IETF Logo Mail Archive

Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 11 February 2021 02:40 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C4573A0F47 for <tls@ietfa.amsl.com>; Wed, 10 Feb 2021 18:40:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JB3HNoLj-PZS for <tls@ietfa.amsl.com>; Wed, 10 Feb 2021 18:40:54 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0DD803A0E06 for <tls@ietf.org>; Wed, 10 Feb 2021 18:40:53 -0800 (PST)
Received: from [192.168.1.177] (unknown [192.168.1.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by straasha.imrryr.org (Postfix) with ESMTPSA id 1CC0C1A5D10 for <tls@ietf.org>; Wed, 10 Feb 2021 21:40:52 -0500 (EST)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <DM5PR2201MB1643298487B0234F0FE7820A998C9@DM5PR2201MB1643.namprd22.prod.outlook.com>
Date: Thu, 11 Feb 2021 00:40:51 -0200
Content-Transfer-Encoding: quoted-printable
Reply-To: IETF TLS WG <tls@ietf.org>
Message-Id: <D71EB884-51C0-4A10-AAE1-903037D92CA4@dukhovni.org>
References: <378F0459-19FB-4A38-83E0-85024AF42237@ericsson.com> <9926f2a8-bcd8-b478-adfe-c800eb7d745d@cs.tcd.ie> <DM5PR2201MB1643A7717E7E9EA39EE71AA0998D9@DM5PR2201MB1643.namprd22.prod.outlook.com> <57d243b8-ccf3-80e2-eb0a-4692609b4eb6@cs.tcd.ie> <DM5PR2201MB1643298487B0234F0FE7820A998C9@DM5PR2201MB1643.namprd22.prod.outlook.com>
To: IETF TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bSFIfi5BLWF2CUjlRD4etM3tqTo>
Subject: Re: [TLS] EXTERNAL: TLS 1.3 Authentication and Integrity only Cipher Suites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Feb 2021 02:40:56 -0000

> On Feb 10, 2021, at 11:57 PM, Jack Visoky <jmvisoky=40ra.rockwell.com@dmarc.ietf.org> wrote:
> 
> I would just like to recognize that there are some situations where it isn't needed.

One classic case where Postfix supports TLS 1.[0-2] NULL ciphers
is loopback TLS (process to process communication via [127.0.0.1]
or a unix-domain socket).  Here, one would generally not use TLS
at all, but it can be useful for client authentication.

The use-case is far from common, and encrypting anyway is typically
a viable alternative, but there is a sound case that encryption adds
little value, if you can capture the traffic on [127.0.0.1] you can
also capture the same content prior to encryption (just trace the
sending process reading cleartext data from disk, or the receiving
process writing it to disk).

I am not saying there is or is not a compelling case for NULL ciphers,
but just noting a use-case where encryption does not add much value.

Performance-wise, indeed on many a CPU AESGCM is cheaper than SHA2.
So turning off encryption is not always a performance win.  It rather
depends...

If client and server conditionally support NULL ciphers in a debugging
configuration, one might also be able to debug some TLS-related problems
that are otherwise difficult to debug.  This too is a rare situation, and
comes with a risk of accidental misuse.

There is merit in keeping the combinatorial complexity of TLS 1.3
as small as possible, reducing implementation attack surface, ...

The key question, that is difficult to answer is whether the right
balance is adequately accomplished with "N" in the recommended column,
with most implementations then either not supporting said ciphersuites
at all, or disabling them by default.  If so, perhaps some specialised
implementations could use them appropriately.  On the other hand the
"specialised" applications might get used outside their originally
intended use-cases, in ways the designers never anticipated.

Do we leave the choice to use TLS wisely to the developers and users,
or we judge that misuse is inevitable, and the use-case not sufficiently
compelling?  I am somewhat inclined to do the latter.  Despite the fact
that'd I'd otherwise be inclined to argue for anonDH ciphers, which have
reasonable applications in unauthenticated opportunistic TLS, where any
presented certificates are just ignored bloat that increase the attack
surface.  I would have liked to see support for these retained in TLS 1.3,
but accept their omission as a legitimate tradeoff.  If NULL ciphers are
added (which IMHO are the greater risk), then perhaps I'd have a good
case to make to have anonDH/anonECDH ciphers re-introduced...

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email