
Rough Guide to IETF 95: All Things Encryption

We have come a long way in both time and distance from Yokohama to Buenos Aires, and the efforts of the Internet community to strengthen the Internet by improving deployment of encryption continue with IETF 95 this week. This time around we will highlight the curdle, tls, and uta working groups, the cfrg research group, and the IAB Privacy and Security program.

The first thing I’d like to mention is a working group that will be meeting for the first time here in Buenos Aires. The CURves, Deprecating and a Little more Encryption (CURDLE) working group will focus on updating cryptographic mechanisms for existing IETF protocols. The working group will add mature mechanisms that enjoy broad support from implementers. It will also look at removing the support for old algorithms where there is IETF consensus to do so. The initial protocols that the CURDLE group will address include SSH, DNSSEC, PKIX, CMS, XML Digital Signatures and potentially XML Encryption, Kerberos and JSON.

Along the same lines, the Using TLS in Applications (UTA) working group continues to look at adding TLS support to existing applications. This week the focus will be on support for TLS in SMTP. Of note from the uta working group since the last IETF is the recent publication of RFC 7817 “Updated Transport Layer Security (TLS) Server Identity Check Procedure for Email-Related Protocols”.

The Transport Layer Security (TLS) working group continues to work on an update to the TLS protocol. This is a very active working group with a plan to publish an update to TLS in 2016. This meeting will be devoted to resolving the open issues with the current specification as documented in the issue tracker: https://github.com/tlswg/tls13-spec/issues.

Next, the Internet Research Task Force (IRTF) Crypto Forum Research Group (cfrg) continues to focus on use of cryptography for IETF protocols. Since IETF 94, RFC 7748 on “Elliptic Curves for Security” has been published. This is a major milestone for this activity. Topics for this week’s meeting include extended hash-based signatures, secure state management for hash-based signatures, PAKE requirements, and quantum resistant cryptography. Anyone interested in the future direction of cryptographic curves and algorithms would be well served to follow these discussions.

The Internet Architecture Board (IAB), through its Privacy and Security Program, has been focusing on strengthening the Internet by looking at threats, mitigations, and trust models. Since the publication of RFC 7624 “Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement”, the focus has been on a companion draft discussing mitigations, “Confidentiality in the Face of Pervasive Surveillance”. This document is approaching maturity, so now is an excellent time to find a member of that program to discuss the draft.

Also related to the IAB Privacy and Security program work is the Managing Radio Networks in an Encrypted World (MaRNEW) workshop held jointly by the IAB and the GSMA in September 2015 and discussed at IETF 94. A draft of the report for this workshop is now available in addition to all the raw workshop materials. One concern going into the workshop was that radio networks would face challenges meeting their operational requirements in an encrypted world. Discussion at the workshop focused on alternatives to traditional content classification that could be deployed in conjunction with encryption. Here at IETF 95 there will be a BoF on Alternatives to Content Classification for Operator Resource Deployment (accord). This should be an excellent discussion of the challenges being faced and possible next steps to address some of these challenges.

Finally, I’d like to give a quick plug for the Security Area Advisory Group (saag) session. This is an excellent way to get a quick view of some of the security-related conversations ongoing in the IETF. This week’s session will include the challenges and possibilities represented by the Internet of Things, along with security and privacy issues in numeric identifiers, among other topics.

All in all, the work continues here at IETF 95 to make encryption more widespread and easier to deploy for a stronger Internet.

Related Meetings, Working Groups, and BOFs at IETF 95:

curdle (CURves, Deprecating and a Little more Encryption) WG
(Tuesday, April 5, 2016, 16:20 – 17:20 ART, Buen Ayre B)
Agenda: https://www.ietf.org/proceedings/95/agenda/agenda-95-curdle
Documents: https://datatracker.ietf.org/group/curdle/documents/
Charter: https://datatracker.ietf.org/group/curdle/charter/

uta (Using TLS in Applications) WG
(Monday, April 4, 2016, 14:00 – 15:30 ART, Atlantico C)
Agenda: https://datatracker.ietf.org/meeting/95/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/charter/
Charter: https://datatracker.ietf.org/group/uta/charter/

tls (Transport Layer Security) WG
(Tuesday, April 5, 2016, 10:00-12:30 ART, Atlantico B
Thursday, April 7, 2016, 10:00-12:30 ART, Atlantico C)
Agenda: https://tools.ietf.org/wg/tls/agenda-95-tls.html
Documents: https://tools.ietf.org/wg/tls
Charter: https://tools.ietf.org/wg/tls/charters

cfrg (Crypto Forum Research Group)
(Friday, 8 April 2016, 10:00 – 12:00 ART, Buen Ayre A)
Agenda: https://tools.ietf.org/agenda/95/agenda-95-cfrg.html
Documents: https://datatracker.ietf.org/rg/cfrg/documents/
Charter: https://irtf.org/cfrg

accord (Alternatives to Content Classification for Operator Resource Deployment) BoF
(Thursday April 7, 2016, 10:00-12:30 ART, Pacifico A)
Agenda: https://datatracker.ietf.org/meeting/95/agenda/accord/

saag (Security Area Advisory Group)
(Thursday, 7 April 2016, 1400-1600 ART, Pacifico A)
Agenda: https://tools.ietf.org/agenda/95/agenda-95-saag.html

Follow Us

There’s a lot going on in Buenos Aires, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf95.


Rough Guide to IETF 91: Strengthening the Internet (STRINT) Activities Continue

The daily news stories and revelations related to pervasive Internet monitoring have slowed in recent months, but the work to strengthen the Internet (STRINT) continues within the Internet community. Now is an excellent time to take a quick look at some of the STRINT-related activities that are being discussed next week at IETF 91 in Honolulu.

First, the Internet Architecture Board (IAB) has established a Privacy and Security Program with three areas of focus: Resilience, Confidentiality, and Trust. While all of these contribute to general strengthening of the Internet, the confidentiality area in particular is actively working on a threat model and problem statement document: “Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement.” Additional details about this program will be presented at the IAB Technical Plenary on Monday evening (1850-1750 in Coral 3).

The Security Area Advisory Group (saag) has been discussing terminology over the last several months. This discussion has evolved into a draft with the fabulous title: “Opportunistic Security: Some Protection Most of the Time.” This draft is out for a second IETF Last Call, which is scheduled to end on 18 November. Now is an excellent time to review the discussions on the saag and ietf mailing list archives and use the opportunity of the Honolulu face-to-face time to catch the key protagonists in the hallway to ask those burning questions.

The tls (Transport Layer Security) working group is actively working on an update to the TLS protocol. They just finished a two-day interim meeting in October, and they plan another pre-IETF interim meeting on Sunday (9 November 2014, 9:30 – 13:30) ahead of their regular session on Thursday. For those of you with extra space in your Inbox, this is just the working group for you. (https://www.ietf.org/mail-archive/web/tls/current/maillist.html)

Several additional working groups are taking a second look at how encryption is used within their protocols. While highlighting each one here is a bit too detailed, keep an eye out for those discussions in the individual working group meetings. One that does deserve mention is the relatively new uta (Using TLS in Applications) working group that is specifically tasked with looking at the use of TLS in applications.

The Crypto Forum Research Group is not actually meeting in person during IETF 91, but the discussion related to choosing cryptographic curves has been quite active on the mailing list (https://www.ietf.org/mail-archive/web/cfrg/current/maillist.html). A successful open, transparent, multi-stakeholder (and yes, I know those words sometimes seem overused these days, but…) process to establish consensus on cryptographic curves going forward is a key component to strengthening the Internet.

I mentioned this during my comments for IETF 90, and while I see there hasn’t been much activity, I’d still like to put in a plug for it because volunteers are badly needed. There is an effort to review existing RFCs for privacy and pervasive monitoring issues. This is an excellent way to read some of those old RFCs that you never got around to. The wiki for that activity is at https://trac.tools.ietf.org/group/ppm-legacy-review/.

Finally, while this isn’t exactly an IETF activity, I’d like to mention that the CrypTech project is making excellent progress in developing an open hardware cryptographic engine. This effort could eventually provide a set of open source cryptographic building blocks along with a trustworthy set of tools to be used to build more secure Internet products. Join the public mailing lists to follow progress.

Related Meetings, Working Groups, and BOFs at IETF 90:

tls (Transport Layer Security) WG
Thursday, 13 Nov 2014, 900-1130, Coral 5
Agenda: https://tools.ietf.org/wg/tls/agenda
Documents: https://tools.ietf.org/wg/tls
Charter: https://tools.ietf.org/wg/tls/charters

uta (Using TLS in Applications) WG
Tuesday, 11 Nov 2014, 900-1130, Coral 2
Agenda: https://tools.ietf.org/wg/uta/agenda
Documents: https://tools.ietf.org/wg/uta
Charter: https://tools.ietf.org/wg/uta/charter

Follow Us

There’s a lot going on next week, and whether you plan to be there or join remotely, there’s much to follow. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf91.


Rough Guide to IETF 90: Strengthening the Internet

The pervasive monitoring revelations over the past year have galvanized the Internet technical community around the topic of Strengthening the Internet (STRINT). The community responded with an Internet Architecture Board (IAB) technical plenary at IETF 88 and a joint IAB/W3C workshop prior to IETF 89 in London. A summary of the workshop is provided in our latest issue of the IETF Journal. The full set of papers and presentations is available at the workshop website. Now is an excellent time to take a quick look at some of the STRINT-related activities that are being discussed this week in Toronto at IETF 90.
 
The IETF community established consensus around the fact that pervasive monitoring is an attack with the publication of RFC 7258 “Pervasive Monitoring Is an Attack”. The next topic to be addressed is terminology. While the topic can seem mundane and frustrating, having a common set of well-understood terms is one of the key factors to a productive discussion leading to community consensus. The Security Area Advisory Group (saag) has been discussing terminology over the last few months, primarily through two drafts. The first draft (http://tools.ietf.org/html/draft-dukhovni-opportunistic-security-01) is in the middle of an IETF Last Call. Now is a good time to review and comment on that document. Additionally, there is a more general draft on terminology in the works (draft-kent-opportunistic-security-01).
 
The Internet Architecture Board (IAB) has established a Security and Privacy Program with three areas of focus: Internet Scale Resilience, Confidentiality, and Trust. Members of this program will hold their first meeting during the week here in Toronto. One of the specific STRINT-related work items for the IAB will be the discussion of the pervasive monitoring threat model based on the draft (http://tools.ietf.org/html/draft-barnes-pervasive-problem-01).
 
Several working groups are taking a second look at how encryption is used within their protocols. While highlighting each one here is a bit too detailed, keep an eye out for those discussions in the individual working group meetings. One that does deserve mention is the relatively new uta (Using TLS in Applications) Working Group that is specifically tasked with looking at the use of TLS in applications. This is only their second IETF as a working group.
 
Also of interest is the IRTF Crypto Forum Research Group (cfrg). With the increased interest in encryption and the desire to have more standards-track cryptographic algorithms, the profile of the cfrg has increased here at IETF. This meeting will focus on ChaCha20 and Poly1305, hash-based signatures, and elliptic curve cryptography.
 
Beyond the incorporation of more encryption in developing protocols, there is also an effort to review existing RFCs for privacy and pervasive monitoring issues. This is an activity that is looking for additional volunteers and is an excellent way to read some of those old RFCs that you never got around to. The wiki for that activity is at https://trac.tools.ietf.org/group/ppm-legacy-review/.
 
Finally, the CrypTech project is looking to develop an open hardware cryptographic engine (see our blog post on CrypTech for more information). The leaders of this project will be having another Wednesday lunch meeting to discuss its design and status. This effort could eventually provide a set of open source cryptographic building blocks along with a trustworthy set of tools to be used to build more secure Internet products.
 
Related Meetings, Working Groups, and BoFs at IETF 90
 
uta (Using TLS in Applications) WG
Agenda: https://tools.ietf.org/wg/uta/agenda
Charter: https://tools.ietf.org/wg/uta/charter
Tuesday, 22 July 2014; 900-1130
 
IRTF cfrg (Crypto Forum Research Group)
Agenda: https://tools.ietf.org/agenda/90/agenda-90-cfrg.html
Wednesday, 23 July 2014; 1300-1500