Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Tim Hollebeek <tim.hollebeek@digicert.com> Fri, 15 December 2017 19:14 UTC

From: Tim Hollebeek <tim.hollebeek@digicert.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Andrei Popov <Andrei.Popov@microsoft.com>
CC: "tls@ietf.org" <tls@ietf.org>
Date: Fri, 15 Dec 2017 19:14:00 +0000
Message-ID: <DM5PR14MB1289FA656DB8D87DCA0B355F830B0@DM5PR14MB1289.namprd14.prod.outlook.com>
In-Reply-To: <20171215184951.GB17780@LK-Perkele-VII>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bQP9aumzz27aJxA82-qJyUVTxhU>

So, this has been discussed extensively at the CA/Browser forum, for obvious
reasons.

In my mind, it is not so important to identify and define and implement an
alternative hash.

What *is* important is that the protocol and associated software are able to
support a smooth transition period where people are moving from one
algorithm to another.

Ideally, you'd want certificates to be able to have two signatures during
the transition period, in order to support clients who have transitioned and
those who have not.  Unfortunately RFC 5280 is deficient in that regard.
Hosting multiple certificates and switching based on the client is feasible,
but requires some technical wizardry and isn't possible in all situations.

A lot of these transitions are painful because with the way things currently
work, algorithms have to reach near ubiquity before the transition can begin
(the popularity of Windows XP was a huge problem).

The transition will happen at different rates for various industries and use
cases that have different security requirements, so everyone needs to be
able to move at a pace that makes sense for their needs.  It needs to be
carefully coordinated, and yes, transitions will take years.  The current
maximum certificate lifetime is a compromise between the speed at which
changes can be made, and the pain imposed by replacement, which largely
still isn't automated.  I know people are working to improve that, but we
are where we are.

-Tim
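Tim's point that hosting several certificates and switching on the client is feasible but takes some wizardry comes down to one selection step in the handshake. The following Python is an added example, not code from the thread or from any of the implementations mentioned: it decodes the client's TLS signature_algorithms extension (real SignatureScheme code points from RFC 8446) and picks between a SHA-256-signed chain and a legacy SHA-1-signed chain; the chain file names are placeholders and the extension bytes in the demo are constructed.

```python
import struct
from typing import List, Optional

# Real SignatureScheme code points (RFC 8446, section 4.2.3).
RSA_PKCS1_SHA1 = 0x0201
RSA_PKCS1_SHA256 = 0x0401

# Hypothetical hosted chains, most preferred first. Each is tagged with
# the scheme the issuing CA used to sign it; the file names are placeholders.
HOSTED_CHAINS = [
    ("chain-sha256.pem", RSA_PKCS1_SHA256),  # post-transition chain
    ("chain-sha1.pem", RSA_PKCS1_SHA1),      # legacy chain
]


def parse_signature_algorithms(ext_body: bytes) -> List[int]:
    """Decode the extension body: a 2-byte length, then u16 code points."""
    if len(ext_body) < 2:
        raise ValueError("truncated signature_algorithms extension")
    (length,) = struct.unpack("!H", ext_body[:2])
    if length == 0 or length % 2 or len(ext_body) != 2 + length:
        raise ValueError("bad signature_algorithms length")
    return list(struct.unpack("!%dH" % (length // 2), ext_body[2:]))


def select_chain(ext_body: Optional[bytes]) -> str:
    """Return the most preferred hosted chain the client says it accepts.

    A client that omits the extension is treated as {sha1, rsa}, which is
    what RFC 5246 section 7.4.1.4.1 requires for RSA key exchanges, so it
    gets the legacy chain. A client that lists neither scheme gets the
    server's default (most preferred) chain, as RFC 5246 section 7.4.2
    says a server SHOULD do when no hosted chain fits.
    """
    if ext_body is None:
        client_schemes = {RSA_PKCS1_SHA1}
    else:
        client_schemes = set(parse_signature_algorithms(ext_body))
    for name, scheme in HOSTED_CHAINS:
        if scheme in client_schemes:
            return name
    return HOSTED_CHAINS[0][0]


if __name__ == "__main__":
    # Constructed extension bodies: a modern client offering
    # rsa_pss_rsae_sha256 and rsa_pkcs1_sha256, then a legacy SHA-1-only one.
    print(select_chain(b"\x00\x04\x08\x04\x04\x01"))  # chain-sha256.pem
    print(select_chain(b"\x00\x02\x02\x01"))          # chain-sha1.pem
    print(select_chain(None))                         # chain-sha1.pem
```

The same selection can be keyed on the chain's leaf key type as well, but the transition problem Tim describes is only about the issuer's signature hash, so that is all this example checks.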

> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Ilari Liusvaara
> Sent: Friday, December 15, 2017 11:50 AM
> To: Andrei Popov <Andrei.Popov@microsoft.com>
> Cc: tls@ietf.org
> Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in
> general, and what we can do in TLS
> 
> On Fri, Dec 15, 2017 at 06:41:06PM +0000, Andrei Popov wrote:
> > It's true, the migration will be slow, but IMHO it still makes sense
> > to define and implement an alternative hash.
> 
> Agreed. However, on certificates front, we need a method to perform
> backward-compatible algorithm transition. Because non-backward-compatible
> ones are just too hard. As we have seen _twice_.
> 
> On TLS handshake hashes, the transitions are already backward-compatible.
> But that does not mean the transition will be easy.
> 
> -Ilari