Re: [TLS] Technical comment on design draft-rhrd-tls-tls13-visibility-00: why also break integrity/authentication?
Richard Barnes <rlb@ipv.sx> Mon, 06 November 2017 03:38 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E175B13FAE2 for <tls@ietfa.amsl.com>; Sun, 5 Nov 2017 19:38:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OgoLiwrDgLAA for <tls@ietfa.amsl.com>; Sun, 5 Nov 2017 19:38:39 -0800 (PST)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3F27813FAD8 for <tls@ietf.org>; Sun, 5 Nov 2017 19:38:39 -0800 (PST)
Received: by mail-wm0-x22f.google.com with SMTP id r196so11361020wmf.2 for <tls@ietf.org>; Sun, 05 Nov 2017 19:38:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=A/0KzB0f3ceh1ytx+EQg1khgB04Gd64K1stVrweCiTs=; b=wNbM6ET5Es6Gi3fi7grnbpXnWK9jKrDArZ1En7gvGr0QS5Qo3UKWnEm62UDXjlYvft rNB6taQzgaoLzU70byLKwICvdDTiOUkD80W6ryGx8dRg3mc/IMJaxqCPKBTY3KSZAPVv DCT9bMLZt2OvW3IPvOUgpjytB6QsgG5ZGPHQwrjirHrIjdaCrmrAUAQIn6istwqv78hi uPkN3qfE3NHSXScqzbgTW1kAflwKB+edpDgT5HJDpsgrJlORqGghDPVr8KCz+62Rcg7O U/3JER10PyKPJJ2fOu/Vxjno4iUrKEXy6M18BTfa2fuqGbGtdayRAIXfHC0Khh0oQP/n Ed/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=A/0KzB0f3ceh1ytx+EQg1khgB04Gd64K1stVrweCiTs=; b=qSbtxf1qYO3c2wW16n34Y0YnbUWFQ7eCiz64ffGkvjvNe8Tu2ke9bWQ6462YEjuejA cllSXESKjdn2PR+r4/zoohHQXyISh2kHsP+H3YL2VIwrgI+kefWCEbbZvhaVCE+W0eTM tf5Z2LuHV5w1GrR0EFaEnTuUpdQteELLO5WE48+UPcEZM2GL+VG8kgpvJs+zC1547VUW YPYixhGMs8tbSeswx0KRNlZhioomcmrhnyXh4nBNGkAQD7vetVt24K34yQILFXO3aTL2 aYgUBfKYOGtVMnE2FuRMLNgjF/viFSfbbHYMjokRYJSSliPBOzWXjznUaG+osK5fbUih 3uJw==
X-Gm-Message-State: AJaThX46ev9HlxRBeS5NNMawveTYcZww/Q4eG3LcXlVSUYYssz+n0AEI jmDZ/XzMl8WXzY9tkCXIZIB8AdSSt2RO2tnCq9fLGw==
X-Google-Smtp-Source: ABhQp+QK8CdBP06GTcrNAur+ntTl12t1XDvtTSypCY3EfYj/bcx9hlOHPOFlO6IauFzo5z2bOVcnaIhE+xZ2wyrrRtU=
X-Received: by 10.28.192.25 with SMTP id q25mr3844005wmf.98.1509939517348; Sun, 05 Nov 2017 19:38:37 -0800 (PST)
MIME-Version: 1.0
Received: by 10.28.174.81 with HTTP; Sun, 5 Nov 2017 19:38:36 -0800 (PST)
In-Reply-To: <CAOgPGoA6N4rwYet61ABNJCKzqEuMrtZ2a6Zk=FaB4uhFtxjT3w@mail.gmail.com>
References: <CABdrxL4ZX5GbUhdqmVrhVqwM-MqMsgLL6ow9ksQ8NYBCPvgnfA@mail.gmail.com> <CAL02cgQMeJAqTtrVBzv254arGQU-88NTJJWgZdoRQguPn14TkQ@mail.gmail.com> <CABdrxL7eE1rND6b-q-La7gwzgZmt2VEo3CKUcEfGMoiMWZ71wQ@mail.gmail.com> <CAOgPGoA6N4rwYet61ABNJCKzqEuMrtZ2a6Zk=FaB4uhFtxjT3w@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Sun, 05 Nov 2017 22:38:36 -0500
Message-ID: <CAL02cgT-SY3LcSHVMm1D_vP3ZbeHiY48BUOpjaRdUZAxR7nyTg@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: Cas Cremers <cas.cremers@cs.ox.ac.uk>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="089e082fa15c907084055d4830bc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kTYu90Xk4fd4So054NFQuckuLLY>
Subject: Re: [TLS] Technical comment on design draft-rhrd-tls-tls13-visibility-00: why also break integrity/authentication?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Nov 2017 03:38:42 -0000
I understood Cas to be observing that you could in principle remove confidentiality with regard to the third party to whom keys are being exfiltrated, without also removing integrity and authenticity. So the third party could observe application traffic, but not modify or inject. The solution in draft-rhrd removes all three properties with regard to the third party (all still of course hold with regard to all other attackers). So you would still have a risk of violating applications' assumptions with regard to confidentiality, but only with regard to confidentiality, and only relative to the chosen third party. To Stephen's point, though, this is of course a pretty subtle point for application developers to understand. --Richard On Sun, Nov 5, 2017 at 8:57 PM, Joseph Salowey <joe@salowey.net> wrote: > I'm not sure what use cases you are targeting, but this type of solution > can be dangerous for application security. Most application security models > assume that TLS will provide both confidentiality and authenticity. > Breaking confidentiality will often expose vulnerabilities that can result > in escalation of privilege or spoofing resulting in a loss of > integrity/authenticity in the application. For example, the use bearer > tokens such as passwords or session cookies is widespread. It will take > much more work to make applications resilient to loss of confidentiality. > There may be use cases where confidentiality compromise is limited to just > confidentiality, but I think these are in the minority. > > Joe > > On Fri, Nov 3, 2017 at 7:41 AM, Cas Cremers <cas.cremers@cs.ox.ac.uk> > wrote: > >> Hi Richard, >> >> Thanks for the pointer, I had missed your earlier observation of >> essentially the same thing in the large mail threads. >> >> Personally, I think it is a substantial and unmotivated loss in security >> to also give up authentication/integrity. >> >> Note that any changes towards PERC would require some significant changes >> in the security analyses; for mctls, I expect it would be a completely new >> analysis. (I haven't seen any analyses of rhrd, but of the three, it is of >> course closest to the current setup.) >> >> Best, >> >> Cas >> >> >> On Fri, Nov 3, 2017 at 2:00 PM, Richard Barnes <rlb@ipv.sx> wrote: >> >>> Hey Cas, >>> >>> This question is a good one. Earlier I brought up mcTLS, which some >>> folks have been working on to provide even more granular separations than >>> you suggest: >>> >>> https://mctls.org/ >>> >>> I think the authors of draft-rhrd are trying for a more lightweight >>> change to TLS. That said, there might be some intermediate points on the >>> spectrum here. For example, you could define a TLS ciphersuite akin to >>> what we defined in PERC when we wanted to break integrity partly and >>> confidentiality not at all. >>> >>> https://tools.ietf.org/html/draft-ietf-perc-double-07 >>> >>> That would be less invasive than mcTLS, while still getting the >>> properties you describe. >>> >>> --Richard >>> >>> >>> On Nov 3, 2017 09:43, "Cas Cremers" <cas.cremers@cs.ox.ac.uk> wrote: >>> >>> Dear all, >>> >>> Disclaimer: I am not a proponent of the idea behind draft >>> visibility/green/rhrd; I think such a mechanism should not be part of the >>> TLS 1.3 standard. >>> >>> I have a technical problem with the current design, whose goal is to >>> allow eavesdropping for inspection, i.e., selectively decreasing >>> confidentiality. >>> >>> However, the design in the draft also enables arbitrary traffic >>> modification/insertion, additionally breaking all authentication and >>> integrity guarantees. Once someone has the session keys, they can not only >>> eavesdrop but can also start to insert/modify traffic. This additional >>> decrease in security is entirely unmotivated by the cited use cases. >>> >>> It is possible to offer authentication and integrity, while >>> selectively giving up confidentiality. For example, one could replace the >>> AEAD by (i) a mechanism for authentication and (ii) a separate mechanism >>> for confidentiality, and then possibly reveal the keys used for (ii), but >>> make sure only the real endpoint has the keys for (i). That seems more >>> rational to me, and may retain the authentication/integrity guarantees. >>> However, it would require a much more invasive change. >>> >>> Best, >>> >>> Cas >>> >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >>> >>> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> >
- [TLS] Technical comment on design draft-rhrd-tls-… Cas Cremers
- Re: [TLS] Technical comment on design draft-rhrd-… Richard Barnes
- Re: [TLS] Technical comment on design draft-rhrd-… Cas Cremers
- Re: [TLS] Technical comment on design draft-rhrd-… Joseph Salowey
- Re: [TLS] Technical comment on design draft-rhrd-… Stephen Farrell
- Re: [TLS] Technical comment on design draft-rhrd-… Richard Barnes
- Re: [TLS] Technical comment on design draft-rhrd-… Joseph Salowey
- Re: [TLS] Technical comment on design draft-rhrd-… Karthikeyan Bhargavan
- Re: [TLS] Technical comment on design draft-rhrd-… Cas Cremers