Re: [TLS] chairs - please shutdown wiretapping discussion...

Ted Lemon <mellon@fugue.com> Tue, 11 July 2017 13:11 UTC

To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hU8C-SvhcbkhccHAOFKlXjxBm-o>

What the draft actually says is that you can install a fixed key on the server rather than generating new keys every time, and then that fixed key can also be installed on monitoring software. This is, I believe, the actual intended use of the proposal.

It’s also true that you can just exfiltrate every key as it’s generated, but that’s not what’s being proposed and would not, I think, suit the needs of the operators who are making this proposal.

I don’t see how you could mitigate against deliberate key exfiltration. At some point you really are relying on the security of the endpoint. But being able to detect repeated keys is useful for preventing pervasive monitoring: it requires the monitor either to have access to the key generation stream in real time, or to request the key for a particular conversation.

So I think there is some value in defending against this attack.  I look forward to seeing a defense that uses perfect forward secrecy and protects against key exfiltration.
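
The repeated-key detection discussed in this message, as an added example that is not part of the original message or of the draft: it reads the server's key_share out of a TLS 1.3 ServerHello and reports when the same share was already seen for that server. The function names, the server name `server.example`, the connection ids and the sample ServerHello bytes are all constructed for illustration.

```python
import hashlib
import struct

KEY_SHARE = 51  # key_share extension type in TLS 1.3 (RFC 8446)

def server_key_share(server_hello: bytes):
    """Return (named_group, key_exchange) from a ServerHello handshake message."""
    if len(server_hello) < 4 or server_hello[0] != 2:
        raise ValueError("not a ServerHello")
    body = server_hello[4:4 + int.from_bytes(server_hello[1:4], "big")]
    try:
        pos = 2 + 32                  # legacy_version, random
        pos += 1 + body[pos]          # legacy_session_id_echo
        pos += 2 + 1                  # cipher_suite, legacy_compression_method
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= min(end, len(body)):
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == KEY_SHARE:
                if ext_len < 4:       # a HelloRetryRequest carries only the group
                    raise ValueError("key_share without a key")
                group, klen = struct.unpack_from("!HH", body, pos)
                key = body[pos + 4:pos + 4 + klen]
                if len(key) != klen:
                    raise ValueError("truncated key_share")
                return group, key
            pos += ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ServerHello") from None
    raise ValueError("no key_share extension")

def observe(seen: dict, server: str, conn_id: str, server_hello: bytes):
    """Record this share; return the earlier connection id if it is a repeat."""
    group, key = server_key_share(server_hello)
    fp = hashlib.sha256(group.to_bytes(2, "big") + key).hexdigest()
    first = seen.setdefault((server, fp), conn_id)
    return None if first == conn_id else first

def build_server_hello(key: bytes, group: int = 0x001D) -> bytes:
    # Constructed sample input: minimal ServerHello with supported_versions + key_share.
    ks = struct.pack("!HH", group, len(key)) + key
    exts = struct.pack("!HH", 43, 2) + b"\x03\x04" + struct.pack("!HH", KEY_SHARE, len(ks)) + ks
    body = b"\x03\x03" + bytes(32) + b"\x00\x13\x01\x00" + struct.pack("!H", len(exts)) + exts
    return b"\x02" + len(body).to_bytes(3, "big") + body

def demo():
    seen, fixed = {}, bytes(range(32))  # 'fixed' stands in for a static server key
    keys = [("c1", hashlib.sha256(b"c1").digest()), ("c2", fixed),
            ("c3", hashlib.sha256(b"c3").digest()), ("c4", fixed)]
    return [(c, observe(seen, "server.example", c, build_server_hello(k))) for c, k in keys]
```

A single client only sees its own connections, so the `seen` table is most useful when observations for the same server are kept across many connections.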