IETF Logo Mail Archive

Re: [TLS] integrity only ciphersuites

Geoffrey Keating <geoffk@geoffk.org> Mon, 20 August 2018 23:45 UTC

Return-Path: <geoffk@geoffk.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 604FC130E42 for <tls@ietfa.amsl.com>; Mon, 20 Aug 2018 16:45:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G4KEQYKFsvz1 for <tls@ietfa.amsl.com>; Mon, 20 Aug 2018 16:45:44 -0700 (PDT)
Received: from dragaera.releasedominatrix.com (dragaera.releasedominatrix.com [198.0.208.83]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07B90130E3D for <tls@ietf.org>; Mon, 20 Aug 2018 16:45:44 -0700 (PDT)
Received: by dragaera.releasedominatrix.com (Postfix, from userid 501) id 797DA33D283; Mon, 20 Aug 2018 23:45:43 +0000 (UTC)
Sender: geoffk@localhost.localdomain
To: "Nancy Cam-Winget (ncamwing)" <ncamwing=40cisco.com@dmarc.ietf.org>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com>
From: Geoffrey Keating <geoffk@geoffk.org>
Date: Mon, 20 Aug 2018 16:45:43 -0700
In-Reply-To: <E29465D4-E4C5-466F-9E3F-240E258DC7C2@cisco.com>
Message-ID: <m2bm9wfvq0.fsf@localhost.localdomain>
Lines: 30
User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.4
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uI8xVgp7gTuJgwUyY-UgZfmUkRo>
Subject: Re: [TLS] integrity only ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Aug 2018 23:45:47 -0000

"Nancy Cam-Winget \(ncamwing\)" <ncamwing=40cisco.com@dmarc.ietf.org> writes:

> In following the new IANA rules, we have posted the draft
> https://tools.ietf.org/html/draft-camwinget-tls-ts13-macciphersuites-00
> to document request for registrations of HMAC based cipher
> selections with TLS 1.3…..and are soliciting feedback from the WG on
> the draft and its path forward.

This draft needs more security analysis than is currently there, and
probably it needs to define not just a ciphersuite but an entire
profile for using TLS with this ciphersuite.  Some topics:

* Anything that relies on EncryptedExtensions should probably not be
used.

* The session ticket properties change in the absence of encryption.  In
existing TLS 1.3, they are sent only after Finished and so are
encrypted; now they are public.  I am not sure if this changes the
security model but it definitely makes it easier to attack the ticket.

* A less-obvious consequence to the lack of confidentality is that a
typical implementation, an attacker can selectively block messages
knowing their contents (by breaking the connection).  In the weather
example this might be used to manipulate average daily temperature by
blocking only higher or only lower readings.  In the robot example
this might be used to cause it to exceed its limits by allowing
movement commands only in one direction.

I wonder whether it's really helpful to call the result 'TLS' and
not something else?

v2.23.0 | Report a Bug | By Email