Re: [TLS] network-based security solution use cases

Eric Rescorla <ekr@rtfm.com> Mon, 06 November 2017 17:44 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A109913FBA8 for <tls@ietfa.amsl.com>; Mon, 6 Nov 2017 09:44:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KWkm-zfGdHks for <tls@ietfa.amsl.com>; Mon, 6 Nov 2017 09:44:34 -0800 (PST)
Received: from mail-yw0-x235.google.com (mail-yw0-x235.google.com [IPv6:2607:f8b0:4002:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DFB313FAF7 for <tls@ietf.org>; Mon, 6 Nov 2017 09:44:34 -0800 (PST)
Received: by mail-yw0-x235.google.com with SMTP id i196so537656ywc.2 for <tls@ietf.org>; Mon, 06 Nov 2017 09:44:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ovkEDSdltTnfsRd50HePFBRYPhp1aQ20h+QHsTh3h/Q=; b=JbWqJfxAUijN9yeDHUFi+5+9bn0IGQK0VuW61zgS9b0xPc637M/qdAcAhEIgI8D8C/ vUJRrmHvgbmtBUyJ3JR/354KwfAAnmCvhMxWY5dXeDJUj5ieIVM/ijLHlVDA8g7Euzdx PBOFV039PnYtOV8RAIHNulPiU9MSL9MKb4efX+FyG7ZxK9YQjihnwSe6IpdB7YSC2UXO NTnkJQM0UdgNn9ufxn3Eq9qpy0gk6LjjqPzHCvWsSCWPVxboOo7WOLuq2E21VdjxPJkz PyczvpZcUoBaL+B7FP42C+My6zDymKeUbdirKbmK96uoO0zMRK8Ex3DEqWKS9VtO4UQJ 68tg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ovkEDSdltTnfsRd50HePFBRYPhp1aQ20h+QHsTh3h/Q=; b=uBS9Zhic1Df5isLBzmux5BYKvqGOFUsYL2hJacgd9+G48htfqFVHbJRgPsCDDOaWye /VEw68vuMJUDue15L5EdeCtHtpkiFXE4oUzHqwEX9KF6Knd9OaQuMsNU7mBhKyc6HQOK 7fjxO1wuMtjkJsRshUEUhazZ/mbUubGHdHDXvbybd0j08oZDxNlJUVjdTi+sGVflsauN waPWX8QBTlj++lJ6ZYKdshqo+THCcTODeXiEzlvkyCWCOaW92ZIZUoyENMTB/ukTEEaP ZfiB4klzoM5NHJibS56j+2OHiqWTLHFhuxxdN+pa26kXNypeJLv+UMdkPfEqkZH3d39l zX8Q==
X-Gm-Message-State: AMCzsaWRiCxdmuRGA/54WEK7jm4Of1Hcg2iZyAG3Wn7u/oy6BZfAtQoh NZPw8YgOB4GF+OfrlrXAd1DPRY+/4ykmLE5BpEBPcw==
X-Google-Smtp-Source: ABhQp+RTJUeTwqSoJYROT/bjE/awDFyn39hujOkke0zgq4kgAzqL3ilN4AZakrdJnsJ1BgzbbA4BI7goYjyes+RgFpQ=
X-Received: by 10.37.44.141 with SMTP id s135mr9681851ybs.400.1509990273251; Mon, 06 Nov 2017 09:44:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.61.12 with HTTP; Mon, 6 Nov 2017 09:43:52 -0800 (PST)
In-Reply-To: <895D1206-28D1-43AB-8A45-11DEEC86A71D@cisco.com>
References: <895D1206-28D1-43AB-8A45-11DEEC86A71D@cisco.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 6 Nov 2017 09:43:52 -0800
Message-ID: <CABcZeBMe42rUQdsxYV8MTt+3FBoMswmwQJqVEshtSO6GjLpBTg@mail.gmail.com>
To: "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11431c64da123f055d5401e6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jLDnCsOgx8Ojvr3-elxs_DlA0ac>
Subject: Re: [TLS] network-based security solution use cases
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2017 17:44:38 -0000

I took a look at this.

Without getting into the question of whether the types of middleboxes
you describe here provide a security benefit, there are several points
in the document that are either wrong or at least misleading/confusing.

- Key Synchronization
This document notes that in TLS 1.2, it is possible for a middlebox
that traffic keys match on both sides of the connection it is proxying,
but in TLS 1.3 it is not:

   There are several techniques that can be utilized.  Those techniques
   function with TLS 1.2 and earlier versions but not with TLS 1.3.

   One technique is for the middlebox to negotiate the same master
   secret with the original TLS client and server, as if the two
   endpoints handshake directly.  This is also known as "Triple
   Handshake" used by legitimate middleboxes.  [BreakTLS] describes the
   methods with RSA and DH key exchanges.  When the proxy session keys
   are the same as for a direct handshake, the middlebox is able to
   "cut-through" the two TLS proxy sessions when it finishes the
   security inspection.

   This technique is not functional with TLS 1.3 since the transcript
   hash over the handshake messages is part of the key derivation
   procedure.

First, I would note that this property of TLS 1.2 is bad, as it leads
to Unknown Key Share (UKS) attacks, which can be the basis of real
attacks on TLS 1.2 as fielded. It is for this reason that the TLS
WG published RFC 7627.

Second, this property is really only available with RSA. Although
it is possible for an attacker to synchronize DH keys by generating
bogus DH parameters, the technique described by Bhargavan et al
results in an insecure MS (i.e., the server's public DH share).
[See Section V-B of https://www.mitls.org/downloads/tlsauth.pdf]
Any middlebox doing this, therefore, has completely broken TLS
for the endpoints on both sides of it. Your document suggests
that people do use this technique: I sincerely hope not.

In short, this property of TLS 1.3 is really a property of the use
of (EC)DHE [0], the use of which is important for security even in TLS 1.2
(hence the rapid increase in the use of ECDHE and the corresponding
decline in static RSA). Even if TLS 1.3 were never deployed, the
continued use of static RSA is going to be come increasingly
nonviable.

Finally, you note several times in the document (e.g., S 4.5), that
with key synchronization, the middlebox can perform the handshake and
then disengage from the connection. However, the cases you mention
(e.g.., detecting exploit attempts) ultimately require examining
all traffic in the connection.


- PSK and resumption
You write:

   In TLS 1.3, the above mechanism is replaced by Pre-Shared Keys (PSK),
   which can be negotiated as part of an initial handshake and then used
   in a subsequent handshake to perform resumption using the PSK.  TLS
   1.3 states that the client SHOULD include a "key_share" extension to
   enable the server to decline resumption and fall back to a full
   handshake, however it is not an absolute requirement.

   Example scenarios that are impacted by this are middleboxes that were
   not part of the initial handshake, and hence do not know the PSK.  If
   the client does not include the "key_share" extension, the middlebox
   cannot force a fallback to the full handshake.  If the middlebox
   policy requires it to inspect the session, it will have to fail the
   connection instead.

In TLS 1.3, PSKs and session resumption are basically the same and
have the same properties. While I concede that the document does
not require the client to offer key_shares, as a practical matter
it is very unlikely that a client will act in such a way that
failure to retain the PSK causes a hard failure, for two reasons:

(a) In every version of TLS, the ticket lifetime is just a hint, and
    the server can forget it at any time
    (https://tlswg.github.io/tls13-spec/draft-ietf-tls-tls13.html#NSTMessage).
Thus,
    a client which does not allow a full handshake will often
    find itself unable to connect.

(b) The relevant question is not whether the client offers a key share
    extension but whether it advertises any DH groups. If the client sends
    a group but not a key share, the server can send HelloRetryRequest
    to force the client to send a key share.

For these reasons, as far as I know, every client (and at least every
browser client) should allow a full handshake even when trying to resume.


- Server Certificate Concealment
You note that in TLS 1.2 the middlebox can examine both the SNI and the
server's certificate in order to decide whether to MITM the connection,
but that in TLS 1.3, the middlebox cannot guarantee that the SNI in
uses is correct:

   In TLS 1.2, the ClientHello, ServerHello and Certificate messages are
   all sent in clear-text, however in TLS 1.3, the Certificate message
   is encrypted thereby hiding the server identity from any
   intermediary.  Note that even _if_ the SNI is provided (in cleartext)
   by the client, there is no guarantee that the actual server
   responding is the one indicated in the SNI from the client.

In this case, it's important to distinguish between conformant and
nonconformant clients. In the former case -- as when the user is
not attempting to evade inspection -- the SNI will reflect the
identity that the client expects and therefore will compare the
certificate against.

Of course, in the case where the client is attempting to evade
inspection, the certificate might not match. However, in this
scenario, the client and server are colluding and so there are
a variety of ways to avoid inspection, even when doing TLS 1.2.

For example:

1. The client and server can share a prearranged public key and then
negotiate static RSA. The client sends an innocuous SNI and the server
can simply send the certificate of the corresponding server, captured
by connecting to that server. The client then enciphers the PMS
under the server's prearranged key and continues with TLS as usual.
This cannot be detected by the middlebox without decrypting the EPMS.

2. If an (EC)DHE cipher suite must be negotiated, then the attack
described above does not work directly because the server's signature
over the ServerKeyExchange can be validated, and of course the
attacker server does not have the legitimate server's key. However,
the server can forward the ClientHello to the legitimate server,
capture the Certificate and ServerKeyExchange and the proxy those to
the client. This looks legitimate to the inspection device and then
the client can simply send the Encrypted PMS in the first chunk of
data that is apparently encrypted under the server's key.

For these reasons, being able to see the server's certificate provides
a false sense of security, as this check is easily bypassed.

-Ekr


[0] Note: the use of static DH is very rare.


On Fri, Nov 3, 2017 at 6:49 PM, Nancy Cam-Winget (ncamwing) <
ncamwing@cisco.com>; wrote:

> All,
>
>
>
> @IETF99, awareness was raised to some of the security WGs (thanks Kathleen
> ☺) that TLS 1.3 will obscure visibility currently afforded in TLS 1.2 and
> asked what the implications would be for the security solutions today.
> https://tools.ietf.org/html/draft-camwinget-tls-use-cases-00 is an
> initial draft to describe some of the impacts relating to current network
> security solutions.  The goal of the draft is NOT to propose any solution
> as a few have been proposed, but rather to raise awareness to how current
> network-based security solutions work today and their impact on them based
> on the current TLS 1.3 specification.
>
>
>
> Regards, Nancy, Flemming and Eric
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>