Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt

Viktor Dukhovni <ietf-dane@dukhovni.org> Fri, 24 October 2014 13:37 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0885F1A00B0 for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 06:37:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id StsglDJ7f6oj for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 06:37:31 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27E501A007B for <tls@ietf.org>; Fri, 24 Oct 2014 06:37:31 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 387AC2AB109; Fri, 24 Oct 2014 13:37:29 +0000 (UTC)
Date: Fri, 24 Oct 2014 13:37:29 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141024133728.GI19158@mournblade.imrryr.org>
References: <CAO7N=i3gC=+qcgHU=aMKtRyT7tZV5fm=9gJii-=yOpcNECOEvA@mail.gmail.com> <20141022175238.GF19158@mournblade.imrryr.org> <544837FD.202@cs.tcd.ie> <2A0EFB9C05D0164E98F19BB0AF3708C71D3AF651E4@USMBX1.msg.corp.akamai.com> <5449A667.9040105@cs.tcd.ie>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5449A667.9040105@cs.tcd.ie>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/m3sWMUjQkKGGQDIF3u1tF_st73M
Subject: Re: [TLS] I-D Action: draft-ietf-tls-prohibiting-rc4-01.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 13:37:33 -0000

On Fri, Oct 24, 2014 at 02:07:51AM +0100, Stephen Farrell wrote:

> Yep. I badly write:-) Fair comment though, I wasn't clear so
> apologies. As you guessed, what I meant was:
> 
>   OS is a fine design pattern. Algorithms can be considered-good
>   or dodgy. AES is considered-good. RC4 is dodgy. OS requires
>   considered-good algorithms (I think).

When OS is a just-in-case "upgrade" from cleartext to unauthenticated
encrypted communication, there is requirement for "considered good"
algorithms.  The prime-directive is to not disrupt communication,
only then do we try to encrypt if possible.

Thus, for example, if we're doing STARTTLS with SMTP, the handshake
is:

	C: EHLO amnesiac.example
	S: 250-smtp.example
	S: 250 STARTTLS
	C: STARTTLS
	S: 220 make my day
	C: <TLS client HELLO (with some cipher list)>
	S: <TLS server HELLO (with chosen "best" shared cipher) or else fatal TLS alert!>
	...

The client and server commit to TLS without any prior knowledge of
what cipher suites they might share in common.  If the client's
list is too strict, the server will abort with a TLS alert.  Since
we were willing to send in cleartext had the server not indicated
STARTTLS, any cipher suite (even dodgy) is better than a handshake
failure.

Even if years later some TLA recovers the plaintext after a
crypt-analytic breakthrough finally renders the dodgy vulnerable
at reasonable cost.

The alternative is either cleartext transmission or failure.  The
former is immediately available to the TLA.  The latter is not what
the opportunistic client "signed up for".  It was just trying to
deliver the mail with as much security as is available, but no
more.

Therefore, opportunistic TLS needs to be more permissive.  With
opportunistic TLS stricter policies are counterproductive.

Leaving a cipher suite out is only practical once it is no longer
the best shared cipher with any peers.  Thus we can if we wish
disable EXPORT cipher suites since they are now never used, but it
serves no purpose to do so (they are never used) beyond perhaps
preventing accidents in which a grossly misconfigured peer selects
EXPORT despite having better options.  I have never observed such
an accident.

-- 
	Viktor.