[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TLS] Please discuss: draft-housley-evidence-extns-00

To: "Mark Brown" <mark@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: [TLS] Please discuss: draft-housley-evidence-extns-00
From: "Kyle Hamilton" <aerowolf@xxxxxxxxx>
Date: Thu, 4 Jan 2007 11:02:47 -0700
Cc: tls@xxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ngsFSFwmr7zPqlJSma5QUmO5EkLwPzj0nj4rVbMd7Md9s9W+I+4dat1S0RE8+OrMVoc2kXj9/GABaJhnu/0aqGfdCqCfb+8JpQxza+m4ZeOcTKbT1pg9YFaNZMZHbxaARXpBLwWE6uEs+OAZj/7h7ViU9qIbzY8Iz8MkMSLivo4=
In-reply-to: <004701c73022$bc8ae8f0$6801a8c0@xxxxxxxxx>
List-archive: <http://www1.ietf.org/pipermail/tls>
List-help: <mailto:tls-request@lists.ietf.org?subject=help>
List-id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-post: <mailto:tls@lists.ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
References: <200701041529.QAA29263@xxxxxxxxxxxxxxxxxxx> <004701c73022$bc8ae8f0$6801a8c0@xxxxxxxxx>

On 1/4/07, Mark Brown <mark@xxxxxxxxxxxxxxxxxxxx> wrote:


Why?  Because no one can generate TLS Evidence by compromising only the
server's private keys.  TLS EvidenceResponse structures are only valid after
both TLS client and TLS server have signed them.  So for your scenario to
generate valid TLS Evidence you need the attacker to have compromised the
TLS server's authentication key and evidence key (they may be one and the
same though) and to have possession of the client's authentication key and
evidence key (they may be one and the same).  This is not very feasible
unless the attacker is the client.


Isn't the entire point of an attack to harm the attacked?  Motives
differ for attacks.  The motives for attacks help describe/define what
attack is going to be carried out, and how.

As an example, let's look at the "disgruntled employee" concept.
Sysadmin, disgruntled, has possession of the traffic and
signature-evidence keys, as he's responsible for making sure they get
into the correct place and are used in the correct manner.

Owner or CFO or whathaveyou overlook this during employment/contract
termination.  (Which is ASTOUNDINGLY easy to do.)

Bingo, you suddenly have an attack against your business's legal existence.

The attacker knows that just about anyone could check the TLS Evidence
later.  So the attacker needs to make some hard choices.  Should the
attacker get the dummy client PKC signed by a CA?  Should the dummy client
PKC be signed by a CA that the TLS server trusts -- perhaps a CA that
charges money for its PKCs, or perhaps a CA operated by the TLS server's
organization?  Perhaps the app server shows the last 4 digits of a credit
card number used to pay for the ticket on all real receipts -- should the
attacker use a real credit card number in the app data sent in the lab?  Now
that credit card info is part of the TLS Evidence record.  Or perhaps the
app server requires the buyer to send in his/her name to be printed on the
ticket receipt -- should the attacker use a real name?  Etc.


Should the attacker put an alternate server up, make it look like the
real thing, be authenticable as it... and let others connect to it
without realization that it's fake?

The attacker would have to be pretty bold to use a PKC with his real name
and/or embed a real credit card number into the app data signed by TLS
Evidence.  If a credit card number was used, a suspicious third party could
check to see if the charge actually went through.  In a dispute, a third
party might ask for secondary identification -- show me the credit card,
show me your driver's license -- if forgery was suspected (the attacker did
grab both private keys from the TLS server by force...).


Or, be bold enough to let others do it.  Every one of the transactions
is individually actionable, and that can cripple a business with legal
fees.

On the other hand, you could buy a server certified at EAL6+ to do the TLS
and TLS Evidence for you, and that would make the foregoing discussion moot
by today's standards.  Key compromise of an EAL6+ box is supposed to be
pretty hard to do.


...except by people who have access regardless.

In any case, TLS Evidence makes no guarantees about the law / legality, or
that it prevents crime, etc.  What it does is to use cryptography to make
forgery more difficult.  This could be useful to applications.


This is not something that can be solved at the network layer.  It's
an application issue, and needs to be dealt with as such.

-Kyle H

_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls

Follow-Ups:
- RE: [TLS] Please discuss: draft-housley-evidence-extns-00
  - From: Mark Brown

References:
- Re: [TLS] Please discuss: draft-housley-evidence-extns-00
  - From: Martin Rex
- RE: [TLS] Please discuss: draft-housley-evidence-extns-00
  - From: Mark Brown

Prev by Date: RE: [TLS] Please discuss: draft-housley-evidence-extns-00
Next by Date: Re: [TLS] Please discuss: draft-housley-evidence-extns-00
Previous by thread: RE: [TLS] Please discuss: draft-housley-evidence-extns-00
Next by thread: RE: [TLS] Please discuss: draft-housley-evidence-extns-00
Index(es):
- Date
- Thread