Network Working Group | J.M. Mattsson |
Internet-Draft | Ericsson |
Intended status: Informational | February 14, 2014 |
Expires: August 18, 2014 |
Opportunistic Encryption
draft-mattsson-opportunistic-encryption-00
Following the recent pervasive monitoring revelations, one of the discussed remedies has been opportunistic encryption. In this paper, we give an overview of various opportunistic and unauthenticated encryption techniques, discuss their benefits, limits, and disadvantages, and try to conclude how effective they are as a mean to thwart pervasive monitoring.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 18, 2014.
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Following the recent pervasive monitoring revelations, one of the discussed remedies has been opportunistic encryption. The term opportunistic encryption is, however not very well defined and has been used for very different systems, only having in common that something in the setup is opportunistic. The term opportunistic encryption is sometimes used as a synonym to unauthenticated encryption, meaning that the endpoint is opportunistic about the other endpoint being the desired endpoint and not an adversary. But opportunistic encryption can also mean that the endpoint is opportunistic about the other endpoint’s support of encryption (falling back to unencrypted otherwise). In most cases, it refers to a system where encryption is added (sometimes or always) without any pre-deployment of credentials between the two endpoints (at least not for the protocol in question), and where the endpoints do not authenticate each other. The end result is that the endpoints can be unauthenticated, weakly authenticated, or strongly authenticated, in some cases without the endpoints even knowing which.
Whereas encryption traditionally has only been used where necessary and when the end user specifically asks for it (secure email, TLS, crypto phones) or when set up by a network administrator (IPsec between sites), one could say that the aim of opportunistic encryption is to encrypt whenever possible. Similar to [OPPENC], we define opportunistic encryption to mean systems where encryption (authenticated or unauthenticated) is automatically set up (if supported) without user requests or administrator involvement. We define unauthenticated encryption to mean systems where the endpoints are not strongly authenticated and where man-in-the-middle attacks may be possible.
The most common and successful usage of opportunistic encryption has been for server-to-server encryption, and the most widely deployed and used system is probably STARTTLS for SMTP [RFC3207], which opportunistically tries to upgrade a plaintext SMTP connection to an encrypted connection over TLS. Another example is the swan projects (FreeS/WAN, Openswan, and Libreswan [SWAN]) that rely on DNS for dynamic discovery and negotiation of IPsec tunnels between gateways. If DNSSEC is used, the encryption is authenticated and secure also against active attacks. In these use cases, the end user is totally unaware of the encryption.
Opportunistic encryption for client-server or client-to-client communication is not widely deployed. One client-to-server system is HTTPS Everywhere [EFF] which enables HTTPS where supported.
Unauthenticated encryption is often strengthened by some form of weak authentication [WEAK] that gives imperfect, but -in some cases- good enough, security. By weak authentication, we mean authentication without relying on trusted third parties and without physically meeting and exchanging credentials.
All these methods have weaknesses but e.g. key continuity may be excellent when the first communication is on a trusted local network. Short authentication strings between people knowing each other have traditionally been used in crypto phones, but agencies are now believed to have developed experimental voice analysis and synthesis systems [ZRTP].
As described, the so-called “weak” authentication may give high assurance and similarly the so-called “strong” authentication methods may give low assurance when used incorrectly. The classification into strong and weak authentication methods is therefore far from optimal and it may be better to talk about the level of assurance in the authentication.
While the use of unauthenticated encryption increases the cost of pervasive monitoring, we estimate that the cost increase is quite low. Just as adding encryption and authentication to a protocol usually only increases the CPU usage by a small percentage, the cost increases for an eavesdropper forced to decrypt, or decrypt and re-encrypt is low. An eavesdropper doing pervasive monitoring is already saving the information or at least scanning the messages for relevant information, adding some cryptographic processing which could be done in hardware is not going to be a major obstruction. An evaluation in [IMPACT] shows that the throughput of an SIP proxy with TLS is slightly below half that of a SIP proxy with unprotected TCP. We estimate that an agency doing pervasive monitoring would face a similar performance penalty, and that the use of dedicated hardware can shrink this difference even further.
On the other hand, it is likely that an agency doing pervasive monitoring, and especially active attacks, places a high value on not being detected. Unauthenticated encryption with Diffie-Hellman key exchange would enable detection of man-in-the-middle attacks. To reveal pervasive monitoring on a massive scale it would only be necessary to manually compare session keys out-of-band on a regular basis.
Introducing opportunistic or unauthenticated encryption in protocols is likely to introduce yet another option, therefore increasing complexity. It’s a fact that the secure modes of many protocols are often not implemented, implemented later, or not well tested. Assuming that developers will suddenly begin implementing two different secure modes is not realistic.
There is also a risk that developers, people deploying systems, and end-users (wrongfully) think that unauthenticated encryption is good enough, therefore reducing the implementation and use of strong authentication. In fact, very few people deploying or using the systems are likely to understand what kind of security is really offered, and under which circumstances they are protected against various attacks. One example of an extremely complicated trust model is DTLS-SRTP [RFC5764], which on top of all ciphersuites and key management options in DTLS and SRTP adds two forms of weak authentication in the form of certificate fingerprints and key continuity. Average end users can in most cases not be expected to do much more than to distinguish between secure or not secure (e.g. by looking for a padlock icon), and nor should they.
Opportunistic and unauthenticated encryption certainly has its uses and may with the right choices provide good enough security for a low cost. The use of opportunistic encryption in STARTTLS for SMTP and the use of key continuity as a weak authentication method in SSH are excellent examples of that.
However, we do not think that massive deployment of opportunistic and unauthenticated encryption is a general solution to the pervasive monitoring problem, and may even cause as much harm as good. The additional cost for processing and memory is likely quite low, or at least not high enough to substantially reduce the amount of pervasive monitoring. However a high risk of being detected might refrain agencies from pervasive monitoring. But even if it’s possible to identify that there is an active man-in-the-middle, it might still be difficult to identify where it’s located and who it is.
Our opinion is that any recommendation should not be stressed and that the Internet community should take its time to think and discuss before agreeing on any general BCP for opportunistic and unauthenticated encryption.
Our recommendation is that unauthenticated encryption is only used when some form of weak authentication is likely to be available. For opportunistic encryption we think that the impacts such as operational and network management aspects needs to be analyzed and understood for each protocol and that general recommendations are therefore hard to make.
We recommend the Internet community to clearly define the term “opportunistic encryption” or to use other terms. If encryption without authentication is meant, we suggest that “unauthenticated encryption” is a better expression. If used, the number of options should be reduced and that the implementation and naming should not lead the end user to believe that the security is better than it really is.
The authors would like to thank Mats Näslund, Ben Smeets, and András Méhes for their support and valuable comments.
[RFC3207] | Hoffman, P., "SMTP Service Extension for Secure SMTP over Transport Layer Security", RFC 3207, February 2002. |
[RFC4568] | Andreasen, F., Baugher, M. and D. Wing, "Session Description Protocol (SDP) Security Descriptions for Media Streams", RFC 4568, July 2006. |
[RFC5764] | McGrew, D. and E. Rescorla, "Datagram Transport Layer Security (DTLS) Extension to Establish Keys for the Secure Real-time Transport Protocol (SRTP)", RFC 5764, May 2010. |
[OPPENC] | Citizendium, "Opportunistic Encryption", . |
[SWAN] | The Libreswan Project", . | , "
[EFF] | EFF, "HTTPS Everywhere", . |
[TOR] | Tor Project", . | , "
[WEAK] | Arkko, Nikander, "How to Authenticate Unknown Principals without Trusted Parties", . |
[ZRTP] | Wikipedia, "ZRTP", . |
[IMPACT] | Shen et al., "The Impact of TLS on SIP Server Performance", . |