Re: [TLS] ops review of draft-ietf-tls-sslv3-diediedie

Martin Thomson <martin.thomson@gmail.com> Sun, 22 March 2015 13:57 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F041D1A90DD; Sun, 22 Mar 2015 06:57:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4hVpYUe_xRfl; Sun, 22 Mar 2015 06:57:08 -0700 (PDT)
Received: from mail-ob0-x22d.google.com (mail-ob0-x22d.google.com [IPv6:2607:f8b0:4003:c01::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F29CF1A90E0; Sun, 22 Mar 2015 06:57:07 -0700 (PDT)
Received: by obdfc2 with SMTP id fc2so106823953obd.3; Sun, 22 Mar 2015 06:57:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=4nwqvHn2UNKBReEqaXDmqaLwyrPLzCz5OIAOYJtDEAo=; b=0xudl2oDJqdMrV+DcK7L6LCIjqUsUPucEklCrrgMC3UYc9hElKZNOlvlgF7m3mOFTD YjmCdaKkjLMtlOlsKdEjNsFyHsznSdVuOD/8gBxCmzEu2nQAGabo1gNDCPjhOsJeRtXs Hbv9U02GC7VNi8jHmVQ68u4i8cPmPQLFDXpjnYkwAB2+3ouys6aGfM2PKyIYAAxfzmJu eBrj2WhZRmeFqA8Ylj9+SUvET9H6SmjAY7IWlKh+fni6nuZ4zKYXGCzkIBeA4JL9VUd6 XvqFSYF3DJffu4bNTmc3/cn4xH9SGVSH/h0cMdMpFGSq2Th8dA+6GCS4g82YJVNA087u Qqlw==
MIME-Version: 1.0
X-Received: by 10.182.39.195 with SMTP id r3mr31145530obk.44.1427032627272; Sun, 22 Mar 2015 06:57:07 -0700 (PDT)
Received: by 10.202.48.151 with HTTP; Sun, 22 Mar 2015 06:57:07 -0700 (PDT)
In-Reply-To: <E68CA0D0-68B9-4389-8934-58505BB28F3D@cisco.com>
References: <5287A99D-C512-498A-9F8C-3B7E38D7844B@cisco.com> <550EB8F2.10203@cs.tcd.ie> <E68CA0D0-68B9-4389-8934-58505BB28F3D@cisco.com>
Date: Sun, 22 Mar 2015 06:57:07 -0700
Message-ID: <CABkgnnVJzwsYLqC96sco_PtC3=AqmgXt0C=v0SzYt8S6dL4tTw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "Fred Baker (fred)" <fred@cisco.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/pI5WvDr0KTbZAmWvK86KSaajcS4>
Cc: "ops-dir@ietf.org" <ops-dir@ietf.org>, "draft-ietf-tls-sslv3-diediedie.all@tools.ietf.org" <draft-ietf-tls-sslv3-diediedie.all@tools.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] ops review of draft-ietf-tls-sslv3-diediedie
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2015 13:57:10 -0000

On 22 March 2015 at 06:01, Fred Baker (fred) <fred@cisco.com>; wrote:
>> On Mar 22, 2015, at 7:43 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie>; wrote:
>> On 22/03/15 06:29, Fred Baker (fred) wrote:
>>> One implication that the document doesn’t bring out directly, but
>>> which follows from the discussion of the attacks, is that any key or
>>> certificate that has been exchanged using SSL may have been
>>> compromised via a man-in-the-middle attack, and is therefore suspect.
>>> Such certificates and keys should be replaced
>>
>> I don't think that is the case, as SSL's imperfections bad as they
>> are, don't expose long-term (private) keying material. But it is
>> worth checking. Short-term keys will naturally be replaced without
>> any operator action in any SSL->TLS transition I think. And any
>> trust anchors that were accepted via self-signed certificates will
>> be as good or bad as ever and are probably best left alone if one
>> isn't changing s/w but just a config.
>
> You may ell be correct. I also noted, after having sent the email, that it is fairly probable that a different crypto algorithm might be selected as a result of the transition, which would entail obtaining relevant keys and certificates anyway.


Hi Fred,

Thanks for the writeup.

With respect to this issue, I just did some double-checking and the
treatment of certificates and the associated long-term keying material
is identical between SSL3 and TLS 1.1.  Some changes were made with
respect to signatures in TLS 1.2, but those probably won't materially
affect the analysis.

So, absent new attacks being found, my analysis is that we're OK with
respect to long-term keying material.  If someone does find an attack,
then we'll be retiring TLS 1.0 and 1.1 in a panic.

--Martin