Re: [TLS] Fixing TLS

Nikos Mavrogiannopoulos <nmav@redhat.com> Wed, 13 January 2016 09:53 UTC

Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B08501A0025 for <tls@ietfa.amsl.com>; Wed, 13 Jan 2016 01:53:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.902
X-Spam-Level:
X-Spam-Status: No, score=-6.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3XMWRWdYnM60 for <tls@ietfa.amsl.com>; Wed, 13 Jan 2016 01:53:40 -0800 (PST)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2536E1A0021 for <tls@ietf.org>; Wed, 13 Jan 2016 01:53:40 -0800 (PST)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (Postfix) with ESMTPS id 857298CF5D; Wed, 13 Jan 2016 09:53:39 +0000 (UTC)
Received: from dhcp-10-40-2-130.brq.redhat.com (dhcp-10-40-2-130.brq.redhat.com [10.40.2.130]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u0D9ra7n009417 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 13 Jan 2016 04:53:38 -0500
Message-ID: <1452678816.25588.38.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Yoav Nir <ynir.ietf@gmail.com>, Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Wed, 13 Jan 2016 10:53:36 +0100
In-Reply-To: <5C687CFB-E86A-4458-96D2-D47EFCDBA598@gmail.com>
References: <9A043F3CF02CD34C8E74AC1594475C73F4BC6849@uxcn10-5.UoA.auckland.ac.nz> <5C687CFB-E86A-4458-96D2-D47EFCDBA598@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/knFcKr_2qI9JJjqe-PWBKbvMsQk>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Fixing TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2016 09:53:41 -0000

On Tue, 2016-01-12 at 19:13 +0200, Yoav Nir wrote:
> Hi, Peter
> 
> Ignoring for a moment the merits of this proposal vs the TLS 1.3 (or
> 2.0) that this WG is working on right now, why?
> Other groups are not working on HTTP/1.2 or IKEv1.1 or any other
> $protocolv$(major-1).$(minor+1).

Note that these are not security protocols and they don't benefit from
a formal analysis of a protocol. Such an analysis takes several years
to be done and it often applies to small parts of the protocol.
Switching to a new version invalidates all the existing analysis.

That is of course not necessarily bad, but as we are moving towards
formally verified protocols it is very bad to give these two options:
1. Stay with a formally verified but with known vulnerabilities
protocol
2. Switch to a new unknown protocol which has not been studied by as
many cryptographers but is _believed_ to solve the issues found in TLS.


> Any TLS library that exists now doesn’t have an implementation of
> either “your” TLS 1.3 or “our” TLS 1.3. To get either, you’ll need to
> get an upgraded version of your favorite library. So the upgrade path
> is no smoother for either protocol.   If this had been brought up
> before the work on the current draft started, maybe we would be
> convinced. As it is, I don’t see the point.

The main problem of TLS 1.2 is that it is vulnerable to cross-protocol
attacks and there is no way to mitigate that. There was such an attack
described in 2012 and another in 2015 [0]. Whether there will be a new
one in 2017 is an open question. Switching to a protocol like TLS 1.3
as it is today to fix that thing it is an overkill.

That is because TLS 1.3 is a rewrite of the protocol, and requires a
rewrite of the code base. Given that the majority of the issues in TLS
implementations are in the code bases and not in the protocol, it is
very risky to switch to such a new version just like that. For old
systems it most likely will never happen and they will remain
vulnerable.

[0]. https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf

regards,
Nikos