Re: Fixing SSL

[Werner Koch]

On Thu, 31 Jan 2008 03:04, [EMAIL PROTECTED] said:

> If you want a "public" example of client certificate usage:
> https://secure.cacert.org/
> (You need a (free) client certificate from www.CAcert.org to be able to 
> access 

Which has the problem that you may use any certifcate you ever created
wit cacert.org to log in.  Even certificates created for demo purposes
with published private keys.  That was the case up until a year ago; I
don't know whether this has been changed.  I was a bit surprised about
such a security flaw.


Salam-Shalom,

   Werner

-- 
Die Gedanken sind frei.  Auschnahme regelt ein Bundeschgesetz.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Dutch Transport Card Broken

[Victor Duchovni]

On Thu, Jan 31, 2008 at 02:28:30PM -0500, Anne & Lynn Wheeler wrote:

> TCP requires minimum of seven message exchange for reliable transport
>  VMTP (rfc 1045) got that down to minimum of five messages, and XTP 
> then
> got it down to three messages minimum for reliable transport (disclaimer
> we were on the XTP technical advisory board).
> 

SMTP does not need TCP to provide reliability for the tail of the session,
the application-level "." (end-of-data) and server "250" response complete
a transaction, everything after that is optional, so for example Postfix
will send (when PIPELINING).

DATA  354 Go ahead
Message-Content Lots of acks
.QUIT   250 Ok

and will disconnect after reading the "250 response" without waiting
for the 221 response. The TCP 3-way shutdown (FIN, FIN-ACK, ACK) happens
in the kernel in the background, the SMTP server and client are by that
point handling different connections. So the reliable shutdown latency
is of no consequence for application throughput.

A pipelined SMTP delivery can be completed over TCP in 5 RTTs not 7.

0. SYN  SYN-ACK
1. ACK  220
2. EHLO 250
3. MAIL RCPT DATA   250 250 354
4. MSG . QUIT   250 221
5. close socket

TCP is fine, latency is primarily the result of application protocol
details, not TCP overhead. The only TCP overhead above is 1 extra RTT
for the connection setup. Everything else is SMTP not TCP, and running
SMTP over UDP (with ideal conditions and no lost packets, ...) would
save just 1 RTT.

-- 
Viktor.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

[Tim Dierks]

On Jan 30, 2008 9:04 PM, Philipp Gühring <[EMAIL PROTECTED]> wrote:

> Hi,
>
> > Huh? What are you claiming the problem with sending client certificates
> > in plaintext is
>
> * It´s a privacy problem
> * It´s a security problem for people with a security policy that requires
> the
> their identities to be kept secret, and only to be used to authenticate to
> the particular server they need
> * It´s an availability problem for people that need high-security
> authentication mechanisms, combined with high-privacy demands
> * It´s a identity theft problem in case the certificate contains personal
> data
> that can be used for identity theft


I totally disagree that this is a material problem that is in any meaningful
way impeding the use of SSL client certificates (there are totally different
reasons that client certs aren't being widely adopted, but that's beside the
point).

However, TLS supports what you want right now: just do the initial handshake
without client auth, then renegotiate after the session encryption starts.
The renegotiation will happen under the encrypted, identity-protected and
server-authenticated session, and client authentication can be requested in
the renegotiation; the client cert will then be confidential.

The reason nobody actually bothers to do this is because there's no customer
demand (see paragraph 1).

 - Tim

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Dutch Transport Card Broken

[Anne & Lynn Wheeler]

Victor Du

Jumping in late, but the idea that *TCP* (and not TLS protocol design)
adds round-trips to SSL warrants some evidence (it is very temping to
express this skepticism more bluntly).

With unextended SMTP for example, the minimum RTT count is:

0. SYN  SYN-ACK
1. ACK  220
2. HELO 250
3. MAIL 250
4. RCPT 250
... n recipients
   RCPT 250
4+n DATA 354
5+n ... stream of message content segments
250

so it takes at least 6 RTTs to perform a delivery (of a short
single-recipient message), but only 1 of the 6 RTTs is TCP
"overhead". This is improved with PIPELINING:

0. SYN  SYN-ACK
1. ACK  220
2. EHLO 250 ... PIPELINING ...
3. MAIL RCPT(n times) DATA  250 250 (n times) 354
4. ... stream of message content segments
250
   

re:
http://www.garlic.com/~lynn/aadsm28.htm#15 Dutch Transport Card Broken
http://www.garlic.com/~lynn/aadsm28.htm#16 Dutch Transport Card Broken
http://www.garlic.com/~lynn/aadsm28.htm#20 Fixing SSL (was Re: Dutch 
Transport Card Broken)


TCP requires minimum of seven message exchange for reliable transport
 VMTP (rfc 1045) got that down to minimum of five messages, and XTP 
then

got it down to three messages minimum for reliable transport (disclaimer
we were on the XTP technical advisory board).

i've frequently pontificated that with reliable registration of public keys
in the dns system and then piggy-backing any registered public key in
standard DNS response  then it would be possible to encode the
randomly generated secret key (with that public key) and the encrypted
message in the XTP packet for minimum 3 packet exchange.
http://www.garlic.com/~lynn/subtopic.html#subpubkey.html#catch22

http already went thru its period of problems of implicit assumptions
with tcp. tcp sessions were assumed to be long lived and session shutdown
was assumed to be relatively infrequently. non-session activity like http
was always assumed to use udp for efficiency. the http ignored all of
that and used tcp for non-session activity. as a result, webserver systems
went thru a period where the processors was spending 95+ percent of
processor in the session shutdown processing. systems then were retrofited
with new kind of tcp session shutdown implementation to handle the
misuse by http.

the original ssl deployment was to 1) encrypt data in transit and
2) authenticate the server. the implicit assumption was that the
user understood the binding between the business and the url.
the browser then provided the second part, verifying the binding
between the url and the server contacted (was the server that
the user thot they were talking to, the server they were actually
talking to).

The dependency for valid ssl operation was violated almost
immediately when merchants found that ssl overhead reduced thru
thruput by 5-10 times. the regression was instead of initial contact
of the webserver (presumably url supplied by user) being ssl,
ssl was moved to checkout/pay phase where the user clicked
on a button (and url) provided by the webserver (not a url
provided by the user). It was no longer possible to provide
any assurances as to the authentity of the webserver contacted
(ssl purely being reduced to encrypting data in transmission).

we had been called in to consult with the small client/server
company on using this technology (they created) called SSL
for payment transactions
http://www.garlic.com/~lynn/subnetwork.html#gateway

and had to go thru detailed walk thrus of the technology as
it applied to actual business processes (and the associated
implicit dependencies) ... as well as detailed walk thrus of the
new business operations that were calling themselves
certification authorities.

the other issue that we came up in applying this SSL technology
was communication between webservers and something called
the payment gateway. for  this communication we mandated mutual
authentication ... this was before mutual authentication had
been implemented in SSL. It turns out that by the time
we had it all implemented and deployed ... it also became
very apparent that the things called digital certificates
were redundant and superfluous.

the basic design point for digital certificates is first time
communication between total strangers. the payment gateway
business processes required that all the merchants had
to be pre-registered with the payment gateway and the payment
gateway pre-registered with all the merchants  violating the
basic justification for having digital certificates.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Gutmann Soundwave Therapy

[Ivan Krstić]

On Jan 31, 2008, at 4:07 PM, Guus Sliepen wrote:

I hope that in the future, if you see an application doing something
wrong, you don't immediately give the developers the soundwave  
therapy.



The wider point of Peter's writeup -- and of the therapy -- is that  
developers working on security tools should _know_ they're working in  
a notoriously, infamously hard field where the odds are  
_overwhelmingly_ against them if they choose to engineer new solutions.


With such understanding, no competent developer should ever set out to  
build new cryptosystems unless he can explain, point by point, why his  
needs cannot be met by existing, vetted systems. That explanation  
should ideally be made public for dissection by the community.


--
Ivan Krstić <[EMAIL PROTECTED]> | http://radian.org

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

RE: Fixing SSL (was Re: Dutch Transport Card Broken)

[Jim Cheesman]

To add to the examples Philipp has mentioned, I've been closely involved in
the design and implementation of a number of projects for the Spanish
government using SSL + client certificates; indeed, the new Spanish ID card
includes two certificates, one for authentication and the other for digital
signature.

There are some examples of services using SSL+client certs at:
http://www.mir.es/MIR/Servicios_Telematicos/ConCertificacion/

Regards,
Jim Cheesman



-Mensaje original-
De: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
En nombre de Philipp Gühring
Enviado el: jueves, 31 de enero de 2008 3:04
Para: Eric Rescorla
CC: Cryptography; Rasika Dayarathna
Asunto: Re: Fixing SSL (was Re: Dutch Transport Card Broken)

Hi,

> Huh? What are you claiming the problem with sending client certificates
> in plaintext is 

* It´s a privacy problem
* It´s a security problem for people with a security policy that requires
the 
their identities to be kept secret, and only to be used to authenticate to 
the particular server they need
* It´s an availability problem for people that need high-security 
authentication mechanisms, combined with high-privacy demands
* It´s a identity theft problem in case the certificate contains personal
data 
that can be used for identity theft

Quoted from Lynns email:
>i.e. the x.509 identity digital certificates from the early 90s, were 
>becoming
>more and more overloaded with personal information ... and by the
>mid-90s, lots of institutions were starting to realize all that personal
>information represented significant privacy and liability issues ... and
>the RPO digital certificates were born.

* It´s a liability issue

(Lynn, can you go into more details here? On the other hand, I would say
it´s 
self-explaining ...)

> (as if anyone uses client certificates anyway)? 

Guess why so few people are using it ...
If it were secure, more people would be able to use it.

If you want a "public" example of client certificate usage:
https://secure.cacert.org/
(You need a (free) client certificate from www.CAcert.org to be able to
access 
this page)

There are ISPs out there who provide internet access based on client 
certificates, authenticated in HTTPS sessions

Creative Commons is running a registry for digital works, based on authors 
client certificate authentication:
http://www.registeredcommons.org/

The Austrian governmental inhabitant register is using client certificates
for 
about 10,000 users all around Austria since 2001. (If I remember the details

correctly)  http://zmr.bmi.gv.at/pages/home.htm

And there are hundreds of internal systems I heard of that are using client 
certificates in reality every day.

> That the phisher gets to see the client's identity?

Validated email addresses for spamming. Spear-phishing perhaps, ...

> So what? 

Why doesn´t SSH leak the client identity in plaintext?

The problem isn´t a key-agreement problem. The problem is a 
client-authentication problem. 

> It doesn't let them impersonate the client to anyone. 

It does let them impersonate the client to anyone who doesn´t care about the

public key. (There are applications that just use the DN+Issuer information 
that they normally extract out of the certificates, ...)
But impersonation is just one threat out of the huge SSL/TLS threat-model.

> Certificates 
> shouldn't contain sensitive information anyway.

There are CA´s on this planet that put things like social security numbers 
into certificates.

(I guess those CA´s would say that SSL shouldn´t leak certificates in 
plaintext anyway.) Shovling around responsibility won´t help us. Let´s fix 
the problems. (Yes, we are already trying to get those CA´s to stop doing 
that ... but it´s a bit like asking credit card companies to not print those

sensitive creditcard numbers on those credit cards ...)

And there are a lot of people who would be interested to use certificates
for 
more applications than pure identity. (which aren´t necessarily sensitive, 
but they are personal related data)

Where does the SSL specification say that certificates shouldn´t contain 
sensitive information? I am missing that detail in the security
consideration 
section of the RFC.

There is a market demand for using sensitive information in certificates, 
dating back to the mid 90's (according to Lynn), and showing itself in 
various forms like Stefan Brands credentials, Attribute Certificates, and 
even the OACerts by Jiangtao Li and Ninghui Li. 
I have been talking to many people about client certificates and client 
authentication, and a lot of them are interested in using client
certificates 
for authentication, and also to add other attributes to the certificates.

> > We have the paradox situation that I have to tell people that they
should
> > use HTTPS with server-certificates and username+password inside the
HTTPS
> > session, because that´s more secure than client certificates ...
>
> No it isn't more secure.

Using username+password inside HTTPS do

Re: Dutch Transport Card Broken

[Perry E. Metzger]

"James A. Donald" <[EMAIL PROTECTED]> writes:
> Perry E. Metzger wrote:
>> (No, I'm not a fan of X.509 certs, but those are not
>> core to the protocol, and you can think of them as
>> nothing more than a fancy key container format if you
>> like. Key management is not addressed by SSL, so there
>> is no reason that fixing key management has anything
>> to do with SSL per se.)
>
> The two actually working, widely used, secure systems
> are SSH and Skype,

SSL is in use just about everywhere, James. https: is used constantly,
and there are many other applications that make use of it. My mom uses
SSL regularly, but by contrast I don't think she's ever touched SSH.

Perhaps you argue that SSL is not secure, but it appears to have
withstood all attacks to date. You might claim that it does not
prevent phishing attacks or some such, but then you are making a claim
about how people use https in practice,, not about SSL at all. The SSL
part of that protocol is fine, just as the RSA and AES or 3DES parts
of that protocol are fine.

> neither of which uses SSL/TLS/PKI

I'm going to start referring to you as James Donald/George W. Bush.

Why does James Donald/George W. Bush persist in involving us in wars
in foreign countries, I wonder? Please don't claim that you're not
somehow part of James Donald/George W. Bush, because as you see I've
juxtaposed your names, which is proof that you must be part of the
same entity.

If you don't like my doing that, then stop referring to SSL/TLS/PKI
because SSL has nothing to do with PKI.

SSL has nothing to do with PKI. X.509 certs are just a key container
format. The applications get to decide what to do with them. You
persistently claim that SSL has something to do with public key
infrastructure, but it has no more to do with public key
infrastructure at all. You shouldn't mention them at the same
time. You are free to write applications that use SSL with a PKI, or
without it -- the two have nothing to do with each other whatsoever. I
know of many apps that use SSL and don't touch PKI at all.

Constantly mentioning PKI and SSL at the same time betrays a
substantial ignorance of the system architecture we're mentioning --
it would make as much sense to claim that SSL has something to do with
IKE because both use X.509 certificates.

> The proof of the pudding is in the eating.  When large
> numbers of people use cryptography that really does make
> them secure, they are not using SSL/TLS/PKI.

Well, James Donald/George W. Bush, I presume this means that you have
a way of breaking SSL. Could you share it with us? If not, please stop
conflating things that are unconnected.

> SSL involves digital certificates.

Not really, James Donald/George W. Bush. It involves public keys, and
it provides a channel by which X.509 certificates can be exchanged,
but by the same token, SSH also provides a channel by which X.509
certs can be exchanged. Should we therefore refer to SSH/PKI

> The particular digital certificate format necessarily imply a PKI
> structure

No, James Donald/George W. Bush, that's not even remotely true. There
is no requirement that you use the certs as anything other than key
containers.

>> My opinion (and just about everyone else's) is well
>> known.
>
> There is a serious security problem in the network.  It
> needs fixing. SSL/TLS/PKI exists, yet is entirely
> ineffectual in fixing it.

Well, James Donald/George W. Bush, perhaps that is because SSL has
nothing to do with the issue. SSL works perfectly so far as we
know. The issue is that higher levels of the stack (like key
management) aren't properly designed, but SSL itself is just fine.


-- 
Perry E. Metzger[EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Gutmann Soundwave Therapy

[Guus Sliepen]

On Tue, Jan 29, 2008 at 12:26:21PM -0500, Perry E. Metzger wrote:

> Clearly, more people need to know about "Gutmann Soundwave Therapy".
> 
> Ivan Krstić <[EMAIL PROTECTED]> writes:
[...]
> > [0] Last paragraph, http://diswww.mit.edu/bloom-picayune/crypto/14238
> 
> As it turns out, the central image of Peter's post was popularized
> earlier*.
> 
> However, Peter clearly said this first in a security context, and I
> hope that the term "Gutmann Soundwave Therapy" spreads widely within
> our field as a way of ridiculing the desire to invent your own crypto
> algorithms and protocols. When it gets to the point where salesmen are
> vaguely aware of the phrase and fear it, we will know we have done our
> job successfully.

As one of the main developers of tinc, I have been at the receiving end
of Gutmann's therapy, or "drive-by shooting" as I experienced it at that
time.

Peter sent us his write-up up via private email a few days before he
posted it to this list (which got it on Slashdot). I had little time to
think about the issues he mentioned before his write-up became public.
When it did, I (and others too) felt attacked in a cruel way. Peter
ignored all the reasons *why* we used the kind of crypto we did at
that moment, compared it to a very high standard, and made it feel like
every thing we didn't do or didn't do as well as SSL made our crypto
worthless. 

We had some other people sending us security reviews of tinc, Jerome
Etienne for example. With them, we never had that feeling of being
"attacked". The conversations we had with them encouraged us to improve
tinc.

Peter's write-up was the reason I subscribed to this cryptography
mailing list. After a while the anger/hurt feelings I had disappeared.
I knew then that Peter was right in his arguments. Nowadays I can look
at Peter's write-up more objectively and I can see that it is not as
ad-hominem as it felt back then, although the whole soundwave paragraph
still sounds very childish ;)

When tinc 2.0 will ever come out (unfortunately I don't have a lot of
time to work on it these days), it will probably use the GnuTLS library
and authenticate and connect daemons with TLS. For performance reasons,
you want to tunnel network packets via UDP instead of TCP, so hopefully
there is a working DTLS implementation as well then.

I hope that in the future, if you see an application doing something
wrong, you don't immediately give the developers the soundwave therapy.
Be a little bit more gentle and try to find out why it was written that
way in the first place. It will create a lot more understanding and
willingness from the developers to fix the problems.

Also, from experimenting with a version of tinc that uses TLS, I can
tell you that it not the perfect solution for our problem. The main
issue I see with SSL and TLS is with the credentials. Both X.509 and
OpenPGP are focussed on URLs or email addresses. It is not clear to me
how to store other information (like which subnets a node on the VPN is
authorised to use) in such credentials in a nice way, other than
shoehorning it into a CN (X.509) or uid (OpenPGP) field. Certificate
chain verification is something that often goes wrong; some SSL libraries do
not offer that functionality, or only do it when an application
explicitly requests it. With OpenPGP you can have a web of trust, but
how do you make use of it in an automated way? I expect that the next
round of penis-shaped soundwave therapy will not be focussed on
whether or not an application uses SSL, but on how it (mis)uses SSL.

-- 
Met vriendelijke groet / with kind regards,
  Guus Sliepen <[EMAIL PROTECTED]>


signature.asc
Description: Digital signature

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

[Thierry Moreau]

Philipp Gühring wrote:

Hi,



SSL key distribution and management is horribly broken,
with the result that everyone winds up using plaintext
when they should not.



Yes, sending client certificates in plaintext while claiming that SSL/TLS is 
secure doesn´t work in a world of phishing and identity theft anymore.


We have the paradox situation that I have to tell people that they should use 
HTTPS with server-certificates and username+password inside the HTTPS 
session, because that´s more secure than client certificates ...


Does anyone have an idea how we can fix this flaw within SSL/TLS within a 
reasonable timeframe, so that it can be implemented and shipped by the 
vendors in this century?


(I don´t think that starting from scratch and replacing SSL makes much sense, 
since it´s just one huge flaw ...)




If I recall correctly, SSL was designed chronologically after ISO OSI 
Network-Layer Security Protocol (yes, the official WAN was actually X.25 
at one point) or Transport Layer Security Protocol, both in their 
connection-oriented flavor, which used ideas originating from DecNET 
designs (researcher names Tardo, Alagappan; I once had a patent number 
in this thread of protocol engineering, but I lost it). Anyway, the key 
point in these visionary ideas is that the D-H exchange occurs *before* 
the exchange of security certificates. This provided the traffic-flow 
confidentiality that becomes desirable to protect privacy these days.


So, you got your fix with OSI NLSP or TLSP, you just have to overcome 
the *power of the installed base*!


Regards,

--

- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, Qc
Canada   H2M 2A1

Tel.: (514)385-5691
Fax:  (514)385-5900

web site: http://www.connotech.com
e-mail: [EMAIL PROTECTED]

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

[Eric Rescorla]

At Thu, 31 Jan 2008 03:04:00 +0100,
Philipp Gühring wrote:
> 
> Hi,
> 
> > Huh? What are you claiming the problem with sending client certificates
> > in plaintext is 
> 
> * It´s a privacy problem
> * It´s a security problem for people with a security policy that requires the 
> their identities to be kept secret, and only to be used to authenticate to 
> the particular server they need
> * It´s an availability problem for people that need high-security 
> authentication mechanisms, combined with high-privacy demands
> * It´s a identity theft problem in case the certificate contains personal 
> data 
> that can be used for identity theft

I don't find this at all convincing. There are a variety of different
threat vectors here:

1. Phishing.
2. Pharming (DNS spoofing).
3. Passive attacks.

In the case of phishing, the fact that the client sends its certificates
in the clear is totally irrelevant, since the client would simply send
its identity encrypted under the server's certificate. The only
fix for this alleged privacy leak in the phishing context is for
the client to refuse to deliver his certificate to anyone but people
who present valid certs that he otherwise trusts.

Now, this is potentially an attack if the attacker is passive but
on-path, either via pharming or via subverting some router, but
I'm unaware of any evidence that this is used as a certificate
disclosure attack vector.


> > (as if anyone uses client certificates anyway)? 
> 
> Guess why so few people are using it ...
> If it were secure, more people would be able to use it.

No, if it were *convenient* people would use it. I know of absolutely
zero evidence (nor have you presented any) that people choose not
to use certs because of this kind of privacy issue--but I know
of plenty that they find getting certs way too inconvenient.


> > That the phisher gets to see the client's identity?
> 
> Validated email addresses for spamming. Spear-phishing perhaps, ...

Validated email addresses are not exactly hard to obtain.


> > It doesn't let them impersonate the client to anyone. 
> 
> It does let them impersonate the client to anyone who doesn´t care about the 
> public key. (There are applications that just use the DN+Issuer information 
> that they normally extract out of the certificates, ...)

If those applications do not force the client to do proof of possession
of the private key, then they are fatally broken. It's not our job
to fix them.


> > > We have the paradox situation that I have to tell people that they should
> > > use HTTPS with server-certificates and username+password inside the HTTPS
> > > session, because that´s more secure than client certificates ...
> >
> > No it isn't more secure.
> 
> Using username+password inside HTTPS does not leak the client´s identity in 
> cleartext on the line. (If I am wrong and HTTPS leaks usernames sent as HTTP 
> Forms or with HTTP Basic Authentication, please tell me)

No, it just leaks the password to the phishing server. Yeah, that's totally
a lot better.



> > This gets discussed on the TLS mailing list occasionally, but the
> > arguments for making this change aren't very convincing.
> 
> Yes, there are regularly people popping up there that need it, but they 
> always 
> get ignored there, it seems.

Because the arguments they present are handwavy and unconvincing, just like
yours.



> > If you have 
> > an actual credible security argument you should post it to
> > [EMAIL PROTECTED]
> 
> Do you think the the security arguments I summed up above qualify on the tls 
> list?

It's an open list. Feel free to make these arguments.


> Should I go into more detail? Present practical examples?

I would certainly find practical examples more convincing than the ones
you've presented.



> I see several possible options:
> * We fix SSL  
> Does anyone have a solution for SSL/TLS available that we could propose on 
> the 
> TLS list? 
> If not: Can anyone with enough protocol design experience please develop it?

There's already a solution: double handshake. You do an ordinary
handshake with server auth only and then you do a second handshake
with client auth. This hides the certificate perfectly well.  Yes, you
have to do two private key ops on the server, but if this issue is as
important as you say, this is a tradeoff you should be happy to make.
I've pointed this out on the TLS mailing list a number of times, but
maybe you missed it.


> * We change the rules of the market, and tell the people that they MUST NOT 
> ask for additional data in their certificates anymore

Fundamentally, this *is* the fix. Even if SSL guaranteeed that nobody
but the person you were handshaking with got the certificate, this
is still incredibly brittle because any random server can ask you
for your cert and users can't be trusted not to hand them over.
The basic premise of certs is that they're public info. If you
want to carry private data around in them then you should encrypt
that data.



> > > TC

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

[Philipp Gühring]

Hi,

> Huh? What are you claiming the problem with sending client certificates
> in plaintext is 

* It´s a privacy problem
* It´s a security problem for people with a security policy that requires the 
their identities to be kept secret, and only to be used to authenticate to 
the particular server they need
* It´s an availability problem for people that need high-security 
authentication mechanisms, combined with high-privacy demands
* It´s a identity theft problem in case the certificate contains personal data 
that can be used for identity theft

Quoted from Lynns email:
>i.e. the x.509 identity digital certificates from the early 90s, were 
>becoming
>more and more overloaded with personal information ... and by the
>mid-90s, lots of institutions were starting to realize all that personal
>information represented significant privacy and liability issues ... and
>the RPO digital certificates were born.

* It´s a liability issue

(Lynn, can you go into more details here? On the other hand, I would say it´s 
self-explaining ...)

> (as if anyone uses client certificates anyway)? 

Guess why so few people are using it ...
If it were secure, more people would be able to use it.

If you want a "public" example of client certificate usage:
https://secure.cacert.org/
(You need a (free) client certificate from www.CAcert.org to be able to access 
this page)

There are ISPs out there who provide internet access based on client 
certificates, authenticated in HTTPS sessions

Creative Commons is running a registry for digital works, based on authors 
client certificate authentication:
http://www.registeredcommons.org/

The Austrian governmental inhabitant register is using client certificates for 
about 10,000 users all around Austria since 2001. (If I remember the details 
correctly)  http://zmr.bmi.gv.at/pages/home.htm

And there are hundreds of internal systems I heard of that are using client 
certificates in reality every day.

> That the phisher gets to see the client's identity?

Validated email addresses for spamming. Spear-phishing perhaps, ...

> So what? 

Why doesn´t SSH leak the client identity in plaintext?

The problem isn´t a key-agreement problem. The problem is a 
client-authentication problem. 

> It doesn't let them impersonate the client to anyone. 

It does let them impersonate the client to anyone who doesn´t care about the 
public key. (There are applications that just use the DN+Issuer information 
that they normally extract out of the certificates, ...)
But impersonation is just one threat out of the huge SSL/TLS threat-model.

> Certificates 
> shouldn't contain sensitive information anyway.

There are CA´s on this planet that put things like social security numbers 
into certificates.

(I guess those CA´s would say that SSL shouldn´t leak certificates in 
plaintext anyway.) Shovling around responsibility won´t help us. Let´s fix 
the problems. (Yes, we are already trying to get those CA´s to stop doing 
that ... but it´s a bit like asking credit card companies to not print those 
sensitive creditcard numbers on those credit cards ...)

And there are a lot of people who would be interested to use certificates for 
more applications than pure identity. (which aren´t necessarily sensitive, 
but they are personal related data)

Where does the SSL specification say that certificates shouldn´t contain 
sensitive information? I am missing that detail in the security consideration 
section of the RFC.

There is a market demand for using sensitive information in certificates, 
dating back to the mid 90's (according to Lynn), and showing itself in 
various forms like Stefan Brands credentials, Attribute Certificates, and 
even the OACerts by Jiangtao Li and Ninghui Li. 
I have been talking to many people about client certificates and client 
authentication, and a lot of them are interested in using client certificates 
for authentication, and also to add other attributes to the certificates.

> > We have the paradox situation that I have to tell people that they should
> > use HTTPS with server-certificates and username+password inside the HTTPS
> > session, because that´s more secure than client certificates ...
>
> No it isn't more secure.

Using username+password inside HTTPS does not leak the client´s identity in 
cleartext on the line. (If I am wrong and HTTPS leaks usernames sent as HTTP 
Forms or with HTTP Basic Authentication, please tell me)

> > Does anyone have an idea how we can fix this flaw within SSL/TLS within a
> > reasonable timeframe, so that it can be implemented and shipped by the
> > vendors in this century?

Do we have any more ideas how we can get this flaw fixed before it starts 
hurting too much?


> This gets discussed on the TLS mailing list occasionally, but the
> arguments for making this change aren't very convincing.

Yes, there are regularly people popping up there that need it, but they always 
get ignored there, it seems.

I think we have the boiling frog probl

Re: Dutch Transport Card Broken

[James A. Donald]

Perry E. Metzger wrote:
> (No, I'm not a fan of X.509 certs, but those are not
> core to the protocol, and you can think of them as
> nothing more than a fancy key container format if you
> like. Key management is not addressed by SSL, so there
> is no reason that fixing key management has anything
> to do with SSL per se.)

The two actually working, widely used, secure systems
are SSH and Skype, neither of which uses SSL/TLS/PKI
The proof of the pudding is in the eating.  When large
numbers of people use cryptography that really does make
them secure, they are not using SSL/TLS/PKI.

SSL involves digital certificates.  The particular
digital certificate format necessarily imply a PKI
structure with the same sort of defects as the existing
PKI structure, which secures what does not matter much,
and fails to secure that which does matter.  In this
sense, X.509 certificates are core to the protocol, and
that is the big problem with the protocol, though
neither am I happy about the fact that when the client
initiates a communication, the data it actually wants to
send only gets sent after the the *third* round trip.

> My opinion (and just about everyone else's) is well
> known.

There is a serious security problem in the network.  It
needs fixing. SSL/TLS/PKI exists, yet is entirely
ineffectual in fixing it.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

[James A. Donald]

Eric Rescorla wrote:
> Huh? What are you claiming the problem with sending
> client certificates in plaintext is (as if anyone uses
> client certificates anyway)?

Well that is one problem - no one uses them, and no one
should use them, while PKI was designed under the
assumption that everyone would be using them.

Another problem is that in practice the system merely
ensures you are getting the purported domain name. Since
we are overwhelmed by a multitude of irrelevant and
confusing domain names, this is not much help. Further,
I frequently get the warning that the certificate does
not agree with the domain name when I know well that I
am communicating with the intended entity - frequent
misconfiguration results in false warnings, which I am
thus trained to ignore, rendering the system entirely
useless.

Since we rely on passwords, social security numbers, and
so forth, shared secrets, people are trained to give
away secrets to purported authority, which creates the
phishing hazard. We need to fix both problems.

Of course, if the phishing hazard was fixed, we would
still have the malware hazard, but we now know how to
fix the malware hazard.

We should fix both problems, rather than using one as an
excuse for not fixing the other.  We need to fix the
network assuming the node is going to be made safe, and
fix the node assuming the network is going to be made
safe.

>> Does anyone have an idea how we can fix this flaw
>> within SSL/TLS within a reasonable timeframe, so that
>> it can be implemented and shipped by the vendors in
>> this century?

Eric Rescorla wrote:
> This gets discussed on the TLS mailing list
> occasionally, but the arguments for making this change
> aren't very convincing. If you have an actual credible
> security argument you should post it to [EMAIL PROTECTED]

I don't think that is a useful discussion forum.  The
IETF is moribund, paralyzed and increasingly irrelevant.
If the internet is to be fixed, the fixes have to bypass
the IETF.

When one has a large group, group dynamics can make the
large group a little bit smarter than its smartest
members, but more commonly, make it a lot dumber than
its dumbest members.  If the IETF was capable of
handling, or even noticing, the crisis that we in then
we would not be in this crisis.

To fix the phishing problem, we need to
cryptographically secure relationships, rather than
attempting to cryptographically secure true names, and
to greatly reduce reliance on revealing shared secrets.
It should be unusual and disturbing to reveal shared
secrets, rather than routine, and it should only be done
with humans, not machines.

1.  As with Skype to Skype IM, the fact that you can
receive a message from what purports to be an entity
with which you have a relationship, should be compelling
evidence that it really is that entity, the entity to
which you have given a petname on your contacts list.
Thus phishing is hard to initiate.  As with Skype, what
we seek to secure is petnames, not true names.  We want
to secure the bookmark list, and the list that comes up
in a Google search.  We want to secure that when you
click on a the top entry of the Google list, you are
contacting the intended entity.

2.  As with Skype to Skype IM, this should be symmetric.
If you respond to a message from your bank, or initiate
a message to your bank, you should not have to reveal
some shared secrets to prove an existing relationship
before getting on with your task. Thus phishing should
fail to catch any phish.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Gutmann Soundwave Therapy

[Hayden Stainsby]

On 30 Jan 2008, at 04:26, Perry E. Metzger wrote:



Clearly, more people need to know about "Gutmann Soundwave Therapy".



To this end, I would like to introduce the Gutmann Sound Wave Therapy  
Mobile Enlightenment Unit.

http://occasionallyhuman.net/gutmann/
(NSFW if depictions of phallic audio waves are an issue)


Do you know a programmer who believes they can write a replacement for  
SSL in the time it takes to finish their coffee?


Tell tale signs are phrases such as 'proprietary crypto' and 'secret  
algorithm'.


Simply apply the Gutmann Sound Wave Therapy Mobile Enlightenment Unit,  
stand back, wait and breath a sigh of relief - you've just made the  
world a better place.



I'll begin taking pre-orders shortly.

--
Hayden

PS: I don't care that the audio wave can't be produced. It's 'artistic'.


#!/usr/bin/perl
chop($_=<>);@s=split/ /;foreach$m(@s){if($m=='*')[EMAIL PROTECTED];$x=
[EMAIL PROTECTED];$a=eval"$x$m$z";[EMAIL PROTECTED],$a;[EMAIL 
PROTECTED],$m;}}print"$a\n";
# http://occasionallyhuman.net/


-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Dutch Transport Card Broken

[Victor Duchovni]

On Wed, Jan 30, 2008 at 06:08:37PM -, Dave Korn wrote:

> On 30 January 2008 17:01, Jim Cheesman wrote:
> 
> > James A. Donald:
>  SSL is layered on top of TCP, and then one layers
>  one's actual protocol on top of SSL, with the result
>  that a transaction involves a painfully large number
>  of round trips.

Jumping in late, but the idea that *TCP* (and not TLS protocol design)
adds round-trips to SSL warrants some evidence (it is very temping to
express this skepticism more bluntly).

With unextended SMTP for example, the minimum RTT count is:

0. SYN  SYN-ACK
1. ACK  220
2. HELO 250
3. MAIL 250
4. RCPT 250
... n recipients
   RCPT 250
4+n DATA 354
5+n ... stream of message content segments 
 250

so it takes at least 6 RTTs to perform a delivery (of a short
single-recipient message), but only 1 of the 6 RTTs is TCP
"overhead". This is improved with PIPELINING:

0. SYN  SYN-ACK
1. ACK  220
2. EHLO 250 ... PIPELINING ...
3. MAIL RCPT(n times) DATA  250 250 (n times) 354
4. ... stream of message content segments 
250

Here the application protocol is pipelined, and 5+n RTTs becomes 4 RTTs.
The solution is not replacing TCP, but reducing the number of lock-step
interactions in the application protocol.

If someone has a faster than 3-way handshake connection establishment
protocol that SSL could leverage instead of TCP, please explain the
design.

The TCP handshake adds a 1-RTT delay at the start of the connection.
What 0-RTT algorithm will allow the server to delay creating expensive
connections to clients until the client acks the server response or
discover the MSS before sending the first segment? With TCP, at least
SYN floods require unspoofed client IPs.

Most of the application protocols we wrap in TLS are not DNS. Sure if
you can guarantee a single packet response to a single packet request,
TCP is not the answer. Otherwise, claiming that SSL is less efficient
over TCP smacks of arrogance.

-- 

 /"\ ASCII RIBBON  NOTICE: If received in error,
 \ / CAMPAIGN Victor Duchovni  please destroy and notify
  X AGAINST   IT Security, sender. Sender does not waive
 / \ HTML MAILMorgan Stanley   confidentiality or privilege,
   and use is prohibited.

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Fixing SSL (was Re: Dutch Transport Card Broken)

[Dave Howe]

Philipp Gühring wrote:

I once implemented SSL over GSM data channel (without PPP and without
TCP), and discovered that SSL needs better integrity protection than
raw GSM delivers. (I am quite sure that´s why people normally run PPP
over GSM channels ...) SSH has the same problems. It also assumes an
active attack in case of integrity problems of the lower layer, and
terminates the connection.


TBH I can't see the problem - the unix philosophy of doing one thing
well, and chaining simple tools to make complex ones, works well here.

we have:

TCP - well understood, has crude integrity and reliability checks built
in, works reasonably well at converting a bunch of packets leaving and
arriving via your network connection into something vaguely like a
stream point-to-point connection. Provided by every ISP across the
planet, problems at this level can be handed off to experienced network
engineers who will at least understand the problem.

SSL - Cludge thrown together by a browser manufacturer, probably to
create a market for a bunch of companies who generated two prime numbers
and now sell the answers to simple math queries involving the numbers.
However, works reasonably well, has some crude authentication of the
server built in (via the aformentioned bunch of companies) which at
least limits potential hackers to those whose money the bunch of
companies will accept ;)
  Again, works well in its domain, but requires a reasonably reliable
channel to talk over, and a message to carry. Effectively turns an
unencrypted channel into an encrypted one, Would work as well over a
serial link as a tcp link (modulo the domain name check in the cert)

HTTP - pretty basic file transfer protocol, with limited scope for
negotiation, but designed largely to move text files from a server to a
client. requires transport, can use tcp, ssl-over-tcp, serial, whatever
your server will listen on and your client request on.

add them together and you get HTTPS. leave out the SSL, and you get HTTP
as-normally-spoke, so the SSL and HTTP are pretty much drop in modules.
you could define HTTPG (HTTP over a security protocol other than SSL)
and if a browser could support it, both TCP and HTTP would still be
happy. you could also define HTTPS-over-adis-lamp and provided the
operators were sufficiently accurate, securely download your web page
from a server on a nearby hilltop after dark by replacing the TCP layer :)

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]