IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Nico Williams <nico@cryptonector.com> Tue, 02 May 2017 18:28 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 90FCF129B8D for <tls@ietfa.amsl.com>; Tue, 2 May 2017 11:28:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fRf5bLPgTPdU for <tls@ietfa.amsl.com>; Tue, 2 May 2017 11:27:58 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A21DF127843 for <tls@ietf.org>; Tue, 2 May 2017 11:25:33 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTP id 438A2C086D1D; Tue, 2 May 2017 11:25:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=nwPAFOUAMuRlqHqzVnIgXQZPwdQ=; b=mBRAFbcar1g EdZiz1B/T3OEFL93R9Hxki/jfkud+NsMuuxPmoxS9R6cLn5QcWVvUFr57bW790U/ 07UoObfwHGDkssNqBYif0wNiQKxXbYy32vwDgqFNAKsbGansukfntmoBIZfvAe8+ LpdMI9S8OgFZmd4reDspnlP0tOC5zqq0=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTPSA id B41A1C0028A3; Tue, 2 May 2017 11:25:32 -0700 (PDT)
Date: Tue, 02 May 2017 13:25:30 -0500
From: Nico Williams <nico@cryptonector.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: TLS WG <tls@ietf.org>
Message-ID: <20170502182529.GG10188@localhost>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <C29356B3-6D71-4088-9AB3-4954327F1E7B@dukhovni.org> <20170502173905.GC10188@localhost> <CAAF6GDeYc5o=eeeyV6HhK9vrLngB-Y=Ed5BdedrE8h2-py4oAw@mail.gmail.com> <20170502180049.GE10188@localhost> <CAAF6GDecd=x-Ob_eO1vSWr6cb6jAeyHBx7zf6cpX=GfxBosfLQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <CAAF6GDecd=x-Ob_eO1vSWr6cb6jAeyHBx7zf6cpX=GfxBosfLQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/16EbyecnG3t-JBCdCJAScRxMOeo>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2017 18:28:01 -0000

On Tue, May 02, 2017 at 11:17:42AM -0700, Colm MacCárthaigh wrote:
> On Tue, May 2, 2017 at 11:00 AM, Nico Williams <nico@cryptonector.com>
> wrote:
> > I would think that the ticket itself is enough for that when using
> > 0-rtt.  I.e., if you don't want connection correlation to be possible,
> > you can't use 0-rtt.
> 
> I don't think so. If the ticket is encrypted when it issued, I don't follow
> how it could be used to correlate the original connection with the 0-RTT
> connection.

The ticket's _ciphertext_ is not visible to the eavesdropper when it is
issued, but it IS visible to the eavesdropper when it is used in 0-rtt.
The client cannot change the ticket's _ciphertext_.  Therefore the
eavesdropper can correlate 0-rtt connections when tickets are reused.
The obfuscated ticket age is irrelevant to that.

Now, I understand that the obfuscated ticket age goes in the clear in
0-rtt connections, and that if the attacker could work out the
unobfuscated time then the attacker could correlate not just the 0-rtt
ticket-reusing connections with each other, but also some earliere
ticket-establishing connection(s) observed at that time.

I find the obfuscated ticket age business a bit silly, but maybe I'm
missing something.  The client should really send an [encrypted]
authenticator that includes a timestamp, thus allowing the server to
detect replays and so on -- just like Kerberos.  Then this problem
wouldn't happen.

In any case, given that ticket-reusing 0-rtt connections can be
correlated with each other, the ability to further correlate them with a
ticket-issuing connection(s) established earlier doesn't seem to be that
much more of a big deal.

If it's at all possible to move this timestamp into an authenticator at
this point, I think that's the best solution.

Nico
--

v2.23.0 | Report a Bug | By Email