IETF Logo Mail Archive

Re: [TLS] SAS extension?

"Dan Wing" <dwing@cisco.com> Tue, 05 August 2008 17:07 UTC

Return-Path: <tls-bounces@ietf.org>
X-Original-To: tls-archive@ietf.org
Delivered-To: ietfarch-tls-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D15803A68BF; Tue, 5 Aug 2008 10:07:01 -0700 (PDT)
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7E3F73A68DC for <tls@core3.amsl.com>; Tue, 5 Aug 2008 10:07:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.579
X-Spam-Level:
X-Spam-Status: No, score=-6.579 tagged_above=-999 required=5 tests=[AWL=0.020, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Irxotr+svbgg for <tls@core3.amsl.com>; Tue, 5 Aug 2008 10:06:59 -0700 (PDT)
Received: from sj-iport-2.cisco.com (sj-iport-2.cisco.com [171.71.176.71]) by core3.amsl.com (Postfix) with ESMTP id 374E13A68BF for <tls@ietf.org>; Tue, 5 Aug 2008 10:06:59 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="4.31,311,1215388800"; d="scan'208";a="72348075"
Received: from sj-dkim-3.cisco.com ([171.71.179.195]) by sj-iport-2.cisco.com with ESMTP; 05 Aug 2008 17:07:30 +0000
Received: from sj-core-5.cisco.com (sj-core-5.cisco.com [171.71.177.238]) by sj-dkim-3.cisco.com (8.12.11/8.12.11) with ESMTP id m75H7Uj6011519; Tue, 5 Aug 2008 10:07:30 -0700
Received: from dwingwxp01 ([10.32.240.194]) by sj-core-5.cisco.com (8.13.8/8.13.8) with ESMTP id m75H7TNG015361; Tue, 5 Aug 2008 17:07:29 GMT
From: Dan Wing <dwing@cisco.com>
To: 'Peter Saint-Andre' <stpeter@stpeter.im>
References: <038301c8f712$1b4c33f0$c2f0200a@cisco.com> <48988666.8020405@stpeter.im>
Date: Tue, 05 Aug 2008 10:07:29 -0700
Message-ID: <052f01c8f71d$be2fe020$c2f0200a@cisco.com>
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook 11
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
In-Reply-To: <48988666.8020405@stpeter.im>
thread-index: Acj3HFUp3SlMhetQTmK7uDzoIkfYaQAAME5w
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=5113; t=1217956050; x=1218820050; c=relaxed/simple; s=sjdkim3002; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=dwing@cisco.com; z=From:=20=22Dan=20Wing=22=20<dwing@cisco.com> |Subject:=20RE=3A=20[TLS]=20SAS=20extension? |Sender:=20; bh=NsLaxTQJ8TDhBlP+xvxmm6gmMPPWT1nOhZxtzPeEjzU=; b=BPZEcO4FqaRZ+IGkDKc2GmDfa4KNRsg6mVwNyrG3EBOJs7f0D+XomN39Wr 5M9xKW7fwzp1HnCuxHpVTvfuZnwq4YDX+/qoUWY8LPb4rQqa7pEHebnuKNO4 S9e0fsEWm4;
Authentication-Results: sj-dkim-3; header.From=dwing@cisco.com; dkim=pass ( sig from cisco.com/sjdkim3002 verified; );
Cc: tls@ietf.org
Subject: Re: [TLS] SAS extension?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: tls-bounces@ietf.org
Errors-To: tls-bounces@ietf.org

> Dan Wing wrote:
> > Peter Saint-Andre wrote:
> > 
> >> In the XMPP community we are defining a way to use TLS for
> >> end-to-end encryption. We'd love to use short authentication
> >> strings (SAS) for identity verification. As far as I can see no one
> >> has worked on a TLS extension for SAS. Is there interest in doing
> >> so? I'd be happy to help write an I-D on this topic, but I'm not a
> >> TLS or security expert so it might not be appropriate for me to
> >> lead the effort.
> > 
> > Yes, I'm interested in this, primarily from the perspective of
> > DTLS-SRTP.  Such a scheme could be helpful as an out-of-band
> > validator of end-to-end identity in the presence of SBCs which 
> > destroy signature scheme (RFC4474).  There have been active
> > discussions on SIP about this for over a year, but no forward 
> > progress.
> 
> Oh gosh, I don't know that I want to venture down the SIP 
> Identity rat hole. :) 

heh.

> But yes I suppose SAS could be helpful there. 
> And if building a SAS extension for TLS will help solve interesting 
> problems for both SIP and XMPP technologies, that's a good thing.

Yep.

> > In another message, Peter Saint-Andre wrote:
> > 
> >> The more I read about SAS, the more I wonder about applicability, 
> >> too.
> >>
> >> In the XMPP community we have worked on a technology for end-to-end
> >> encryption of messaging sessions (a.k.a. encryption sessions, see
> >> [1]), and it has a SAS feature, but it's not clear to me if that
> >> feature is well-specified with regard to the channel in which the
> >> SAS could be communicated (we can't use the XMPP channel, because
> >> we're trying to bootstrap that channel). In any case we have now
> >> begun investigating more seriously the use TLS for end-to-end
> >> encryption of XMPP traffic, both in the link-local case and over
> >> the typical XMPP client-server architecture (see [2], [3], and
> >> [4]). Those developers who have implemented the encrypted sessions
> >> technology think its SAS feature is nifty and would like to have
> >> that feature in the TLS-based technology as well. But as you say,
> >> the SAS would need to be communicated at least via a different
> >> channel and preferably via a trustworthy channel. Developers seem
> >> to think that communicating it via PSTN is sufficient, but doing so
> >> would mean only that an attacker would need to control two
> >> channels, not that the second channel is trustworthy. So we need to
> >> research what might function as a trustworthy channel (e.g.,
> >> encrypted email).
> >>
> >> Whether Aunt Tillie would even check the SAS (or any other
> >> credential) properly is another matter, but that's a separate
> >> topic...
> > 
> > That inability to audit is a significant hurdle for commercial
> > deployment, of course.  The problem isn't just Aunt Tillie, it
> > is the "busy" CxO who can't be bothered to verify they are
> > really talking to accounting versus talking to a social engineer
> > that wants to turn a profit prior to the release of a company's 
> > end-of-quarter financial results.  Similar risks exist with 
> > drug researchers or any other portion of a company that deals
> > with sensitive information or the company's intellectual 
> > property.
> 
> Well, I tend to think that people who can't be bothered to learn at 
> least a little bit about security don't deserve to have secured 
> communications. I realize that's a bit harsh, but so be it.

Internal auditors, HIPAA, SEC regulations, and Sarbanes-Oxley
all prefer auditable systems -- not systems that rely on humans
to remember something.

> >> [1] http://www.xmpp.org/extensions/xep-0116.html
> >> [2] http://www.xmpp.org/extensions/xep-0246.html
> >> [3] http://www.xmpp.org/extensions/xep-0174.html
> >> [4] http://www.xmpp.org/extensions/xep-0247.html
> > 
> > An approach that some SIP folks considered for end-to-end TLS is
> > to re-use HTTP's CONNECT (which is how you proxy HTTPS through
> > an HTTPS proxy).  This might also be helpful for XMPP.  The SIP 
> > approach is described in 
> > http://tools.ietf.org/html/draft-gurbani-sip-sipsec-01 
> > (now expired).
> 
> Yes, that might work for SIP -- I'm not competent to judge. 
> For XMPP, we 
> already use TLS for client-to-server streams, 
> server-to-server streams, 
> and direct client-to-client streams in the link-local case. 

That is very similar to SIP.

> So re-using TLS for end-to-end connections (via a reliable 
> transport such as a 
> direct TCP connection negotiated via ICE-TCP, a mediated 
> bytestream, or 
> even XMPP itself) makes a lot of sense for our developer 
> community.

Are you trying to secure the data connection between the XMPP
peers, or trying to secure XMPP signaling between XMPP peers
that have successfully rendezvoused via XMPP?

(SIPSEC does the latter.)

> Join 
> the security@xmpp.org list if you're interested in discussing 
> the topic:
> 
> http://mail.jabber.org/mailman/listinfo/security

Thanks,
-d


> Peter
> 

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email