[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Nits]

Versions: 00

General                                                B. Carpenter, Ed.
Internet-Draft                                         Univ. of Auckland
Intended status: Informational                        September 19, 2013
Expires: March 23, 2014


                         Prismatic Reflections
                draft-carpenter-prismatic-reflections-00

Abstract

   Recent public disclosure of allegedly pervasive surveillance of
   Internet traffic has led to calls for action by the IETF.  This draft
   exists solely to collect together a number of possible actions that
   were mentioned in a vigorous discussion on the IETF mailing list.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 23, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Carpenter                Expires March 23, 2014                 [Page 1]

Internet-Draft            Prismatic Reflections           September 2013


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Suggestions Made  . . . . . . . . . . . . . . . . . . . . . . . 4
   3.  Security Considerations . . . . . . . . . . . . . . . . . . . . 7
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8
   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 8
   6.  Informative References  . . . . . . . . . . . . . . . . . . . . 8
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . . . 9










































Carpenter                Expires March 23, 2014                 [Page 2]

Internet-Draft            Prismatic Reflections           September 2013


1.  Introduction

   Recent public revelations about PRISM, the alleged pervasive
   collection and analysis of Internet traffic, including various forms
   of metatdata, are perhaps not surprising to those who recall ECHELON
   and the background to [RFC1984] and [RFC2804].  However, public
   knowledge that such activities are not only possible but allegedly
   widespread has renewed concerns about Internet surveillance and
   privacy.  It is further alleged that some encryption systems widely
   regarded as reasonably safe have been compromised (https://
   www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html).

   A call for IETF action has been made at http://www.theguardian.com/
   commentisfree/2013/sep/05/government-betrayed-internet-nsa-spying.
   Bruce Schneier states that "we need open protocols, open
   implementations, open systems - these will be harder for the NSA to
   subvert" and suggests that the IETF "needs to dedicate its next
   meeting to this task.  This is an emergency, and demands an emergency
   response."

   It is in fact alleged that the surveillance and compromised
   encryption are not mainly the result of defective standards, but
   rather of manufacturers and carriers being suborned.  Whether it's a
   real emergency can be debated.  Nevertheless, it seems reasonable to
   discuss what the IETF could do better, in its specifications, to
   improve the protection of privacy, confidentiality and integrity of
   Internet traffic.  With that in mind, the only purpose of this draft
   is to record a number of actionable ideas that have been mentioned in
   recent contributions to the IETF list.  "Actionable" means that, in
   the editor's view, they suggest concrete actions that the IETF could
   take as part of its work in developing and improving Internet
   technical specifications.  There is no intention to imply that these
   ideas are good, bad or indifferent, and certainly other ideas have
   been and will be proposed.  Important suggestions may have been
   missed: these are simply the ones that caught the editor's eye, and
   they do not represent the outcome of an organised discussion or any
   kind of consensus.  The contributions are presented essentially
   unedited (but abbreviated or truncated) and without further comment.
   Where a contribution led to discussion, that can be found in the
   mailing list archive.

   This draft might be revised once or twice before IETF 88, but there
   are no plans for it beyond then.  The editor is aware that prisms
   normally refract light rather than reflect it, but in this case, we
   are seeing reflections from a PRISM.






Carpenter                Expires March 23, 2014                 [Page 3]

Internet-Draft            Prismatic Reflections           September 2013


2.  Suggestions Made

   o  We certainly need to apply RFC 3552.  (Brian Carpenter)
   o  This list (http://www.nytimes.com/interactive/2013/09/05/us/
      unlocking-private-communications.html) includes a lot of IETF work
      that probably use MAY instead of SHOULD for some key choices.
      (Lucy Lynch)
   o  S/MIME is almost what we need to secure email.  What is missing is
      an effective key discovery scheme.  We could add that and add Ben
      Laurie's Certificate Transparency and have a pretty good start on
      a PRISM Proof email scheme. ...

      So that means that we have to have a key distribution
      infrastructure such that when you register a key it becomes
      available to anyone who might need to send you a message.  We
      would also wish to apply the Certificate Transparency approach to
      protect the Trusted Third Parties from being coerced, infiltrated
      or compromised.  Packaging the implementation is not difficult, a
      set of proxies for IMAP and SUBMIT enhance and decrypt the
      messages.  The client side complexity is separated from the proxy
      using Omnibroker. ...

      We do have several areas where we could make significant advances
      however:

      1) Technical improvements to TLS such as recommending sites turn
      on PFS by default and remove weak ciphers.

      2) Stop sending authentication cookies in the clear whether or not
      they are sent inside an encrypted tunnel
      ([I-D.hallambaker-httpsession]).

      3) Fix the missing 5% that stops people using secure email.  We
      have PGP that has mindshare and S/MIME that has deployment and
      both are too much trouble for most IETF people to use, let alone
      the typical Internet user.  We can and should fix that.  (Phill
      Hallam-Baker)

      Also see [I-D.hallambaker-prismproof-req].
   o  Encrypting everything on the wire raises the cost for untargeted
      mass surveillance significantly.  And that is what it is all
      about.  And best is of course if this can be end to end, though
      hiding metadata requires either something onion like or transport
      encryption by layers below said metadata.  (Martin Milnert)
   o  I think we can do more.  Some examples:

      * we're having a discussion in http 2.0 work whether encryption
      should be mandatory



Carpenter                Expires March 23, 2014                 [Page 4]

Internet-Draft            Prismatic Reflections           September 2013


      * the perpass list has talked about understanding better where
      fingerprinting is an issue with IETF protocols

      * maybe it would be time to start having specs say that
      implementations must refuse older, weak algorithms

      * we could do more analysis and review to understand where the
      weak points and development opportunities are -- too early to say
      there are none (Jari Arkko)
   o  I just recently produced a short writeup about the efforts related
      to this topic ongoing at the last IETF meeting on my blog:
      http://www.tschofenig.priv.at/wp/?p=993.  (Hannes Tschofenig)
   o  One way to frustrate this sort of dragnet surveillance would be to
      reduce centralization in the Internet's architecture.  Right now,
      the way the Internet works in practice for private individuals,
      all your traffic goes up one pipe to your ISP.  It's trivial to
      tap, since the tapping can be centralized at the ISP end.  [If
      the] IETF focused on developing protocols (and reserving the
      necessary network numbers) to facilitate direct network peering
      between private individuals, it could make it much more expensive
      to mount large-scale traffic interception attacks.  (Adam Novak)
   o  There is a whole bunch of stuff we can do to make transit traffic
      less observable.  In other words we can modify things so the only
      think you know about a packet is where it is going, not what it is
      or who it came from. ...

      Clearly, we have a lot of specification work ongoing in different
      areas that helps to mitigate various security vulnerabilities.
      This ranges from recent work on XMPP end-to-end security (as in
      [I-D.miller-3923bis]) all the way to the recent RTCWEB discussions
      on using DTLS-SRTP as a key management protocol.(Stewart Bryant)
   o  We setup the perpass list
      <https://www.ietf.org/mailman/listinfo/perpass> as a venue for
      triaging specific proposals in this space.  A few weeks in, we
      have [I-D.trammell-perpass-ppa] that tries to describe a threat
      model that matches the recent revelations, and that could be a
      good reference when folks are developing protocols.

      We have found volunteers to write a draft for a BCP on how to use
      perfect forward secrecy in TLS, more common use of which (we still
      think) would mitigate a bunch of the ways in which TLS traffic
      could be subverted, given various forms of collusion/coercion.
      (Stephen Farrell)
   o  If we took protection against MitM attacks seriously, we would be
      using ZRTP for RTCWEB instead of DTLS-SRTP.  See
      [I-D.johnston-rtcweb-zrtp].  (Alan Johnston)





Carpenter                Expires March 23, 2014                 [Page 5]

Internet-Draft            Prismatic Reflections           September 2013


   o  I think we need to separate the concept of end-to-end encryption
      from authentication when it comes to UI transparency.  We design
      UIs now where we get in the user's face about doing encryption if
      we cannot authenticate the other side and we need to get over
      that.  In email, we insist that you authenticate the recipient's
      certificate before we allow you to install it and to start
      encrypting, and prefer to send things in the clear until that is
      done.  That's silly and is based on the assumption that encryption
      isn't worth doing *until* we know it's going to be done completely
      safely.  We need to separate the trust and guarantees of safeness
      (which require *later* out-of-band verification) from the whole
      endeavor of getting encryption used in the first place.  (Pete
      Resnick)
   o  One thing that would be helpful is to encourage the use of Diffie-
      Hellman everywhere. ...  Using TLS with DH to secure SMTP
      connections is valuable even if it is subject to MITM attacks, and
      even if the NSA/FBI can hand a National Security Letter to the
      cloud provider.  (Ted Ts'o)
   o  And I think that one of the more important things we can do is to
      rethink UIs to give casual users more information about what it
      going on and to enable them to take intelligent action on
      decisions that should be under their control.  There are good
      reasons why the IETF has generally stayed out of the UI area but,
      for the security and privacy areas discussed in this thread, there
      may be no practical way to design protocols that solve real
      problems without starting from what information a UI needs to
      inform the user and what actions the user should be able to take
      and then working backwards.  (John Klensin)
   o  What we should probably be thinking about here is:

      - Mitigating single points of failure (IOW, we _cannot_ rely on
      just the root key)

      - Hybrid solutions (more trust sources means more work to
      compromise)

      - Sanity checking (if a key changes unexpectedly, we should be
      able to notice)

      - Multiple trust anchors (for stuff that really matters, we can't
      rely on the root or on a third party CA)

      - Trust anchor establishment for sensitive communications (e.g.
      with banks) (Ted Lemon)
   o  We could be telling the public about the protocols that we
      designed 10, 15, and even 20 years ago.  Some of which even have
      rather widespread implementation, but seem to have zero use.
      (S/MIME is in every copy of Outlook and Thunderbird, AFAIK)



Carpenter                Expires March 23, 2014                 [Page 6]

Internet-Draft            Prismatic Reflections           September 2013


      What would the spam situation be like if 90% of emails were
      regularly signed back in 1999?  Yes, and DKIM can sign message
      bodies now too.  We should be telling people about it.

      Use this stuff ourselves!!!!  (Michael Richardson)
   o  In other words, the IETF needs to assume that we don't know what
      will work for end users and we need to therefore focus more on
      processing by end systems rather than end users.  (Dave Crocker)
   o  In effect, DANE exchanges one trust model for another.  I happen
      to believe that the damage risque is lower with DNSSEC + DANE than
      the traditional "any CA can issue a certificate for any domain
      name" setup. ...

      Audit and open source seem to be good starting points.  (Mans
      Nilsson)
   o  There was actually a proposal a couple of weeks back in the WG to
      encrypt all traffic on the inter-xTR stage [in the LISP protocol].
      (Noel Chiappa)
   o  Review all key length recommendations and make them larger and
      strongly recommend not using any shorter than <foo>.  While the
      reports are probably true that NSA can break common algorithms,
      making the key length longer will make it harder to do it in
      scale.

      Move to real end to end security where key are shared via a
      different communication path.  Perhaps like PGP.

      Remove man in the middle attacks on common protocols like SSL/TLS.
      This is a giant problem, some people sell products that view this
      as a feature (including my employer).  This is part of a general
      problem of middle boxes that change content, but can be fixed if
      we make sure they can't alter the secure content.

      Make everything run over secure paths.  Even things like the DNS
      and ICMP.  Perhaps if we can secure ICMP, it will mean that middle
      boxes will stop dropping things like PMTU discovery packets.  (Bob
      Hinden, in private mail, included with permission).
   o  It is a shame that this opportunity was not taken to highlight the
      need for authentication.  Having a totally secure channel with
      perfect encryption is of little value if the other end of the
      channel is a hostile power.  (Tom Petch)


3.  Security Considerations

   See above.  Also, an observation by Hannes Tschofenig seems relavant:

   While we are able to fill gaps in security protocols fairly quickly



Carpenter                Expires March 23, 2014                 [Page 7]

Internet-Draft            Prismatic Reflections           September 2013


   we don't always seem to make the right choices because the interests
   of various participants are not necessarily aligned.  In general, we
   seem to develop an insecure version and a secure version of a
   protocol.  Unfortunately, the insecure version gets widely deployed
   and we have an incredible hard time to introduce the secure version.

   In addition to the specification work we could think about how to
   reach out to the broader Internet ecosystem a bit better.  Since we
   have lots of folks in the IETF I don't think it is an impossible task
   but it might require a bit of coordination.  Right now would be a
   good time to launch some of those initiatives since most people
   currently understand the need for security.


4.  IANA Considerations

   This document requests no action by IANA.


5.  Acknowledgements

   The ideas are credited above.

   This document was produced using the xml2rfc tool [RFC2629].


6.  Informative References

   [I-D.hallambaker-httpsession]
              Hallam-Baker, P., "HTTP Session Management",
              draft-hallambaker-httpsession-01 (work in progress),
              May 2013.

   [I-D.hallambaker-prismproof-req]
              Hallam-Baker, P., "PRISM-Proof Security Considerations",
              draft-hallambaker-prismproof-req-00 (work in progress),
              September 2013.

   [I-D.johnston-rtcweb-zrtp]
              Johnston, A., Zimmermann, P., Callas, J., Cross, T., and
              J. Yoakum, "Using ZRTP to Secure WebRTC",
              draft-johnston-rtcweb-zrtp-00 (work in progress),
              August 2013.

   [I-D.miller-3923bis]
              Miller, M. and P. Saint-Andre, "End-to-End Object
              Encryption for the Extensible Messaging and Presence
              Protocol (XMPP)", draft-miller-3923bis-02 (work in



Carpenter                Expires March 23, 2014                 [Page 8]

Internet-Draft            Prismatic Reflections           September 2013


              progress), June 2010.

   [I-D.trammell-perpass-ppa]
              Trammell, B., "The Perfect Passive Adversary: A Threat
              Model for the Evaluation of Protocols under Pervasive
              Surveillance", draft-trammell-perpass-ppa-00 (work in
              progress), September 2013.

   [RFC1984]  IAB, IESG, Carpenter, B., and F. Baker, "IAB and IESG
              Statement on Cryptographic Technology and the Internet",
              RFC 1984, August 1996.

   [RFC2629]  Rose, M., "Writing I-Ds and RFCs using XML", RFC 2629,
              June 1999.

   [RFC2804]  IAB and IESG, "IETF Policy on Wiretapping", RFC 2804,
              May 2000.


Author's Address

   Brian Carpenter (editor)
   Department of Computer Science
   University of Auckland
   PB 92019
   Auckland,   1142
   New Zealand

   Email: brian.e.carpenter@gmail.com






















Carpenter                Expires March 23, 2014                 [Page 9]


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/