Re: [TLS] TLS interception technologies that can be used with TLS 1.3

Richard Barnes <rlb@ipv.sx> Thu, 15 March 2018 22:45 UTC

From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 15 Mar 2018 18:45:24 -0400
Message-ID: <CAL02cgSBwsHoeWxpD7+FA+NH9tzYmK7wHrswae9CWpOTf7FZfw@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: Yoav Nir <ynir.ietf@gmail.com>, Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qng8owtibjz2KW4euqoOFJN-tJU>
Subject: Re: [TLS] TLS interception technologies that can be used with TLS 1.3

Well, exactly.  It seems like the following have equivalent security
properties:

- Shipping out each session's keys as lines in SSLKEYLOGFILE over an ECDHE
TLS connection
- Shipping out each session's keys as an ECIES-encrypted package carried in
a TLS extension

Either way, you're doing a DH with the key recipient's public key and using
that to encrypt the keys.

On Thu, Mar 15, 2018 at 6:42 PM, Salz, Rich <rsalz@akamai.com> wrote:

> I think if we ship the keys over some kind of secure socket layer we
> should be okay, right?
>
>
>
>
>
> *From: *Yoav Nir <ynir.ietf@gmail.com>
> *Date: *Thursday, March 15, 2018 at 6:41 PM
> *To: *Richard Barnes <rlb@ipv.sx>
> *Cc: *Rich Salz <rsalz@akamai.com>, Hubert Kario <hkario@redhat.com>, "tls@ietf.org" <tls@ietf.org>
> *Subject: *Re: [TLS] TLS interception technologies that can be used with
> TLS 1.3
>
>
>
> IIUC not quite. There is an API, so the application that uses the library
> can get the keys. The application can then save it to a file, send it to a
> central repository, send it to the government, or whatever else it might
> want to do.
>
>
>
> There is no built-in setting where OpenSSL writes the keys to a file, nor
> do applications such as web servers do this AFAIK.
>
>
>
> It should not be difficult to write, but is not provided in off-the-shelf
> software.
>
>
>
> Making the library send this in-band in some protocol extension is a far
> bigger endeavor. It’s also a dangerous switch to leave lying around.
>
>
>
> On 16 Mar 2018, at 0:16, Richard Barnes <rlb@ipv.sx> wrote:
>
>
>
> Just to confirm that I understand the scope of the discussion here:
>
>
>
> - TLS libraries have facilities to export keys from the library
>
> - Obviously, it's possible to ship these exported keys elsewhere (`tail -f $SSLKEYLOGFILE | nc $LOGBOX`)
>
>
>
> So all we're really talking about is whether to define a way to do the
> shipment of the exported keys in-band to the TLS session.
>
>
>
>
>
> On Thu, Mar 15, 2018 at 3:05 PM, Salz, Rich <rsalz@akamai.com> wrote:
>
> This is what OpenSSL provides:
>     https://www.openssl.org/docs/manmaster/man3/SSL_CTX_get_keylog_callback.html
>
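
Added example, not part of the original thread: a small auditor for the NSS key log format that SSLKEYLOGFILE refers to, showing what "each session's keys as lines" amounts to and what a recipient of those lines can read per session. The sample lines are constructed (not real key material) and the names parse_keylog, exposure and audit are made up for this illustration.

```python
import re
from collections import defaultdict

# Labels used by the NSS key log format for TLS 1.3 and for TLS 1.2 and earlier.
TLS13_LABELS = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "EARLY_EXPORTER_SECRET",
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
    "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET",
}
TLS12_LABELS = {"CLIENT_RANDOM"}
# <LABEL> <32-byte client_random in hex> <secret in hex>
LINE_RE = re.compile(r"^([A-Z0-9_]+) ([0-9a-fA-F]{64}) ((?:[0-9a-fA-F]{2})+)$")

def parse_keylog(text):
    """Group key log lines by client_random; return (sessions, rejected lines)."""
    sessions, rejected = defaultdict(dict), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no key material
        m = LINE_RE.match(line)
        if not m or m.group(1) not in TLS13_LABELS | TLS12_LABELS:
            rejected.append(line)
            continue
        label, client_random, secret = m.groups()
        sessions[client_random.lower()][label] = bytes.fromhex(secret)
    return dict(sessions), rejected

def exposure(secrets):
    """Summarise what the holder of one session's lines can decrypt."""
    if "CLIENT_RANDOM" in secrets:
        return "tls1.2: master secret, whole session"
    app = {"CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0"}
    return "tls1.3: application data" if app.issubset(secrets) else "tls1.3: partial"

def audit(text):
    """Return ({client_random: exposure summary}, rejected lines)."""
    sessions, rejected = parse_keylog(text)
    return {cr: exposure(s) for cr, s in sessions.items()}, rejected

# Constructed sample: one TLS 1.3 session, one TLS 1.2 session, one malformed line.
A, B = "aa" * 32, "bb" * 32
SAMPLE = "\n".join([
    "# constructed example, not real key material",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {A} {'01' * 32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {A} {'02' * 32}",
    f"CLIENT_TRAFFIC_SECRET_0 {A} {'03' * 32}",
    f"SERVER_TRAFFIC_SECRET_0 {A} {'04' * 32}",
    f"CLIENT_RANDOM {B} {'05' * 48}",
    "CLIENT_RANDOM zz 00",
])
```

Every accepted line is a live session secret, so wherever such a file or stream ends up needs the same protection as the traffic it unlocks.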