Internet Engineering Task Force (IETF)                  Phillip Hallam-Baker
Internet-Draft                                            Comodo Group Inc.
Intended Status: Standards Track                         September 11, 2013
Expires: March 15, 2014

                    PRISM-Proof Security Considerations
                    draft-hallambaker-prismproof-req-00

Abstract

   PRISM is reputed to be a classified US government program that involves covert interception of a substantial proportion of global Internet traffic. This document describes the security concerns such a program raises for Internet users and the security controls that may be employed to mitigate the risk of pervasive intercept capabilities, regardless of their source.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1. Requirements
   2. Attack Degree
   2.1. Content Disclosure
   2.2. Meta Data Analysis
   2.3. Traffic Analysis
   2.4. Denial of Service
   2.5. Protocol Exploit
   3. Attacker Capabilities
   3.1. Passive Observation
   3.2. Active Modification
   3.3. Cryptanalysis
   3.4. Kleptography
   3.4.1. Covert Channels in RSA
   3.4.2. Covert Channels in TLS, S/MIME, IPSEC
   3.4.3. Covert Channels in Symmetric Ciphers
   3.4.4. Covert Channels in ECC Curves
   3.4.5. Unusable Cryptography
   3.5. Lawful Intercept
   3.6. Subversion or Coercion of Intermediaries
   3.6.1. Physical Plant
   3.6.2. Internet Service Providers
   3.6.3. Router
   3.6.4. End Point
   3.6.5. Cryptographic Hardware Providers
   3.6.6. Certificate Authorities
   3.6.7. Standards Organizations
   4. Controls
   4.1. Confidentiality
   4.1.1. Perfect Forward Secrecy
   4.2. Policy, Audit and Transparency
   4.2.1. Policy
   4.2.2. Audit
   4.2.3. Transparency
   Author's Address

1. Requirements

   PRISM is reputed to be a classified US government program that involves covert interception of a substantial proportion of global Internet traffic. While the precise capabilities of PRISM are unknown, the program is believed to involve traffic and meta-data analysis, and the intercepts are believed to be obtained with the assistance of intermediaries trusted by Internet end users. Such intermediaries may or may not include ISPs, backbone providers, hosted email providers or Certificate Authorities.

   Government intercept capabilities pose a security risk to Internet users even when performed by a friendly government. While use of the intercept capability may be intended to be restricted to counter-terrorism and protecting national security, there is a long and abundant history of such capabilities being abused. Furthermore, an agency that has been penetrated by an Internet privacy activist seeking to expose the existence of such programs may fairly be considered likely to be penetrated by hostile governments.

   The term 'PRISM-Proof' is used in this series of documents to describe a communications architecture that is designed to resist or prevent all forms of covert intercept capability. The concerns to be addressed are not restricted to the specific capabilities known or suspected of being supported by PRISM, the NSA, or even the US government and its allies.

2. Attack Degree

   Some forms of attack are much harder to protect against than others, and providing protection against one form of attack may make another form of attack easier.

   The degrees of attack that are of concern depend on the security concerns of the parties communicating.
2.1. Content Disclosure

   Content disclosure is disclosure of the message content: in the case of an email message, disclosure of the subject line or any part of the message body.

   The IETF has a long history of working on technologies to protect email message content from disclosure, beginning with PEM and MOSS. At present the IETF has two email security standards that address confidentiality, with incompatible message formats and different key management and distribution approaches.

   S/MIME and PGP may both be considered broken in that they reveal the message subject line and content meta-data such as the time. This problem is easily addressed, but at the cost of sacrificing backwards compatibility.

2.2. Meta Data Analysis

   Meta-data is information that is included in a communication protocol in addition to the content exchanged. This includes the sender and receiver of a message, the time and date, and headers describing the path the message has taken through the Internet mail service. Meta-data analysis permits an attacker to uncover the social network of parties that are in frequent communication with each other.

   Preventing disclosure of meta-data is possible through techniques such as dead drops and onion routing, but such approaches impose a heavy efficiency penalty, and it is generally considered preferable to limit the parties capable of performing meta-data analysis instead.

   The IETF STARTTLS extension to email permits the use of TLS to encrypt SMTP traffic, including meta-data. However, use of STARTTLS has two major limitations. First, SMTP is a store and forward protocol and STARTTLS only protects the messages hop-by-hop. Second, there is currently no infrastructure for determining that an SMTP service offers STARTTLS support or for validating the credentials presented by the remote server.
   The DANE Working Group is currently working on a proposal to address the second limitation.

2.3. Traffic Analysis

   Analysis of communication patterns may also leak information about which parties are communicating, especially in the case of synchronous protocols such as chat, voice and video.

   Traffic analysis of store and forward protocols such as SMTP is more challenging, particularly when billions of messages an hour may pass between the major Webmail providers. But clues such as message length may give attackers more leverage than is generally expected.

2.4. Denial of Service

   Providing protection against denial of service is frequently at odds with other security objectives. In most situations it is preferable for a mail client not to send a message in circumstances where there is a risk of interception. Thus an attacker may be able to perform a Denial of Service attack by creating the appearance of an intercept risk.

   Whether the potential compromise of confidentiality or of service is preferable depends on the circumstances. If critical infrastructure such as electricity or water supply or the operation of a port depends on messages getting through, it may be preferable to accept a confidentiality compromise over a service compromise, even though confidentiality is also a significant concern.

2.5. Protocol Exploit

   Many protocols are vulnerable to attack at the application layer, for example through JavaScript injection in HTML and SQL injection attacks.

   A recent trend in Internet chat services is to permit the participants in a group chat to share links to images and other content on other sites. Introducing a link into the chat session causes every connected client to retrieve the linked resource, thus allowing an attacker with access to the chat room to discover the IP address of all the connected parties.
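As an added illustration of the message-length clue in section 2.3 (this code is not part of the draft), the following Python measures what a length observer can learn from a constructed set of message sizes before and after two padding disciplines: power-of-two buckets, and a fixed-size envelope. The 256-byte minimum bucket, the 4096-byte envelope and the ten sample lengths are constructed values for the example.

```python
"""Added example (not part of the draft): bucketed and fixed-size padding as a
control against the message-length clue described in section 2.3."""
import math
from collections import Counter

MIN_BUCKET = 256  # constructed policy value: smallest size ever put on the wire, in bytes


def padded_length(plaintext_len, min_bucket=MIN_BUCKET, envelope=None):
    """Size the message occupies on the wire after padding.

    With envelope=None the length is rounded up to the next power-of-two bucket
    (>= min_bucket), so an observer learns at most the bucket.  With a fixed
    envelope every message is the same size and the length leaks nothing, at the
    cost of refusing messages that do not fit.
    """
    if plaintext_len < 0:
        raise ValueError("length must be non-negative")
    if envelope is not None:
        if plaintext_len > envelope:
            raise ValueError("message exceeds the fixed envelope; split or reject it")
        return envelope
    size = min_bucket
    while size < plaintext_len:
        size *= 2
    return size


def size_entropy_bits(lengths):
    """Shannon entropy of the observed size distribution: an upper bound on the
    information (in bits per message) that size alone can give an observer."""
    counts = Counter(lengths)
    total = len(lengths)
    return -sum(c / total * math.log2(c / total) for c in counts.values()) + 0.0  # +0.0 normalises -0.0


# Constructed sample: byte lengths of ten messages, five terse replies and five
# form letters, the kind of bimodal traffic where length betrays message type.
CONSTRUCTED_LENGTHS = [41, 44, 52, 47, 61, 3021, 3044, 3012, 2998, 3070]


def compare(lengths=CONSTRUCTED_LENGTHS, envelope=4096):
    """Distinct observable sizes and size entropy for raw, bucketed and fixed padding."""
    schemes = {
        "raw": list(lengths),
        "bucketed": [padded_length(n) for n in lengths],
        "fixed": [padded_length(n, envelope=envelope) for n in lengths],
    }
    return {
        name: {"distinct": len(set(sizes)), "entropy_bits": round(size_entropy_bits(sizes), 3)}
        for name, sizes in schemes.items()
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:9s} distinct sizes={stats['distinct']:2d} entropy={stats['entropy_bits']} bits")
```

Bucketing collapses the ten raw sizes to two, but on this bimodal sample the observer still learns one full bit per message (reply or form letter). Only the fixed envelope removes the clue entirely, which is the trade-off the draft alludes to: the stronger the protection against traffic analysis, the higher the bandwidth cost.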
3. Attacker Capabilities

   Some forms of attack are available to any actor while others are restricted to actors with access to particular resources. Any party with access to the Internet can perform a Denial of Service attack, while the ability to perform traffic analysis is limited to parties with a certain level of network access.

   A major constraint on most interception efforts is the need to perform the attack covertly, so as not to alert the parties to the fact that their communications are not secure and discourage them from exchanging confidential information. Even governments that intentionally disclose the ability to perform intercepts for purposes of intimidation do not typically reveal intercept methods or the full extent of their capabilities.

3.1. Passive Observation

   Many parties have the ability to perform passive observation of parts of the network. Only governments and large ISPs can feasibly observe a large fraction of the network, but every network provider can monitor data and traffic on its own network, and third parties can frequently obtain data from wireless networks, exploiting misconfiguration of firewalls, routers, etc.

   A purely passive attack has the advantage to the attacker of being difficult to detect: it is impossible to rule out that an intercept has taken place. Passive attacks are however limited in the information they can reveal and are easily defeated with relatively simple cryptographic techniques.

3.2. Active Modification

   Active attacks are more powerful but are more easily detected. Use of TLS without verification of the end-entity credentials presented by each side is sufficient to defeat a passive attack but is defeated by a man-in-the-middle attack substituting false credentials.
   Active attacks may be used to defeat secure-after-first-contact approaches, but at the cost of requiring interception of every subsequent communication.

   While many attackers have the ability to perform an ad-hoc active attack, only a few parties have the ability to perform active attacks repeatedly, and none can expect to do so with absolute reliability.

   A major limitation on active attack is that an attacker can only perform an active attack if the target is known in advance or the target presents an opportunity that would compromise previously stored communications.

3.3. Cryptanalysis

   Many parties have the ability to perform cryptanalysis, but government cryptanalytic capabilities may be substantially greater.

3.4. Kleptography

   Kleptography is persuading the party to be intercepted to use a form of cryptography that the attacker knows they can break. Real life examples of kleptography include the British government encouraging the continued use of Enigma type cryptography machines by British colonies after World War II, and the requirement that early export versions of Netscape Navigator and Internet Explorer use 40 bit symmetric keys.

3.4.1. Covert Channels in RSA

   One form of kleptography that is known to be feasible and is relevant to IETF protocols is employing an RSA modulus to provide a covert channel. In the normal RSA scheme we choose primes p and q and use them to calculate n = pq. But the scheme works just as well if we choose n' and p and look for a prime q in the vicinity of n'/p, then use p and q to calculate the final value of n. Since q ~= n'/p it follows that n' ~= n. For a 2048 bit modulus, approximately 1000 bits are available for use as a covert channel.

   Such a covert channel may be used to leak some or all of the private key or the seed used to generate it. The data may be encrypted to avoid detection.
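The construction of section 3.4.1 carried through at toy size, as an added example that is not part of the draft: it generates a 512-bit modulus the ordinary way and one the draft's way (choose n' and p, take q as the prime just above n'/p) and counts how many high-order bits of n agree with n'. The 512-bit size, the seed and the random pattern placed in n' (standing in for a channel payload) are constructed choices. The point for a defender is the last one in the lead-in: matching_high_bits only recognises a channel whose payload the checker already knows, and, as the draft notes, an encrypted payload is indistinguishable from random bits, so the modulus itself gives no evidence and the practical control is key generation by software and hardware that can be audited.

```python
"""Added example, not from the draft: the modulus construction of section 3.4.1
run at toy size, to show how many high-order bits of n the key generator can
choose and why that is an audit concern for key generation code and hardware."""
import random

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin with a small-prime trial division pre-filter."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Random odd probable prime with exactly `bits` bits (top bit set)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def next_prime(start, rng):
    """Smallest odd probable prime >= start."""
    cand = start | 1
    while not is_probable_prime(cand, rng):
        cand += 2
    return cand


def honest_modulus(bits, rng):
    """Ordinary RSA key generation: two independent random primes."""
    p = random_prime(bits // 2, rng)
    q = random_prime(bits // 2, rng)
    return p, q, p * q


def modulus_with_chosen_high_bits(n_target, bits, rng):
    """The draft's construction: fix n' (= n_target) first, pick p at random, then
    take q as the prime just above n'/p, so that n = p*q lands close to n'."""
    p = random_prime(bits // 2, rng)
    q = next_prime(n_target // p, rng)
    return p, q, p * q


def matching_high_bits(a, b, width):
    """How many leading bits of two width-bit integers agree."""
    diff = a ^ b
    return width if diff == 0 else width - diff.bit_length()


def demo(bits=512, seed=2013):
    rng = random.Random(seed)
    # Constructed stand-in for a channel payload: random bits the generator wants in n.
    n_target = rng.getrandbits(bits) | (1 << (bits - 1))
    _, _, n_honest = honest_modulus(bits, rng)
    p, q, n_chosen = modulus_with_chosen_high_bits(n_target, bits, rng)
    return {
        "bits": bits,
        "honest_match": matching_high_bits(n_target, n_honest, bits),
        "chosen_match": matching_high_bits(n_target, n_chosen, bits),
        "chosen_is_valid_rsa_modulus": p != q and n_chosen == p * q and n_chosen.bit_length() == bits,
    }


if __name__ == "__main__":
    print(demo())
```

With n = p*q and q = n'/p rounded up to the next prime, n - n' is at most about p times the prime gap, so the top half of the modulus (minus a few bits for the gap) agrees with n'. That is where the draft's "approximately 1000 bits" of a 2048-bit modulus comes from.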
3.4.2. Covert Channels in TLS, S/MIME, IPSEC

   Similar approaches may be used in any application software that has knowledge of the actual private key. For example, a TLS implementation might use packet framing to leak the key.

3.4.3. Covert Channels in Symmetric Ciphers

   A hypothetical but unproven possibility is the construction of a symmetric cipher with a backdoor. Such an attack is far beyond the capabilities of the open field. A symmetric cipher with a perfect backdoor would constitute a new form of public key cryptography more powerful than any known to date. For purposes of kleptography, however, it would be sufficient for a backdoor to limit the key space that an attacker needed to search through brute force, or to have some other limitation that is considered essential for public key cryptography.

3.4.4. Covert Channels in ECC Curves

   Another hypothetical but unproven possibility is the construction of a weak ECC curve or a curve that incorporates a backdoor function. As with symmetric ciphers, this would require a substantial advance on the public state of the mathematical art.

3.4.5. Unusable Cryptography

   A highly effective form of kleptography would be to make the cryptographic system so difficult to use that nobody would bother to do so.

3.5. Lawful Intercept

   Lawful intercept is a form of coercion that is unique to government actors by definition. Defeating court ordered intercept by a domestic government is outside the scope of this document, though defeating foreign lawful intercept requests may be within it.

   While the US government is known to practice Lawful Intercept under court order and to issue National Security Letters of questionable constitutional validity, the scope of such programs as revealed in public documents and leaks from affected parties is considerably more restricted than that of the purported PRISM program.
   While a Lawful Intercept demand may in theory be directed against any of the intermediaries listed in the following section on subversion or coercion, the requirement to obtain court sanction constrains the number and type of targets against which Lawful Intercept may be sought and the means by which it is implemented. A court is unlikely to sanction Lawful Intercept of opposition politicians for the political benefit of current office holders.

3.6. Subversion or Coercion of Intermediaries

   Subversion or coercion of intermediaries is a capability that is almost entirely limited to state actors. A criminal organization may coerce an intermediary in the short term but has little prospect of succeeding in the long term.

3.6.1. Physical Plant

   The Internet is at base a collection of data moving over wires, optical cables and radio links. Every form of interconnect that is a practical means of high bandwidth communication is vulnerable to interception at the physical layer. Attacks on physical interconnect require only a knowledge of where the signal cables are routed and a backhoe.

   Even quantum techniques do not necessarily provide a guarantee of security. While such techniques may be theoretically unbreakable, the physical realization of such systems tends to fall short. As with the 'unbreakable' One Time Pad, the theoretical security tends to be exceptionally fragile.

   Attacks on the physical plant may enable high bandwidth passive intercept capabilities and possibly even active capabilities.

3.6.2. Internet Service Providers

   Internet Service Providers have access to the physical and network layer data and are capable of passive or active attacks.
   ISPs have established channels for handling Lawful Intercept requests, and thus any employee involved in an intercept request that was outside the scope of those programs would be on notice that their activities are criminal.

3.6.3. Router

   Compromise of a router is an active attack that provides both passive and active intercept capabilities. Such compromise may be performed by compromise of the device firmware or of the routing information.

3.6.4. End Point

   Compromise of Internet endpoints may be achieved through insertion of malware or through coercion or suborning of the platform provider.

3.6.5. Cryptographic Hardware Providers

   Deployment of the 'kleptography' techniques described earlier requires that the attacker be capable of controlling the cryptographic equipment and software available to the end user. Compromise of the cryptographic hardware provided is one means by which this might be achieved.

3.6.6. Certificate Authorities

   Certificate Authorities provide public key credentials to validated key holders. While compromise of a Certificate Authority is certainly possible, this is an active attack and the credentials created leave permanent evidence of the attack.

3.6.7. Standards Organizations

   Another route for deployment of kleptography would be to influence the standards for use of cryptography, although this would only permit the use of kleptographic techniques that are not publicly known.

   Another area of concern is that efforts to make strong cryptography usable through deployment of key discovery infrastructure or security policy infrastructure may have been intentionally delayed or discouraged. The chief security failure of the Internet today is that insecurity is the default, and many attacks are able to circumvent strong cryptography through a downgrade attack.
4. Controls

   Traditionally a cryptographic protocol is designed to resist direct attack, with the assumption that protocols that provide protection against targeted intercept will also provide protection against pervasive intercept. Consideration of the specific constraints of pervasive covert intercept demonstrates that a protocol need not guarantee perfect protection against a targeted intercept to render pervasive intercept infeasible.

   One of the more worrying aspects of the attempt to defend the legality of the PRISM program is the assertion that passive intercept does not constitute a search requiring court oversight. This suggests that the NSA is passively monitoring all Internet traffic and that any statement that a citizen might make in 2013 could potentially be used in a criminal investigation that began in 2023.

   At present Internet communications are typically sent in the clear unless there is a particular confidentiality concern, in which case techniques that resist active attack are employed. A better approach would be to always use encryption that resists passive attack, recognizing that some applications also require resistance to active attacks.

4.1. Confidentiality

   Encryption provides a confidentiality control when the symmetric encryption key is not known to or discoverable by the attacker. Use of strong public key cryptography provides a control against passive attacks, but not against an active attack unless the communicating parties have a means of verifying the credentials purporting to identify the parties.

4.1.1. Perfect Forward Secrecy

   One of the main limitations of simple public key exchange schemes is that compromise of an end entity decryption key results in compromise of all the messages encrypted using that key.
   Perfect Forward Secrecy is a misnomer for a technique that forces an attacker to compromise a separate private key for every key exchange. This is usually achieved by performing two layers of public key exchange, using the credentials of the parties to negotiate a temporary key which is in turn used to derive the symmetric session key used for communications.

   Perfect Forward Secrecy is a misnomer because the secrecy is not 'perfect': should the public key system used to identify the principals be broken, it is likely that the temporary public key will be vulnerable to cryptanalysis as well. The value of PFS is not that it is 'perfect' but that it dramatically increases the cost of an attack to an attacker.

4.2. Policy, Audit and Transparency

   The most underdeveloped area of Internet security to date is the lack of a security policy infrastructure and of the audit and transparency capabilities to support it.

4.2.1. Policy

   A security policy describes the security controls that a party performs or offers to perform. One of the main failings in the Internet architecture is that the parties have no infrastructure to inform them of the security policy of the party they are attempting to communicate with, except for the case of Certificate Policies and Certificate Practices Statements, which are not machine readable documents.

   A machine readable policy stating that a party always offers a minimum level of security provides protection against downgrade attack.

4.2.2. Audit

   Audit is verifying that a party is in compliance with its published security policy. Some security policies are self-auditing (e.g. advertising support for specific cryptographic protocols), others may be audited by automatic means, and some may require human interpretation and evaluation.
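The two-layer exchange of section 4.1.1, as an added example that is not part of the draft: both parties hold a long-term (static) Diffie-Hellman credential and, in the PFS variant, also generate a fresh ephemeral pair per session, so the session key depends on an ephemeral secret that is erased after the handshake and never appears in any transcript. The group is a constructed 128-bit safe prime with generator 4, far too small for real use; the key derivation (SHA-256 over labelled DH outputs) and the attacker model (recorded transcript plus both long-term private keys obtained later) are this example's own assumptions. Static-static authentication is shown through the mixed static-ephemeral DH terms rather than signatures, which keeps the example self-contained.

```python
"""Added example (not from the draft): toy finite-field Diffie-Hellman showing why a
two-layer (static + ephemeral) exchange gives forward secrecy while a static-only
exchange does not.  The 128-bit safe-prime group is constructed and illustrative only."""
import hashlib
import random


def miller_rabin(n, rng, rounds=24):
    """Probabilistic primality test with a small-prime pre-filter."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits, rng):
    """p = 2q + 1 with q prime, so the square 4 generates the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if miller_rabin(q, rng) and miller_rabin(2 * q + 1, rng):
            return 2 * q + 1


class Group:
    def __init__(self, p):
        self.p, self.q, self.g = p, (p - 1) // 2, 4

    def keypair(self, rng):
        x = rng.randrange(1, self.q)
        return x, pow(self.g, x, self.p)

    def dh(self, priv, pub):
        # Reject values outside the prime-order subgroup (small-subgroup confinement).
        if not 1 < pub < self.p - 1 or pow(pub, self.q, self.p) != 1:
            raise ValueError("public value is not in the prime-order subgroup")
        return pow(pub, priv, self.p)


def make_group(bits=128, seed=7):
    return Group(safe_prime(bits, random.Random(seed)))


def kdf(label, *secrets):
    """Session key = SHA-256 over a label and the DH outputs, in a fixed order."""
    h = hashlib.sha256(label)
    for s in secrets:
        h.update(s.to_bytes(64, "big"))
    return h.hexdigest()


def static_only_session(group, a_static, b_static):
    """No PFS: the key is derived from the long-term credentials alone."""
    (a_priv, a_pub), (b_priv, b_pub) = a_static, b_static
    k_a = kdf(b"static", group.dh(a_priv, b_pub))
    k_b = kdf(b"static", group.dh(b_priv, a_pub))
    assert k_a == k_b
    return k_a, {"A_static": a_pub, "B_static": b_pub}


def pfs_session(group, a_static, b_static, rng):
    """Two layers: static credentials authenticate, an ephemeral pair per side
    supplies the secret the session key actually depends on."""
    (a_priv, a_pub), (b_priv, b_pub) = a_static, b_static
    ae_priv, ae_pub = group.keypair(rng)
    be_priv, be_pub = group.keypair(rng)
    k_a = kdf(b"pfs", group.dh(ae_priv, be_pub), group.dh(a_priv, be_pub), group.dh(ae_priv, b_pub))
    k_b = kdf(b"pfs", group.dh(be_priv, ae_pub), group.dh(be_priv, a_pub), group.dh(b_priv, ae_pub))
    assert k_a == k_b
    # ae_priv and be_priv go out of scope here; only the public shares were on the wire.
    return k_a, {"A_static": a_pub, "B_static": b_pub, "A_eph": ae_pub, "B_eph": be_pub}


def recover_with_compromised_statics(group, transcript, a_priv, b_priv):
    """What an attacker holding the recorded transcript and, later, BOTH long-term
    private keys can compute.  Returns the session key when it is derivable, else None."""
    if "A_eph" not in transcript:
        return kdf(b"static", group.dh(a_priv, transcript["B_static"]))
    # The static-ephemeral terms g^(a*be) and g^(ae*b) are computable from the
    # compromised keys, but g^(ae*be) needs an ephemeral private key that exists
    # nowhere the attacker can reach, so the PFS key cannot be reconstructed.
    return None


def demo(bits=128, seed=7):
    rng = random.Random(seed)
    group = make_group(bits, seed)
    a_static, b_static = group.keypair(rng), group.keypair(rng)
    k_static, t_static = static_only_session(group, a_static, b_static)
    k_pfs, t_pfs = pfs_session(group, a_static, b_static, rng)
    return {
        "static_only_recovered": recover_with_compromised_statics(group, t_static, a_static[0], b_static[0]) == k_static,
        "pfs_recovered": recover_with_compromised_statics(group, t_pfs, a_static[0], b_static[0]) == k_pfs,
    }


if __name__ == "__main__":
    print(demo())
```

The caveat the draft raises survives in this model: if the group itself were broken (discrete logarithms feasible), the attacker would recover the ephemeral private keys from the public shares and the PFS key with them, so PFS raises the cost of an attack rather than making it impossible.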
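A machine-readable policy of the kind sections 4.2.1 and 4.2.2 call for, as an added example that is not part of the draft: a published policy states the minimum a server always offers (STARTTLS, a TLS floor, a verifiable credential), a client compares each session against it, and an audit over a session log turns every shortfall into evidence. The JSON policy format, its field names, and the four sample sessions are constructed for the example; they are not a format the draft defines.

```python
"""Added example (not from the draft): a constructed machine-readable security
policy, the downgrade check of section 4.2.1, and the self-audit of 4.2.2."""
import json

# Constructed policy document that a domain would publish for its mail service.
CONSTRUCTED_POLICY = json.dumps({
    "domain": "mail.example.test",
    "transport": {"starttls": "required", "min_tls_version": "1.2"},
    "verify": {"server_credential": "required"},
})

TLS_ORDER = {"1.0": 0, "1.1": 1, "1.2": 2, "1.3": 3}


def load_policy(text):
    """Parse the policy and reject anything that does not state the fields we
    enforce, so a mangled or partial policy never degrades to 'anything goes'."""
    policy = json.loads(text)
    transport, verify = policy["transport"], policy["verify"]
    if transport["starttls"] not in ("required", "optional"):
        raise ValueError("unknown starttls setting")
    if transport["min_tls_version"] not in TLS_ORDER:
        raise ValueError("unknown TLS version")
    if verify["server_credential"] not in ("required", "optional"):
        raise ValueError("unknown credential setting")
    return policy


def evaluate_session(policy, observed):
    """Compare what the remote side actually offered with what its published
    policy promises.  Returns a list of violations; empty means compliant.
    Without a policy, a missing STARTTLS offer is indistinguishable from a server
    that never supported it; with one it is evidence of a downgrade."""
    violations = []
    transport = policy["transport"]
    if not observed["starttls_offered"]:
        if transport["starttls"] == "required":
            violations.append("STARTTLS absent although policy requires it (possible downgrade)")
        return violations  # a cleartext session has nothing further to check
    version = observed.get("tls_version")
    if version not in TLS_ORDER:
        violations.append(f"unrecognised TLS version {version!r}")
    elif TLS_ORDER[version] < TLS_ORDER[transport["min_tls_version"]]:
        violations.append(f"TLS {version} below policy minimum {transport['min_tls_version']}")
    if policy["verify"]["server_credential"] == "required" and not observed["credential_verified"]:
        violations.append("server credential not verified although policy requires it")
    return violations


def audit(policy, sessions):
    """Self-audit over a log of observed sessions: the policy promises what every
    session must show, so each non-compliant session (index -> violations) is
    evidence that either the operator is not honouring its policy or an
    intermediary interfered."""
    return {i: v for i, s in enumerate(sessions) if (v := evaluate_session(policy, s))}


# Constructed session log: one compliant session, one with STARTTLS stripped,
# one negotiated down to TLS 1.0, one whose certificate failed verification.
CONSTRUCTED_SESSIONS = [
    {"starttls_offered": True, "tls_version": "1.3", "credential_verified": True},
    {"starttls_offered": False, "tls_version": None, "credential_verified": False},
    {"starttls_offered": True, "tls_version": "1.0", "credential_verified": True},
    {"starttls_offered": True, "tls_version": "1.2", "credential_verified": False},
]


if __name__ == "__main__":
    policy = load_policy(CONSTRUCTED_POLICY)
    for index, problems in audit(policy, CONSTRUCTED_SESSIONS).items():
        print(f"session {index}: " + "; ".join(problems))
```

A policy that says "STARTTLS optional" is self-auditing in the draft's sense only for what it promises; the value of the "required" form is precisely that it makes the absence of the control observable, which is what defeats the downgrade.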
4.2.3. Transparency

   A security policy is transparent if it may be audited using only publicly available information.

   An important application of transparency is its use by trusted intermediaries to deter attempted coercion or to demonstrate that a coercion attempt would be impractical.

Author's Address

   Phillip Hallam-Baker
   Comodo Group Inc.

   philliph@comodo.com