.1509970689186; Mon, 06 Nov 2017 04:18:09 -0800 (PST)
MIME-Version: 1.0
Sender: cas.cremers@gmail.com
Received: by 10.176.1.108 with HTTP; Mon, 6 Nov 2017 04:17:48 -0800 (PST)
In-Reply-To: <70496A24-F4C2-466E-9522-1832DCD134D1@gmail.com>
References: <CABdrxL4ZX5GbUhdqmVrhVqwM-MqMsgLL6ow9ksQ8NYBCPvgnfA@mail.gmail.com> <CAL02cgQMeJAqTtrVBzv254arGQU-88NTJJWgZdoRQguPn14TkQ@mail.gmail.com> <CABdrxL7eE1rND6b-q-La7gwzgZmt2VEo3CKUcEfGMoiMWZ71wQ@mail.gmail.com> <CAOgPGoA6N4rwYet61ABNJCKzqEuMrtZ2a6Zk=FaB4uhFtxjT3w@mail.gmail.com> <CAL02cgT-SY3LcSHVMm1D_vP3ZbeHiY48BUOpjaRdUZAxR7nyTg@mail.gmail.com> <CAOgPGoDyPgvjCv8RdOZXynydYWka4=N3bdjZ7QD-qjY2SXsNMw@mail.gmail.com> <70496A24-F4C2-466E-9522-1832DCD134D1@gmail.com>
From: Cas Cremers <cas.cremers@cs.ox.ac.uk>
Date: Mon, 06 Nov 2017 12:17:48 +0000
X-Google-Sender-Auth: sj5uA9tTvQjCkzouAzycocV1QBI
Message-ID: <CABdrxL7wn7DMdVHr0Ev_+M8ta2eaZtsBJhYYQO0W9ceoaFJ7Ow@mail.gmail.com>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Cc: Joseph Salowey <joe@salowey.net>, Richard Barnes <rlb@ipv.sx>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="089e0826e4fc8ce233055d4f72a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Uz1MwT1EFOg7ClvvQIuRAiyMrkA>
Subject: Re: [TLS] Technical comment on design draft-rhrd-tls-tls13-visibility-00: why also break integrity/authentication?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2017 12:18:13 -0000

I agree with most of the above; my point was not to propose another
mechanism, but just to make explicit (as Richard had indicated earlier)
that the current design gives up much more security than it strictly seems
to need for its claimed use cases.

I'm not recommending any changes to the TLS 1.3 design, and agree that it
is very likely that many more things would be broken in the process.

Indeed, giving up confidentiality of the channel but retaining channel
authentication does not ensure authentication at the application layer,
because most application-level security guarantees rely on the
confidentiality of the channel. However, I don't find that a great argument
to immediately give up on authentication/integrity of the channel.

Best,

Cas





On Mon, Nov 6, 2017 at 6:38 AM, Karthikeyan Bhargavan <
karthik.bhargavan@gmail.com> wrote:

> Visibility goes both ways. The discussion so far has been primarily about
> making end-to-end data visible to middleboxes.
> It would less concerning to do it the other way round, where middleboxes
> are made visible to the endpoints, and proxying/visbility decisions are
> made at the endpoints.
> Indeed, this is one of the main ideas behind mcTLS: middleboxes don’t get
> to transparently inject themselves into a TLS channel, they must be
> authorized by *both* endpoints.
>
> But even a careful design like mcTLS ends up losing significant
> authentication and integrity properties, both in the handshake and the
> record layer. (If someone is interested, send me email, and I can give you
> details.)
> So, I really don’t recommend any change to the TLS 1.3 design to
> accomplish any of this, it is more likely that the change will break
> “normal” TLS connections.
>
> If visibility is needed in some scenario, then I would prefer that it be
> done at the application layer, by a proxy that is visible to and authorized
> by at least one endpoint, if not both.
>
> -Karthik
>
>
>
> On 6 Nov 2017, at 05:39, Joseph Salowey <joe@salowey.net> wrote:
>
> I'm in agreement with Stephen.  If you compromise TLS confidentiality you
> are going to break application security. For most applications a loss in
> confidentiality in TLS will have an impact in other aspects of security.
>  The third-party will often be able to inject application traffic, although
> it may need to do this over a separate connection.
>
> On Sun, Nov 5, 2017 at 7:38 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
>> I understood Cas to be observing that you could in principle remove
>> confidentiality with regard to the third party to whom keys are being
>> exfiltrated, without also removing integrity and authenticity.  So the
>> third party could observe application traffic, but not modify or inject.
>> The solution in draft-rhrd removes all three properties with regard to the
>> third party (all still of course hold with regard to all other attackers).
>>
>> So you would still have a risk of violating applications' assumptions
>> with regard to confidentiality, but only with regard to confidentiality,
>> and only relative to the chosen third party.   To Stephen's point, though,
>> this is of course a pretty subtle point for application developers to
>> understand.
>>
>> --Richard
>>
>>
>> On Sun, Nov 5, 2017 at 8:57 PM, Joseph Salowey <joe@salowey.net> wrote:
>>
>>> I'm not sure what use cases you are targeting, but this type of solution
>>> can be dangerous for application security. Most application security models
>>> assume that TLS will provide both confidentiality and authenticity.
>>> Breaking confidentiality will often expose vulnerabilities that can result
>>> in escalation of privilege or spoofing resulting in a loss of
>>> integrity/authenticity in the application. For example, the use bearer
>>> tokens such as passwords or session cookies is widespread. It will take
>>> much more work to make applications resilient to loss of confidentiality.
>>> There may be use cases where confidentiality compromise is limited to just
>>> confidentiality, but I think these are in the minority.
>>>
>>> Joe
>>>
>>> On Fri, Nov 3, 2017 at 7:41 AM, Cas Cremers <cas.cremers@cs.ox.ac.uk>
>>> wrote:
>>>
>>>> Hi Richard,
>>>>
>>>> Thanks for the pointer, I had missed your earlier observation of
>>>> essentially the same thing in the large mail threads.
>>>>
>>>> Personally, I think it is a substantial and unmotivated loss in
>>>> security to also give up authentication/integrity.
>>>>
>>>> Note that any changes towards PERC would require some significant
>>>> changes in the security analyses; for mctls, I expect it would be a
>>>> completely new analysis. (I haven't seen any analyses of rhrd, but of the
>>>> three, it is of course closest to the current setup.)
>>>>
>>>> Best,
>>>>
>>>> Cas
>>>>
>>>>
>>>> On Fri, Nov 3, 2017 at 2:00 PM, Richard Barnes <rlb@ipv.sx> wrote:
>>>>
>>>>> Hey Cas,
>>>>>
>>>>> This question is a good one.  Earlier I brought up mcTLS, which some
>>>>> folks have been working on to provide even more granular separations than
>>>>> you suggest:
>>>>>
>>>>> https://mctls.org/
>>>>>
>>>>> I think the authors of draft-rhrd are trying for a more lightweight
>>>>> change to TLS.  That said, there might be some intermediate points on the
>>>>> spectrum here.  For example, you could define a TLS ciphersuite akin to
>>>>> what we defined in PERC when we wanted to break integrity partly and
>>>>> confidentiality not at all.
>>>>>
>>>>> https://tools.ietf.org/html/draft-ietf-perc-double-07
>>>>>
>>>>> That would be less invasive than mcTLS, while still getting the
>>>>> properties you describe.
>>>>>
>>>>> --Richard
>>>>>
>>>>>
>>>>> On Nov 3, 2017 09:43, "Cas Cremers" <cas.cremers@cs.ox.ac.uk> wrote:
>>>>>
>>>>> Dear all,
>>>>> ​​
>>>>> ​​Disclaimer: I am not a proponent of the idea behind draft
>>>>> visibility/green/rhrd; I think such a mechanism should not be part of the
>>>>> TLS 1.3 standard.
>>>>> ​​
>>>>> ​​I have a technical problem with the current design, whose goal is to
>>>>> allow eavesdropping for inspection, i.e., selectively decreasing
>>>>> confidentiality.
>>>>> ​​
>>>>> ​​However, the design in the draft also enables arbitrary traffic
>>>>> modification/insertion, additionally breaking all authentication and
>>>>> integrity guarantees. Once someone has the session keys, they can not only
>>>>> eavesdrop but can also start to insert/modify traffic. This additional
>>>>> decrease in security is entirely unmotivated by the cited use cases.
>>>>> ​​
>>>>> ​​It is possible to offer authentication and integrity, while
>>>>> selectively giving up confidentiality. For example, one could replace the
>>>>> AEAD by (i) a mechanism for authentication and (ii) a separate mechanism
>>>>> for confidentiality, and then possibly reveal the keys used for (ii), but
>>>>> make sure only the real endpoint has the keys for (i). That seems more
>>>>> rational to me, and may retain the authentication/integrity guarantees.
>>>>> However, it would require a much more invasive change.
>>>>> ​​
>>>>> ​​Best,
>>>>> ​​
>>>>> ​​Cas
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> TLS mailing list
>>>>> TLS@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>>
>>>
>>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
>

v2.23.0 | Report a Bug | By Email