Re: [kitten] TLS 0-RTT question regarding draft-schmaus-kitten-sasl-ht
Nadja von Reitzenstein Cerpnjak <me@dequbed.space> Wed, 19 October 2022 10:47 UTC
Return-Path: <me@dequbed.space>
X-Original-To: kitten@ietfa.amsl.com
Delivered-To: kitten@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89523C14CF03 for <kitten@ietfa.amsl.com>; Wed, 19 Oct 2022 03:47:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.31
X-Spam-Level:
X-Spam-Status: No, score=-1.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, KHOP_HELO_FCRDNS=0.398, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (public key: not available)" header.d=dequbed.space
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EbZQDZ_YecHD for <kitten@ietfa.amsl.com>; Wed, 19 Oct 2022 03:47:38 -0700 (PDT)
Received: from mail2.paranoidlabs.org (tureis.comfix.cc [148.251.10.134]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 55F0AC14CF0F for <kitten@ietf.org>; Wed, 19 Oct 2022 03:47:25 -0700 (PDT)
Received: from [IPV6:2001:9e8:17c7:4400:9811:67ca:296f:fb8c] (unknown [IPv6:2001:9e8:17c7:4400:9811:67ca:296f:fb8c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mail2.paranoidlabs.org (PlabsMail) with ESMTPSA id E405234173C; Wed, 19 Oct 2022 10:47:17 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dequbed.space; s=rsa-20210101; t=1666176442; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=VsG+VH5RlW1OtRvOMdPkYAndHe8RMvjIDPJmioAQc78=; b=uhShdl7AaF0Ga7qrtcRwlNYtdCyhI0uF+GhWqyxUGcsbze30aKkiOUptrUQTlQGB8ucOGX 9+U5jr/QRFoZGKuqdrJLfkbUIV+uDTM8PnxRJ+VJ52o/RNkcJRlIpLrRF2ew8+AVZ/WzEe WNEuPKyRP8X4w61FZiKF1t8/255E7VrsHvS03gFHMgHekH2HjlHanTr6QZopewVOXUrqal Nf9fy0mdQC5IDdSzEGJhR/ISnKPundDOMV9oTgsz6kXLWony8vZ4Jqsi6FK111G7Kv9pwX 7Gi4KwJjr054B5BH63G4DKe4ASriY85EZRf5io/5rETVWBSIRwyd2gQ72C+kfQ==
Message-ID: <6572678a-8c1d-3061-d773-9d2e6cbe52fd@dequbed.space>
Date: Wed, 19 Oct 2022 12:47:15 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.3
Content-Language: en-US
To: Dave Cridland <dave@cridland.net>
Cc: Florian Schmaus <flo@geekplace.eu>, KITTEN IETF WG <kitten@ietf.org>, Christoph Egger <egger@cs.fau.de>
References: <5e747325-e63e-2cfb-9814-b52b85acedc6@dequbed.space> <CAKHUCzyk5HkRSM+z5WRyKMmMuSrH=x1=D8RdjWR5OxX0o0N2=Q@mail.gmail.com>
From: Nadja von Reitzenstein Cerpnjak <me@dequbed.space>
In-Reply-To: <CAKHUCzyk5HkRSM+z5WRyKMmMuSrH=x1=D8RdjWR5OxX0o0N2=Q@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/kitten/ZH4r3S1lU4dQMLtaXNvOof4XFVA>
Subject: Re: [kitten] TLS 0-RTT question regarding draft-schmaus-kitten-sasl-ht
X-BeenThere: kitten@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Common Authentication Technologies - Next Generation <kitten.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/kitten>, <mailto:kitten-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/kitten/>
List-Post: <mailto:kitten@ietf.org>
List-Help: <mailto:kitten-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/kitten>, <mailto:kitten-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 10:47:43 -0000
> After you recently linked it I was reading through your draft and I > would like a clarification regarding the intended interaction with > TLSv1.3 0-RTT data. > > > As a bit of background, HT-* was developed primarily with a view to > providing a "fast reauthentication" in XMPP, and technically, would be > initiated in the second client-sent data, normally as part of the new > "SASL2" profile (XEP-0388). The currently proposed update to SASL2 has > a "MUST NOT" for TLSv1.3 0-RTT data; I've argued that this ought to be > a SHOULD NOT (and the proposal already lists sensible mitigations as > far as I follow the detail). > > So if 0-RTT data were used, it'd be used in the initial stream open, > and then the client would read off stream features including the > supported authentication mechanisms (and SASL/SASL2 support), and only > then send the HT-* client-send-first data, by which time channel > binding information has been obtained: > > C->S (0-RTT) <stream:stream from='...' to='...' ... version=1.0> > C<-S <stream:stream ...><stream:features>...</stream:features> > C->S <authenticate mechanism='HT-*' > ...><initial-data>...</initial-data/></authenticate> Ah okay that does make more sense. Your draft does currently read "The early data should only contain the SASL-HT payload, i.e., the initiator-msg, and not an application protocol specific payload.", which is why I assumed you planned to send the `<authenticate>` tag in the 0-RTT data. > The alternative would be to optimistically pipeline the > client-send-first data (which would work on other SASL-using > protocols, too), in which case it would be possible to do so in the > 0-RTT data. My understanding of 0-RTT data is fairly weak, but I > understand that it may be subject to replay by an attacker. Assuming > this is so, its current form, HT-* would then allow for a replay > attack if the binding was not dependent on the session itself (ie, if > there were no channel bindings or tls-server-end-point were used). This is also an issue if `tls-exporter` is used. It can only rely on data the client produces (since the server hasn't responded yet), so there is no way for the exporter to contain any connection-specific randomness (i.e. the server nonce). > Whether the attack is actually useful is something of another matter - > I think an attacker would struggle to identify and use a useful > pipelined sequence, but perhaps that's not the point. There are valid attacks here. The most grievous being that 0-RTT data can not include an ephemeral KEX step so if the servers PSK store is leaked an otherwise passive attacker can *change* 0-RTT data in a replay, e.g. take your authentication and replace your benign action with creating a new admin user, all without having to know your authentication secret. And even if replay protection and single-use authentication like HT is used a passive attacker can still race you to the server. The only real solution to that problem I'm aware of are multi-step SASL mechanisms, or of course not using 0-RTT data to begin with. > In any case, I entirely appreciate the irony in having a fast > reauthentication mechanism that essentially mandates an additional > round-trip, and if you've any suggestions I would really welcome them. > One of the handy features of HT-* in its current form is that a server > could provide a token which is the encrypted username/password for the > user, for services that are forced into using PLAIN in the backend. If the goal is fast resumption of sessions by making use of 0-RTT data my personal preference would to just use SASL EXTERNAL. The resumed session is already cryptographically bound to the one in which the resumption PSK was generated, so we might as well bind authentication state to that. This is also really nice for e.g. the happy-eyeballs approach because a server can issue multiple session tickets, and a client can then use a different one for each parallel connection, keeping security high. And in that situation including the authentication in 0-RTT data is somewhat more safe, i.e. the following exchange happens: C->S (0-RTT) <stream:stream from='...' to='...' ... version=1.0><authenticate mechanism='EXTERNAL' ...><initial-data /></authenticate> C<-S <stream:stream ...><stream:features>...</stream:features> An attacker can then of course replay the whole first line, but if the server correctly aborts if 0-RTT contains anything after the closing > of </authenticate> this is not a major issue. And a later leak of the resumption secret (i.e. the server-side PSK store) will not give it any additional information, with HT-* on the other hand it would get at least the HT token. So to me it feels like the HT-* mechanisms are most useful in the non PSK, non 0-RTT case. A completely fresh TLS handshake doesn't let a server divine any relation to a previous connection at all, and the HT token would provide exactly that. ~Nadja
- [kitten] TLS 0-RTT question regarding draft-schma… Nadja von Reitzenstein Cerpnjak
- Re: [kitten] TLS 0-RTT question regarding draft-s… Dave Cridland
- Re: [kitten] TLS 0-RTT question regarding draft-s… Nadja von Reitzenstein Cerpnjak