Re: [TLS] Fwd: New Version Notification for draft-bmoeller-tls-downgrade-scsv-00.txt

Bodo Moeller <bmoeller@acm.org> Tue, 01 October 2013 11:32 UTC

Return-Path: <SRS0=zENr=TL=acm.org=bmoeller@srs.kundenserver.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EEBA221F9F96 for <tls@ietfa.amsl.com>; Tue, 1 Oct 2013 04:32:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.498
X-Spam-Level:
X-Spam-Status: No, score=-1.498 tagged_above=-999 required=5 tests=[AWL=0.128, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HELO_EQ_DE=0.35, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xYFX5i6qKEXs for <tls@ietfa.amsl.com>; Tue, 1 Oct 2013 04:32:36 -0700 (PDT)
Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.17.9]) by ietfa.amsl.com (Postfix) with ESMTP id ED26021F9F8E for <tls@ietf.org>; Tue, 1 Oct 2013 04:32:32 -0700 (PDT)
Received: from mail-ie0-f175.google.com (mail-ie0-f175.google.com [209.85.223.175]) by mrelayeu.kundenserver.de (node=mreu1) with ESMTP (Nemesis) id 0Lvx1t-1Vuphd0moX-017Y2i; Tue, 01 Oct 2013 13:27:12 +0200
Received: by mail-ie0-f175.google.com with SMTP id e14so13063556iej.20 for <tls@ietf.org>; Tue, 01 Oct 2013 04:27:10 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=pxschSMzasUgeGRWa/8jX76yaXA+7b//OzBpWiHF41c=; b=LjeDsDW3kCv1BfxnyL3fTFfJYWevQP6fmmu+dO2L6v1ITl6PAEhbmdWLB9jEWejip9 sHYPiK1icdkztDl8p7fCSviorprywtNhlWVOKosYCC1X/Pl+wMzFhMH50MPwPicsPpUe ean2pyGihwqVBYWb4l19Nq5MbIx8YQXKYdODo2zvHGqfut5Z4x8xVDmzbu8mFFmPItED 0XsdGcVCgixTaON/at0tGYbEOvQKQFP/73U6vOq4pzHsG6BEU/DVkfoOR8z/j5q5JFNk 1/E0wPIj21Id8xOSE51qU0AmvqJn3EhNwTLnTWr0H8uFVeDEh0J9sy+2H6px2/Tbnwaa SafQ==
MIME-Version: 1.0
X-Received: by 10.50.6.71 with SMTP id y7mr17217859igy.8.1380626830939; Tue, 01 Oct 2013 04:27:10 -0700 (PDT)
Received: by 10.43.64.138 with HTTP; Tue, 1 Oct 2013 04:27:10 -0700 (PDT)
In-Reply-To: <20130930171657.C8BE01A9C2@ld9781.wdf.sap.corp>
References: <CADMpkc+vidEbfLfNK5QYCiry9tP7pQfvDx6oJ8hxhhHNXQa3MQ@mail.gmail.com> <20130930171657.C8BE01A9C2@ld9781.wdf.sap.corp>
Date: Tue, 1 Oct 2013 13:27:10 +0200
Message-ID: <CADMpkcLhUNW6tORdtDzOrcQbaJA1VB+Jz9Y-bi6v=EQasYxepQ@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary=047d7bd6c212d362ae04e7ac3b07
X-Provags-ID: V02:K0:URxAsmcVfKf19ZDIuBpMx7AcRycwq4JJ1Mtk0qZ+fNw lUWQYYYVYb2fh3WOvvhnrnq0R1g9Y0zTOYpYDmoB39MSigszPo IMPVIsihywr23i//R0bx6Y1GO6+kLByu6GS7xuhWQnZo71+NZl MBBCWPc5cHahbP54KbzAuFIDAPbPVk0xZaHg/GPq8V/VloOEdH GiT/dz+Feyl0AuU6lG5skymASuLlVjyBYU+GtuZhiu9XKHVqKP IR/DLePTbZDiXuKHNHRMTfAzCIROisceuApaMLQuQic/BQe+BG BgsmlcVTQF31uTvlucmrItQjIkVT5WcZ3cQbZybFC6wtguou0h MdSwzN19+Tjs5pdA/LMutctdDJ0N+RSy7x57CsUvMuO3ekJans Nz/5LGfgaDOffiKjww2mWak5mVdV/YpAU60GvqyOgaA0QnqHpi Hz+Ko
Subject: Re: [TLS] Fwd: New Version Notification for draft-bmoeller-tls-downgrade-scsv-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2013 11:37:38 -0000

Martin Rex <mrex@sap.com>om>:


> To me, these two requirements amount to an unnecessary knee-jerk reaction,
> while we are fully aware that most TLS version interop problems are
> non-malicious, i.e. _not_ caused by an active attacker.
>

Well, it's still supposed to be a security protocol, so we *need* to be
able to deal with the situation that the problem is caused by an active
attacker.  Also, even if a security-weakening downgrade is not an
intentional attack, it's still security-weakening.



> I really see harm in increasing the amount of TLS handshake failures
> with new "abort" requirements of the TLS protocol itself.  Any
> new/additional
> handshake failures ought to be left purely and entirely to the calling
> applications and their security trade-offs / policies, which may or
> may not involve the decision of an interactive user.  Our concern in
> TLS WG ought to be reducing handshake failures, and getting rid of
> the reconnect fallback entirely.
>

Yes, downgraded retries are a pain and it would be much better to avoid
them, but that's completely orthogonal
to draft-bmoeller-tls-downgrade-scsv-00.  Whenever you manage to avoid a
retry, nothing in draft-bmoeller-tls-downgrade-scsv-00 applies to that
handshake.

If you have a retry, with draft-bmoeller-tls-downgrade-scsv-00, it *is*
left to security trade-offs whether you'd rather see a handshake failure,
or accept the downgraded protocol even though the client and server should
have been able to negotiate something better.  The specification is written
to let the client make this decision, because such retry policies are
necessarily client-driven.  The specification currently does not explicitly
recommend that TLS implementations let the calling application influence
this policy (I certainly could add that, but then our specs don't typically
identify the many protocol configuration settings that can typically be
influenced by applications as such -- we're specifying protocols, not APIs
for using those protocols from applications).



> Another example for TLS version challenges are defective middle-boxes
> (Bluecoat seems popular for internet access from company networks):
>
> https://kb.bluecoat.com/index?page=content&id=KB5493&actp=search&viewlocale=en_US&searchid=1380557656642


That's why the Security Considerations in my Internet Draft have this:

   Section 4 does not require client implementations to send
   TLS_DOWNGRADE_SCSV in any particular case, it merely recommends it;
   behavior can be adapted according to the client's security needs.
   For example, during the initial deployment of a new protocol version
   (when some interoperability problems may have to be expected),
   smoothly falling back to the previous protocol version in case of
   problems may be preferrable to potentially not being able to connect
   at all: so TLS_DOWNGRADE_SCSV could be omitted for this particular

   protocol downgrade step.




> Yet another example would be the upgrade path for an installed server-farm,
> where you would get yourself into trouble if the existing server-farm
> causes clients to perform reconnect-fallbacks and trying to test
> a new implementation of the kind you suggest would cause occasional
> handshake failures for handshake where the first request went to an
> old server, and the reconnect fallback to the updated server.
> So for such a setup, this kind of feature would require a "flag day".
>

You mean something like the following, right?

- Broken servers support TLS 1.1 only, and will barf on a TLS 1.2
ClientHello.
- Fixed servers also supports TLS 1.2, and understand TLS_DOWNGRADE_SCSV.
- Connection are distributed to servers in a round-robin fashion, say.

You'd encounter a glitch in this scenario if a client tries a TLS 1.2
handshake to a broken server first, then retries with TLS 1.1 and
TLS_DOWNGRADE_SCSV and happens to hit one of the fixed servers so that the
connection attempt fails.  (There's no such problem if both connections go
to a broken server, or if the first connection goes to a fixed server.)
 So, for some proportion of cases, retrying clients wouldn't benefit from
their retries, and instead would encounter similar brokenness as those
clients that don't retry in the first place.

There's no requirement for a "flag day" (by which I assume you mean
changing the configuration for the entire server farm at once) if you roll
out fixed TLS 1.1 servers first (at any pace), and subsequently enable TLS
1.2 support (at any pace).




>   http://tools.ietf.org/html/rfc5288#section-4
>   http://tools.ietf.org/html/rfc6655#section-5
>
> Implementing AEAD for TLSv1.0 or TLSv1.1 would be simple and straight-
> forward, and the cipher suites (themselves) would exhibit the same
> security properties.  But this [...] prohibits clients from even
> proposing these cipher suites when they're doing a fallback, independent
> of what is causing the fallback.
>
[...]

> To really improve the situation, new protocol features (including
> TLS protocol versions >1.1) ought to be negotiated in a fashion that
> increases the amount of successful TLS handshakes for the entire
> installed base, and avoids the necessity for reconnect fallbacks--
> something that the majority of programmtic TLS clients do not
> even have.


I assume that those specs were written to disallow these AEAD cipher suites
for earlier protocol versions specifically to improve interoperability,
because a client wouldn't be able to indicate that it
supports TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 for TLS 1.2 but not for TLS
1.1.  Assigning additional cipher suite numbers for essentially the same
cipher suites *with* support for earlier protocol versions might be
worthwhile.

Bodo