Opportunistic encryption: Difference between revisions
imported>Sandy Harris No edit summary |
imported>Sandy Harris |
||
Line 22: | Line 22: | ||
| url = http://tools.ietf.org/html/rfc4322 | | url = http://tools.ietf.org/html/rfc4322 | ||
| date = December 2005 | | date = December 2005 | ||
}}</ref> documenting the design. | }}</ref> documenting the design. | ||
Like any encryption scheme, an OE system must rely on some form of [[information security#source authentication|source authentication]]. It does no good at all to encrypt messages so that only the recipient can read them unless the recipient is who you think it is. Different OE designs rely on different authentication mechanisms. FreeS/WAN relied on [[DNS]] to manage authentication data.<ref>{{citation | |||
| id = RFC4025 | | id = RFC4025 | ||
| author = M. Richardson | | author = M. Richardson |
Revision as of 10:15, 17 September 2010
Opportunistic encryption, often abbreviated OE is the attempt to arrange network communication systems so that any two nodes can encrypt their communication, without any connection-specific setup by the system administrators. Once two machines are set up for OE, they can set up secure connections automatically.
Some encryption systems come into play only when the user asks for encryption, for example applying PGP to an email message (instead of sending in the clear), logging in to a remote system with SSH (instead of unencrypted telnet), or requesting an encrypted web connection by using https (instead of just http). Some infrastructure is required — you must know the recipient's key for PGP, have the password to log in with SSH, and check the server's certificate for https.
For other systems, administrators must configure each connection which is to be encrypted. For example, in building a VPN between two offices, the administrators on the two ends must co-operate to set up the connection. If you want your laptop to connect either to a wireless access point or to your office VPN, then you need to get some information from the system administrator and configure your machine to match; at the very least, you need a password and there may be other things to set up. In these cases, you are being the second administrator configuring your end of the connection. Alternately, you might give the laptop to your IT staff and let them set it up, but in any case someone has to set up both ends of each connection.
Opportunistic encryption aims to avoid all that. Other encryption systems aim at providing encryption wherever necessary, wherever a user requests it or an administrator sets it up. OE is opportunistic; it tries to encrypt wherever possible. Once a machine is set up for OE, it automatically checks whether the other end of any connection is capable of OE. If so, the two machines automatically set up an encrypted connection. This works without any user requests and without any need for administrators to configure connections. It even works when the two administrators have had no contact with each other. Of course, there is still some administrative work involved; the machines must be set up for OE and related policies set. An important policy decision is what to do if OE fails — communicate in the clear or refuse the connection.
One benefit is a reduction in administrative workload. If the administrators must set up every connection, worst case effort for a network of N machines scales by N2. Of course, some networks are simpler; if all you need is N machines connecting to a single server or wireless access point, then you need only set up N+1 devices. However, for N machines with everyone able to talk to everyone, there are connections; if you must configure each of them and N is large, this becomes highly problematic. There are several ways to avoid this disaster on large networks. A centralised authentication system such as Kerberos can manage authentication and keying for many machines, a public key infrastructure may help (though it also brings its own complications), and a few strategically placed encryption devices — whether hardware encryption at link level or IPsec gateways at network level — can provide an encryption service to many clients. These techniques can often reduce the workload to something manageable. However, none of them scales very well to a large heterogeneous network such as the Internet.
OE, however, cuts the Gordian knot. For OE, the effort scales linearly; the work to set up N machines so that any of them can communicate securely with any other for OE is just N. Once OE is set up, any two OE-capable machines can secure their connections. This could, at least in theory, scale to the whole Internet. This was a large part of the political motivation for FreeS/WAN, the project that invented OE; their goal was to encrypt a large portion of the Internet and block various government monitoring programs. If OE were sufficiently widespread, then secure connections could be the default, more-or-less everything would be encrypted, and monitoring the net would become nearly impossible. This is what the cypherpunks on the FreeS/WAN project wanted to achieve.
Opportunistic encryption for IP
The term "opportunistic encryption" comes from the FreeS/WAN project, who built OE into a Linux implementation of IPsec and wrote an RFC[1] documenting the design.
Like any encryption scheme, an OE system must rely on some form of source authentication. It does no good at all to encrypt messages so that only the recipient can read them unless the recipient is who you think it is. Different OE designs rely on different authentication mechanisms. FreeS/WAN relied on DNS to manage authentication data.[2] In particular, they put the authentication keys in the DNS reverse maps so that they could be looked up when all the IPsec software knows is the IP address it needs to communicate with. The DNS reverse maps also had data which supported a single OE gateway doing IPsec on behalf of a range of client addresses; the partner could discover the gateway address with DNS lookup on any client address.
Used alone, this would be secure against passive attacks; add DNS security to protect the authentication data and it is also secure against active attacks.
Normal IPsec or FreeS/WAN-style OE are both secure against passive eavesdroppers who only try to listen in; encrypting the connection stops them. Normal IPsec, or OE with secure DNS, are also secure against active attackers who try to trick systems into communicating with them instead of legitimate partners. OE without secure DNS is not; you need authentication to block those attacks.
The Planete project are building OE for IPv6. They claim "Unlike existing schemes (e.g. FreeS/WAN), our proposal does not rely on any global Third Trusted Party (such as DNSSEC or a PKI). Hence, we claim it is more secure, easier to deploy and more robust."
OE done at the IP layer of the protocol stack protects everything above that layer, and does so without any assistance from higher-layer protocols and generally entirely transparently to the users.
Opportunistic encryption of mail
The most widely deployed OE system encrypts server-to-server SMTP mail transfers. The original implementation was ssmail or Secure Sendmail [3], which built encryption into the mail server code. The current standard[4] instead relies on TLS. This does not provide all of the benefits of end-to-end mail encryption systems such as PGP; in particular it provides no protection against an enemy with privileged access to one of the mail servers involved, or against someone monitoring the connection between the user and the mail server. However, it does prevent attacks at routers between the mail servers. It provides partial protection against wholesale mail monitoring, forcing a government that wants to do large-scale monitoring either to subvert mail servers or to get the server owners to co-operate.
There are also TLS-based systems for encrypting the link between user and mail server. [5] [6] These are not opportunistic; the user must request encryption. However, they combine nicely with Secure SMTP to give an almost end-to-end solution; the combination blocks all eavesdropping "on the wire". Note however that — unlike a genuine end-to-end method such as PGP — it does not block eavesdropping by anyone with privileged access to a mail server.
Projects with similar goals
OE at the IP level offers one way to encrypt more-or-less the entire net, but it is not the only way. There are other projects which have similar aims.
Better-than-Nothing Security or BTNS [7] is basically IPsec done without authentication. This gives the same security level as FreeS/WAN-style OE done without DNS security; it is secure against passive attacks, but not against active attacks.
There are also systems which apply OE to TCP connections, Google's obfuscated TCP and the later TCP crypt. These too are secure against passive attacks but vulnerable to active attacks, in particular to man-in-the-middle attacks.
The EFF project HTTPS Everywhere aims at encrypting most web traffic by making https the default, always trying that first and only falling back to http if that fails. This is essentially opportunistic; it makes the browser use https encryption whenever the server supports it.
HTTPS Everywhere resists passive attacks and moreover is secure against active attacks provide that the SSL protocol underlying https is. SSL is designed to be secure against such attacks, but it depends on certificates and therefore on certificate authorities and there is room for doubt about some certificate authorities. If an authority were subverted, then a man-in-the-middle attack using bogus certificates would be possible.
References
- ↑ M. Richardson & D.H. Redelmeier (December 2005), Opportunistic Encryption using the Internet Key Exchange (IKE), RFC4322
- ↑ M. Richardson (February 2005), A Method for Storing IPsec Keying Material in DNS, RFC4025
- ↑ Damian Bentley, Greg Rose, Tara Whalen (1999), ssmail: Opportunistic Encryption in sendmail
- ↑ P. Hoffman (February 2002), SMTP Service Extension for Secure SMTP over Transport Layer Security, RFC3027
- ↑ C. Newman (June 1999), Using TLS with IMAP, POP3 and ACAP, RFC2595
- ↑ K. Zeilenga, Ed. (August 2006), The PLAIN Simple Authentication and Security Layer (SASL) Mechanism, RFC4616
- ↑ N. Williams, M. Richardson, ed. (November 2008), Better-Than-Nothing Security: An Unauthenticated Mode of IPsec, RFC5386