On Fri, Aug 22, 2014 at 08:11:38AM +0000,
l(_dot_)wood(_at_)surrey(_dot_)ac(_dot_)uk wrote:
[ top-post rearranged ]
Nico wrote:
On Fri, Aug 22, 2014 at 12:25 AM,
<l(_dot_)wood(_at_)surrey(_dot_)ac(_dot_)uk> wrote:
Okay, so with opportunistic security, all a man in the middle
has to do is block any communications he can't decrypt, and it
automatically downgrades to select something he can break?
Ah, there's the opportunity. Got it.
Eh? The idea is to be downgrade resistant.
no, it's at encryption above a baseline. assume mitm can't crack
maximum level, but can crack baseline and above. if maximum can't
be negotiated because mitm prevents it, and less is settled for...
well. may as well have fallen back to clear.
For the record:
OS is primarily about high level security mechanism selection
(cleartext, passive-only, active and passive protection). The
draft says deliberately little about the fine details of crypto
handshakes, which may or may not support a range of ciphers and
will typically do exactly the same thing when used opportunistically
in an OS protocol as otherwise.
For example, I don't see TLS changing to become opportunistic.
Rather I see higher level application protocols that can employ
TLS using it opportunistically when previously they might have sent
in cleartext. (Vocabulary point I try to keep straight, "plaintext"
is input to encryption, or output of decryption, while "cleartext"
is unencrypted content on the wire).
OS does not impact the active attacker's ability to tamper with
unauthenticated communication. However, OS encourages authentication:
* Any currently protected traffic remains protected; OS does not
  trump existing policy that mandates comprehensive security.
  For example, opportunistic security for HTTP does not downgrade
  HTTPS; all it does is upgrade HTTP to resist passive and
  perhaps some day with some peers also active attacks.
* OS suggests that it is a good idea to employ downgrade resistant
  mechanisms to discover which peers can be authenticated, and then
  authenticate those peers.
It used to be easy to dismiss opportunistic security as a waste of
time; it is now clear to most that it is not.
--
Viktor.
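
The mechanism selection discussed in this thread, as an added example that is not part of the original message or of the draft: a small Python model of how an opportunistic client picks among cleartext, unauthenticated encryption and authenticated encryption, and what an active attacker who blocks the stronger options achieves against each class of peer. The names `Level`, `floor_for`, `select` and `outcome` are hypothetical, and the downgrade-resistant discovery step is assumed to have already produced a trustworthy `authenticable` flag.

```python
from enum import IntEnum

class Level(IntEnum):
    CLEARTEXT = 0          # no protection
    UNAUTH_ENCRYPTION = 1  # resists passive attack only
    AUTH_ENCRYPTION = 2    # resists passive and active attack

class Refused(Exception):
    """Raised when the best reachable level is below the required floor."""

def floor_for(mandated: bool, authenticable: bool) -> Level:
    # Existing policy is never trumped, and a peer that a downgrade-resistant
    # lookup (assumed trustworthy here) marks as authenticable must authenticate.
    if mandated or authenticable:
        return Level.AUTH_ENCRYPTION
    return Level.CLEARTEXT

def select(mandated, authenticable, peer_offers, blocked=frozenset()):
    """Pick the strongest level that survives the attacker's blocking."""
    floor = floor_for(mandated, authenticable)
    reachable = set(peer_offers) - set(blocked)
    best = max(reachable, default=None)
    if best is None or best < floor:
        name = best.name if best is not None else "nothing"
        raise Refused(f"need {floor.name}, best reachable is {name}")
    return best

def outcome(mandated, authenticable, peer_offers, blocked=frozenset()) -> str:
    """Same as select(), but reports a refusal as a string for easy comparison."""
    try:
        return select(mandated, authenticable, peer_offers, blocked).name
    except Refused:
        return "REFUSED"

# Constructed sample peers and attacker behaviour.
PLAIN_PEER = {Level.CLEARTEXT, Level.UNAUTH_ENCRYPTION}
STRONG_PEER = {Level.CLEARTEXT, Level.UNAUTH_ENCRYPTION, Level.AUTH_ENCRYPTION}
STRIP = {Level.UNAUTH_ENCRYPTION, Level.AUTH_ENCRYPTION}  # MITM blocks all crypto

if __name__ == "__main__":
    print(outcome(False, False, PLAIN_PEER))         # passive protection gained
    print(outcome(False, False, PLAIN_PEER, STRIP))  # falls back to cleartext
    print(outcome(False, True, STRONG_PEER, STRIP))  # fails closed
    print(outcome(True, False, STRONG_PEER, STRIP))  # mandated policy holds
```
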