Hey folks,

we came across a novel use-case that highlights the need for non-AEAD ciphers in TLS and would like to start a discussion on that.

Our use-case is passive TLS decryption on network monitors (NMs). Non-AEAD ciphers would allow selectively forwarding the TLS write keys from clients to an NM that can then passively decrypt TLS sessions, without touching their integrity (as the write MAC keys remain on the host). This would be a major improvement compared to the usage of MitM proxies as the current state of the art. MitM proxies terminate all TLS connections and establish their own connections. Thus, a compromised MitM proxy can not only decrypt all packets, but also change packet contents.

We propose an approach for passive TLS decryption [1] in which cooperating hosts selectively forward TLS keys to the NM, which then decrypts TLS sessions. The approach is (i) completely passive and thus does not interfere with the overall connection security and (ii) is able to selectively decrypt certain TLS connections with the hosts retaining full authority over the key material. While a MitM proxy can also claim to selectively decrypt traffic, we can guarantee this by keeping key material for selected connections on the client. Furthermore, for non-AEAD ciphers only the write keys, but not the write MAC keys, are forwarded, so that the NM can inspect but not modify TLS packets.

Our prototype is built for the Zeek network monitor [2] and is currently in the process of being upstreamed with explicit interest from the maintainers [3]. Once merged, this will be the first open-source solution for passive TLS decryption on both client host (for which we built a small prototype) and network monitor (Zeek).

We understand that AEAD ciphers offer many advantages and we understand the decision to limit the set of available ciphers to secure choices only. However, we think the use-case of passive TLS decryption is highly relevant, especially for enterprise settings. In such settings, mainly MitM proxies are used, which are a security problem on their own.

We look forward to your feedback.

Best,
Florian

[1] https://arxiv.org/abs/2104.09828
[2] https://zeek.org
[3] https://github.com/zeek/zeek/pull/1518

--
M.Sc. Florian Wilkens
Research Associate
Phone: +49 40 42883 2353
IT-Sicherheit und Sicherheitsmanagement (ISS)
Universität Hamburg
Fachbereich Informatik
Vogt-Kölln-Straße 30
22527 Hamburg
Deutschland
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
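
Added example, not part of the original message or of the Zeek prototype: a TLS 1.2-style MAC-then-encrypt record showing the key split the message describes, where a monitor given only the write key reads the payload, while a record sealed without the write MAC key is rejected by the host. The cipher choice (AES-128-CBC with HMAC-SHA256), the function names and the keys are assumptions constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// recordMAC is the TLS 1.2 record MAC over seq || type || version || length || data.
func recordMAC(macKey []byte, seq uint64, data []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	binary.Write(m, binary.BigEndian, seq)
	m.Write(append([]byte{23, 3, 3, byte(len(data) >> 8), byte(len(data))}, data...))
	return m.Sum(nil)
}
// seal is the sending host: MAC-then-encrypt with AES-CBC, which needs both keys.
func seal(encKey, macKey []byte, seq uint64, data []byte) []byte {
	pt := append(append([]byte{}, data...), recordMAC(macKey, seq, data)...)
	pad := 16 - len(pt)%16 // number of padding bytes, each holding the value pad-1
	pt = append(pt, bytes.Repeat([]byte{byte(pad - 1)}, pad)...)
	rec := make([]byte, 16+len(pt))
	rand.Read(rec[:16]) // explicit per-record IV
	blk, _ := aes.NewCipher(encKey)
	cipher.NewCBCEncrypter(blk, rec[:16]).CryptBlocks(rec[16:], pt)
	return rec
}
// decrypt needs only the write key; it returns the payload and the MAC it carried.
func decrypt(encKey, rec []byte) (data, mac []byte) {
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(rec)-16)
	cipher.NewCBCDecrypter(blk, rec[:16]).CryptBlocks(pt, rec[16:])
	n := len(pt) - int(pt[len(pt)-1]) - 1 - sha256.Size // payload length
	return pt[:n], pt[n : n+sha256.Size]
}
// accept is the receiving host: it also verifies the MAC with the write MAC key.
func accept(encKey, macKey []byte, seq uint64, rec []byte) bool {
	data, mac := decrypt(encKey, rec)
	return hmac.Equal(mac, recordMAC(macKey, seq, data))
}
func main() {
	encKey, macKey := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32) // constructed keys
	seen, _ := decrypt(encKey, seal(encKey, macKey, 0, []byte("GET /report HTTP/1.1")))
	resealed := seal(encKey, make([]byte, 32), 0, seen) // monitor has no MAC key: zero key as stand-in
	fmt.Printf("monitor reads %q; host accepts its re-sealed record: %v\n", seen, accept(encKey, macKey, 0, resealed))
}
```

With an AEAD cipher there is no separate MAC key to withhold, so the same forwarded key would cover both reading and sealing records.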