IETF Logo Mail Archive

Re: [TLS] datacenter TLS decryption as a three-party protocol

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 24 July 2017 15:19 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5BE5131E10 for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 08:19:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CF5sVl1BAuJm for <tls@ietfa.amsl.com>; Mon, 24 Jul 2017 08:19:50 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 701CE131E0F for <tls@ietf.org>; Mon, 24 Jul 2017 08:19:50 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 6607A22903; Mon, 24 Jul 2017 18:19:49 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id OKXR6KKlNT4k; Mon, 24 Jul 2017 18:19:40 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 5B5D021C; Mon, 24 Jul 2017 18:19:36 +0300 (EEST)
Date: Mon, 24 Jul 2017 18:19:36 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Brian Sniffen <bsniffen@akamai.com>
Cc: Ted Lemon <mellon@fugue.com>, "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>, "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20170724151936.hq7uepji62nhype6@LK-Perkele-VII>
References: <20170720203238.e66zurx5yn2jja3a@LK-Perkele-VII> <17109486-336E-44C0-B9FC-D65EE14310B5@ll.mit.edu> <20170723070240.x7kmynzmu4jqco5t@LK-Perkele-VII> <C0772D29-CB26-418F-981B-BC2E2435E655@ll.mit.edu> <35FD3356-8300-405A-B8D8-FC2574DB9A56@fugue.com> <CE89217F-972F-4F37-B8BA-925AE1FE8D68@ll.mit.edu> <44105D6B-4CE0-4C3C-ACFA-30EF1D8AA8F7@fugue.com> <C76720C5-7BB6-4AB4-8A2D-7569EC57D15D@ll.mit.edu> <388DA0F2-E3FC-47D2-B97C-D244ACE50E61@fugue.com> <m2o9sarky7.fsf@bos-mpeve.kendall.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <m2o9sarky7.fsf@bos-mpeve.kendall.corp.akamai.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/axeWT22VFz4lTuWjle_iuytVvIc>
Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jul 2017 15:19:53 -0000

On Mon, Jul 24, 2017 at 10:03:28AM -0400, Brian Sniffen wrote:
> Ted Lemon <mellon@fugue.com> writes:
> 
> > On Jul 23, 2017, at 9:01 PM, Blumenthal, Uri - 0553 - MITLL <uri@ll.mit.edu> wrote:
> >> What I am trying to avoid is the ability to *surreptitiously* subvert a protocol that’s assumed to be secure.
> >
> > You don't seem to be hearing what I'm trying to say.   What you are
> > proposing is physically impossible.
> 
> Is it?  I could imagine making the server ECDH share dependent on the
> client ECDH share, plus a local random value.  At the end of the
> session, the server discloses that random value, showing that it
> properly constructed a fresh ECDH share.

I do not think this works. As a blatant example, have server generate
the ServerRandom and then the ECDH seed using Dual-EC-DRBG...

The ECDH share will then change every connection and there is a
seed to demonstrate, but the connections can still be decrypted by who
controls the Dua-EC-DRBG backdoor key.

Yes, Dual-EC-DRBG is quite crappy with sizable biases, but discovering
those would take way too many connections. And there are similar
methods that have much much smaller biases.


Basically, if implementation wants to be secretly evil, it can be
secretly evil, and there is nothing you can do to discover it remotely.

Bad implementations are a separate problem. E.g., repeating the same
DH share for a long time because there is no key rotation. That sort
of behavior is pretty blatant if one monitors the DH shares used.


-Ilari

v2.23.0 | Report a Bug | By Email