Re: [TLS] TLS Impact on Network Security draft updated

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 23 July 2019 20:14 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4795C120987 for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 13:14:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I0ScxnySdAa4 for <tls@ietfa.amsl.com>; Tue, 23 Jul 2019 13:14:45 -0700 (PDT)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA3121209C6 for <tls@ietf.org>; Tue, 23 Jul 2019 13:14:45 -0700 (PDT)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id E4A362F8F5; Tue, 23 Jul 2019 16:14:44 -0400 (EDT)
Date: Tue, 23 Jul 2019 16:14:44 -0400
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20190723201444.GB98742@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <6AF48228-19C2-41C7-BA86-BA16940C3CFF@cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <6AF48228-19C2-41C7-BA86-BA16940C3CFF@cisco.com>
User-Agent: Mutt/1.11.4 (2019-03-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XdI-CgNpYag5m4d3FZ36bzim2Uc>
Subject: Re: [TLS] TLS Impact on Network Security draft updated
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jul 2019 20:14:59 -0000

On Sun, Jul 21, 2019 at 01:51:32PM +0000, Nancy Cam-Winget (ncamwing) wrote:

> Thanks to all the feedback provided, we have updated the https://tools.ietf.org/html/draft-camwinget-tls-use-cases-04
> draft.  At this point, we believe the draft is stable and would like to request its publication as an informational draft.

I found the language of the draft (especially the introduction)
somewhat turgid and repetitive to the point of significantly
detracting from readability.  I think the draft needs substantial
editing for simplicity and clarity.

As to specific technical issues, I don't understand the point being
made in Section 2.2.2 about client key shares and resumption:

   In TLS 1.3, the above mechanism is replaced by Pre-Shared Keys (PSK),
   which can be negotiated as part of an initial handshake and then used
   in a subsequent handshake to perform resumption using the PSK.  TLS
   1.3 states that the client SHOULD include a "key_share" extension to
   enable the server to decline resumption and fall back to a full
   handshake, however it is not an absolute requirement.

   Example scenarios that are impacted by this are middleboxes that were
   not part of the initial handshake, and hence do not know the PSK.  If
   the client does not include the "key_share" extension, the middlebox
   cannot force a fallback to the full handshake.  If the middlebox
   policy requires it to inspect the session, it will have to fail the
   connection instead.

[ AFAIK, even with PSK-based resumption, and even when the client's
  initial key share was not acceptable to server, the server can still
  perform a full handshake after HRR.  An MiTM middle-box can replace
  the server's HRR with its own, and then decline the client's PSK
  and perform a full handshake. ]

I also found the malicious server argument in section 2.2.1 somewhat
unconvincing, since malicious servers have lots of (previously)
innocuous domains to choose from, or can present self-signed
certificates for any SNI of their choice.

The impact of TLS 1.3 is largely limited to making it more difficult
to whitelist "known good" servers from MiTM inspection.  With TLS
1.3 a middle box that wants to be sure to MiTM sessions to "bad"
servers, must also MiTM sessions to "good" servers (in order to
determine that they're really "known good"), because authenticating
a "good" server is no longer possible without MiTM interception.
Blacklists of "known bad" are easily bypassed even with TLS 1.2.

Middleboxes that are limited to closing TCP connections for the
"known bad", are not particularly effective with TLS 1.2, and will
be increasingly less so as attacks become more sophisticated.  A
middlebox that wants to detect the bad must do MiTM interception,
and with TLS 1.3 will need to intercept *all* traffic, even the
previously "known good", once the "known good" peer deploys TLS 1.3.

Yes, optimizing out interception of the "authenticated known good"
is no longer possible.

-- 
	Viktor.