RE: [EXTERNAL] Going STEK-less with QUIC?
Andrei Popov <Andrei.Popov@microsoft.com> Tue, 27 July 2021 21:23 UTC
Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 545FC3A083A for <quic@ietfa.amsl.com>; Tue, 27 Jul 2021 14:23:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.552
X-Spam-Level:
X-Spam-Status: No, score=-2.552 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.452, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T00_NYerHx6I for <quic@ietfa.amsl.com>; Tue, 27 Jul 2021 14:23:16 -0700 (PDT)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-dm3nam06on0711.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe56::711]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 92FDD3A082B for <quic@ietf.org>; Tue, 27 Jul 2021 14:23:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=L3Z19GfM35phC7NDbBCzvVF7hlwveoVkKgZvUPWUkwnImuqwuhqAHrxCGujqPb7XsrZ8odS055eTcKOqEovSrtUkTZo7R0IgxKcsLz3HiyhfRzDHB/m1AYFEx8E49KgTpvdgKgjBR5m2CaM+sdXUfMBTybqDqtM1+LWGmdwmTIIJ8Ky0w2AKH9G5P8M+lrYgmtVQTXYrGI+vwhqpz58c2O75JyhYMxEZcy47ECMpBDxjENE2QyNdAjm2tlKYdfyXgPZD3waQd/0ignTbqlpRpzcvF+v5fCEEr1qktFX7zKPTtqI4cV4ENFAElvl7dzxDzEqSP8DSqrRtBoqaVkNgVA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=okTEXR4bjnhlMyHEIiBUA/NxKw/ZtZadTjj7Jacr1WY=; b=dRzje7jF/dsiPeBxs5wPv8gcZqDuJStJ5m7/zKkdtiT4p93xeQ9AOYZICCWGN1xNEELkLQRmvNnuvOPIY4o7XFFUcCfL3BnlAoug6FxU/oKWQw6UoPloOwlk9tk6yrrSbus9Xl7WARR+kJBZ+mhp5LLgMYc9mZlouaSm5tlEc4rOoG3FzMB+sR1xY9kwVkZPEuwK2a8K0JdQeFCC3RNXlcSSWLrSp6P/VCTalmos8WAr1yfp8XSjR61As+DXuAUhIo50+IhvAerm98/JDQbbqw4dMTwW752LVo2Sry/dlD5csYEALE5jNH+EHSC1fA/RtdoEPH4rOylgc34FLRGT6A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=okTEXR4bjnhlMyHEIiBUA/NxKw/ZtZadTjj7Jacr1WY=; b=T5NhEYrOhNPWHVgqgZ3pCt8XG82roQT0ttWcBTZE0bRDpWnJinLZDwXQXzDLdCEWLdTL4pbz1Rt/qpPo27CtVfU4ygdZf42dvbyizBU1thTmxReDu5hghuXHYUsHmAZfasCMpbL6sNzWqcESRkYomwVUDnaIiu+fsf0ocYHHHoU=
Received: from BY5PR00MB0707.namprd00.prod.outlook.com (2603:10b6:a03:211::12) by SJ0PR00MB1142.namprd00.prod.outlook.com (2603:10b6:a03:335::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4399.0; Tue, 27 Jul 2021 21:22:05 +0000
Received: from BY5PR00MB0707.namprd00.prod.outlook.com ([fe80::f1fb:5765:e492:a082]) by BY5PR00MB0707.namprd00.prod.outlook.com ([fe80::f1fb:5765:e492:a082%5]) with mapi id 15.20.4410.000; Tue, 27 Jul 2021 21:22:05 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Christian Huitema <huitema@huitema.net>, "quic@ietf.org" <quic@ietf.org>
Subject: RE: [EXTERNAL] Going STEK-less with QUIC?
Thread-Topic: [EXTERNAL] Going STEK-less with QUIC?
Thread-Index: AQHXgytDouGJReVSIkqUndPpFM00QatXU5JA
Date: Tue, 27 Jul 2021 21:22:05 +0000
Message-ID: <BY5PR00MB070737A84BC38992F2BFF1DA8CE99@BY5PR00MB0707.namprd00.prod.outlook.com>
References: <7265bac0-f54b-0e5b-d5b6-572550809f0f@huitema.net>
In-Reply-To: <7265bac0-f54b-0e5b-d5b6-572550809f0f@huitema.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=8b6b0b8d-1627-4c43-9770-cf1f039cefca; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2021-07-27T21:18:33Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: huitema.net; dkim=none (message not signed) header.d=none;huitema.net; dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2e7f9d22-1560-4855-2ef3-08d95144958f
x-ms-traffictypediagnostic: SJ0PR00MB1142:
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-microsoft-antispam-prvs: <SJ0PR00MB11423747615FD7904674A45F8CE99@SJ0PR00MB1142.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xskDeSGaYOWNr4DdjsULGNSsA3oDm5Z8qz0GZTmIXabz/W4Dxdr8bEkhMey8xy7wfjgQUxL6Yg9+PrhjoV9nXF2M+4NIoYmfivNN6SgCZjgTBrosW85E77sVsGEj5VrlVfPv662zeDdmFtczMC0JdlrckLBo8o/wPpr3omQgAhPovz2vvs3vFy+OENEMqpJntvWIxIqYzkW6B9Es4sxNlqPDRVsiCHDlP9Rjkac8bXcOZSs4kLcEge7ZOsXm4P4n1PZ5BQ+WyMEG5rleE6UOPyShg2oeC18oFLBSHv7/ZodTCC0KfaZjpTbKOlbdhioQOgbS96U4guA2DuX8Sz9z4HKmRUfMOGa58KqXeQ+g/2t0KYmEavpUxYWCICNHTtk0Oyoy0OqyEHpkDbfxi1J92EkITGZcg6tucufGONvrozVNgt06cuEIO2sZMLjmUKQYUWvdpBfSv0u2d+pYaMd7MlGh9/nM8KNA8UP3PAlEQTtgiOToBZxHU38Hf1RyJV/W9Hum/LeCl8ietJ7qnTpPJEQjKSpVnGHRVLRHJGL2gW5EfJk74F6TepRqkU8zAxlQcbFhDhxiBhlsnfCxV6uNWDhqQ2lWvXeIIO6moLMc1Vv2KwRTC7RACJ3KmD27NAzodwp8ns88FJdeTbKld2/FIQ/GKokv3T93bqU97r3myR/04LstxbKF0HO0YzE3ZaQZ4jU1WChP+enFHBekDGxggg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR00MB0707.namprd00.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(366004)(82960400001)(7696005)(66556008)(508600001)(76116006)(82950400001)(64756008)(316002)(71200400001)(38100700002)(38070700005)(186003)(66946007)(6506007)(122000001)(5660300002)(2906002)(8990500004)(110136005)(53546011)(66446008)(66476007)(8676002)(86362001)(52536014)(8936002)(55016002)(9686003)(10290500003)(26005)(83380400001)(33656002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 6/g4xCwd3WLOHvhgt7rHwuJgVkdJ16PrwkMm+ecX/TNVOs86J4lFv/VddCmYUU7DYZ35uX0Csq801BxCfCbZ/RePi1ax4QlUE6AHZ0+wRUSWg2vYGg6aapVansf/soQOU/UYV4iB5fJ5yvrq9dbZhjxTpOvqw7+U+Z1/UBEFBRA1bx7AwEcyJmKIM8+DaNeVXtXawhhSD+Kg/DRcxmjgqqcOneGEW0HNRW9FPsf7u/tW9rucHJQr8V24dj5RrUihd+y089oxfSxJZl6GLr+gzgsdTc04Q6LmfGOfg4uBFzg/Mrt0xLcfrSFWG+F7FmQan4d8xxTJy58J3GZoBsT2OpWWemvOnsbU7xz44pCXnO8y7BqNS3WHc7vhuWOvniNf9STzgjbaXNLIgEoAbKpzOwbgUJDAEkKbj8klBm3h8LH4K0RY4YGzD+fU9yvOzUmBXhOfKhoPqLIvqQGQJc3SA3odrcwa2f2ACmGTDzFulBmpmJj7hZhMhzmrQFX3PRxPKgPjBywm6jI/MTLzhN0wSu3pAbVltaifb4EZ+NSa2jUUfqnL2t5vDH++BepACRiZrsHd1otdHpSprF/ItY9SXqWafmkj3WCWk8Uuu6D3jzl5xzbKXQ2idTOUFYC9tUBt0eZzgSIxx0yYff02PJJtgJsM4TMpDGysZtgzp2SjF/SUQMUC8dG4FC+7gJZ/EcDt3bmuuPysY5VXQOnP6VuoiuxNXeC5NeiKS1xcEq+B+GN8FNn7xS/A3ITfFXTsu5rNilm170ZhuKyPvfdAwoJRDxFzhWvpRIrrSy5paAttubpw9RG6iwWGgRjIabh+gi9CRK1KWxLJbpDIP0nTKvjvB9QPtN3+e8OdZ1kTWey7Tl9sR0M0+0l4lL+23yG79rQILjxzkxU4uX18ofBnuiPQfy4+KCaJ+tqLnP2ctWn27tGGFcgCQhiFonK6cjUw6w2ZyFcs6ue+dBgFNVEHJANhCQWO/INVE5x95iKXZL/0PQjjPXlsPv4xx445RoI8tQn+lV+UharavJzbff6DDu8VFvE2ZECVcXRMOOOmqerhLwvDsvA+TRdXQi5HuKwkvAemqSGFkPk91lb8nX+BVZO6fk74VdbQS/GmOKAaQP9rHzrgkTw0kb/UqJ9C+NMWJkEZrAeJTjui2BBl0Ffpe/nMgEsLoLz/HOM02sYEkeaXJ1jNH7iG2os1lEu999juChmXEwmecCDGYmDuNSJeDgiN5Bvs+gxl50qXQKaHNa4CCrOr3xHKLNzllH0/pFj8xNLDnwWp5LgS5UccP8HlVpImKwyjpQLG+ZPNL7mWfYnak8g=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR00MB0707.namprd00.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2e7f9d22-1560-4855-2ef3-08d95144958f
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jul 2021 21:22:05.7226 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 7AN+SddVqCnkOMej3js/spFsgxDsS4Sxuu0xTjIvdwIbH1cB3WOwMYHPfJyqHULpwD4ewpDRjLrqYCJYxJyoVQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SJ0PR00MB1142
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/FwlAu0bKU1E2r9FR72oQ_eoL9rM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 21:23:20 -0000
> if the STEK leaks, the attackers can decrypt all the sessions that were encrypted with that STEK, and might also be able to decrypt the initial sessions. In short, STEKs are convenient but risky. This is only a problem if the client and server negotiate psk_ke mode, rather than psk_dhe_ke, correct? Cheers, Andrei -----Original Message----- From: QUIC <quic-bounces@ietf.org> On Behalf Of Christian Huitema Sent: Tuesday, July 27, 2021 2:02 PM To: IETF QUIC WG <quic@ietf.org> Subject: [EXTERNAL] Going STEK-less with QUIC? In theory, TLS 1.3 provides strong future secrecy guarantees, but the handling of session tickets can compromise that. In theory, the session Ticket could be a simple identifier, used by the server to retrieve the context of a past session. In practice, many servers encode the relevant session context data in the session ticket itself, using a Session Ticket Encryption Key (STEK). For server farms, there is no guarantee that the resumed session will hit the same server as the initial session, so in practice all servers in the farm share the STEK. And then, we have a serious future secrecy issue: if the STEK leaks, the attackers can decrypt all the sessions that were encrypted with that STEK, and might also be able to decrypt the initial sessions. In short, STEKs are convenient but risky. The load balancing draft defines Connection ID formats that assure that packets get routed to the right server in a pool. I think that we could use these connection IDs to ensure that a resumed connection goes back to the same server as the initial server. The simplest implementation would be for the client to remember one of the "New connection IDs" received in the initial session, and use that as Initial Connection ID in the resumed session. Once we do that, we get options. The server could for example have a server specific STEK, which reduces the impact of leaking STEk to just the sessions handled by that server, instead of all the sessions by servers sharing the STEK. Or, the server could just remember contexts of past sessions locally, and just place an identifier of that context in the session ticket, effectively going STEK-less. Would there be any interest in pursuing that idea? -- Christian Huitema
- Going STEK-less with QUIC? Christian Huitema
- RE: [EXTERNAL] Going STEK-less with QUIC? Andrei Popov
- Re: [EXTERNAL] Going STEK-less with QUIC? Christian Huitema
- RE: [EXTERNAL] Going STEK-less with QUIC? Andrei Popov
- Re: Going STEK-less with QUIC? Kazuho Oku
- Re: Going STEK-less with QUIC? Martin Thomson
- Re: Going STEK-less with QUIC? Christian Huitema
- Re: Going STEK-less with QUIC? Martin Thomson
- Re: Going STEK-less with QUIC? Christian Huitema
- Re: Going STEK-less with QUIC? Martin Duke