[Search] [txt|xml|pdf|bibtex] [Tracker] [WG] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 03 04 05 06 rfc7435                     Informational
Network Working Group                                        V. Dukhovni
Internet-Draft                                                 Two Sigma
Intended status: Informational                           August 15, 2014
Expires: February 16, 2015

        Opportunistic Security: Some Protection Most of the Time


   This memo introduces the "Opportunistic Security" (OS) protocol
   design pattern.  Protocol designs based on OS depart from the
   established practice of employing cryptographic protection against
   both passive and active attacks, or no protection at all.  As a
   result, with OS at least some cryptographic protection should be
   provided most of the time.  For example, the majority of Internet
   SMTP traffic is now opportunistically encrypted.  OS designs remove
   barriers to the widespread use of encryption on the Internet.  The
   actual protection provided by opportunistic security depends on the
   advertised security capabilities of the communicating peers.

   This document promotes designs in which cryptographic protection
   against both passive and active attacks can be rolled out
   incrementally as new systems are deployed, without creating barriers
   to communication.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on February 16, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Dukhovni                Expires February 16, 2015               [Page 1]

Internet-Draft           Opportunistic Security              August 2014

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  The Opportunistic Security Design Pattern . . . . . . . . . .   5
   4.  Opportunistic Security Design Principles  . . . . . . . . . .   7
   5.  Example: Opportunistic TLS in SMTP  . . . . . . . . . . . . .   8
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   9
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   9
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   9
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   9
     8.2.  Informative References  . . . . . . . . . . . . . . . . .  10
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  10

1.  Introduction

   Historically, Internet security protocols have emphasized
   comprehensive "all or nothing" cryptographic protection against both
   passive and active attacks.  With each peer, such a protocol achieves
   either full protection or else total failure to communicate (hard
   fail).  As a result, operators often disable these security protocols
   at the first sign of trouble, degrading all communications to
   cleartext transmission.  Protection against active attacks requires
   authentication.  The ability to authenticate any potential peer on
   the Internet requires a key management approach that works for all.

   Designing and deploying a key management for the whole Internet is
   for now an unsolved problem.  For example, the Public Key
   Infrastructure (PKI) used by the web (often called the "Web PKI") is
   based on broadly trusted public certification authorities (CAs).  The
   Web PKI has too many trusted authorities and imposes burdens that not
   all peers are willing to bear.  Web PKI authentication is vulnerable
   to MiTM attacks when the peer reference identifier ([RFC6125]) is
   obtained indirectly over an insecure channel, perhaps via an MX or
   SRV lookup.  With so many certification authorities, which not
   everyone is willing to trust, the communicating parties don't always
   agree on a mutually trusted CA.  Without a mutually trusted CA,
   authentication fails, leading to communications failure.  The above
   issues are compounded by operational difficulties.  For example, a
   common problem is for site operators to forget to perform timely
   renewal of expiring certificates.  In interactive applications,

Dukhovni                Expires February 16, 2015               [Page 2]

Internet-Draft           Opportunistic Security              August 2014

   security warnings are all too frequent, and end-users learn to
   actively ignore security problems.

   DNS Security (DNSSEC [RFC4033]) can be used to leverage the global
   DNS infrastructure as a distributed authentication system.  DNS-Based
   Authentication of Named Entities (DANE [RFC6698]) provides the
   guidelines and DNS records to use the DNS as an alternative to the
   Web PKI.  However, at this time, DNSSEC is not sufficiently widely
   adopted to allow DANE to play the role of an Internet-wide any-to-any
   authentication system.  Therefore, protocols that mandate
   authentication for all peers cannot generally do so via DANE.
   Opportunistic security protocols on the other hand, can begin to use
   DANE immediately, without waiting for universal adoption.

   Other authentication mechanisms have been designed that do not rely
   on trusted third parties.  The trust-on-first-use (TOFU)
   authentication approach makes a leap of faith (LoF, [RFC4949]) by
   assuming that unauthenticated public keys obtained on first contact
   will likely be good enough to secure future communication.  TOFU is
   employed in SSH and in various certificate pinning designs.  TOFU
   does not protect against an attacker who can hijack the first contact
   communication and requires more care from the end-user when systems
   update their cryptographic keys.  TOFU can make it difficult to
   distinguish routine system administration from a malicious attack.

   The lack of a global key management system means that for many
   protocols only a minority of communications sessions can be
   authenticated.  When protocols only offer the choice between an
   authenticated encrypted channel or no protection, the result is that
   most traffic is sent in cleartext.  The fact that most traffic is not
   encrypted makes pervasive monitoring easier by making it cost-
   effective, or at least not cost-prohibitive; see [RFC7258] for more

   To reach broad adoption, it must be possible to roll out support for
   unauthenticated encryption or authentication incrementally.
   Incremental rollout on the scale of the Internet means that for some
   considerable time security capabilities vary from peer to peer, and
   therefore protection against passive and active attacks needs to be
   applied selectively peer by peer.

   We will use the phrase "opportunistically employed" to mean that the
   use of a type of protection or a security mechanism was tailored to
   the advertised capabilities of the peer.  Both opportunistically
   employed encryption and opportunistically employed authentication
   need to avoid deployment roadblocks and need to be designed with care
   to "just work".

Dukhovni                Expires February 16, 2015               [Page 3]

Internet-Draft           Opportunistic Security              August 2014

   To enable broader use of encryption, it must be possible to
   opportunistically employ encryption with peers that support it
   without always demanding authentication.  This defends against
   pervasive monitoring and other passive attacks, as even
   unauthenticated encryption (see definition in Section 2) is
   preferable to cleartext.

   The opportunistic security design pattern involves stepping up from a
   baseline security policy compatible with all relevant peers to the
   most secure policy compatible with the capabilities of a given peer.
   Note, this is rather different from setting a high standard and
   attempting to determine (perhaps by asking the user) whether an
   exception can be made.

   The risk of active attacks should not be ignored.  The opportunistic
   security design pattern recommends that protocols employ multiple
   cryptographic protection levels, with encrypted transmission
   accessible to most if not all peers.  Protocol designers are
   encouraged to produce protocols that can securely determine which
   peers support authentication, and can then establish authenticated
   communication channels resistant to active attacks with those peers.

   Operators must be able specify explicit security policies that
   override opportunistic security where appropriate.

2.  Terminology

   Perfect Forward Secrecy (PFS):  As defined in [RFC4949].

   Man-in-the-Middle (MiTM) attack:  As defined in [RFC4949].

   Trust on First Use (TOFU):  In a protocol, TOFU typically consists of
      accepting and storing an asserted identity, without authenticating
      that assertion.  Subsequent communication using the cached key/
      credential is secure against an MiTM attack, if such an attack did
      not succeed during the (vulnerable) initial communication.  The
      SSH protocol makes use of TOFU.  The phrase "leap of faith" (LoF,
      [RFC4949]) is sometimes used as a synonym.

   Authenticated encryption:  Encryption using a session establishment
      method in which at least the initiator (client) authenticates the
      identity of the acceptor (server).  This is required to protect
      against both passive and active attacks.  Authenticated encryption
      can be one-sided, where only the client authenticates the server.
      One-sided authentication of the server by the client is the most
      common deployment used with Transport Layer Security (TLS,
      [RFC5246]) for "secure browsing" in which client authentication is
      typically performed at another layer in the protocol.

Dukhovni                Expires February 16, 2015               [Page 4]

Internet-Draft           Opportunistic Security              August 2014

      Authenticated encryption can also be two-sided or "mutual".
      Mutual authentication plays a role in mitigating active attacks
      when the client and server roles change in the course of a single
      session.  Authenticated encryption is not synonymous with use of
      AEAD [RFC5116].  AEAD algorithms can be used with either
      authenticated or unauthenticated peers.

   Unauthenticated Encryption:  Encryption using a session establishment
      method that does not authenticate the identities of the peers.  In
      typical usage, this means that the initiator (client) has not
      verified the identity of the target (server), making MiTM attacks
      possible.  Unauthenticated encryption is not synonymous with non-
      use of AEAD [RFC5116].

3.  The Opportunistic Security Design Pattern

   Opportunistic Security is a protocol design pattern that aims to
   remove barriers to the widespread use of encryption on the Internet.
   A related goal is broader adoption of protection against active
   attacks, by enabling incremental deployment of authenticated

   The opportunistic security design pattern supports multiple
   protection levels, while seeking the best protection possible.

   The determination of which security mechanisms to use can vary from
   case to case and depends on the properties of the protocol in which
   OS is applied.  In many cases, OS will result in negotiating channels
   with one of the following security properties:

   o  No encryption (cleartext), which provides no protection against
      passive or active attacks.

   o  Unauthenticated encryption (definition in Section 2), which
      protects only against passive attacks.

   o  Authenticated encryption, (definition in Section 2) which protects
      against both passive and active attacks.

   An opportunistic security protocol first determines the capabilities
   of a peer.  This might include whether that peer supports
   authenticated encryption, unauthenticated encryption or perhaps only
   cleartext.  After each peer has determined the capabilities of the
   other, the most preferred common security capabilities are activated.
   Peer capabilities can be advertised out-of-band or (negotiated) in-

Dukhovni                Expires February 16, 2015               [Page 5]

Internet-Draft           Opportunistic Security              August 2014

   An OS protocol may elect to apply more stringent security settings
   for authenticated encryption than for unauthenticated encryption.
   For example, the set of enabled TLS cipher-suites might be more
   restrictive when authentication is required.

   Security services that "just work" are more likely to be deployed and
   enabled by default.  It is vital that the capabilities advertised for
   an OS-compatible peer match the deployed reality.  Otherwise, OS
   systems will detect such a broken deployment as an active attack and
   communication may fail.

   This might mean that peer capabilities are further filtered to
   consider only those capabilities that are sufficiently operationally
   reliable, and any that work only "some of the time" are treated by an
   opportunistic security protocol as "not present" or "undefined".

   Opportunistic security does not start with an over-estimate of peer
   capabilities only to settle for lesser protection when a peer fails
   to deliver.  Rather, opportunistic security sets a minimum protection
   level expected of all peers, which is raised for peers that are
   capable of more.

   Opportunistic security protocols should provide a means to enforce
   authentication for those peers for which authentication can be
   expected to succeed based on information advertised by the peer via
   DANE, TOFU or other means.  With DANE, the advertisement that a peer
   supports authentication is downgrade-resistant.  What is
   "opportunistic" here is the selective use of authentication for
   certain peers; much in the same way as unauthenticated encryption may
   be used "opportunistically" with peers capable of more than

   Enforcement of authentication is not incompatible with opportunistic
   security.  If an OS-enabled peer (A) makes available authenticated
   key material, e.g., via DANE, to peer (B), then B should make use of
   this material to authenticate A, if B is OS-enabled and supports

   With a peer that does not advertise authentication support, to which
   transmission even in cleartext is permissible, authentication (or the
   lack thereof) must never downgrade encrypted communication to
   cleartext.  When employing opportunistic unauthenticated encryption,
   any enabled by default authentication checks need to be disabled or
   configured to soft-fail, allowing the unauthenticated encrypted
   session to proceed.

   Cleartext support is for backwards compatibility with already
   deployed systems.  Even when cleartext needs to be supported,

Dukhovni                Expires February 16, 2015               [Page 6]

Internet-Draft           Opportunistic Security              August 2014

   protocol designs based on opportunistic security prefer to encrypt,
   employing cleartext only with peers that do not appear to be
   encryption capable.

4.  Opportunistic Security Design Principles

   Coexist with explicit policy:  Explicit security policy preempts
      opportunistic security.  Administrators or users can elect to
      disable opportunistic security for some or all peers and set a
      fixed security policy not based on capabilities advertised or
      published by the peer.  Alternatively, opportunistic security
      might be enabled only for specified peers, rather than by default.
      Opportunistic security never displaces or preempts explicit
      policy.  Some applications or data may be too sensitive to employ
      opportunistic security, and more traditional security designs can
      be more appropriate in such cases.

   Emphasize enabling communication:  The primary goal of opportunistic
      security is to enable secure communication and maximize
      deployment.  If potential peers are only capable of cleartext,
      then it may be acceptable to employ cleartext when encryption is
      not possible.  If authentication is only possible for some peers,
      then it is likely best to require authentication for only those
      peers and not the rest.  Opportunistic security needs to be
      deployable incrementally, with each peer configured independently
      by its administrator or user.  Opportunistic security must not get
      in the way of two peers communicating when neither advertises or
      negotiates security services that are not in fact available or
      that don't function correctly.

   Maximize security peer by peer:  Opportunistic security strives to
      maximize security based on the capabilities of the peers.
      Communications traffic should generally be at least encrypted.
      Opportunistic security protocols may refuse to communicate with
      peers for which higher security is expected, but for some reason
      is not achieved.  Advertised capabilities must match reality to
      ensure that the only condition under which there is a failure of
      communication is when one or both peers are under an active

   Employ PFS:  Opportunistic Security should employ Perfect Forward
      Secrecy (PFS) to protect previously recorded encrypted
      communication from decryption even after a compromise of long-term

Dukhovni                Expires February 16, 2015               [Page 7]

Internet-Draft           Opportunistic Security              August 2014

   No misrepresentation of security:  Unauthenticated encrypted
      communication must not be misrepresented to users or in
      application logs of non-interactive applications as equivalent to
      communication over an authenticated encrypted channel.

5.  Example: Opportunistic TLS in SMTP

   Many Message Transfer Agents (MTAs, [RFC5598]) support the STARTTLS
   ([RFC3207]) ESMTP extension.  MTAs acting as SMTP clients are
   generally willing to send email without TLS (and therefore without
   encryption), but will employ TLS (and therefore encryption) when the
   SMTP server announces STARTTLS support.  Since the initial ESMTP
   negotiation is not cryptographically protected, the STARTTLS
   advertisement is vulnerable to MiTM downgrade attacks.  Further, MTAs
   do not generally require peer authentication.  Thus opportunistic TLS
   for SMTP only protects against passive attacks.

   Therefore, MTAs that implement opportunistic TLS either employ
   unauthenticated encryption or deliver over a cleartext channel.
   Recent reports from a number of large providers suggest that the
   majority of SMTP email transmission on the Internet is now encrypted,
   and the trend is toward increasing adoption.

   Not only is the STARTTLS advertisement vulnerable to active attacks,
   but also at present some MTAs that advertise STARTTLS exhibit various
   interoperability problems in their implementations.  As a result, it
   is common practice to fall back to cleartext transmission not only
   when STARTTLS is not offered, but also when the TLS handshake fails,
   or even when TLS fails during message transmission.  This is a
   reasonable trade-off, since STARTTLS protects only against passive
   attacks, and absent an active attack TLS failures are simply
   interoperability problems.

   Some MTAs employing STARTTLS ([RFC3207]) abandon the TLS handshake
   when the server MTA fails authentication, only to immediately deliver
   the same message over a cleartext connection.  Other MTAs have been
   observed to tolerate unverified self-signed certificates, but not
   expired certificates, again falling back to cleartext.  These and
   similar implementation errors must be avoided.  In either case, had
   these MTAs instead used the OS design pattern, the communication
   would still have been encrypted and therefore protected against
   passive attacks.

   Protection against active attacks for SMTP is proposed in
   [I-D.ietf-dane-smtp-with-dane].  That draft introduces the terms
   "Opportunistic TLS" and "Opportunistic DANE TLS", which are for now

Dukhovni                Expires February 16, 2015               [Page 8]

Internet-Draft           Opportunistic Security              August 2014

6.  Security Considerations

   Though opportunistic security potentially supports transmission in
   cleartext, unauthenticated encryption, or other cryptographic
   protection levels short of the strongest potentially applicable, the
   effective security for peers is not reduced.  If a cryptographic
   capability is neither required by policy nor supported by the peer,
   nothing is lost by going without.  Opportunistic security is strictly
   stronger than the alternative of providing no security services when
   maximal security is not applicable.

   Opportunistic security coexists with and is preempted by any
   applicable non-opportunistic security policy.  However, such non-
   opportunistic policy can be counter-productive when it demands more
   than many peers can in fact deliver.  Non-opportunistic policy should
   be used with care, lest users find it too restrictive and act to
   disable security entirely.

7.  Acknowledgements

   I would like to thank Steve Kent.  Some of the text in this document
   is based on his earlier draft.  I would like to thank Dave Crocker,
   Peter Duchovni, Paul Hoffman, Steve Kent, Scott Kitterman, Martin
   Thomson, Nico Williams, Paul Wouters and Stephen Farrell for their
   helpful suggestions and support.

8.  References

8.1.  Normative References

   [RFC3207]  Hoffman, P., "SMTP Service Extension for Secure SMTP over
              Transport Layer Security", RFC 3207, February 2002.

   [RFC4033]  Arends, R., Austein, R., Larson, M., Massey, D., and S.
              Rose, "DNS Security Introduction and Requirements", RFC
              4033, March 2005.

   [RFC5116]  McGrew, D., "An Interface and Algorithms for Authenticated
              Encryption", RFC 5116, January 2008.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

   [RFC6125]  Saint-Andre, P. and J. Hodges, "Representation and
              Verification of Domain-Based Application Service Identity
              within Internet Public Key Infrastructure Using X.509
              (PKIX) Certificates in the Context of Transport Layer
              Security (TLS)", RFC 6125, March 2011.

Dukhovni                Expires February 16, 2015               [Page 9]

Internet-Draft           Opportunistic Security              August 2014

   [RFC6698]  Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
              of Named Entities (DANE) Transport Layer Security (TLS)
              Protocol: TLSA", RFC 6698, August 2012.

8.2.  Informative References

              Dukhovni, V. and W. Hardaker, "SMTP security via
              opportunistic DANE TLS", draft-ietf-dane-smtp-with-dane-11
              (work in progress), August 2014.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", RFC
              4949, August 2007.

   [RFC5598]  Crocker, D., "Internet Mail Architecture", RFC 5598, July

   [RFC7258]  Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
              Attack", BCP 188, RFC 7258, May 2014.

Author's Address

   Viktor Dukhovni
   Two Sigma

   Email: ietf-dane@dukhovni.org

Dukhovni                Expires February 16, 2015              [Page 10]