Network Working Group D. Crocker
Internet-Draft Brandenburg InternetWorking
Intended status: Informational P. Resnick
Expires: July 20, 2014 Qualcomm Technologies, Inc.
January 16, 2014
STRINT Workshop Position Paper: Levels of Opportunistic Privacy
Protection for Messaging-Oriented Architectures
draft-crocker-strint-workshop-messaging-00
Abstract
Given a concern for pervasive monitoring, messaging information
needing protection includes primary payload, descriptive meta-data,
and traffic-related analysis. Complete protection against pervasive
monitoring (PM), for traffic through complex handling sequences, has
not yet been achieved reliably in real-world operation.
Consequently, it is reasonable to consider a range of mechanisms, for
protecting differing amounts of information and against monitoring of
different kinds. Although channel-based encryption can be helpful,
it is not sufficient. This paper considers pursuing different levels
of end-to-end protection, referencing examples of component
mechanisms that already have encouraging field experience.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 20, 2014.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
Crocker & Resnick Expires July 20, 2014 [Page 1]
Internet-Draft STRINT: Opportunistic Messaging Privacy January 2014
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
1. Background
Concern for pervasive monitoring motivates the deployment of strong
mechanisms that will protect against intrusive disclosure of
information. Information needing protection can be primary payload,
descriptive meta-data, or traffic-related analysis. Most Internet
services operate according to a relatively simple, two-party client/
server model, with the server holding primary data and performing
primary actions, and the user having a direct relationship with the
service being provided. For these arrangements, concerns over
privacy violations tend to focus on wiretapping of the data transfer
mechanism and on server compromise.
In contrast messaging architectures, such as for email [MAILARCH],
can be highly distributed, with any number of application-level
store-and-forward intermediaries. This can produce complex sequences
through many independent administrative authorities, possibly unknown
to either the user or the recipient. Because multi-hop store-and-
forward messaging can involve several systems not under the
administrative control of either end of the messaging transaction,
compromise of any of the intermediate systems can expose messages to
monitoring past the first, or before the last, hop. Therefore end-
to-end encryption is still highly desirable. Key distribution and
validation is one of the greatest impediments to deployment.
Current multi-hop store-and-forward messaging on the Internet uses
primarily two security technologies:
1. Channel encryption between the submitter and its submission
server and final recipient and its receiving server,
respectively, that encryption generally relying on CAs for
authentication; and
2. End-to-end content encryption that relies on pre-authenticated
certificates available to the end-points.
The former is used, but does not provide sufficient protection
against certain kinds of pervasive monitoring, and the latter is
Crocker & Resnick Expires July 20, 2014 [Page 2]
Internet-Draft STRINT: Opportunistic Messaging Privacy January 2014
rarely used because of deployment and use barriers. More
opportunistic mechanisms might have a higher likelihood of
deployment, with minimal effect on services, and therefore should be
attempted. Further if these opportunistic mechanisms do gain
success, they can be used for further minimization of some forms of
abuse.
Complete protection against pervasive monitoring (PM), for traffic
through complex handling sequences, has not yet been achieved
reliably in real-world operation. Consequently, it is reasonable to
consider a range of mechanisms, for protecting differing amounts of
information and against monitoring of different kinds. The premises
are that one or more of these might prove more effective than others
and that some protection is better than none.
Given the scale and urgency of community need for this protection,
mechanisms should be based on established technologies, where
possible. While innovation is needed, it should be kept as modest as
possible. So the major challenge should be system design, rather
than component invention, where possible and practical.
There are four types of data to be considered for protection in a
distributed messaging architecture:
o Message Content
o Header Content
o Envelope meta-data
o Handling meta-data
Message content is considered the primary payload; for email this is
the body of the message. However messaging often contains additional
content in a header, such as the names and addresses of authors and
recipient, content summary, such as a Subject field, date of posting,
and so on. Envelope meta-data is the information used by the transit
service, including recipient and return addresses. Handling
information is created during transit, such as for recording
processing tags by intermediaries. The placement of these bits of
information can vary, so that distinguishing among them can sometimes
be confusing. As an example email relay handling meta-data is placed
into the message header.
Almost all efforts to protect messages have focused on the primary
message content, with two well-known capabilities being standardized.
[OPENPGP][SMIME] However after twenty-five years of these efforts to
Crocker & Resnick Expires July 20, 2014 [Page 3]
Internet-Draft STRINT: Opportunistic Messaging Privacy January 2014
protect messages that are in transit, nearly all such traffic is
still sent in the clear.
In the absence of a success scenario for end-to-end payload privacy
protection, it is not possible to be certain which barriers are
critical, nor how to overcome them. In current discussions, the
primary culprits are believed to be key administration and end user
interface design and performance complexity. Both are deemed to
require too much human effort, and a common view is to essentially
remove humans from needing to configure their services or choose to
use them.
Channel encryption is low-hanging fruit when it comes to messaging
security, though it only offers minimal protections against pervasive
monitoring in its current use. Right now, messaging-related channel
encryption is almost exclusively used between end clients and their
directly-associated servers, mostly for purposes of protecting the
login credentials from monitoring. It does result in clear message
contents also being protected from snooping on the channel between
the end client and server, and it protects envelope information
(which is not otherwise protected by end-to-end content encryption.)
However this protection only operates for the first and last message
hops and leaves intermediate hops unprotected. So the addition of
channel security at every hop is still desirable. Authentication can
be recorded in the envelope if it takes place, presumably in a way
that allows the recipient to confirm that the authentication took
place, but authentication is not necessary for a large increase in
security. For intermediate hops opportunistic encryption would be a
significant improvement and would be deemed sufficient for most
cases. The intermediate servers can simply do key exchange in-band.
2. Incremental End-to-End Protection
Channel encryption can not protect against some of the PM activities
that have been documented. So the more challenging concern is
protection against collaborating or compromised intermediate nodes
and even source and destination servers. Ideally protection
therefore must be end-to-end, defined in terms of the author's and
recipient's independent user agents. The difficulty of achieving
this is exacerbated by the degree of existing Internet messaging
activity that has all user agent behavior on, or controlled by, end-
system web servers, rather than by independent software that is
solely under the control of the author or recipient. Hence the best
end-to-end protection that will be achievable for many users is
between originating server and receiving server.
This highlights the need for incremental mechanisms that provide
increasing protection. Greater user independence should be able to
Crocker & Resnick Expires July 20, 2014 [Page 4]
Internet-Draft STRINT: Opportunistic Messaging Privacy January 2014
permit greater user protection. Another benefit of this incremental
approach is that it is likely to provide some useful protection while
still permitting exposure information necessary to legitimate
management. Of course, balancing between protecting against
problematic monitoring and facilitating legitimate monitoring
(management) requires agreement on the trade-offs and explicit
choices amongst them. The discussion and agreement remain an open
and challenging task.
An observation about focusing on PM protection is that use of
encryption for that purpose does not necessarily carry the usual,
accompanying requirement for strong authentication of one or both
principals in the interaction. In the extreme, this might mean that
typical man-in-the-middle scenarios are not a concern, but it also
can mean that authentication related to an agent -- rather than to
the user -- is sufficient.
This well might permit opportunistic privacy protection without
direct user involvement, possibly with unauthenticated encryption and
no human configuration, and for authentication to take place as a
separate piece of user interface when that is desirable. To the
extent that human involvement is needed for the basic setup, it might
be limited to service administrators, rather than end users. The
obvious appeal of this is that there are orders of magnitude fewer
administrators than there are users, and administrators typically
have far more technical skill.
Key discovery is the most significant challenge during operation of a
protection mechanism. A promising approach that already has some
field experience achieves key distribution through the [DNS]. The
core requirement, of course, is determining what domain name to
query. The most obvious choice in a messaging service is the domain
name of the recipient's address. Enhancing this to permit DNS
queries on an entire email address would be the refinement to
attempt.
A DNS-based mechanism would facilitate query, but would not deal with
key administration. Although there is activity in this space, easy
key generation remain an open issue for the Internet. However note
that by making the critical actors for this service be operators, the
scale of this challenge is dramatically smaller than if end users
need to be involved.
Given a basic key-discovery ability, the question then is what to
encrypt? Simply encrypting a message body is appealing, but leaves
exposed all of the message header, as well as associated handling and
envelope information. This is where the "levels" reference in the
paper's title comes in. Additional mechanisms or services can
Crocker & Resnick Expires July 20, 2014 [Page 5]
Internet-Draft STRINT: Opportunistic Messaging Privacy January 2014
protect increasing amounts of message-related information. However,
a pragmatic basis for choosing different levels is likely to prove
challenging, since users cannot be relied on to make such decision.
Still it will be worth pursuing an activity to describe the choices.
Essentially, they are:
o Content
o Content + Header
o Content + Header + Envelope
For email, one challenge in encrypting the message header is that the
header is modified in transit. A plausible approach is to
encapsulate the original message as a [MIME] attachment, so that the
visible message header is only a form of envelope.
In order to obscure the origin/receiver envelope information, the
message in transit needs to use different envelope data. Given that
the information is essential to message transit, this will require an
overlay relay service, designed to hide actual author/recipient
information. It is worth considering enhancements, to integrate it
more seamlessly for well-motivated users.
3. Exemplars to Demonstrate Feasibility
Although it is easy to offer appealing design ideas, estimating their
real-world feasibility and utility can be challenging. This paper is
not intended to formulate detailed solutions, but it does need to
provide some basis for comfort with the basic approaches it suggests.
The discussion in this section is therefore intended to provide some
substance, to that end.
Rather than consider whether a detail discussed in this section is
good or bad, or whether one approach is better or worse than another,
the reader is encouraged merely to review the examples in terms of
existing deployment experience and the likely pragmatics of
incremental engineering and operations that is described. While it
is likely that superior designs can be specified, the requirement now
is to develop a reasonable degree of comfort that the basic
approaches are plausible.
3.1. Administrators vs. Users
There is considerable field experience with the difference between
the administrative skills of professional operators, versus end-
users. With respect to key administration, specific examples include
[DNSSEC] and [DKIM]. The experience shows that key administration
Crocker & Resnick Expires July 20, 2014 [Page 6]
Internet-Draft STRINT: Opportunistic Messaging Privacy January 2014
tends to be daunting even for professionals, but is infeasible for
most end users.
A related point is the greater deployment and use success that is
likely when providing protection between servers rather than between
end-users. An exemplar of this approach being successful for a
security mechanism is [DKIM] as compared against the problematic
deployment histories of [OPENPGP] and [SMIME]. However the obvious
concern is that the end-users must rely on the safety of their server
operations.
3.2. Key Discovery
Key discovery through the DNS already has several examples, including
[DNSSEC], [DANE] and [DKIM]. In the aggregate they demonstrate that
this basic approach is operationally reasonable.
3.3. Per-User Keys
The history of per-user key administration is particularly
disheartening. To the extent that key discovery via domain names has
established a strong proof of concept, it is appealing to consider
extending it to the granularity of complete email addresses.
Although there have been some attempts at doing this, they gained no
large-scale traction.
Historically, there has been a basic incompatibility between email
address encoding and domain name encoding. A domain name is an
undifferentiated sequence, whereas an email address is structured
into two, semantically-distinct parts (separated by the "@" sign.) A
recent, popular enhancement to DNS naming is the use of an
underscore-based node name, such as [SRVDNS] for information that
does not need to be treated as a hostname. The application of this
enhancement could produce a query name in the style of:
Mailbox._at.example.net
Hence, key query would be for a domain name, where the name might be
a hostname or might be an encoded email address. Although this would
be a new mechanism, it entails no enhancement to infrastructure
services and it re-uses a well-established and reasonably inexpensive
form of DNS-based mechanism.
3.4. Message Encapsulation
Protecting the message header means that it needs to be hidden during
transit, in spite of the header's being modified in transit, for
email. One approach to solving this is to encapsulate the entire
Crocker & Resnick Expires July 20, 2014 [Page 7]
Internet-Draft STRINT: Opportunistic Messaging Privacy January 2014
message as a MIME attachment; the visible header therefore would only
contain handling information. This model of encapsulation only
requires adoption by author (or originating server) and recipient (or
receiving server) and is transparent to the message-handling
infrastructure. Architecturally, it is identical with the way MIME
was propagated, in the 1990s, so it's viability has been well
demonstrated. Also, encapsulating an entire message as an attachment
has already been enabled through [BSMTP].
3.5. Protecting Envelope Meta-Data
If envelope data is to be hidden during transit, it must be
encapsulated in a message with different envelope data, and processed
by special, trusted relays that hide addressing and transit
information, and ensure that none is associated with the message when
it is finally delivered. This is in the spirit of [TOR].
4. Security Considerations
Everything in this draft related to security, and especially to
confidentiality in the service of privacy protection.
5. IANA Considerations
There are no IANA considerations for this draft.
Note to RFC Editor: Please remove the entire IANA Considerations
section, prior to publication
6. References - Informative
[BSMTP] Freed, N., Newman, D., Hoy, M., and , "The Batch SMTP
Media Type", RFC 2442, November 1998.
[DANE] Hoffman, P. and J. Schlyter, "The DNS-Based Authentication
of Named Entities (DANE) Transport Layer Security (TLS)
Protocol: TLSA", RFC 6698, August 2012.
[DKIM] Crocker, D., Hansen, T., and M. Kucherawy, "DomainKeys
Identified Mail (DKIM) Signatures", RFC 6376, September
2011.
[DNSSEC] Arends, R., Austein, R., Larson, M., Massey, D., and S.
Rose, "DNS Security Introduction and Requirements", RFC
4033, March 2005.
[DNS] Mockapetris, P., "Domain names - concepts and facilities",
STD 13, RFC 1034, November 1987.
Crocker & Resnick Expires July 20, 2014 [Page 8]
Internet-Draft STRINT: Opportunistic Messaging Privacy January 2014
[MAILARCH]
Crocker, D., "Internet Mail Architecture", RFC 5598, July
2009.
[MIME] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, November 1996.
[OPENPGP] Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
Thayer, "OpenPGP Message Format", RFC 4880, November 2007.
[SMIME] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
Mail Extensions (S/MIME) Version 3.2 Message
Specification", RFC 5751, January 2010.
[SRVDNS] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for
specifying the location of services (DNS SRV)", RFC 2782,
February 2000.
[TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[TOR] "TOR Project", WEB https://www.torproject.org/, .
Authors' Addresses
Dave Crocker
Brandenburg InternetWorking
675 Spruce Drive
Sunnyvale, CA 94086
USA
Phone: +1.408.246.8253
Email: dcrocker@bbiw.net
Pete Resnick
Qualcomm Technologies, Inc.
5775 Morehouse Drive
San Diego, CA 92121
US
Phone: +1 858 6511 4478
Email: presnick@qti.qualcomm.com
Crocker & Resnick Expires July 20, 2014 [Page 9]