Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

John Mattsson <john.mattsson@ericsson.com> Thu, 18 February 2021 16:53 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "TLS@ietf.org" <TLS@ietf.org>
Date: Thu, 18 Feb 2021 16:53:34 +0000
Message-ID: <9A15C09D-6433-4ACF-9DC7-D6A50A6254B4@ericsson.com>
References: <D553EA7A-1B49-4A7F-8992-FEEFC4B7C176@ericsson.com> <CABcZeBMvZyuZKoKykR=sXADDP2Pez6yT+FCGg=10++sNj+LC-A@mail.gmail.com>
In-Reply-To: <CABcZeBMvZyuZKoKykR=sXADDP2Pez6yT+FCGg=10++sNj+LC-A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_1fPsfy6kkQwFAtX3eKeIkRKK4E>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

Hi Eric,

Eric Rescorla <ekr@rtfm.com> wrote:
>Thanks for raising this topic. I think it's important. I agree with you on
>the technical situation. As you say, we should be encouraging people to
>move to TLS 1.3, and NULL encryption cipher suites do not provide all the
>guarantees that TLS 1.3 is intended to deliver [0].
>
>I also agree with you that we probably should not stop people from making
>registrations even of weak ciphersuites, merely because it is not an
>effective way to limit their use and creates interoperability problems.
>However, as you say we should make clear that TLS 1.3 only provides its
>stated security properties when used with strong algorithms. While I think
>it's helpful to add this to the TLS spec, I wonder if this is something
>that should be in the registry in a way stronger than Recommended=N.
>Conceptually, it seems to me that suites fall into three categories:
>
>- The WG has evaluated them and believes they are good (Recommended=Y)
>- The WG has not evaluated them and has no real opinion (Recommended=N)
>- They clearly do not provide some important security properties (???)
>
>We could then put draft-camwinget in the last category (the situation with
>draft-ietf-tls-external-psk-guidance seems a bit more complicated).

I think that sounds like a very good idea. I think the "Recommended" column is a bit too simple for its own good. I think it would be worthwhile to make an update to the "Recommended" column.

The current "Recommended" column is easy to misunderstand as recommended to use, while it formally is "recommended to implement". There were also several comments on the list last year commenting on the "Recommended" column:

Achim Kraus wrote:
"Maybe, one column with recommended (Y/N/<blank>), is not enough."
"I'm still worrying about the "recommended" and the (mis-)interpretation
of that."
"Therefore my proposal to add the Y-period."

Hannes Tschofenig wrote:
"my problem is that the IANA registry only says “not recommended” but it does not say for what environments these ciphersuites are not recommended. Worse, it also wants to indicate whether the specification has gone through the IETF process."

David Benjamin wrote:
"It sounds like the registry may be confusing, so perhaps we, independent of
the existing criteria for Y vs N, need to do a better job of presenting the
information."

I especially like Hannes' comment on environment; this is similar to what RFC 8221 and RFC 8247 do for IoT. What is recommended to support for IoT, Web, DTLS/SCTP, and DTLS-SRTP, etc. can differ.

Cheers,
John

From: Eric Rescorla <ekr@rtfm.com>
Date: Thursday, 11 February 2021 at 18:31
To: John Mattsson <john.mattsson@ericsson.com>
Cc: "TLS@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

John,

Thanks for raising this topic. I think it's important. I agree with you on the technical situation. As you say, we should be encouraging people to move to TLS 1.3, and NULL encryption cipher suites do not provide all the guarantees that TLS 1.3 is intended to deliver [0].

I also agree with you that we probably should not stop people from making registrations even of weak ciphersuites, merely because it is not an effective way to limit their use and creates interoperability problems. However, as you say we should make clear that TLS 1.3 only provides its stated security properties when used with strong algorithms. While I think it's helpful to add this to the TLS spec, I wonder if this is something that should be in the registry in a way stronger than Recommended=N. Conceptually, it seems to me that suites fall into three categories:

- The WG has evaluated them and believes they are good (Recommended=Y)
- The WG has not evaluated them and has no real opinion (Recommended=N)
- They clearly do not provide some important security properties (???)

We could then put draft-camwinget in the last category (the situation with draft-ietf-tls-external-psk-guidance seems a bit more complicated).

As far as the contents of draft-camwinget, I concur that it would be better if rewritten in the form you propose, but as it's an individual draft -- and I am not in favor of it being taken on as a WG item -- I'm not sure how much it matters. I tend to think it would be better to have something from the WG (e.g., the registry change I propose above) that made the WG's view clear.

-Ekr

[0] You correctly raise the point that without encryption, TLS 1.3 does not deliver protection of endpoint identities. I would also note that it does not provide unlinkability for resumption, even if each ticket is used only once. Moreover, it's not clear to me the extent to which the analyses of TLS 1.3 relied on the fact that the cipher suites provide encryption. While it seems likely that TLS with NULL encryption provides the expected properties (i.e., data origin authentication without confidentiality), I'm not sure we have analysis to that effect.

On Thu, Feb 11, 2021 at 2:03 AM John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
Salz, Rich wrote:
>Can you explain why TLS 1.2 isn't good enough for your needs?

I think it's bad to force industries requiring visibility to use TLS 1.2 unless it is for a limited time. TLS 1.2 is obsolete. I think the TLS WG should not spend any more time on TLS 1.2.

I personally do not object to the registrations as such. I object to the draft stating that sacrificing confidentiality has latency, cost, power, processing, and code size benefits. There seems to be consensus in the TLS WG that this is most often not the case. The discussions with the authors seem to lead nowhere. I think the draft needs to remove everything regarding benefits. In fact, I think the draft could be very short:

"There are use cases requiring visibility. This memo defines cipher suites without confidentiality for such use cases. This breaks the TLS 1.3 security property "Protection of endpoint identities" and is NOT RECOMMENDED."

That said, I think NULL encryption is a VERY BAD solution to the visibility problem. If visibility is needed, draft-rhrd-tls-tls13-visibility is clearly better.

The TLS WG might also need to discuss when the Appendix E security properties apply. Both draft-camwinget-tls-ts13-macciphersuites and draft-ietf-tls-external-psk-guidance break some of the security properties. Maybe this is ok as long as it is NOT RECOMMENDED?

Cheers,
John
