[TLS] TLS and unnecessary complexity
Watson Ladd <watsonbladd@gmail.com> Fri, 14 March 2014 03:13 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8BC611A086D for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 20:13:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lBh20AUnnbnk for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 20:13:34 -0700 (PDT)
Received: from mail-yh0-x234.google.com (mail-yh0-x234.google.com [IPv6:2607:f8b0:4002:c01::234]) by ietfa.amsl.com (Postfix) with ESMTP id 3E8851A0700 for <tls@ietf.org>; Thu, 13 Mar 2014 20:13:34 -0700 (PDT)
Received: by mail-yh0-f52.google.com with SMTP id c41so1999094yho.39 for <tls@ietf.org>; Thu, 13 Mar 2014 20:13:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=5pE6/hpeWW6eOA1Nvskl95U4A/WmJr985zMy0O54FWo=; b=bRmVgag/ATbRrQLhiGr0plt3lWkKm+fWWY10QSsTwNQ0fU7PwN5Snx1R+XGFYOqe7/ lXZHNAFhcUR7uFODrtuu8Il3IiQVNITKikOOmBQot5MknTRo0rFZ+NrPMDEyG15S1pnI Pb6bMIMCj+rFXEvfpdk3gqoqhSnGFk1d3bcMq/R4wk4yReTxgFn1eZf7SthaoZ1aYbuu bwrE3Lzz94wRJvc2vL2+xZMOAjXzJNi5xaO1YFv7EJSdYDhEKmTXneR71PBj+5kWqGya IjtXSsiw44KtPuz+bOcYRPF58Ly0QVdVD2Wmb33CoK9CXidnZSisvYY9GM2vWX7Dv0uH 4y5w==
MIME-Version: 1.0
X-Received: by 10.236.129.36 with SMTP id g24mr7411127yhi.103.1394766807338; Thu, 13 Mar 2014 20:13:27 -0700 (PDT)
Received: by 10.170.80.214 with HTTP; Thu, 13 Mar 2014 20:13:27 -0700 (PDT)
Date: Thu, 13 Mar 2014 20:13:27 -0700
Message-ID: <CACsn0ckqkkwdWHp=Wv82M1gsgRr5F+oscE-MFPhCG40mQebfzw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/ni2VbxGDz6olqSiVgi9xMobjKqs
Subject: [TLS] TLS and unnecessary complexity
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Mar 2014 03:13:36 -0000
Dear all, TLS is supposed to do three things. 1: Make connections in side of which data is secret, no matter what is sent through them. 2: Let one, both, or none of these sides be authenticated by a public key, plus additional information which TLS doesn't handle or impose restrictions on. 3: Provide information that only the two ends of the connection can possibly know. (SRTP, Channel Binding, etc). TLS 1.2 succeeds only at 1, and only in some configurations. 1,2,and 3 can be achieved with more than ordinary care. TLS 1.0 can't achieve 1, and neither can TLS 1.1. SSL v3 is utterly terrible. In order to fix this you need to deploy all sorts of things not in the RFCs that claim to define TLS, but are rather in extensions. Furthermore, this assumes that both sides actually can reach TLS 1.2. Unnecessary fallbacks are still not fixed. Each implementation is a ball of mud in the usual case: PolarSSL is slightly better. The specification is useful for implementors, but not for auditors: there is no explicit state machine, nor is it easy to determine how particular handshakes work. This is why the security failures of these past few years happened: it was impossible to determine they could not. Even when security issues where known, they were not fixed properly. The complexity of the protocol shows up in the implementations. By contrast a complete implementation of CurveCP fits in fewer pages than RFC 5246 takes to define the language it uses to explain the structures of TLS. The core cryptographic code is 16,000 characters. Purists will object that CurveCP doesn't do authentication, and they are right, but TLS doesn't do any of the TCP functions CurveCP does. Passing an opaque blob to higher levels is probably much shorter than a TCP implementation. This failure mode is not unique to TLS: the Scheme specification is shorter then the index to the Common Lisp specification. However, TLS is inevitably part of every TCB, because of its usefulness and ubiquity. Attempts such as MinimalLT to replace it recognise this and as a result are dead simple. How can TLS 1.3 solve this problem? TLS 1.3 should be described as a state machine that receives and sends messages. The functions used to send and receive messages should be deliberately crippled to force the author to remove complexity as much as possible. This would make it much easier to catch things like the return of renegotiation bugs, as the state machine would have enabled tools like ProVerif to run on it. There is a reason miTLS caught the resumption bug: they were the only people looking with tools powerful enough. No reference should be made to anything beyond the definition of cryptographic transforms. Certificates should be opaque and handed to higher layers, to enable DANE to work on the same basis as X509. Necessary extensions should be documented in the spec itself. All messages should be from regular languages. The current TLS spec fails badly in this respect. This is necessary to write clean, correct, parsing code. Key verification serves the purpose of making cryptographers unhappy. It should be removed. (I can explain at length why this is so) Finally, we should use well-understood primitives in correct manners, and prove that our use is correct. Sincerely, Watson Ladd
- [TLS] TLS and unnecessary complexity Watson Ladd