IETF Logo Mail Archive

Re: [tsvwg] DTLS 1.3 over SCTP

Magnus Westerlund <magnus.westerlund@ericsson.com> Mon, 17 July 2023 12:51 UTC

Return-Path: <magnus.westerlund@ericsson.com>
X-Original-To: tsvwg@ietfa.amsl.com
Delivered-To: tsvwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C6586C151063 for <tsvwg@ietfa.amsl.com>; Mon, 17 Jul 2023 05:51:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wwxyZ1JRQQwA for <tsvwg@ietfa.amsl.com>; Mon, 17 Jul 2023 05:51:17 -0700 (PDT)
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (mail-db5eur01on2085.outbound.protection.outlook.com [40.107.15.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A349C151542 for <tsvwg@ietf.org>; Mon, 17 Jul 2023 05:51:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=F8R6wo1HSWwmWHKkk2TZhZZIqMRyMBk+Z8PgPjZZR8qs8X7rsdn462Qini22W8h/bbSYb1WiuXguYM97H0Qoe44+N6NXIATqOddgxGzcuDtRB2gBXob03zxCI9ohGnnoZjImEmDwEcwX55/qYHiBTMIagO9Uq9D19GEZ0kVp3pwIGwfzJl357kdjalQTK+N8LD+FYMNQhDd8Yqba9uq+b70XR6vJK+6tJR0z3zs4GFqswHbUA/fCUUVKpy9a6jS6uxpXcQ8gFrhUlkOOuioRE1xKtcJ2Uv9c9D+rxxEWL884eMewLmLMkMbxyIZGPKG16NL6wLXu2qJSSto5ECItDQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=wk/vXTAAelkKFqjZYXwSaNRMlN/nxC6Um0tqvahUZR0=; b=Ar2AhL7EWCVIflkJbjPDQvsxTpjYvICwxQgnA1vqvmBdtkJtDy6E76PmAl89VfbwtSz6Yp3wJ+h5RUVCE2z2J1fsqLImRjs6wDdx83dh2qW/mNKXgi8tWHvjmhTKlQzFpNEbW0+UXfN4Py1xP24RJFYGMSA80etnPYrFuHZ5CeWo7jiMLdHrhPQt05yaNrdzSDWC6k3CFsToLSVhXb5SLhJOt/rPcbOaJXNZOtV9ZTppBu2dq6telZTJYF2ZmNYs3Ix1cDpj1uL0X+MqhOzbNeJWr6k7hzAC5xmWDQ6E9spZvBsapVmTx45wQQAVua4Sd+ciYu8Sb7xgVA0AMjkwcQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=wk/vXTAAelkKFqjZYXwSaNRMlN/nxC6Um0tqvahUZR0=; b=uJvV6u7j81Q6PC5JwfgoEUGLPCQigxjAykJ3VFdWhpaBZDjDf146Od/2KWM4mrk1pvZuEndmbjY0jfqwBUs2h6nF5/xezHOL1ZtmhEVZTSnmE7YMncz52VmxmtNbxmwayyMB9Fbg6TKte2VwmF47qa1qWfNsML2ekZWss4P6/4Y=
Received: from DU0PR07MB8970.eurprd07.prod.outlook.com (2603:10a6:10:40e::17) by AS8PR07MB8343.eurprd07.prod.outlook.com (2603:10a6:20b:442::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6588.32; Mon, 17 Jul 2023 12:51:14 +0000
Received: from DU0PR07MB8970.eurprd07.prod.outlook.com ([fe80::f42d:c1c8:7d3:f559]) by DU0PR07MB8970.eurprd07.prod.outlook.com ([fe80::f42d:c1c8:7d3:f559%7]) with mapi id 15.20.6588.031; Mon, 17 Jul 2023 12:51:14 +0000
From: Magnus Westerlund <magnus.westerlund@ericsson.com>
To: Michael Tuexen <michael.tuexen@lurchi.franken.de>
CC: tsvwg IETF list <tsvwg@ietf.org>
Thread-Topic: [tsvwg] DTLS 1.3 over SCTP
Thread-Index: AQHZtZdYZRa9TnJdh0CQUleZ9o+qW6+5J6wRgAOJhoCAAQMdFIAAJ+OAgAAGAnY=
Date: Mon, 17 Jul 2023 12:51:14 +0000
Message-ID: <DU0PR07MB89707C2F5AB007DFE223408E953BA@DU0PR07MB8970.eurprd07.prod.outlook.com>
References: <0C990143-D450-4288-9390-E06D3469FF1D@lurchi.franken.de> <DU0PR07MB8970107616BF8A5E9D05AF939534A@DU0PR07MB8970.eurprd07.prod.outlook.com> <25FD6896-90BA-4298-A5BE-DDD869A71C37@lurchi.franken.de> <DU0PR07MB897089C304314A47B606EB82953BA@DU0PR07MB8970.eurprd07.prod.outlook.com> <6D224418-07D8-467E-A67D-A40B223207EB@lurchi.franken.de>
In-Reply-To: <6D224418-07D8-467E-A67D-A40B223207EB@lurchi.franken.de>
Accept-Language: en-US, sv-SE
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: DU0PR07MB8970:EE_|AS8PR07MB8343:EE_
x-ms-office365-filtering-correlation-id: ff35e878-5c6c-4576-6e61-08db86c4815b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: IvI5CnoJOEdD4QI0fAGpvV0KROuEEc1GTx33uvlwcEDMu6DNo1aPom/LDpssYnyWe7nmu+cF9u3XUQeddN8BkXdV4/yAPnb0Q5OPkG4gb0xV7LXCE57QnTxBzISVrqmHeGHABMEWaoDmHr5cICWiFDRSuwRGXgcVfK0SGvmNn3eKTCb/AaLcugODWyXK8LdKd1a7Aziyxvn6nLO0sfQNCw+l0wBFAAzVGYqxrbChofMgTi8ElaXmAA2ucvRVsqXUi2MWY9hbrVHlOa5jjKcPY1PbOOCtgOSMT1S1gPYjsmH3wIGSc2RIkbUXUaxfipXQzOWlbucIZuDPqk7jgz9JmVkTXW7wm7V/2+KEEPoRaaB2Y4W+m2kioSQCOq7PBm3G3CCewwJRQoQzttD0nAS5341Quj3iTcZTJEjV2BK9TpRu4XxmzPc5VH2CQLHIMxdFPKo0I4sF+EOKKCddAxduQIJDKEfxtfp/zYC7UwY9BNDtIukkmDxyLStLu8DJkE7w/QVi6l27l70zPJAgBJ1cjtL9aVBvFY270QD7S+OKxbXEybaxVfkGo0SbWTIBuwEl+6zKlYol2JAwvmblfvAzkXDk8mz4Ak95Lc9PtJhkbMdSq42Dvmv5wUJDybDTp4GJiP1VrNv7esELS4dm2Z1niHvzrYQeCNWJ183hc6+xHLr8umHrbzDOSUV0JXLi6f00
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU0PR07MB8970.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(346002)(39860400002)(376002)(366004)(396003)(136003)(451199021)(7696005)(91956017)(71200400001)(478600001)(83380400001)(33656002)(86362001)(38070700005)(55016003)(76116006)(2906002)(44832011)(26005)(186003)(6506007)(9686003)(966005)(122000001)(38100700002)(6916009)(82960400001)(166002)(66476007)(66946007)(64756008)(66556008)(66446008)(41300700001)(4326008)(316002)(8676002)(5660300002)(52536014)(8936002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 7QCjMarrf2eZzIBNHNR7mkN8Gp3eTcGgRccaBU8pXcuc5bjXJcbZA7rsnl4pYlL+VMwQ/DbUMSyiMSEto+e+F0OjLdo1RSxgqya+5WI30sDAeZPbjouWTADihK6dVs+MxRrvFSKOzSRskRlbSzb1RIIAiURTgkknezwfVj6/k6GUnpCPqkSyoGFlWvmw0di2tLSKLxkUzdFWGWAtXIpH0UtcHAmg5D2oW2qheZIkLuzJHo1g7xfWHZG05uqxnzOFRL79XJqHEUE+EQs1tkyLiJp0/dydZ18GtjEsBRlpUNjuTBHI604cuy3HwR/rosYNn77rcUo/f2kJA54cfuBS+owievKbQ7nwngzlzH7ZUS7N0vWUqJbY4nd4aaJr+IQXFxWDhjlshJW35w+oPL2v9RDOibBsSDL8PSjpUQdY+M4cuP7aTpeo7nZwgY//6OJz0rbtY/Kibzp2S4GuTaJ1a08Pj1uScP/9dKTIwfnbkxT3i5lTC5GhzodTQxQzH4J2JlVW+dqKS5HPb1TKyT1/wyBDAM+lzuCekVUgJKCYCYjXsef0rGFdTtSZQxodw/6OjuMH8271YU9pA8ojYeQjNE2CLqzS/9n020FAVGo2pg2vaM7/4NsuKXnBOaJNjScOs5SIPl9yEOVJ/jUueEX9X88nljE24NSY/6jR+f1GY9S+ziXsay3CQ4/N9fQoOcEmAbeKxb6cmdUOK76gDPtwMjz8azSigp5JHHUdcC8ZmfF8vmeDdWY5O4d/95fL0vZi3rTGHN9dDv1qTr5cSmjDoXi5iMOfpHYgOq13bKK6MuF1PwN+18/MbLzepu6Q/VZI+WIUUZQ65nH/PBQ1qD7/PB9jtpQhtmeEw6q7rBF3+dUBFREUaQNc5cGbeVKcdCUzmBdrKq6UTNShwQo9GlbuU4XpK4lS6azxBUynAklXIraQfQNRK3/V80GHMUMZ83FbrzoBFbzbdOEVJDHEdJ5SwAa+T8u92FWeTcVYnfzNEy1OrlGFiAZeG8zLYXsG+63kWwnl59wRo7CLGp5HS0NvBY8ZZQK4YqZhVppm50S5N6o8Tg5XyMDfpReUT7XcV62XIEeCofCNtk0i5EeFNeJn9Gv5VPWwA9q8poa5gZRfE7tUmytWzxJpKvwL25V1J+MchrwxioXw+6YNRZu/DsFMWdi664irdbv0gdDW3vADhBdESfL7Ly7n4yDd4tb8qHv/LM38VacZ9HsaNSzaDAnRIHwVQUwV1L7842K37KrWjfrj7nXK0GbhyKI8mGsp+oOGJ6N8NzJZRJYpDfwL0D4Ud0bceTYGotMH3k6rOITXh+dwCMIK1vtQrri+ntggsU5Hg8Agus6RZdrnRXH+XW0UR3/fSeynDm2x++CB995uKarE0Z7yc4jor0wxq0ofrxaE2HxDYQzaFJgmzNnmOaw0leZBILqmZcAGAF7tCYU7tLMj1YhATZsM/mkwATsu8VA6iTBWxHOtvHRMwL1dtyvC0SynLW1Hh1/SClCM8sRWTzERRVlQmiZtiL0YuZI3AFWIp3PGen8JNsHX6+psuOTVJilEjkHMWbrJdv8eIChMVyZ3ompCOjZKCZS6h7bCM8Ag7SPArhsFKRXJtl873pVKB9YfrelIac1ACtFEaUnSmHE=
Content-Type: multipart/alternative; boundary="_000_DU0PR07MB89707C2F5AB007DFE223408E953BADU0PR07MB8970eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: DU0PR07MB8970.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: ff35e878-5c6c-4576-6e61-08db86c4815b
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Jul 2023 12:51:14.4483 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: etE4XnhzwMUQLay8cLXlK1uvVrxlHWXuC7AHlwYr/hdq3RuEcQar+DxgItHg3e1wimUXLX2k3oM9zzkKtkrCiFr+Ehp5ec8n4Wi7Y5DZv+s=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR07MB8343
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsvwg/c_nxedJ9oGGd6xrsfWhyprY-TQg>
Subject: Re: [tsvwg] DTLS 1.3 over SCTP
X-BeenThere: tsvwg@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transport Area Working Group <tsvwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsvwg/>
List-Post: <mailto:tsvwg@ietf.org>
List-Help: <mailto:tsvwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsvwg>, <mailto:tsvwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Jul 2023 12:51:21 -0000

Hi,

>
> >  Otherwise, I think it is good that RFC 6083 are being fixed for its security issues unless completely replaces by a more capable solution. However, this draft it does not address all the requirements to our understanding that 3GPP has on a DTLS based security solution. The short-commings are the following:
> >
> >     • Do not support sufficiently large protected message sizes. As discussed in this thread the theoretical maximum message sizes for some of 3GPP application protocols are above 144 kb and even as large as 500 kb.
> >     • Periodic re-authentication of the peer
> >     • Forward secrecy rekeying, like re-running differ-hellman exchange, which is not done by the DTLS 1.3 keyupdate mechanism.
>
> Any idea how that last two goals are achieved by using TLS 1.3 or DTLS 1.3? Or were these
> features just dropped when getting rid of re-negotiation?
> MW: TLS 1.3 dropped these capabilities when re-negotiation was removed. I think the main reason is that no one was there and pushing for long lived use cases. In the web world there are rarely any real issue with dropping the connection and forcing the client to reconnect if one runs into these needs. SCTP application clearly has other expectations, especially the applications 3GPP have for it.
> So those two later issues and the lack for any solution in DTLS 1.3 is why we defined the parallel DTLS Connection procedure.

Doesn't provide (D)TLS forward secrecy? Where are the requirements for re-negotiation coming from? Was there a liaison statement making that requirement clear?

MW: Yes, the initial DTLS handshake will provide forward secrecy assuming the right handshake algorithms are used, like (EC)DHE. However, if one uses key-update that new transport key does not have all what might be considered forward secrecy properties. If an attacker manages to break or exfiltrate a particular transport key, the attacker will be able to continue to have access to the DTLS connection for the rest of its life time as the endpoint’s new key is provided protected by the old (broken) key. I do note that DTLS 1.3 Key-update will not allow to determine what the keys where in any transport key epoch before the one that was first broken. Note the more detailed wording below on these properties.
The basis of this requirement is good modern practices and as we have documented in the security consideration section of SCTP/DTLS this exists as recommendation from national security organizations. https://www.ietf.org/archive/id/draft-ietf-tsvwg-dtls-over-sctp-bis-06.html#name-security-considerations

”(D)TLS 1.3 [RFC8446<https://www.ietf.org/archive/id/draft-ietf-tsvwg-dtls-over-sctp-bis-06.html#RFC8446>] discusses forward secrecy from (EC)DHE, Key Update, and tickets/resumption. Forward secrecy limits the effect of key leakage in one direction (compromise of a key at time T2 does not compromise some key at time T1 where T1 < T2). Protection in the other direction (compromise at time T1 does not compromise keys at time T2) can be achieved by rerunning (EC)DHE. If a long-term authentication key has been compromised, a full handshake with (EC)DHE gives protection against passive attackers. If the resumption_master_secret has been compromised, a resumption handshake with (EC)DHE gives protection against passive attackers and a full handshake with (EC)DHE gives protection against active attackers. If a traffic secret has been compromised, any handshake with (EC)DHE gives protection against active attackers.

The document “Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement” [RFC7624<https://www.ietf.org/archive/id/draft-ietf-tsvwg-dtls-over-sctp-bis-06.html#RFC7624>] defines key exfiltration as the transmission of cryptographic keying material for an encrypted communication from a collaborator, deliberately or unwittingly, to an attacker. Using the terms in RFC 7624, forward secrecy without rerunning (EC)DHE still allows an attacker to do static key exfiltration. Rerunning (EC)DHE forces and attacker to dynamic key exfiltration (or content exfiltration).

When using DTLS 1.3 [RFC9147<https://www.ietf.org/archive/id/draft-ietf-tsvwg-dtls-over-sctp-bis-06.html#RFC9147>] AEAD limits and forward secrecy can be achieved by sending post-handshake KeyUpdate messages, which triggers rekeying of DTLS. Such symmetric rekeying gives significantly less protection against key leakage than re-running Diffie-Hellman as explained above. After leakage of application_traffic_secret_N, an attacker can passively eavesdrop on all future data sent on the connection including data encrypted with application_traffic_secret_N+1, application_traffic_secret_N+2, etc. Note that Key Update does not update the exporter_secret.

DTLS/SCTP is in many deployments replacing IPsec. For IPsec, NIST (US), BSI (Germany), and ANSSI (France) recommends very frequent re-run of Diffie-Hellman to provide forward secrecy and force attackers to dynamic key extraction [RFC7624<https://www.ietf.org/archive/id/draft-ietf-tsvwg-dtls-over-sctp-bis-06.html#RFC7624>] ANSSI writes "It is recommended to force the periodic renewal of the keys, e.g., every hour and every 100 GB of data, in order to limit the impact of a key compromise." [ANSSI-DAT-NT-003<https://www.ietf.org/archive/id/draft-ietf-tsvwg-dtls-over-sctp-bis-06.html#ANSSI-DAT-NT-003>]”


So 3GPP has not expressed these requirements in any of the LS we have received. My understanding is that we have considered necessary requirements for the applications and their properties to meet modern security recommendations. John is on vacation, but I will see if I can learn if there exists some 3GPP documentation on requirements that I can point to, or if anyone else that can contribute their view on 3GPP.
I hope you see that forward secrecy and the possibility to re-run (EC)DHE exchanges periodically is quite relevant to minimize the impact of any breach if it would occur for this very long lived SCTP associations that these 3GPP applications are using as well as for any other usage of this security mechanism.
Cheers
Magnus

v2.31.3 | Report a Bug | By Email | System Status