IETF Logo Mail Archive

Re: [TLS] EXTERNAL: Re: integrity only ciphersuites

Jack Visoky <jmvisoky@ra.rockwell.com> Tue, 21 August 2018 17:06 UTC

Return-Path: <jmvisoky@ra.rockwell.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D120E130FF0 for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 10:06:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 818lLbCn66uW for <tls@ietfa.amsl.com>; Tue, 21 Aug 2018 10:06:42 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0067.outbound.protection.outlook.com [104.47.36.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2AB5F130FEA for <tls@ietf.org>; Tue, 21 Aug 2018 10:06:42 -0700 (PDT)
Received: from DM5PR2201MB1433.namprd22.prod.outlook.com (10.174.186.154) by DM5PR2201MB1531.namprd22.prod.outlook.com (10.174.187.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1059.21; Tue, 21 Aug 2018 17:06:40 +0000
Received: from DM5PR2201MB1433.namprd22.prod.outlook.com ([fe80::49f1:7875:b984:9a65]) by DM5PR2201MB1433.namprd22.prod.outlook.com ([fe80::49f1:7875:b984:9a65%2]) with mapi id 15.20.1059.023; Tue, 21 Aug 2018 17:06:40 +0000
From: Jack Visoky <jmvisoky@ra.rockwell.com>
To: "Fries, Steffen" <steffen.fries@siemens.com>, "Salz, Rich" <rsalz@akamai.com>
CC: "ncamwing=40cisco.com@dmarc.ietf.org" <ncamwing=40cisco.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: EXTERNAL: Re: [TLS] integrity only ciphersuites
Thread-Index: AQHUOUQUkJpihrEzjkez1izxv4krA6TKHVCAgAASLoCAAAX/gIAAI7YAgAACPQCAAAJBAIAAA5mAgAALN4CAAAMNsA==
Date: Tue, 21 Aug 2018 17:06:40 +0000
Message-ID: <DM5PR2201MB1433B9D7F9AA3B7B688CD33C99310@DM5PR2201MB1433.namprd22.prod.outlook.com>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com> <64d23891-2f32-9bb8-1ec8-f4fad13cdfb9@cs.tcd.ie> <982363FD-A839-4175-BA53-7CA242F9ADA6@ll.mit.edu> <2D7F2926-6376-4B2C-BDE9-7A6F1C0FA748@gmail.com> <5B7C1571020000AC0015C330@gwia2.rz.hs-offenburg.de> <E6C9F0E527F94F4692731382340B337804AEFA24@DENBGAT9EH2MSX.ww902.siemens.net> <A51CF46A-8C5F-4013-A4CE-EB90A9EE94CA@akamai.com> <E6C9F0E527F94F4692731382340B337804AEFB10@DENBGAT9EH2MSX.ww902.siemens.net>, <D5FF0E0E-F9C3-4843-AB77-19F45E3C00D5@akamai.com> <8A2746A8-6B41-45C3-9D77-6AF3536C6E2D@siemens.com>
In-Reply-To: <8A2746A8-6B41-45C3-9D77-6AF3536C6E2D@siemens.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [205.175.250.246]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR2201MB1531; 6:YgwAcbQSXBcyOrb2PjaK2OQwng4Jt+twvcsRIOQg5uUznqZtjV59kPijLMci/yLy6ntEw+ypWraNTo8+EfsNnYUKnt/DZkh2VkmZ6a5J9WmN5PUAGbJDnRKJnMXTEXUjuyvd4UB9m9f4WiL+0SwS4MX/B2brw73nakLUQo3Jvnd1/YwbCoe5erjF3l/UcLLOIsRbJeelCMI2rSOAZm2R6uZhS6nkg0CX6tc6ZGZWlVye/Dmz4yU/y2lAQa/tMbz+/ei9S9v6kty6X13lJH86SjGIhaVsIZUaAUfKKGeyEFcRQKqY1SOe1oLinn+3JT2f9lsI5kt/FlMjfLsV4dkmDUbdSW2Qz5kvfH1JWWkTULfeikY3xebIF+ISGiV8wejvdRRX7FAfMUmR3gVZVgporkldfKtiNf1ABEugOlCtA9AhrZKLl5LObcbx+fe1+60XQ/6NGKM9WNVJsDdR0UTVkA==; 5:TnQxlK56ygVcMmFRONuLOSsWxIUxyo5DgfrYgciLAsZ//nVEDYdyBg/8QvzrZE0IwoJSDtY9pLu7b3hw/5zQaEEEZpcMK5zXF2qjMdZtyszVWpfJ5+tcoA4b9jhVK3kZ7QBWzb4/QjedNr6klz4O9lUXjxfCMSRgjpeTPxHNvO8=; 7:+J7ulskVJ+WhaFdmdh7/tt8+ebQbxzMDQjVwOv0WZ3ps0372N3tUTIX4Al/F6DATccVHsN8jJymvuiijdYbpq9JMfMOeusHSaPvWNtzzJqktqB1gCUiHBd9FiIEu/tLdAvPtQKjNhcN3zHKSC1Ka487MDJBd9VwRDnTT+LozvkCqXohCNEznftEV/uNICEvPJHUAaU3yuCc0WpXpeql2JKpQkQZX3P2vm6xbcVZ4FdNNnGcRFjTchCs+F+F0n/pk
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 2081268f-fa7f-489a-8b2f-08d6078876b2
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM5PR2201MB1531;
x-ms-traffictypediagnostic: DM5PR2201MB1531:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jmvisoky@ra.rockwell.com;
x-microsoft-antispam-prvs: <DM5PR2201MB153191BCB795BD872470D09799310@DM5PR2201MB1531.namprd22.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(72170088055959)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231311)(944501410)(52105095)(10201501046)(3002001)(93006095)(93001095)(6055026)(149027)(150027)(6041310)(20161123562045)(20161123564045)(20161123560045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699016); SRVR:DM5PR2201MB1531; BCL:0; PCL:0; RULEID:; SRVR:DM5PR2201MB1531;
x-forefront-prvs: 0771670921
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(396003)(346002)(376002)(366004)(136003)(189003)(199004)(110136005)(102836004)(5024004)(106356001)(256004)(14444005)(2900100001)(68736007)(86362001)(5250100002)(105586002)(6506007)(2906002)(53546011)(93886005)(6436002)(8936002)(486006)(446003)(66066001)(476003)(14454004)(229853002)(11346002)(316002)(81156014)(99286004)(19609705001)(53936002)(7696005)(54906003)(33656002)(97736004)(6306002)(478600001)(186003)(76176011)(236005)(6246003)(26005)(54896002)(81166006)(8676002)(55016002)(74316002)(7736002)(790700001)(5660300001)(3846002)(25786009)(4326008)(6116002)(9686003); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR2201MB1531; H:DM5PR2201MB1433.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ra.rockwell.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: hxZVaMjbixp249fIZxFOCwb1YcHN0qxBWkExTlbEuSZ7H9zxb0GulcXdMxKzkDqCyrr/QxPnkpuM6RIpZncHDsYsnGixYYhl5Gje3w/DUt0kJOELh0t+kxrcHsIObIB9QjUZr3y7tcRtOb/P4O3/ZdxcLKqyueSTJAdQJilDrg4/05pd5nSIqc7AIBoEzV1cn4dIRgpYHV1lCpZuMyWNJaytTWRTvcTA0rLfiAU36pijbjdp0gc3BWY2XMqoxQkrcvP6ILybOg3PWCqkzKfzdaN6+x4HeKMyOV4spVMh8wtv4xE739K4uZGsstpbyM4dqHmxK/uG70iQjvAu0E1sUKdkkTY8CwVbkEhdck75syE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM5PR2201MB1433B9D7F9AA3B7B688CD33C99310DM5PR2201MB1433_"
MIME-Version: 1.0
X-OriginatorOrg: ra.rockwell.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2081268f-fa7f-489a-8b2f-08d6078876b2
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Aug 2018 17:06:40.6782 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 855b093e-7340-45c7-9f0c-96150415893e
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR2201MB1531
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VA4rYAJEIUYQKFCWQrB1VL7Utk4>
Subject: Re: [TLS] EXTERNAL: Re: integrity only ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 17:06:54 -0000

Just to pile on what Steffen is saying, the motivation for this is mainly around device communication that happens at high speeds (sub millisecond is not uncommon for an update rate).  The communications is generally not HTTP, but rather industrial protocols built on TCP and UDP.

Thanks and Best Regards,

--Jack

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Fries, Steffen
Sent: Tuesday, August 21, 2018 12:54 PM
To: Salz, Rich <rsalz@akamai.com>
Cc: ncamwing=40cisco.com@dmarc.ietf.org; tls@ietf.org
Subject: EXTERNAL: Re: [TLS] integrity only ciphersuites


[Use caution with links & attachments]



On 21. Aug 2018, at 18:13, Salz, Rich <rsalz@akamai.com<mailto:rsalz@akamai.com>> wrote:
?  If there would be support for integrity ciphers in TLS 1.3 it would enable the straight forward switch from TLS 1.2 also in these environments by keeping existing monitoring options.

Why do you want to move to TLS 1.3?  Why isn't your existing solution good enough?

?  [stf] Currently it is sufficient to use TLS 1.2- For certain use cases the utilized components have a rather long lifetime. One assumption is that TLS 1.3 will exist longer that TLS 1.2 and that certain software tools (also browsers) may not support TLS 1.2 in the future  ...

Most browsers already do not support NULL encryption, and it is highly unlikely that any will add it for 1.3.  Have you any indication otherwise?  If you're not going to use the algorithms in general use on the public Internet, then you should expect that standard clients such as browsers, will not work.  PeterG can attest to this. :)

True. I was more referring to an embedded device, which currently supports TLS 1.2 (for using integrity only) for machine to machine communication  If this device is accessed by a service technician, it will also use today cipher suites with encryption. If a browser provider decides to deprecate TLS 1.2 in the future, access by standard software would be hindered. This would end up in a device supporting TLS 1.3 for service technicians access and 1.2 for machine to machine communication to (still) have integrity only.

v2.23.0 | Report a Bug | By Email