[TLS] Splitting all stateless 0RTT into its own document (was Re: analysis of wider impact of TLS1.3 replayabe data)
Dave Garrett <davemgarrett@gmail.com> Mon, 14 March 2016 19:25 UTC
Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 104BC12D737 for <tls@ietfa.amsl.com>; Mon, 14 Mar 2016 12:25:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mfGQpM4mrtiK for <tls@ietfa.amsl.com>; Mon, 14 Mar 2016 12:25:31 -0700 (PDT)
Received: from mail-yw0-x235.google.com (mail-yw0-x235.google.com [IPv6:2607:f8b0:4002:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A19E412D717 for <tls@ietf.org>; Mon, 14 Mar 2016 12:25:31 -0700 (PDT)
Received: by mail-yw0-x235.google.com with SMTP id g3so180699682ywa.3 for <tls@ietf.org>; Mon, 14 Mar 2016 12:25:31 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-transfer-encoding:message-id; bh=ZB0NlCovF74bTwUaN8+CkMtCY7YF4h/uDLhwSu64EII=; b=bZn1r7M8LjoHM9de8NhBiPNzuJWqBP3c1EPrRh3BWFMwmkJQ9fFLzR37b3WptYvT+2 OXoarhUBtkQf8jMN1Qneq2MQVQNegnlo18BdG/3Iv1uCEd24AK8BPmu2oWP15ce8Pai9 k8mq1rQjDor4k8/m+HglZZj113dnHAE1adLIJ2WHO2z4CVWEuLGKyA/AVWvaV4TG44VF f4yDEBPW+biU91zP6gIq3ZBWaRZrQAMu3u/RZSeQzPxw85HweK2sts3edoEjyDwvv+4Y 26ahq+jE5hXds/DcclBxrM4RIzrle5K8wdRBP1WHY+XiZJzuE9vVs80v7CU3ju9euZfR 5srQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-transfer-encoding:message-id; bh=ZB0NlCovF74bTwUaN8+CkMtCY7YF4h/uDLhwSu64EII=; b=YrxGvjhBhCT1tj8Ns5twrcu3TmHzJR1MoCE7rEXit4/tHJB8Rp6m14DBeo3tYY2hDU e7hV+rC2EfogJ/1O+yrutDMFtvz1Lbz9Rk4qq19Hjm7jHzY26ezpEqrp1uHPSkjmZ+Bb 3Z+eyvHEH3UR+beCqFGfzr3o2QyxteHEheKwaKi2k+K7Li2x88cOanFYGeKTheEw7lY4 J77KKSLHQ5hJa/gAV5hnORJx1sYnK80V3vrj4tuaGy94/R68J26+qQ/7Ug4LO/+i/XmE k+msi9kFBQ0AgFbXcC5tJ5d0dCtSesS2EAR7SodJ05kfZGSmR4gOSdzhIZkYBRYV9K8p Gy/w==
X-Gm-Message-State: AD7BkJJtLdRLY8NGiL3yO6Dgby5o6xPLgmsXSzCJIHeC6hL5LWLIP6IuG8ntnw3X8CdpsA==
X-Received: by 10.37.4.129 with SMTP id 123mr2838976ybe.81.1457983530909; Mon, 14 Mar 2016 12:25:30 -0700 (PDT)
Received: from dave-laptop.localnet (pool-71-175-20-227.phlapa.fios.verizon.net. [71.175.20.227]) by smtp.gmail.com with ESMTPSA id f81sm14925033ywb.38.2016.03.14.12.25.30 (version=TLS1 cipher=AES128-SHA bits=128/128); Mon, 14 Mar 2016 12:25:30 -0700 (PDT)
From: Dave Garrett <davemgarrett@gmail.com>
To: tls@ietf.org
Date: Mon, 14 Mar 2016 15:25:28 -0400
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <56E54B85.4050204@cs.tcd.ie> <CAAF6GDc7mz6u_fu=k4LSqF+5fA-mkTbq0_AZ419WgVruk=BA7Q@mail.gmail.com> <CAH9QtQGti4SdCx2Cd73Moh+0qsx3utvc6trNYCib=BgyLiX=Nw@mail.gmail.com>
In-Reply-To: <CAH9QtQGti4SdCx2Cd73Moh+0qsx3utvc6trNYCib=BgyLiX=Nw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <201603141525.29198.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/0bbzpkPGxN873TeBZljs1qvMH_4>
Cc: Scott Schmit <i.grok@comcast.net>
Subject: [TLS] Splitting all stateless 0RTT into its own document (was Re: analysis of wider impact of TLS1.3 replayabe data)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2016 19:25:41 -0000
(This thread has gotten long and winding, so I'm replying to these two portions bellow under a new subject. Reply after quotations.) On Monday, March 14, 2016 02:38:27 pm Bill Cox wrote: > On Mon, Mar 14, 2016 at 9:10 AM, Colm MacCárthaigh <colm@allcosts.net> wrote: > > On Mon, Mar 14, 2016 at 8:35 AM, Bill Cox <waywardgeek@google.com> wrote: > >> As we all know, what matters most in security is the default mode. I am > >> suggesting making the default 0-RTT resumption mode stateful, with a > >> documented session-ID (and let's bring back the timestamp, too, since we'll > >> need it). > > > > Having state would make things much more robust; but rather than the state > > being around the channel itself (the TLS session), would it be more robust, > > and more flexible, for the state to be around the action? like some kind of > > hint cookie. > > It looks like server-side state is required to prevent replay. I don't > think any kind of token, cookie, or server-config can fix this. > > > One of the problems with session resumption is that in order to be replay > > safe; the sequence number has to restart where it left off. That requires > > some kind of transactional store, and if you're doing all of this for > > latency, you may end up eating all of the wins there. > > The new tickets can in theory end the debate over session caching vs > session tickets, since they can be used for database lookups or contain an > encrypted session state. However, the spec does not document how to do > session caching with tickets securely, which looks tricky. In reality, if > I were trying to build a speed and security sensitive site using TLS 1.3 > stateful 0-RTT resumption, I would probably do something like this: > > During the initial 1-RTT handshake: > - create a ticket containing only the session ID, resumption count, and a > session decryption key > - encrypt the session cache entry with the session encryption key stored in > the ticket > - encrypt the ticket with a semi-static ticket encryption key, which I > would rotate every few weeks > - send the ticket to the client, which is after encryption is enabled on > the connection > > During a 0-RTT resume handshake: > - check for a cache hit, and drop to 1-RTT if not found > - decrypt the ticket with ticket the semi-static ticket decryption key > - decrypt the cached session state with the session key from the ticket > - compare the resumption counts in the session state and ticket, and fall > back to 1-RTT if they do not match > - increment the resumption count > - create a new session ticket with a new session encryption key and the > updated resumption count > - encrypt the session cache entry with the new session encryption key > - send the client the new ticket On Monday, March 14, 2016 08:10:32 am Nikos Mavrogiannopoulos wrote: > It is important to see how protocols are perceived. For many people TLS > 1.3 with 0rtt will be the same as TLS 1.3. The first publication of an > attack against TLS 1.3 with rtt, will be perceived as an attack against > TLS 1.3 protocol. Even if the published attack against TLS 1.3 with > 0rtt was an expected one (i.e., replay of data), if the attack impact > is high, that may not be sufficient to stop the avalanche of bad > publicity. In turn that will lead several people losing confidence to > TLS 1.3 as a protocol, even TLS and the IETF process overall. > > My suggestion, if you need 0rtt, publish it as a different document, > don't mix it with TLS 1.3. The security requirements from TLS are > vastly different from the security requirements of a 0rtt protocol. Previous discussion seemed to land on the conclusion that semi-static DH 0RTT should be defined in a separate document, and after this discussion I'm beginning to agree that all stateless 0RTT should be defined as a separate companion document to the main TLS 1.3 specification. We can likely agree on defining a stateful 0RTT PSK resumption system which is sufficiently safe and mistake-resistant, and we could restrict the official TLS 1.3 spec to only specify that, whilst referencing the other document as a more experimental feature that could be available to certain applications (possibly a non-standards-track document). HTTPS could then, itself, have a separate document laying out the necessary practices to do stateless 0RTT safely, and other applications should be warned that without a similar such document, things are very risky. Is this in the ballpark of what the WG could agree on to help mitigate some of the problems here? Dave
- [TLS] analysis of wider impact of TLS1.3 replayab… Stephen Farrell
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Eric Rescorla
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Stephen Farrell
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Eric Rescorla
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Stephen Farrell
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Salz, Rich
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Eric Rescorla
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Yoav Nir
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Salz, Rich
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Stephen Farrell
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Kurt Roeckx
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Eric Rescorla
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Salz, Rich
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Ilari Liusvaara
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Andrei Popov
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Bill Cox
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Scott Schmit
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Bill Cox
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Erik Nygren
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Harlan Lieberman-Berg
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Colm MacCárthaigh
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Colm MacCárthaigh
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Bill Cox
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Ilari Liusvaara
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Eric Rescorla
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Eric Rescorla
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Nikos Mavrogiannopoulos
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Kyle Nekritz
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Bill Cox
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Viktor Dukhovni
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Colm MacCárthaigh
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Colm MacCárthaigh
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Colm MacCárthaigh
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Subodh Iyengar
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Watson Ladd
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Subodh Iyengar
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Colm MacCárthaigh
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Bill Cox
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Colm MacCárthaigh
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Ilari Liusvaara
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Colm MacCárthaigh
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Geoffrey Keating
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Bill Cox
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Ryan Hamilton
- [TLS] Splitting all stateless 0RTT into its own d… Dave Garrett
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Salz, Rich
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Bill Cox
- Re: [TLS] Splitting all stateless 0RTT into its o… Eric Rescorla
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Geoffrey Keating
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Ryan Hamilton
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Ryan Hamilton
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Colm MacCárthaigh
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Kyle Nekritz
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Bill Cox
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Eric Rescorla
- Re: [TLS] Splitting all stateless 0RTT into its o… Ilari Liusvaara
- Re: [TLS] Splitting all stateless 0RTT into its o… Viktor Dukhovni
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Hubert Kario
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Martin Thomson
- Re: [TLS] analysis of wider impact of TLS1.3 repl… Hubert Kario