IETF Logo Mail Archive

Re: [TLS] datacenter TLS decryption as a three-party protocol

Stephen Farrell <stephen.farrell@cs.tcd.ie> Wed, 19 July 2017 22:58 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 46EDD124D37 for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 15:58:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.301
X-Spam-Level:
X-Spam-Status: No, score=-4.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dR8qm4PhesUh for <tls@ietfa.amsl.com>; Wed, 19 Jul 2017 15:58:06 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7C281200ED for <tls@ietf.org>; Wed, 19 Jul 2017 15:58:06 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id DBFE0BE39; Wed, 19 Jul 2017 23:58:04 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3FsZ74U2Ygi2; Wed, 19 Jul 2017 23:58:03 +0100 (IST)
Received: from [172.28.172.2] (unknown [185.51.72.72]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 16964BE24; Wed, 19 Jul 2017 23:58:01 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1500505083; bh=P84X4GMwnML5TaoqQurccKTRbiE/EsoG+uRcHGQommk=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=dYEEnCR5zmlWPki+P1Fgpm6aq9eK//goEi9MjNapgm2K2RCWgXv2BtVPdwjmCmgUd qP6vp0rf6pDWuP03+EnSKSTfL+CKlqyWTOgNhR3QNcQsCPK4kZa5O+jevJ9h2uLKQb uRc0vVYQu+MOazcPIQQmxKbQNcdzMIjkgbSv77MY=
To: mrex@sap.com, Ted Lemon <mellon@fugue.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
References: <20170719202515.919D11A6CB@ld9781.wdf.sap.corp>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <e890aee1-5ad6-7a8a-a5d7-d5bc408966db@cs.tcd.ie>
Date: Wed, 19 Jul 2017 23:57:59 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.2.1
MIME-Version: 1.0
In-Reply-To: <20170719202515.919D11A6CB@ld9781.wdf.sap.corp>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="gF2ijWeHb4BM8qJR3AvP9D6XxlfwEuEnP"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nXvSVblPEp5m5ttfEiA3jRwvZ9M>
Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Jul 2017 22:58:09 -0000

Just to note that Martin's mail contains specific examples
and detailed argument. That should be the lowest bar that
needs to be met in this discussion, not the arm-waving about
"TLS as a DoS attack" or "what about grandma" nonsense that
we heard today. The contrast between such non-argument and
the care that has been taken, and continues to be taken, in
the development of TLS1.3 is stark.

S.

On 19/07/17 21:25, Martin Rex wrote:
> I just watched the presentation on static DH / TLS decryption in Enterprise
> settings of todays TLS session
> 
>   https://youtu.be/fv1AIgRdKkY?t=4473
> 
> and I'm seriously appalled by the amount of cluelessness in the
> Networking & IT Departments on the one hand, and by what seems like
> woefully inadequate apps on the other hand.
> 
> I've been doing middleware development and customer support of
> SSL/TLS-protected communication for our company's (legacy) app
> as well as maintenance & customer support for the TLS stack we're
> shipping with it for the past 17 years, and I can't stop shaking
> my head about the perceived problems, that *NEVER*EVER* occurred
> to me, nor our IT & Hosting and neither any of our customers using our app
> (and I would definitely know about it).
> 
> Although we do ship our own TLS implementation, we don't have any APIs
> to export cryptographic keys, simply because it's completely unnecessary.
> 
> 
> With extremely few exceptions, an API-level trace at the endpoints
> is totally sufficient for finding app-level problems, such as
> unexpected "expensive" requests.  App-level traces on *EITHER* side
> should provide *ALL* information that is necessary to determine _which_
> particular requests are taking longer than expected.  If your Apps do
> not provide meaningful traces, then you have an *APPS* problem, and
> should be fixing or replacing apps, rather than mess around with TLS.
> 
> 
> There were a few issues with F5 loadbalancers (that were just forwarding
> traffic, _not_ acting as reverse proxy) related to a borked F5 option called
> "FastL4forward", which occasionally caused the F5 box to truncate TCP streams
> (the box received&ACKed 5 MByte of TCP data towards the TLS Server, but
> forwarded only 74 KBytes to the client before closing the connection with
> a TCP FIN towards the TLS client.
> 
> And once I saw another strange TCP-level data corruption caused by some Riverbed WAN accellerator.
> 
> 
> I remember exactly _two_ occasions during that 17 years when I produced
> a special instrumented version of our library for the server endpoint,
> which dumped stuff into a local trace file, but I never ever thought
> about exporting crypto keys (because it wouldn't help, and those
> weren't _my_ keys (but those of a customer):
> 
>    (1) it dumped the decrypted RSA block from the ClientKeyExchange
>        handshake message when encountering a PKCS#1 BT02 padding
>        encoding failure
> 
>    (2) it dumped the final decrypted block of a TLS record for
>        when the CBC-padding-verification failed the check.
> 
> (1) was caused by a bug in the long integer arithmetic of an F5 load balancer
>     which ocassionally produced bogus (un-decryptable) PreMasterSecrets
> 
> (2) was caused by a design flaw in JavaSE 1.6 by Java's SSL when it was used with GenericBlockCipher over native-IO interfaces.
> 
> 
> I firmly believe that if you have a desire to decrypt TLS-protected
> traffic to debug APPS issues, then your APPS must be crap, and seriously
> lack capabilities to trace/analyze endpoint behaviour at the app level.
> 
> 
> With respect to "monitoring" SSL/TLS-protected traffic in the
> enterprise environment:
> 
> At least here in Germany, we're in the lucky position that wiretapping
> network traffic has been made a criminal offense in 2004.  If IT/Networking
> folks in the enterprise settings don't want to spend up to 4 years behind
> bars, they don't even try to decrypt SSL/TLS-protected traffic.
> 
>  
> -Martin
>

v2.23.0 | Report a Bug | By Email