Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Colm MacCárthaigh <colm@allcosts.net> Fri, 15 December 2017 00:46 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 33473126C3D for <tls@ietfa.amsl.com>; Thu, 14 Dec 2017 16:46:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mTncS9jF-ri2 for <tls@ietfa.amsl.com>; Thu, 14 Dec 2017 16:45:58 -0800 (PST)
Received: from mail-yb0-x234.google.com (mail-yb0-x234.google.com [IPv6:2607:f8b0:4002:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7E7A1200F3 for <tls@ietf.org>; Thu, 14 Dec 2017 16:45:58 -0800 (PST)
Received: by mail-yb0-x234.google.com with SMTP id z11so4946074ybm.1 for <tls@ietf.org>; Thu, 14 Dec 2017 16:45:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=jL79D8vsy2w9ljXAZSE4RqJbszIEOlQOkWqQljDQAMQ=; b=gMUt2t0uOTZy4w4ZZjytHL+Sloyz8QtPGkItlH1Q4zBBqAk9YWZ2kITM53dMAPRU7r /duuje9va21BMp//4Ts+zzTTwD3pvfH0lzrr/v/Dn3CpUMh521W8Jy94MlJ9fdmdEraR RCyP7/JMFNoKiHJ/RXLTd5yDcJT5v+VXD05Fvdrn7q2M6m3fFrElPgV10ECCexwD0cdy LV71LBgEpfIg5hvKjvlCO2MsuZ11h6g4xB3YBPCDBPTe6e11INNV3YcKB5W0ED/dfCNC Xvhqt6D2uRfQYnw7SJLZW1L2CGl8wKRZMIZIQt3NjVEQdTPgVEXLgdK0j8MOL3jWORGi HLsg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=jL79D8vsy2w9ljXAZSE4RqJbszIEOlQOkWqQljDQAMQ=; b=UvsNgr84kqQX5Oa5++Olw1q7/RTRGKiw1LUR+gw18uCCaKa6ZE5Dh5pGDfH0pOhP/1 62xzxZVM/PHDCyY33aT6kXiHXJPF5xtzOhSj0w0zn+m8mQcK58LDhtccvFHcfcd1f0+T 1/7i7QXwkzwtSF0zjDZ+YSFNaavXU5++ok+z0WLzfp0n2o0de2ktRTFGPiva1KIl6Zxq WDLypGFhkiRJkWvng1T5uIoe6v/NpC+h+qZefqdjMn5o5F527CBMr3JPRrmStfjy5h9W 5IRx6D2M0M+vq/2HW5u1brvZJYZK8ez6xFR3chY86hZHb2n8hD5n5FG8vJMcLeAz19bP v2DA==
X-Gm-Message-State: AKGB3mJ/cYwXUQwwjFdjSybkAg42Y51f7BH4DHqlafPsLE1TJJ2GrApb zUMmnHBNMQXuLh+t6UifGSKwCOvq0HRFPNZ4CX+EoQ==
X-Google-Smtp-Source: ACJfBosGyOFOt0UqhzmRA0QIl89G7h2qvcJ+M1rpbW7me+a6GtKi2MwAg8BVG7kSZA8coFZxcKc5JmYrOFuiVwmO1Lk=
X-Received: by 10.37.89.68 with SMTP id n65mr5704610ybb.168.1513298757842; Thu, 14 Dec 2017 16:45:57 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.50.70 with HTTP; Thu, 14 Dec 2017 16:45:57 -0800 (PST)
In-Reply-To: <CACsn0cmMbbT1iAfmxnXHe00dNiqBMyoNkk7e2CyTKWrcdRTtcQ@mail.gmail.com>
References: <CAAF6GDeeo2xjv1Xu7SFXVZ_zM=XUVJHT=eqH4_-G3+4UHsfvgg@mail.gmail.com> <CACsn0cmMbbT1iAfmxnXHe00dNiqBMyoNkk7e2CyTKWrcdRTtcQ@mail.gmail.com>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <colm@allcosts.net>
Date: Thu, 14 Dec 2017 16:45:57 -0800
Message-ID: <CAAF6GDf+GxToBAN83O3NtLO4zJ-8Qax8KjMCGhXv_EhY+NDsKg@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1140f874e688d205605652e9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jsPkFa6xRcQA2fBQ2y5Dan0xR5M>
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2017 00:46:00 -0000

Bringing this back to TLS-WG territory. Deprecating algorithms is hard work
and can take a long time. Having been through MD5, RC4, 3DES, SHA1
deprecations and CBC de-prioritisations, it was a lot of work and network
effects work against rapid changes.

What else could we be doing here? One option might be to say that
implementations should aways maintain at least two active algorithms for
everything, both used with some frequency, and hence both likely to be
optimized, the goal being to be able to turn off one at a moments notice
with no availability or performance impact.

But what would that look like? What would we do now, in advance, to make it
easy to turn off AES? For example.


On Thu, Dec 14, 2017 at 2:58 PM, Watson Ladd <watsonbladd@gmail.com>; wrote:

> Let's not forget defense 0: migrating away from broken algorithms
> (which means turning them off). The fact that we didn't switch MTI
> away from RSA encryption in TLS 1.1 after these attacks were
> disclosed, or even in TLS 1.2, means that we've got a very long time
> before some sites can turn off these algorithms. Given that some
> places can't turn off SSL v3, it's not clear we can ever turn off a
> widely implemented protocol.
>
> Sincerely,
> Watson Ladd
>



-- 
Colm