Re: [TLS] draft-urien-tls-dh-tripartite-00
Martin Rex <mrex@sap.com> Wed, 07 July 2010 17:28 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 87F3F3A67E5 for <tls@core3.amsl.com>; Wed, 7 Jul 2010 10:28:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.105
X-Spam-Level:
X-Spam-Status: No, score=-8.105 tagged_above=-999 required=5 tests=[AWL=-1.696, BAYES_50=0.001, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6pPzPaVWZt6O for <tls@core3.amsl.com>; Wed, 7 Jul 2010 10:28:28 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by core3.amsl.com (Postfix) with ESMTP id 40FA23A6843 for <tls@ietf.org>; Wed, 7 Jul 2010 10:28:28 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id o67HSPFF021879 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 7 Jul 2010 19:28:30 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201007071728.o67HSOUk000852@fs4113.wdf.sap.corp>
To: pascal.urien@gmail.com
Date: Wed, 07 Jul 2010 19:28:24 +0200
In-Reply-To: <AANLkTilJc03vI4-juQWyVnDErCeCfLo7osQNRx1IDIcN@mail.gmail.com> from "Pascal Urien" at Jul 6, 10 07:49:07 am
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-Scanner: Virus Scanner virwal07
X-SAP: out
Cc: tls@ietf.org
Subject: Re: [TLS] draft-urien-tls-dh-tripartite-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Jul 2010 17:28:29 -0000
Pascal Urien wrote: > > Most of privacy exchanges over the Internet rely on the TLS protocol. > According to this protocol two entities the client and the server > computes a master secret from which are deduced cryptographic keys > used for data privacy and security. Digital transactions may deal > with critical information (payments ...) that need to be recorded for > traceability issues or for legal requirements. However messages are > secured by the TLS protocol, so it is not possible for a third party > that logs packets to perform decryption operations upon legitimate > requests. > > The goal of this draft is to support a Trusted Third Party (TTP) that > could recover the protected information when needed. The proposed > protocol uses the Tripartite Diffie-Hellman (tdh) algorithm based on > bilinear pairings over elliptic curves. I'm sorry, but this approach appears to be built on severely flawed assumptions. The data integrity protection and data encryption in TLS is based purely on symmetric crypto using SHARED secrets. This means that both communication peer can not only verify all application data received from the peer, each of them can also create perfect fakes. And if the master secret plus the randoms from the initial handshake are shared with a misleadingly called "Trusted Third Party" (TTP), then also that TTP can perfectly modify a communication between two peers. TLS cipher suites are not built to provide anything in the direction of non-repudiation for communication contents at the transport level. Personally, I think that the concept of "escrowing application data at the transport level" for any kind of evidence purposes to be an unconditionally bad idea. Early 2007 there was a proposal (draft-housley-evidence-extns-00) with a similar motivation, but technically correct architecture, posted on the TLS mailing list, IIRC, it required the peers to apply digital signatures to application data, so that none of the parties involved (peer and TTP) woulde be able to perfectly modify the application data stream that was escrowed in full at the transport level. If there is a need to get proof/evidence for specific application-level information, that put exactly that data -- and nothing else -- into a digitally signed container, e.g. PKCS7,CMS or XMLdsig and have it signed at the application level. In several jurisdictions, this is anyway one of the prerequisite for visualization to end users with a means of trusted hardware before legally binding digital signatures can be applied to data. Digital signatures over non-canonical application data that is arbitrarily fragmented over several different independent communication connections, with open/dangling external references (some of which may be filled by caches) with arbitrary amounts of intermediate protocol layer stuffing, codepage translations and transport encodings is an unconditionally bad idea. The idea of logging (let alone archiving) a complete application level datastream for other than very short term technical problem solving is completely incompatible with data protection laws in Europe based on the European data protection directive if any of the data that is exchanged is or can be related to human beings or legal entities. Trying to think about where this technology could be used, I can only think of scenarios that are either technically useless or illegal privacy violations und the data protection laws in Germany and likely most other countries of the European Union. -Martin
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Pascal Urien
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Paul Hoffman
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Pascal Urien
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Paul Hoffman
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Pascal Urien
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Paul Hoffman
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Pascal Urien
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Paul Hoffman
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Paul Hoffman
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Martin Rex
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Pascal Urien
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Pascal Urien
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Nelson B Bolyard
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Paul Hoffman
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Kemp, David P.
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Martin Rex
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Kemp, David P.
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Blumenthal, Uri - 0668 - MITLL
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Marsh Ray
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Peter Gutmann
- Re: [TLS] draft-urien-tls-dh-tripartite-00 Martin Rex