IETF Logo Mail Archive

Re: [TLS] Closing on 0-RTT

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 14 June 2017 17:45 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88065120726 for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 10:45:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BWqheivN-2Ut for <tls@ietfa.amsl.com>; Wed, 14 Jun 2017 10:45:38 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) by ietfa.amsl.com (Postfix) with ESMTP id 7E9C61201F2 for <tls@ietf.org>; Wed, 14 Jun 2017 10:45:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id D01362A474; Wed, 14 Jun 2017 20:45:36 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id 4jkuBc9LrSqh; Wed, 14 Jun 2017 20:45:36 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 7D485C4; Wed, 14 Jun 2017 20:45:36 +0300 (EEST)
Date: Wed, 14 Jun 2017 20:45:31 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Bill Cox <waywardgeek@google.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170614174531.GA17930@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBNLo51y4-MYS6NTQn9OWg5jTYYpwxn1fiKKNL5bWA37TA@mail.gmail.com> <20170613113232.GC8983@LK-Perkele-V2.elisa-laajakaista.fi> <CAH9QtQG0uk+eUozJxxMRwvcROO7x5FhKd5zDbwpCKuXj9zrecQ@mail.gmail.com> <20170613205113.GA13223@LK-Perkele-V2.elisa-laajakaista.fi> <CAH9QtQFez=tUVJOd7ztBaWFtVs5dAAojg8JrixGqjwqN5go+8A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAH9QtQFez=tUVJOd7ztBaWFtVs5dAAojg8JrixGqjwqN5go+8A@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-dDpakZ1PyvybmZx_T3TSZd3p1s>
Subject: Re: [TLS] Closing on 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Jun 2017 17:45:41 -0000

On Tue, Jun 13, 2017 at 03:24:24PM -0700, Bill Cox wrote:
> On Tue, Jun 13, 2017 at 1:51 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> > >   - Note that 0-RTT exporters are not safe for authentication on servers
> > > that do not enforce single-use tickets, or for clients that do not
> > > recompute authentication signatures on retransmission of early data.
> >
> > "Single-use tickets" imply global anti-replay.
> >
> 
> I assumed "gobal anti-replay" meant there would be a globally synchronized
> cache of valid single-use tickets.  It sounds like you mean "global
> anti-replay" includes schemes using orbit/metro/server bound tickets, since
> they can support single-use tickets.  In that case, I agree with you, but I
> think the phrase "single-use tickets" may be less confusing.  Maybe just
> say "anti-replay" instead of "global anti-replay"?

IMO, "anti-replay" also includes per-server anti-replay, which archives
"at most N replays" in global scale.

Of course, the ticket scope of server can be wider than the 0-RTT scope
(the server accepts tickets but rejects 0-RTT from any ticket in
between).
 
> And the latter part is way too obscure. I have no idea how it is
> > trying to fix ClientHello replay resulting the same exporter
> > output.
> >
> 
> I don't know what you mean by "resulting the same exporter output."  Auth
> signatures in a 1-RTT fallback need to be recomputed using the 1-RTT
> exporter to avoid having the same signature accepted twice.  Maybe this is
> too specific and should be left out.

If you replay ClientHello and it gets accepted twice, including to
different servers, both connections have the same 0-RTT exporter values.

The 1-RTT exporter values will not be the same, but this is not helpful
for 0-RTT data, or for that matter any 1-RTT data unless exporters are
switched mid-stream.

> > Even this is only partially true.  Anti-replay can be built above the TLS
> > > layer.  I'm considering doing token-binding replay defense in the
> > > authentication backend, to help ensure the token-binding guarantee: that
> > > auth tokens taken from one device cannot be used from another device
> > > without continued access to the first device's signing oracle.
> > > Unfortunately, 0-RTT master resumption secrets are a new kind of auth
> > > bearer token, and the token binding spec does not cover them.
> >
> > Doing stuff like this gets more and more complicated and fragile as
> > one moves up the layer stack.
> >
> 
> It depends on the task.  Moving channel ID from the TLS layer to token
> binding in the HTTP layer should simplify the TLS state machine enough to
> justify the change.

Implementing such thing without some TLS support at application layer is
just crazy.

IMO, the only reason token binding concerns itself at all with TLS is
that "0.5 RTT" (a TLS 1.3 feature) and HTTP/2 was not available when
token binding was started. Those (together with exporters) would have
enabled token binding in HTTPS without having to mess with TLS.

(The messing with TLS in token binding seems to be solely about saving
round-trips!)

> Anti-replay in the TLS layer would be good for 0-RTT
> token binding, but the cost and complexity of running the whole user-facing
> fleet of servers with anti-replay caches is huge, many times higher than
> the cost of token-binding anti-replay in the backend.  Also, the
> authentication backend is where bound tokens are currently verified, so
> putting the anti-replay there seems like the appropriate layer.

That greatly depends on the implementation and deployment. That's why it
is more fragile.

E.g. run more than one authentication backend for 0-RTT scope, and
your application layer anti-replay breaks. And I'm not convinced the
scale of anti-replay cache would be much smaller at application layer, in
fact, it could be even biger.

> I'm still not sure this scheme is worth implementing, but without it, I do
> not think we can support client certificates or token binding over 0-RTT.
> It doesn't really matter for the TLS 1.3 spec.  I'm just pointing out that
> the statement "0-RTT auth is insecure without anti-replay defense" is not
> 100% accurate.  There are other ways to improve the security.

Well, client certificates are currently forbidden for connections with
0-RTT data (indirectly, but it is still forbidden). It could become possible
in the future.





-Ilari

v2.23.0 | Report a Bug | By Email