IETF Logo Mail Archive

Re: [TLS] datacenter TLS decryption as a three-party protocol

Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 23 July 2017 07:02 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 102B5131C3A for <tls@ietfa.amsl.com>; Sun, 23 Jul 2017 00:02:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_QU-Lq8llcC for <tls@ietfa.amsl.com>; Sun, 23 Jul 2017 00:02:46 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id C252F12741D for <tls@ietf.org>; Sun, 23 Jul 2017 00:02:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 07F6637710; Sun, 23 Jul 2017 10:02:43 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id kJ7K5OXLtIjT; Sun, 23 Jul 2017 10:02:42 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id ADA662316; Sun, 23 Jul 2017 10:02:40 +0300 (EEST)
Date: Sun, 23 Jul 2017 10:02:40 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: "Blumenthal, Uri - 0553 - MITLL" <uri@ll.mit.edu>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20170723070240.x7kmynzmu4jqco5t@LK-Perkele-VII>
References: <CAAF6GDeFuRy0DN6w3FwmR_nh1G=YBi4+qiEcw0MfSRj4SUCbZQ@mail.gmail.com> <20170720200114.AA2F91A6CB@ld9781.wdf.sap.corp> <06AE85BC-87AD-4CA5-8408-44F670358701@ll.mit.edu> <20170720203238.e66zurx5yn2jja3a@LK-Perkele-VII> <17109486-336E-44C0-B9FC-D65EE14310B5@ll.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <17109486-336E-44C0-B9FC-D65EE14310B5@ll.mit.edu>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/reIwonotV5oLxDyNjdaUb5YPjQo>
Subject: Re: [TLS] datacenter TLS decryption as a three-party protocol
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Jul 2017 07:02:48 -0000

On Thu, Jul 20, 2017 at 08:42:10PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> On 7/20/17, 16:32, "ilariliusvaara@welho.com on behalf of Ilari Liusvaara" <ilariliusvaara@welho.com> wrote:
> > Maybe we are better off just retrofitting RSA-key-transport back
>     > into TLS-1.3? 
>     
>     This has in fact been requested. Kenny Paterson said about the request:
>      -----------------------------------------------------------------------
>     My view concerning your request: no. 
>     Rationale: We're trying to build a more secure internet.
> 
> My rationale to resurrect it: others are trying to push TLS-1.3 into
> an invisibly-insecure state. If we must satisfy them (and I’m not at
> all sure we should), then this is the most obvious way to at least
> avoid the “insecurity” being silently pushed upon you. At the very
> least you’d have an option to continue under surveillance or abort
> connection. 

This isn't just matter of what is considered "secure enough" to
include. There are fundamential technical constraints that prevent
adding static RSA back.

Early on, there were all sorts of really fundamential decisions on how
TLS 1.3 works. The results of these decisions are baked deeply in the
protocol, and are extremely hard to change. These decisions were
already very apparent in draft-02, over 3 years ago, despite -02 being
unimplementable.

One implication of those assumptions is that any asymmetric key
exchange in TLS 1.3 is at least potentially forward secure[1] (the
actual constraints on asymmetric key exchanges are even stronger
than that, but this weaker version suffices here). Static RSA is not
even potentially forward-secure, so it can not be added.

If you try to add back RSA using the most straightforward method,
what you get is not an analog of static RSA from TLS 1.2. The result
would be closer to RSA_EXPORT from TLS 1.0.


On the other hand, there is no way to construct a key exchange that is
always forward-secure. Either endpoint can always act in a way that
destroys forward-security (even without leaking any per-connection
information), but can not be detected (DH share reuse is considered
detectable) by the other end.


[1] "potentially forward secure" means that there exists interoperating
client and server implementations, so that the key exchange is forward-
secure.


-Ilari

v2.23.0 | Report a Bug | By Email