IETF Logo Mail Archive

Re: [TLS] Is there a way forward after today's hum?

Ted Lemon <mellon@fugue.com> Thu, 20 July 2017 11:25 UTC

Return-Path: <mellon@fugue.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02C621270B4 for <tls@ietfa.amsl.com>; Thu, 20 Jul 2017 04:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=fugue-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nQK4U2ty3WVV for <tls@ietfa.amsl.com>; Thu, 20 Jul 2017 04:25:31 -0700 (PDT)
Received: from mail-pg0-x229.google.com (mail-pg0-x229.google.com [IPv6:2607:f8b0:400e:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F36BD131C03 for <tls@ietf.org>; Thu, 20 Jul 2017 04:25:28 -0700 (PDT)
Received: by mail-pg0-x229.google.com with SMTP id y129so13538572pgy.4 for <tls@ietf.org>; Thu, 20 Jul 2017 04:25:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fugue-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=P3upmT5aNBLExztsDhc0PRR5Qh2kJZqJA00vDCHA4Yw=; b=Wgxza11vPag7Xl7VzQFchGuyVE9sMGIFcTksebgMuhsM/k0HqyvH7j9zss3v92WQ3f SiBBm287hQHReV1dQTOYYElJnjsUW9dehxi4lDbmqHtVfHUO25Z95sUK0S5QDFSZNZB5 amwQDi3uX/ItaQyiGmu71b1/txdzIzDU7rQ9pchlZoyTf2xtBmpu6bCnjUEC/dJlydhT 9yqe1j0DEPQoz7rWosIf3yk1jpv4ZaB+YICL+eXv6+3A64+FayEog9+TJxe0xfbgY6CC s47Qj2RBtJmbLM2h1kKjeQ3abvWjs8J0fBNKjBhQFub+7Unr8eyLzwDj5JI1yMgQvadc J9lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=P3upmT5aNBLExztsDhc0PRR5Qh2kJZqJA00vDCHA4Yw=; b=Wyrkh5nSZwDpO2a/HXM5TFlezxumJYz2Jfu6OXoQRrccOnyPb1tvam4yMC1k8Bmzl7 bH5ElnnwyWAoAa1TlBq9W1QBR3kH52/JkvW6gvg6ibnniFi+WSyWhFfX93Aa7mfwBUGI kIAsY9lIy2/MiVkpRoF4JPKKYvLuNfKEoB7x2ZRwu6un2Dd6WdfdXDgVcpfZvqQ9MBhW oG5Grpo7mpkYXa4vuyrO/cdGVBIAhWUKLmIlxUA5NRnkcHbF4FAS06y+tqM3AlIRaEMl RYfpWCt5Vw8NhiDjlhvqXcrqM81rZiA8eJkeNaf+CzFAvAyiGKbrtKfzjaWLwqfTPbg4 00hQ==
X-Gm-Message-State: AIVw113pEwM1rPR0kIaoQxGluU8W9eIYn6i/e99RoP6LCh3rciNwEeut HopuXxkho0PUyvcZkZeVpC/B6M+tP83Y
X-Received: by 10.99.43.5 with SMTP id r5mr3461642pgr.135.1500549928429; Thu, 20 Jul 2017 04:25:28 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.100.181.42 with HTTP; Thu, 20 Jul 2017 04:25:27 -0700 (PDT)
Received: by 10.100.181.42 with HTTP; Thu, 20 Jul 2017 04:25:27 -0700 (PDT)
In-Reply-To: <bbd5d287b07d4e5aac7cbd3add41da03@venafi.com>
References: <BN6PR06MB3395E47F181D02D5772EEC81BFA70@BN6PR06MB3395.namprd06.prod.outlook.com> <bbd5d287b07d4e5aac7cbd3add41da03@venafi.com>
From: Ted Lemon <mellon@fugue.com>
Date: Thu, 20 Jul 2017 13:25:27 +0200
Message-ID: <CAPt1N1kRf-Z_FnK8pmRH_hp7wKTYPW1zu55136Dmp2jF7vgH3w@mail.gmail.com>
To: Paul Turner <PAUL.TURNER@venafi.com>
Cc: Robin Wilton <wilton@isoc.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a1146e2e073c5670554be01ad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/n5qkz-f_GdAc1GGFIqGxG00RWPY>
Subject: Re: [TLS] Is there a way forward after today's hum?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jul 2017 11:25:34 -0000

Paul, it would be trivial to normal that exchange to conceal from the
client that a static key is being used. No software mods required on either
end: just in the middle.

On Jul 20, 2017 1:04 PM, "Paul Turner" <PAUL.TURNER@venafi.com> wrote:

>
>
>
>
> *From:* TLS [mailto:tls-bounces@ietf.org] *On Behalf Of *Robin Wilton
> *Sent:* Thursday, July 20, 2017 05:58
> *To:* tls@ietf.org
> *Subject:* Re: [TLS] Is there a way forward after today's hum?
>
>
>
> Apologies for not replying "in thread" on this occasion, for noob
> reasons... but here's the specific comment from Russ that I wanted to
> respond to:
>
>
> ------------------------------
>
> The hum told us that the room was roughly evenly split.  In hind sight, I wish the chairs had asked a second question.  If the split in the room was different for the second question, then I think we might have learned a bit more about what people are thinking.
>
>
>
> If a specification were available that used an extension that involved both the client and the server, would the working group adopt it, work on it, and publish it as an RFC?
>
>
>
> I was listening very carefully to the comments made by people in line.  Clearly some people would hum for "no" to the above question, but it sounded like many felt that this would be a significant difference.  It would ensure that both server and client explicitly opt-in, and any party observing the handshake could see the extension was included or not.
>
>
>
> Russ
>
> ====
>
>
>
> Stephen Farrell articulated a concern with that approach - namely, that if
> we are relying on a setting that is meant to ensure both parties must be
> aware that static DH is in use, then a bad actor would find ways to
> suppress that notification. In your proposal, Russ, the notification
> mechanism would take the form of an extension... so I think we would need
> to understand what the failsafe is, for instance if that extension is
> disabled, or not present, in a given deployment of TLS.
>
>
>
> There's an implicit assumption about the threat model, too, which I just
> want to call out. The assumption is that a bad actor would suppress the
> notification so that the client is not aware that static DH is in use. For
> completeness, should we also consider whether there are attacks in which
> it's the *server* whose notification is suppressed? (I can't think of such
> an attack, off the top of my head, but then, that's probably why I'm not a
> hacker. ;^, )
>
>
>
> Best wishes,
>
> Robin
>
>
>
> Robin,
>
>
>
> With respect to your threat concerns, can you be more clear about the
> threats you’re considering? Here are a few things that come to mind:
>
>
>
>    1. TLS Server has all of the decrypted data and can provide that to a
>    third party (whether compelled or otherwise) without any indication to the
>    TLS client. This seems true TLS 1.3 today.
>    2. TLS Server has their ephemeral DH keys and session keys and can
>    provide them to a third party without any indication to the TLS client.
>    This seems true with TLS 1.3 today.
>    3. TLS Server can create a TLS server implementation that uses static
>    DH keys and provide them to a third party. The client can use methods to
>    detect this (though there are measures and countermeasures here). This is
>    true seems TLS 1.3 today.
>    4. TLS Client has all of the decrypted data and can provide that to a
>    third party (whether compelled or otherwise) without any indication to the
>    TLS server. This seems true in TLS 1.3 today.
>    5. TLS Client has their ephemeral DH keys and session keys and can
>    provide them to a third party without any indication to the TLS server.
>    This seems true with TLS 1.3 today.
>
>
>
> I believe Russ was outlining a method where an extension would be added to
> TLS 1.3 that would provide for delivery of a decryption key to a third
> party during the handshake (correct me if I got that wrong, Russ). Because
> it would be during the handshake, it would seem to be visible to the TLS
> Client—in fact, the client would have to include the extension to begin
> with. If the TLS client saw the extension and did not consent, it could
> abort the connection. If the TLS Server were attempting to provide access
> to the exchanged data to a third party, it would seem they could use 1, 2,
> or 3 above and not have to go to the trouble of attempting to subvert the
> mechanism that Russ proposes (and others have previously proposed).
>
>
>
> Can you clarify?
>
>
>
> Paul
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email