IETF Logo Mail Archive

Re: [TLS] Getting started, clock not set yet

Kyle Rose <krose@krose.org> Mon, 15 August 2022 12:54 UTC

Return-Path: <krose@krose.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 446F9C1524A5 for <tls@ietfa.amsl.com>; Mon, 15 Aug 2022 05:54:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JDoSJOwT5miR for <tls@ietfa.amsl.com>; Mon, 15 Aug 2022 05:54:22 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 188E2C14F73D for <tls@ietf.org>; Mon, 15 Aug 2022 05:54:21 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id y13so13318562ejp.13 for <tls@ietf.org>; Mon, 15 Aug 2022 05:54:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=pWnuET1xQjc4zs6sd9MXksXxin6SiyJwuhT6DQjM3xo=; b=X3i2hSdXDDfPuKVddHL3+sTlJQtJwlRqsIVWKOkJkJtZ7XjXqAb2rMiV5cUD7Tq7dj qe0eqHncw3nl4UMHDnULjjdUl0HNQPYwcx+QpGvWfGRabKPlDPyU03PhY2lA/FXZ5HwC VYB6qyM20ugJL1DbPJxxpyOYMpUkts/NYmD2I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=pWnuET1xQjc4zs6sd9MXksXxin6SiyJwuhT6DQjM3xo=; b=HXWzYFw3ebaWQsE+6/Oh364xRyNDWSdLcAwTFtQIQdAMMWkOH+rX9Kl/uzBkmp45HD PffjThOqFQKUyibNv4+ly7RHiJZlHsEj1fYYyXLv7dk/tizXZBKo6oOfwyTMF0bsM/qZ 5UxGc8csEp6SxU02hovVkIM6y7pWKmGtLO+Opv8OR1ezr+RFNMY7LcOlAkRnBUmQf+8B 0ALK0j1ekT3DlUtBtH7z9IjWXRr0quqtSYg4Oa1ETxDHhHiicOcrFZiHopTCup3vpvNc riPG/FOk1yK24MpoQRiOSTuxJPGJvN6hQcwwUCydyC1ub2Q0sjaQuk0BTfxq0+3DVBWx cB9g==
X-Gm-Message-State: ACgBeo2CFIcEyAp0qQyNNC/JZDmKrG2LL79L7oOk1pxeebjdodQVJHKO 9pjrBQwCBIOm6q6T6ErbdReJHxnquFGh6+MzqvXFAP6hsKM=
X-Google-Smtp-Source: AA6agR42hZUPBw1RbnfbXR1C5OAq89qO5mmbwDvlqL4uahflyvHCbKjFnQ74fIapwSIqufGo5znyTIY/gdDsVJLYico=
X-Received: by 2002:a17:907:2d0f:b0:731:87d0:13aa with SMTP id gs15-20020a1709072d0f00b0073187d013aamr10931643ejc.142.1660568059327; Mon, 15 Aug 2022 05:54:19 -0700 (PDT)
MIME-Version: 1.0
References: <krose@krose.org> <CAJU8_nWC+GRZFm02trAgB_bmUfkNF9bMfUHenVRNojydzi1NNw@mail.gmail.com> <20220814212506.A6A1A28C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
In-Reply-To: <20220814212506.A6A1A28C1CA@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
From: Kyle Rose <krose@krose.org>
Date: Mon, 15 Aug 2022 08:54:08 -0400
Message-ID: <CAJU8_nUZCR3ihGBj101n8zd6e9+nqFR0NW=u6EgpqDwKX+=aUg@mail.gmail.com>
To: Hal Murray <halmurray+tls@sonic.net>
Cc: tls@ietf.org
Content-Type: multipart/alternative; boundary="0000000000004d536f05e6472187"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bErHX2ujd29dxPphK4jPW2ZN-es>
Subject: Re: [TLS] Getting started, clock not set yet
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Aug 2022 12:54:26 -0000

On Sun, Aug 14, 2022 at 5:25 PM Hal Murray <halmurray+tls@sonic.net> wrote:

> Thanks.
>
> > It's been a few years, but IIRC my thinking was that the degree of trust
> > required in the Roughtime servers' long-term public keys is very low:
> you're
> > trusting them only for one server's assertion of the current time, not
> for
> > general web traffic; and if you ask enough servers, the likelihood of
> being
> > tricked into trusting a bad timestamp is very low even over long time
> > periods.
>
> I've been assuming self-signed certificates with long lifetimes -- one per
> server.
>

It's a testament to how certificate infrastructure has evolved that one
year is now considered "long lived". :-) I was responding to an earlier
hypothetical about a device sitting on a shelf for ten years, and trying to
figure out how one could bootstrap the PKI after that time without explicit
intervention. I'm starting to think I was trying too hard to address a
(possibly contrived) edge case that really deserves a simpler solution:
manual re-bootstrapping.

> In other words, much of the security of the scheme is in the practical
> > difficulty of mounting a successful attack even if the keys have been
> > compromised. NTS doesn't even attempt to address this kind of attack
> vector.
>
> Is there a first order difference between NTS using self signed
> certificates
> and Roughtime?
>

Miroslav's answer is probably the right one: Roughtime gives you the
ability not only to detect bad timestamps but to prove it to others. Upon
reflection, that doesn't seem especially useful in this context because
you're already talking about devices that have appeared out of nowhere
after a long period of inactivity.

There have been semi-endless debates about how many NTP servers to use.  (I
> haven't seen one recently.)  With 3 servers, 2 can outvote 1 bad guy. With
> 4
> servers, you still have 3 if one is down.  ...  Adding security
> complicates
> that discussion.  You have to add deliberate malfeasance to the list of
> things
> that can go wrong.  And things can change over 10 years.
>
> Are there any good papers or web pages discussing the security of TLS?
>

Did you mean NTP here? The security of TLS has been discussed far and wide.
:-)

One quirk on my 10 year problem.  If the boxes are sitting on a shelf, it's
> at
> least possible to open them up and update firmware.  It would be
> expensive,
> but it is another branch of the cost-benefit tree.
>

And this was my first bit of advice to Peter: if it's out of service that
long, it probably has known vulnerabilities, so you should probably upgrade
the firmware before reattaching it to a network or it's likely to get
pwn3d. That firmware update would come with updated CAs, and a notion of
the current time (to bootstrap the first TLS handshakes, after which
trusted sources can provide updated timestamps) if the device has no RTC of
its own.

I wish I had some more context for this area of embedded devices. For
example:

 * Why is an RTC more expensive (along whatever axis you choose) than a NIC
(wifi or ethernet)?
 * What classes of devices would reasonably sit on a shelf for ten years
and subsequently prove useful without being updated?
 * If it's been sitting on a shelf for ten years, why is reattaching it to
the network easy, while plugging it into an upgrade klosk first and *then*
reattaching it to the network is hard?

After this thread, I'm now trying to figure out why this whole endeavor
isn't contrived.

Kyle

v2.23.0 | Report a Bug | By Email