Members of the financial industry have proposed a visibility extension that CyberScoop reports would effectively weaken the Transport Layer Security (TLS) 1.3 protocol.
BITS, the technology policy division of the Financial Services Roundtable (FSR), introduced an "Option for Negotiation of Visibility in the Datacenter." A not-for-profit consortium that counts 100 of the largest financial institutions in the United States as members, BITS made the recommendation in response to TLS 1.3 draft conditions that limit "effective and safe operation of… enterprise networks."
Current drafts of TLS 1.3 use ephemeral-mode Diffie-Hellman (DHE) and elliptic-curve Diffie-Hellman (ECDHE) as their primary cryptographic key exchange mechanisms. Those methods are effective, BITS' proposal notes, constituting "in nearly all ways an improvement over the TLS RSA handshake." But they fall short, the Internet-Draft argues, in that they prevent "the use of current enterprise network monitoring tools" like IDS systems.
To address those shortcomings, BITS recommends the creation of a "TLS Visibility Extension" that would allow an authorized party to gain visibility into a TLS 1.3 session. After a TLS client opts in, the server responds by including resources that would enable decryption of the session.
Janet Jones, a Microsoft senior security program manager, thinks such an option is a terrible idea. As she told CyberScoop:
“The bank industry is pushing the TLS working group to create a decryption option as part of the specification, and of course the tech sector is saying 'That’s not going to happen.' Can you imagine us supporting something that gave an API with a decrypt button? We can’t do that. We went to the banks and said there are ways to do what you want to do. But you need to build that appliance on your own. I’m not going to build a decryption feature in. If I did, I might as well quit my job.”
Jones isn't alone in her disapproval. The proposal met with fierce backlash from many in the technical community.
Take Stephen Checkoway's reasoning, for instance. An assistant professor of computer science at the University of Illinois at Chicago, Checkoway sees huge problems with bringing back "static key exchange," something provided by previous TLS versions to allow retroactive decryption of a session using a certificate's private key. His main concern is whether it's possible to limit non-forward secrecy use to just data centers.
"The reason is that the nature of cryptographic and security software means the code to run this will likely spread outside of data centers and a government could, for example, mandate that the option is turned on or block traffic," Checkoway explains. "Creating security protocols is a hard thing to do even when we’re trying to make them as secure as possible. Our best option is to design a protocol that doesn’t have built-in weaknesses which is what they’re trying to introduce."
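The forward-secrecy property at stake in this debate, as an added example that is not code from the article, the Internet-Draft or any TLS implementation: a recorded session is decrypted later with the server's long-term private key when that key is reused for key exchange, and not when the server uses a fresh ephemeral key. Assumptions: a toy static Diffie-Hellman stands in for both the TLS RSA handshake and the draft's mechanism, and the group, the XOR cipher and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption): real TLS 1.3 uses the
# named groups from its specification, not this prime/generator pair.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(own_priv, peer_pub):
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def xor_stream(key, data):
    # Toy stream cipher standing in for the record layer (not an AEAD).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def run_session(server_static_priv, ephemeral, plaintext):
    """Return the transcript a passive recorder on the wire would keep."""
    client_priv, client_pub = keypair()
    if ephemeral:
        server_priv, server_pub = keypair()  # fresh per session, then discarded
    else:
        server_priv = server_static_priv     # long-lived key reused every session
        server_pub = pow(G, server_priv, P)
    key = session_key(client_priv, server_pub)
    assert key == session_key(server_priv, client_pub)  # both ends agree
    return {"client_pub": client_pub, "server_pub": server_pub,
            "ciphertext": xor_stream(key, plaintext)}

def retroactive_decrypt(transcript, server_static_priv):
    """What a holder of the server's long-term private key recovers later."""
    key = session_key(server_static_priv, transcript["client_pub"])
    return xor_stream(key, transcript["ciphertext"])

def demo():
    static_priv, _ = keypair()
    msg = b"constructed sample record: account=12345 amount=100"
    static_t = run_session(static_priv, ephemeral=False, plaintext=msg)
    ephem_t = run_session(static_priv, ephemeral=True, plaintext=msg)
    return (retroactive_decrypt(static_t, static_priv) == msg,
            retroactive_decrypt(ephem_t, static_priv) == msg)
```

`demo()` returns whether the long-term key recovers the plaintext for the static session and for the ephemeral session, in that order.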
The TLS Visibility Extension Internet-Draft is set to expire on 2 April 2018. To learn more about the proposal, review its text here.