Opportunistic encryption

Last updated

Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt communications channels, otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two systems.

Contents

Opportunistic encryption can be used to combat passive wiretapping. [1] (an active wiretapper, on the other hand, can disrupt encryption negotiation to either force an unencrypted channel or perform a man-in-the-middle attack on the encrypted link.) It does not provide a strong level of security as authentication may be difficult to establish and secure communications are not mandatory. However, it does make the encryption of most Internet traffic easy to implement, which removes a significant impediment to the mass adoption of Internet traffic security.

Opportunistic encryption on the Internet is described in RFC   4322 "Opportunistic Encryption using the Internet Key Exchange (IKE)", RFC   7435 "Opportunistic Security: Some Protection Most of the Time", and in RFC   8164 "Opportunistic Security for HTTP/2".

Routers

The FreeS/WAN project was one of the early proponents of OE. [2] The effort is continued by the former freeswan developers now working on Libreswan. Libreswan aims to support different authentication hooks for Opportunistic Encryption with IPsec. Version 3.16, which was released in December 2015, had support for Opportunistic IPsec using AUTH-NULL [3] which is based on RFC 7619. The Libreswan Project is currently working on (forward) Domain Name System Security Extensions (DNSSEC) and Kerberos support for Opportunistic IPsec.[ citation needed ]

Openswan has also been ported to the OpenWrt project. [4] Openswan used reverse DNS records to facilitate the key exchange between the systems.

It is possible to use OpenVPN and networking protocols to set up dynamic VPN links which act similar to OE for specific domains. [5]

Linux and Unix-like systems

The FreeS/WAN and forks such as Openswan and strongSwan offer VPNs that can also operate in OE mode using IPsec-based technology. Obfuscated TCP is another method of implementing OE.

Windows OS

Microsoft Windows platforms have an implementation of OE installed by default. This method uses IPsec to secure the traffic and is a simple procedure to turn on. It is accessed via the MMC and "IP Security Policies on Local Computer" and then editing the properties to assign the "(Request Security)" policy. [6] This will turn on optional IPsec in a Kerberos environment. Many systems also have problems when either side is behind a NAT. This problem is addressed by NAT traversal (NAT-T) and is accomplished by editing a registry item. [7] Using the filtering options provided in MMC, it is possible to tailor the networking to require, request or permit traffic to various domains and protocols to use encryption.

Email

Opportunistic Encryption can also be used for specific traffic like e-mail using the SMTP STARTTLS extension for relaying messages across the Internet, or the Internet Message Access Protocol (IMAP) STARTTLS extension for reading e-mail. With this implementation, it is not necessary to obtain a certificate from a certificate authority, as a self-signed certificate can be used.

Many systems employ a variant with third-party add-ons to traditional email packages by first attempting to obtain an encryption key and if unsuccessful, then sending the email in the clear. PGP, p≡p, Hushmail, and Ciphire, among others can all be set up to work in this mode.

In practice, STARTTLS in SMTP is often deployed with self-signed certificates, [8] which represents a minimal one-time task for a system administrator, and results in most email traffic being opportunistically encrypted. [9]

VoIP

Some Voice over IP (VoIP) solutions provide for painless encryption of voice traffic when possible. Some versions of the Sipura Technology and Linksys lines of analog telephony adapters (ATA) include a hardware implementation of SRTP with the installation of a certificate from Voxilla, a VoIP information site. When the call is placed an attempt is made to use SRTP, if successful a series of tones are played into the handset, if not the call proceeds without using encryption. Skype and Amicima use only secure connections and Gizmo5 attempts a secure connection between its clients. Phil Zimmermann, Alan Johnston, and Jon Callas have proposed a new VoIP encryption protocol called ZRTP. [10] They have an implementation of it called Zfone whose source and compiled binaries are available.

Websites

For encrypting WWW/HTTP connections, HTTPS is typically used, which requires strict encryption and has significant administrative costs, both in terms of initial setup and continued maintenance costs for the website operator. Most browsers verify the webserver's identity to make sure that an SSL certificate is signed by a trusted certificate authority and has not expired, usually requiring the website operator to manually change the certificate every one or two years. The easiest way to enable some sort of opportunistic website encryption is by using self-signed certificates, but this causes browsers to display a warning each time the website is visited unless the user manually marks the website's certificate as trusted. Because unencrypted websites do not currently display any such warnings, the use of self-signed certificates is not well received.

In 2015, Mozilla started to roll out opportunistic encryption in Firefox version 37. [11] This was quickly rolled back (in update 37.0.1) due to a serious vulnerability that could bypass SSL certificate verification. [12]

Browser extensions like HTTPS Everywhere and HTTPSfinder [13] find and automatically switch the connection to HTTPS when possible.

Several proposals were available for true, seamless opportunistic encryption of HTTP/2 protocol. [14] These proposals were later rejected. Poul-Henning Kamp, lead developer of Varnish and a senior FreeBSD kernel developer, has criticized the IETF for following a particular political agenda with HTTP/2 for not implementing opportunistic encryption in the standard. [15] [16]

Weaknesses

STARTTLS implementations often used with SMTP are vulnerable to STRIPTLS attacks when subject to active wiretapping.

See also

Related Research Articles

<span class="mw-page-title-main">HTTPS</span> Extension of the HTTP communications protocol to support TLS encryption

Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It uses encryption for secure communication over a computer network, and is widely used on the Internet. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS) or, formerly, Secure Sockets Layer (SSL). The protocol is therefore also referred to as HTTP over TLS, or HTTP over SSL.

The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typically use SMTP only for sending messages to a mail server for relaying, and typically submit outgoing email to the mail server on port 587 or 465 per RFC 8314. For retrieving messages, IMAP is standard, but proprietary servers also often implement proprietary protocols, e.g., Exchange ActiveSync.

The Session Initiation Protocol (SIP) is a signaling protocol used for initiating, maintaining, and terminating communication sessions that include voice, video and messaging applications. SIP is used in Internet telephony, in private IP telephone systems, as well as mobile phone calling over LTE (VoLTE).

In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in virtual private networks (VPNs).

<span class="mw-page-title-main">Email client</span> Computer program used to access and manage a users email

An email client, email reader or, more formally, message user agent (MUA) or mail user agent is a computer program used to access and manage a user's email.

Virtual private network (VPN) is a network architecture for virtually extending a private network across one or multiple other networks which are either untrusted or need to be isolated.

Transport Layer Security (TLS) is a cryptographic protocol designed to provide communications security over a computer network, such as the Internet. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.

In computing, Internet Key Exchange is the protocol used to set up a security association (SA) in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP. IKE uses X.509 certificates for authentication ‒ either pre-shared or distributed using DNS ‒ and a Diffie–Hellman key exchange to set up a shared session secret from which cryptographic keys are derived. In addition, a security policy for every peer which will connect must be manually maintained.

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs) or as part of the delivery of services by ISPs. It uses encryption ('hiding') only for its own control messages, and does not provide any encryption or confidentiality of content by itself. Rather, it provides a tunnel for Layer 2, and the tunnel itself may be passed over a Layer 3 encryption protocol such as IPsec.

Datagram Transport Layer Security (DTLS) is a communications protocol providing security to datagram-based applications by allowing them to communicate in a way designed to prevent eavesdropping, tampering, or message forgery. The DTLS protocol is based on the stream-oriented Transport Layer Security (TLS) protocol and is intended to provide similar security guarantees. The DTLS protocol datagram preserves the semantics of the underlying transport—the application does not suffer from the delays associated with stream protocols, but because it uses User Datagram Protocol (UDP) or Stream Control Transmission Protocol (SCTP), the application has to deal with packet reordering, loss of datagram and data larger than the size of a datagram network packet. Because DTLS uses UDP or SCTP rather than TCP it avoids the TCP meltdown problem when being used to create a VPN tunnel.

Network address translation traversal is a computer networking technique of establishing and maintaining Internet Protocol connections across gateways that implement network address translation (NAT).

A VoIP VPN combines voice over IP and virtual private network technologies to offer a method for delivering secure voice. Because VoIP transmits digitized voice as a stream of data, the VoIP VPN solution accomplishes voice encryption quite simply, applying standard data-encryption mechanisms inherently available in the collection of protocols used to implement a VPN.

Opportunistic TLS refers to extensions in plain text communication protocols, which offer a way to upgrade a plain text connection to an encrypted connection instead of using a separate port for encrypted communication. Several protocols use a command named "STARTTLS" for this purpose. It is a form of opportunistic encryption and is primarily intended as a countermeasure to passive monitoring.

Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication.

Server Name Indication (SNI) is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process. The extension allows a server to present one of multiple possible certificates on the same IP address and TCP port number and hence allows multiple secure (HTTPS) websites to be served by the same IP address without requiring all those sites to use the same certificate. It is the conceptual equivalent to HTTP/1.1 name-based virtual hosting, but for HTTPS. This also allows a proxy to forward client traffic to the right server during TLS/SSL handshake. The desired hostname is not encrypted in the original SNI extension, so an eavesdropper can see which site is being requested. The SNI extension was specified in 2003 in RFC 3546

Obfuscated TCP (ObsTCP) was a proposal for a transport layer protocol which implements opportunistic encryption over Transmission Control Protocol (TCP). It was designed to prevent mass wiretapping and malicious corruption of TCP traffic on the Internet, with lower implementation cost and complexity than Transport Layer Security (TLS). In August 2008, IETF rejected the proposal for a TCP option, suggesting it be done on the application layer instead. The project has been inactive since a few months later.

In computer networking, tcpcrypt is a transport layer communication encryption protocol. Unlike prior protocols like TLS (SSL), tcpcrypt is implemented as a TCP extension. It was designed by a team of six security and networking experts: Andrea Bittau, Mike Hamburg, Mark Handley, David Mazières, Dan Boneh and Quinn Slack. Tcpcrypt has been published as an Internet Draft. Experimental user-space implementations are available for Linux, Mac OS X, FreeBSD and Windows. There is also a Linux kernel implementation.

SMTPS (Simple Mail Transfer Protocol Secure) is a method for securing the SMTP using transport layer security. It is intended to provide authentication of the communication partners, as well as data integrity and confidentiality.

HTTP/2 is a major revision of the HTTP network protocol used by the World Wide Web. It was derived from the earlier experimental SPDY protocol, originally developed by Google. HTTP/2 was developed by the HTTP Working Group of the Internet Engineering Task Force (IETF). HTTP/2 is the first new version of HTTP since HTTP/1.1, which was standardized in RFC 2068 in 1997. The Working Group presented HTTP/2 to the Internet Engineering Steering Group (IESG) for consideration as a Proposed Standard in December 2014, and IESG approved it to publish as Proposed Standard on February 17, 2015. The initial HTTP/2 specification was published as RFC 7540 on May 14, 2015.

DNS-based Authentication of Named Entities (DANE) is an Internet security protocol to allow X.509 digital certificates, commonly used for Transport Layer Security (TLS), to be bound to domain names using Domain Name System Security Extensions (DNSSEC).

References

  1. "FreeS/WAN Project: History and Politics". 2003-05-13. Retrieved 2007-11-24.
  2. Wouters, Paul (September 12, 2013). "History and implementation status of Opportunistic Encryption for IPsec" . Retrieved 2021-04-13.
  3. "HOWTO: Opportunistic IPsec - Libreswan". libreswan.org. Retrieved July 14, 2022.
  4. "IPSec Howto". OpenWrt Community wiki. Archived from the original on 2010-02-20. Retrieved 2007-10-24.
  5. "Creating a Dynamic VPN". Archived from the original on 2007-09-28. Retrieved 2007-10-24.
  6. "(Request Security)". Archived from the original on 2012-03-13. Retrieved 2006-03-15.
  7. "L2TP/IPsec NAT-T update for Windows XP and Windows 2000". Microsoft. Archived from the original on 2013-04-24. Retrieved 2007-10-24.
  8. "Starttls(8) - OpenBSD manual pages".
  9. "The Current State of SMTP STARTTLS Deployment". Facebook. May 13, 2014.
  10. ZRTP: Extensions to RTP for Diffie-Hellman Key Agreement for SRTP
  11. "Firefox 37 arrives with Opportunistic Encryption support". Hacker News. 2015-04-04. Retrieved 2015-04-07.
  12. "Mozilla Dials Back on Firefox Opportunistic Encryption". eWeek. 2015-04-06. Retrieved 2015-05-08.
  13. "Google Code Archive - Long-term storage for Google Code Project Hosting".
  14. Minimal Unauthenticated Encryption (MUE) for HTTP/2
  15. "HTTP/2.0 — The IETF is Phoning It In (Bad protocol, bad politics)". ACM Queue. 2015-01-06. Retrieved 2015-01-12.
  16. "Re: Last Call: <draft-ietf-httpbis-http2-16.txt> (Hypertext Transfer Protocol version 2) to Proposed Standard". ietf-http-wg@w3.org (Mailing list). 2015-01-07. Retrieved 2015-01-12.