Re: [TLS] AEAD only for TLS1.3 revisit
"Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu> Tue, 30 September 2014 19:50 UTC
Return-Path: <prvs=535012e8ee=uri@ll.mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 158D21A8877 for <tls@ietfa.amsl.com>; Tue, 30 Sep 2014 12:50:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.984
X-Spam-Level:
X-Spam-Status: No, score=-4.984 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, UNPARSEABLE_RELAY=0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cJFyC8ltBPgl for <tls@ietfa.amsl.com>; Tue, 30 Sep 2014 12:50:24 -0700 (PDT)
Received: from mx2.ll.mit.edu (MX2.LL.MIT.EDU [129.55.12.46]) by ietfa.amsl.com (Postfix) with ESMTP id EEB591A8875 for <tls@ietf.org>; Tue, 30 Sep 2014 12:50:23 -0700 (PDT)
Received: from LLE2K10-HUB01.mitll.ad.local (LLE2K10-HUB01.mitll.ad.local) by mx2.ll.mit.edu (unknown) with ESMTP id s8UJo10X020667; Tue, 30 Sep 2014 15:50:08 -0400
From: "Blumenthal, Uri - 0558 - MITLL" <uri@ll.mit.edu>
To: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>, Michael StJohns <msj@nthpermutation.com>
Thread-Topic: [TLS] AEAD only for TLS1.3 revisit
Thread-Index: AQHP3AJ2/EHuY8NeI02Vv3s5UcgKb5waWQoA//++N4A=
Date: Tue, 30 Sep 2014 19:49:34 +0000
Message-ID: <D05080B2.1ABB6%uri@ll.mit.edu>
References: <542988C5.8050307@nthpermutation.com> <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com>
In-Reply-To: <A46BA862-DEE1-46CF-9193-40D1EAAA14BE@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
x-originating-ip: [172.25.177.187]
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha256"; boundary="B_3494936965_1266352"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.12.52, 1.0.28, 0.0.0000 definitions=2014-09-30_08:2014-09-30,2014-09-30,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=7.0.1-1402240000 definitions=main-1409300201
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/Z40cyk1D57cWaYMHTyAIt7a3dVA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] AEAD only for TLS1.3 revisit
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Sep 2014 19:50:26 -0000
On 9/30/14, 15:44 , "Joseph Salowey (jsalowey)" <jsalowey@cisco.com> wrote: >Allowing man-in-the-middle or integrity only cipher suites is not a valid >reason to revisit the AEAD decision. Allowing for man-in-the-middle and >passive monitoring is in opposition to our current mandate. As an >aside, if this becomes a requirement in the future I don't think that >AEAD actually limits either of these possibilities, although your choice >of cipher may. The point is that in some environments the choice is BETWEEN man-in-the-middle (currently done by many corporations via “split SSL” or “cracked SSL”) with no security guarantees at all, and passive monitoring where you can have at least integrity & authenticity. AEAD with a single key (which is my preference) is incompatible with passive monitoring unless integrity is sacrificed as well. >On Sep 29, 2014, at 9:28 AM, Michael StJohns <msj@nthpermutation.com> >wrote: >> Hi - >> >> This isn't a proposal to change the decision to only include AEAD >>ciphers in TLS1.3. But something crossed my desk that suggested I >>should at least mention a possible issue with this. >> >> Background: There are number of countries (and private networks) that >>have a requirement to decrypt any traffic passing through certain >>places. There is not a corresponding requirement to allow them to >>imitate a sender or receiver. This can be done through key escrow, >>LEAF-like fields or multiple encryption of the data for example. >> >> Implication: AEAD ciphers have a single key which is broken down for >>use both in the encryption and integrity processes. Revealing that >>single key (to satisfy the decryption requirement) can reveal the >>credentials to allow masquerading. If the TLS connection credentials >>are also being used as credentials for control actions (e.g. >>cyber-physical controls of power systems, control over a firewall, etc), >>fulfilling the decryption requirement provides an unintended attack >>surface for possibly life critical systems. >> >> >> Thoughts: At least one AEAD cipher (CCM) uses the exact same key for >>both integrity and encryption. There is no way to reveal the encryption >>key without also revealing the integrity key. But if you have the >>integrity key, you can masquerade as sender or receiver (controller or >>controlled). >> >> Question: In light of the above, should we revisit the AEAD-only >>decision for TLS1.3? >> >> >> Question: Is there absolutely no requirement for TLS1.3 integrity only >>cipher suites? >> >> The fallback for systems in areas that have these requirements could be >>either TLS1.2, one of the other IETF security protocols, or something >>proprietary. >> >> And yes, this was triggered by a real-world requirement. >> >> Mike >> >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > >_______________________________________________ >TLS mailing list >TLS@ietf.org >https://www.ietf.org/mailman/listinfo/tls
- [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Martin Thomson
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Joseph Salowey (jsalowey)
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Stephen Farrell
- Re: [TLS] AEAD only for TLS1.3 revisit Nikos Mavrogiannopoulos
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Dan Harkins
- Re: [TLS] AEAD only for TLS1.3 revisit Ilari Liusvaara
- Re: [TLS] AEAD only for TLS1.3 revisit Michael StJohns
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann
- Re: [TLS] AEAD only for TLS1.3 revisit Hubert Kario
- Re: [TLS] AEAD only for TLS1.3 revisit Salz, Rich
- Re: [TLS] AEAD only for TLS1.3 revisit Peter Gutmann