IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 20 May 2017 10:16 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F7B4128CFF for <tls@ietfa.amsl.com>; Sat, 20 May 2017 03:16:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KBOYjx1O3LXw for <tls@ietfa.amsl.com>; Sat, 20 May 2017 03:16:19 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 41D1F127333 for <tls@ietf.org>; Sat, 20 May 2017 03:16:18 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 63639602B9; Sat, 20 May 2017 13:16:17 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id PUYW8sGSTsKz; Sat, 20 May 2017 13:16:17 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 2E21E283; Sat, 20 May 2017 13:16:17 +0300 (EEST)
Date: Sat, 20 May 2017 13:16:16 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170520101616.GC32428@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com> <CAAF6GDe1_ih1aUShrzAHUuTzbLx6+0BdVexpGnq90RZsST8GvA@mail.gmail.com> <CABcZeBOX5NXuhgfap2S0naO9PFXv+K-+fZVPbgck6yciVnrYbQ@mail.gmail.com> <CABcZeBPuOupLTNKOtuCgOjYNdiuw571HM-pq1vNZz_8x-XX5mg@mail.gmail.com> <CABcZeBMqALJ10cU7FMUhv8k5Q=tw3yu1-5pdrKzOBM3=g5PHJw@mail.gmail.com> <20170519095316.GA30080@LK-Perkele-V2.elisa-laajakaista.fi> <CAAF6GDeuRMZx9MRynrxMp1fCvRS2jjr0vcqt0R89cJEkD6u=rQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAAF6GDeuRMZx9MRynrxMp1fCvRS2jjr0vcqt0R89cJEkD6u=rQ@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1BkCsxqmWHUsqZxiki2lAzTBBok>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 20 May 2017 10:16:21 -0000

On Fri, May 19, 2017 at 09:59:57AM -0700, Colm MacCárthaigh wrote:

> 
> Some protection is necessary; but it isn't too hard - a single-use session
> cache, or a strike register, do protect against the side-channel and DOS
> problems. Combined with a "fail closed" strategy and tickets that are
> scoped to clusters or servers, these techniques do hard-stop the literal
> 0-RTT replays, and they are practical. Many of us run systems like that
> already.

As requirements:

- Clients SHOULD NOT use the same ticket multiple times.
- Clients MUST NOT use the same ticket multiple times for 0-RTT.
- Servers MAY accept the same ticket multiple times.
- Servers MUST NOT accept the same ticket with the same binder multiple
  times for 0-RTT (if any part of ClientHello covered by binder is
  different, one can assume binders are different). This holds even
  across servers (i.e., if server1 accepts 0-RTT with ticket X and
  binder Y, then server2 can not accept 0-RTT with ticket X and binder
  Y).

The "with the same binder" requirement is to deal with the following:

1) Bad client sends 0-RTT with ticket X and in-window age age1.
2) Some days pass...
3) Bad client sends 0-RTT with ticket X and in-window age age2.

Without the "with the same binder", that would mean the server MUST
reject the 0-RTT for 3), which would mean keeping state for days,
which leads to excessive resource usage.

With the "with same binder", the server can time out the state for
1) as soon as the age1 is out-of-window. And then it MAY accept
0-RTT for 3). This will not lead into mass replay possibility for
either 1) nor 3).

The part of assuming binders different if any part covered is
different comes from strong hash requirement TLS 1.3 has.


?

v2.23.0 | Report a Bug | By Email