Re: [TLS] 0.5 RTT
Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Tue, 23 February 2016 20:49 UTC
Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 368CF1B3098 for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 12:49:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OypnHWgX57HB for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 12:49:05 -0800 (PST)
Received: from mail-pa0-x234.google.com (mail-pa0-x234.google.com [IPv6:2607:f8b0:400e:c03::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB96A1B302D for <tls@ietf.org>; Tue, 23 Feb 2016 12:49:04 -0800 (PST)
Received: by mail-pa0-x234.google.com with SMTP id ho8so119370049pac.2 for <tls@ietf.org>; Tue, 23 Feb 2016 12:49:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Fm/HqqEOs8YeWx1mO06pmQ2ASvg7vD8ZxTptdhykZ/E=; b=VhM+M6G0RIVzOJsUy9d96NjfbWw1S0qPX/NSkLTe2q9iCo2joQmwl7yDXkJ2rkiRqn dzXxGPIPlhsqEnNg1LkNCRxp9NdBKwEuHQ0/RL2T5F4ofHoWMRnQukmhElXyEMbsWLEI S7ni07AvkzDozHAfyoPpjLYGmYorltZ90PKtRM5LrPOlq6bDaiAZ5AgcYKvICSnIKXsg /K12zzR52KMfp0SatDOOGOqLGEtCI+biyGKblaXpFp1y7kFs843xOgrWGiHQfrQ110rg 4gBnBF5P1wkMpt+8sV7dVYLsEK07LmCR5Eqy3DvCJEIph1PCuejWRbAJ7CrO+2NKfB+o DSrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:content-transfer-encoding:message-id:references :to; bh=Fm/HqqEOs8YeWx1mO06pmQ2ASvg7vD8ZxTptdhykZ/E=; b=NNy3IBCpEpCWAvety1b0+X2lYy1rQ1tCSQsJsIlABl0i2UW/B9fO/cvRucFzvk6jYB 4XvVKNjRbO4XwhRiifCg17n5Bte9fBExJ0LIxAtgIXRMErllwDEAoAzXEj2hYyTL29zt jh6N0s0wQioxPhd0dxCiUjS0hvdL81mkEBuXAOo1eeBGtm4/I2SmQ4w52FQCHd++zOZL ujkdDmwIpsQ2QlfLFS8Ok5eJ+bPFKIB3GJokH861ZQRgMyntOkJ8LY9/lcUvNhHndTwV kNm6Ot8q6aPS5aqJs1nUf8nH/41YOhjEJb0AuZsx8pQhSg9/DzBhqkEAj2FoklWAaUi6 syXQ==
X-Gm-Message-State: AG10YOTzERIpHrCsTgCSBYoFCWV2TeHnEzKI0Nmhsp2/S9U0QpsrU56lfanf/7ystNgzrw==
X-Received: by 10.66.191.104 with SMTP id gx8mr49009234pac.21.1456260544510; Tue, 23 Feb 2016 12:49:04 -0800 (PST)
Received: from [30.30.30.117] (rrcs-24-43-243-163.west.biz.rr.com. [24.43.243.163]) by smtp.gmail.com with ESMTPSA id l62sm46166719pfj.7.2016.02.23.12.49.03 (version=TLSv1/SSLv3 cipher=OTHER); Tue, 23 Feb 2016 12:49:03 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
In-Reply-To: <CABkgnnW1LRhSA_i0nL=rDYnUwBZWg5dSys7yk6aDefYWptnpZQ@mail.gmail.com>
Date: Tue, 23 Feb 2016 12:49:02 -0800
Content-Transfer-Encoding: quoted-printable
Message-Id: <8FA1A0FD-B911-474F-AC08-6208A80EB980@gmail.com>
References: <CABkgnnW1LRhSA_i0nL=rDYnUwBZWg5dSys7yk6aDefYWptnpZQ@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/-Viv9uViuC8NfmR1X9cTFlyxBcc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0.5 RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 20:49:07 -0000
There are some fears about 0.5-RTT data that do not necessarily apply to post-client authentication, at which point at least both parties have sent their Finished messages.
When the server is sending 0.5-RTT data, this is effectively false-start; the client hasn’t confirmed its choice of ciphersuites yet, and downgrade attacks may become possible.
To be principled, we should look at the current browser best practices for false start and make sure that 0.5-RTT data abides by them.
For example, one may argue that 0.5-RTT is actually a bit worse than false-start in TLS 1.2 where at least the peer’s presence and DH key has been authenticated before false start data is sent.
There is no such guarantee in 0.5-RTT.
The question is whether this is just a server-side concern, or does the client need to be aware of 0.5-RTT.
I don’t know the answer to that, but if we wanted to setup a 0.5-RTT rule, I would say that it should *only*
be sent during PSK-resumption handshakes, because the PSK authenticates the peer, and because
the server is likely responding to some 0-RTT data sent by the client/
Again maybe this breaks some server push scenarios that I am not aware of.
Best,
Karthik
PS: The OPTLS proof does not require ClientFinished, but they do not consider downgrades or client auth.
On the whole, cryptographers including the authors of OPTLS would be happier with 0.5-RTT keys
not being the same as 1-RTT keys. Again, so far, this is a matter of taste and proof modularity.
> On 23 Feb 2016, at 11:27, Martin Thomson <martin.thomson@gmail.com> wrote:
>
> Karthik raised some concerns here, and I think that we have some
> thinking to do. But I don't think that it is intractable, nor even
> hard, to reason about this problem.
>
> The only thing that the client's second flight provides is
> authentication. The Finished isn't needed if there is no client auth
> [P]. Hugo's presentation at TRON did not include a client Finished in
> the earlier, simpler examples.
>
> Thus, based on Watson's observation that the client authentication is
> removable, we might conclude that the handshake is complete from the
> perspective of a server that does not require client authentication.
> There are still reasons we might like to keep the client
> authentication in the handshake, but those are decisions we can make
> on engineering grounds.
>
> If post-handshake client authentication is OK, then 0.5 RTT is equally
> OK [X]. I would assert that any decision about changing keys after
> the client Finished applies to post-handshake client auth (or vice
> versa).
>
> If that logic is sound, then I see no reason we can't have some very
> simple advice:
>
> 1. if the server does not request client authentication, it can send
> application data immediately following its Finished
>
> 2. if the server requests client authentication, it MUST NOT send
> application data until it receives and validates the client's first
> flight. UNLESS the server is certain that the data it sends does not
> depend on the client's identity (that is, it would send this
> application data to anyone).
>
>> From an API perspective, I believe that we should recommend that there
> be a separate function for sending in condition 2, just as we are
> going to recommend that there is a separate function for sending 0-RTT
> data (as well as there being one to receive on the server end).
>
> Based on this, we should recommend different points in time for the
> server API to report that the handshake is "complete" at a server. In
> condition 1, the handshake is complete after the server Finished is
> sent; in condition 2, the handshake is complete after the client
> Finished is received.
>
>
> [P] Note that a client Finished does confirm a PSK. Though you might
> reasonably argue that successfully generating valid application data
> works equally well in that regard.
> [X] Post-handshake client authentication has only been analyzed very
> lightly, so we have to caveat that statement too.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
- [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Watson Ladd
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Stephen Farrell
- Re: [TLS] 0.5 RTT Watson Ladd
- Re: [TLS] 0.5 RTT stephen.farrell
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Martin Rex
- Re: [TLS] 0.5 RTT Martin Rex
- Re: [TLS] 0.5 RTT Antoine Delignat-Lavaud
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Eric Rescorla
- Re: [TLS] 0.5 RTT Watson Ladd
- Re: [TLS] 0.5 RTT Hugo Krawczyk