[Search] [txt|xml|pdfized|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 rfc7435                     Informational
Network Working Group                                        V. Dukhovni
Internet-Draft                                                 Two Sigma
Intended status: Informational                            August 3, 2014
Expires: February 4, 2015

        Opportunistic Security: some protection most of the time


   This memo defines the term "opportunistic security".  In contrast to
   the established approach of employing protection against both passive
   and active attacks or else (frequently) no protection at all,
   opportunistic security strives to deliver at least some protection
   most of the time.  The primary goal is therefore broad
   interoperability, with security policy tailored to the capabilities
   of peer systems.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 4, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Dukhovni                Expires February 4, 2015                [Page 1]

Internet-Draft           Opportunistic Security              August 2014

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Opportunistic Security Design Philosophy  . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   5.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   5
   6.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   Historically, Internet security protocols have prioritized
   comprehensive protection against both passive and active attacks for
   peers capable and motivated to absorb the associated costs.  Since
   protection against active attacks relies on authentication, which at
   Internet scale is not universally available, while communications
   traffic was sometimes strongly protected, more typically it was not
   protected at all.  The fact that most traffic is unprotected
   facilitates nation-state pervasive monitoring (PM [RFC7258]) by
   making it cost-effective (or at least not cost-prohibitive).
   Indiscriminate collection of communications traffic would be
   substantially less attractive if security protocols were designed to
   operate at a range of protection levels; with encrypted transmission
   accessible to most if not all peers, and protection against active
   attacks still available where required by policy or opportunistically

   Encryption is easy, but key management is difficult.  Key management
   at Internet scale remains an incompletely solved problem.  The PKIX
   ([RFC5280]) key management model, which is based on broadly trusted
   public certification authorities (CAs), introduces costs that not all
   peers are willing to bear.  PKIX is not sufficient to secure
   communications when the peer reference identity ([RFC6125]) is
   obtained indirectly over an insecure channel or communicating parties
   don't agree on a mutually trusted CA.  DNSSEC ([RFC4033]) is not at
   this time sufficiently widely adopted to make DANE ([RFC6698]) a
   viable alternative at scale.  Trust on first use (TOFU) key
   management models (as with saved SSH fingerprints and various
   certificate pinning approaches) don't protect initial contact and
   require user intervention when key continuity fails.

   Without Internet-scale key management, authentication required for
   protection against active attacks is often not possible.  When
   protocols only offer the options of authenticated secure channels or
   else cleartext, most traffic is sent in the clear.  Therefore, in
   order to make encryption more ubiquitous, authentication needs to be
   optional.  When authenticated communication is not possible,

Dukhovni                Expires February 4, 2015                [Page 2]

Internet-Draft           Opportunistic Security              August 2014

   unauthenticated encryption is still substantially stronger than
   cleartext.  Opportunistic security encourages peers to employ as much
   security as possible, without falling back to unnecessarily weak
   options.  In particular, opportunistic security encourages
   unauthenticated encryption when authentication is not an option.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "OPTIONAL" in this document are to be interpreted as described in

   The following definitions are derived from the Internet Security
   Glossary [RFC4949], where applicable.

   Perfect Forward Secrecy (PFS):  For a key management protocol, the
      property that compromise of long-term keys does not compromise
      session/traffic/content keys that are derived from or distributed
      using the long-term keys.

   Man-in-the-Middle attack (MiTM):  A form of active wiretapping attack
      in which an attacker intercepts and may selectively modify
      communicated data to masquerade as one of the entities involved in
      a communication.  Masquerading enables the MiTM to violate the
      confidentiality and/or the integrity of communicated data passing
      through it.

   Trust on First Use (TOFU):  In a protocol, TOFU typically consists of
      accepting an asserted identity, without authenticating that
      assertion, and caching a key or credential associated with the
      identity.  Subsequent communication using the cached key/
      credential is secure against a MiTM attack, if such an attack did
      not succeed during the (vulnerable) initial communication or if
      the MiTM is not present for all subsequent communications.  The
      SSH protocol makes use of TOFU.  The phrase "leap of faith" (LoF)
      is sometimes used as a synonym.

   Unauthenticated Encryption:  Encryption using a key management
      technique that enables unauthenticated communication between
      parties.  The communication may be 1-way or 2-way unauthenticated.
      If 1-way, the initiator (client) or the target (server) may be

3.  Opportunistic Security Design Philosophy

   Interoperate to maximize deployment:  The primary goal of designs
      that feature opportunistic security is to be able to communicate

Dukhovni                Expires February 4, 2015                [Page 3]

Internet-Draft           Opportunistic Security              August 2014

      with any reasonably configured peer.  If many peers are only
      capable of cleartext, then it is acceptable to fall back to
      cleartext when encryption is not possible.  If authentication is
      only possible for some peers, then it is acceptable to
      authenticate only those peers and not the rest.  Interoperability
      must be possible without a need for the administrators of
      communicating systems to coordinate security settings.
      Applications employing opportunistic security need to be
      deployable at Internet scale, with each peer independently
      configured to meet its own security needs (within the practical
      bounds of the application protocol).  Opportunistic security must
      not get in the way of the peers communicating if neither end is

   Maximize security peer by peer:  Subject to the above Internet-scale
      interoperability goal, opportunistic security strives to maximize
      security based on the capabilities of the peer (or peers).  For
      some opportunistic security protocols the maximal protection
      possible may be just unauthenticated encryption to address passive
      monitoring.  For others, protection against active MiTM attacks
      may be an option.  Opportunistic security protocols may at times
      refuse to operate with peers for which higher security is
      expected, but for some reason not achieved.  The conditions under
      which connections fail should generally be limited to operational
      errors at one or the other peer or an active attack, so that well-
      maintained systems rarely encounter problems in normal use of
      opportunistic security.

   Encrypt by default:  An opportunistic security protocol MUST
      interoperably achieve at least unauthenticated encryption between
      peer systems that don't explicitly disable this capability.  To
      facilitate incremental deployment, opportuistic security protocols
      may tolerate cleartext connections or sessions with peers that
      don't support encryption.  Over time, as peer software is updated
      to support opportunistic security, only legacy systems or a
      minority of systems where encryption is disabled should be
      communicating in cleartext.  Whenever possible, opportunistic
      security should employ Perfect Forward Secrecy (PFS) to make
      recovery of previously sent keys and plaintext computationally
      expensive even after disclosure of long-term keys.

   No misrepresentation of security:  Unauthenticated communication or
      use of authentication that is vulnerable to MiTM attacks is not
      represented as strong security.  Where protection against active
      attacks is required, unauthenticated opportunistic security is not
      a substitute.

Dukhovni                Expires February 4, 2015                [Page 4]

Internet-Draft           Opportunistic Security              August 2014

   In summary, opportunistic security is an umbrella term that
   encompasses protocol designs that remove barriers to the widespread
   use of encryption in the Internet.  The actual protection provided by
   opportunistic security depends on the capabilities of the
   communicating peers; opportunistic security MUST attempt to at least
   encrypt network traffic, while allowing fallback to cleartext with
   peers that do not appear to be encryption capable.

   It is important to note that opportunistic security is not limited to
   unauthenticated encryption.  When possible, opportunistic security
   SHOULD provide stronger security on a peer-by-peer basis.  For
   example, some peers may be authenticated via DANE, TOFU or other
   means.  Though authentication failure MAY be a reason to abort a
   connection to a peer that is expected to be authenticated, it MUST
   NOT instead lead to communication in cleartext when encryption is an
   option.  Some Message Transfer Agents (MTAs, [RFC5598] Section 4.3.2)
   employing STARTTLS ([RFC3207]) have been observed to abort TLS
   ([RFC5246]) transmission when the receiving MTA fails authentication,
   only to immediately deliver the same message over a cleartext
   connection.  This design blunder MUST be avoided.

4.  Security Considerations

   Though opportunistic security potentially supports transmission in
   cleartext, unauthenticated encryption, or other protection levels
   short of the strongest potentially applicable, the effective security
   for users is increased, not reduced.  Provided strong security is not
   required by policy or securely negotiated, nothing is lost by
   allowing weaker protection levels, indeed opportunistic security is
   strictly stronger than the alternative of providing no security
   services when maximal security is not applicable.

5.  Acknowledgements

   I would like to thank Steve Kent.  Some of the text in this document
   is based on his earlier draft.

6.  References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3207]  Hoffman, P., "SMTP Service Extension for Secure SMTP over
              Transport Layer Security", RFC 3207, February 2002.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements", RFC
              4033, March 2005.

Dukhovni                Expires February 4, 2015                [Page 5]

Internet-Draft           Opportunistic Security              August 2014

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", RFC
              4949, August 2007.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC5280]  Cooper, D., Santesson, S., Farrell, S., Boeyen, S.,
              Housley, R., and W. Polk, "Internet X.509 Public Key
              Infrastructure Certificate and Certificate Revocation List
              (CRL) Profile", RFC 5280, May 2008.

   [RFC5598]  Crocker, D., "Internet Mail Architecture", RFC 5598, July

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
              of Named Entities (DANE) Transport Layer Security (TLS)
              Protocol: TLSA", RFC 6698, August 2012.

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, May 2014.

Author's Address

   Viktor Dukhovni
   Two Sigma

   Email: ietf-dane@dukhovni.org

Dukhovni                Expires February 4, 2015                [Page 6]