IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Nico Williams <nico@cryptonector.com> Wed, 03 May 2017 21:22 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1012129B4C for <tls@ietfa.amsl.com>; Wed, 3 May 2017 14:22:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CqBGyA7IGugA for <tls@ietfa.amsl.com>; Wed, 3 May 2017 14:22:35 -0700 (PDT)
Received: from homiemail-a64.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DB101200C1 for <tls@ietf.org>; Wed, 3 May 2017 14:20:51 -0700 (PDT)
Received: from homiemail-a64.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a64.g.dreamhost.com (Postfix) with ESMTP id 06BADA004936; Wed, 3 May 2017 14:20:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=uexOx8p+1nScdqi7U5I+Hqi4GfE=; b=X8DmTEkpnkh aG5uDeAF+u8+nzLHrrT6VjZ1ZZpxmx3zOx7IinESbW4b5haStL3UQDK4t3BPOlxT NSUcpi78aQcFOvWV0IX4hLnbheBVoUi+c9RGseWIcLlnIPlrZ9ovB5LFG4DWS6A5 9nxx7bveMz1KBz77oKB8lAF2VEMu+Yow=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a64.g.dreamhost.com (Postfix) with ESMTPSA id 971C5A004935; Wed, 3 May 2017 14:20:50 -0700 (PDT)
Date: Wed, 03 May 2017 16:20:48 -0500
From: Nico Williams <nico@cryptonector.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: TLS WG <tls@ietf.org>
Message-ID: <20170503212046.GT10188@localhost>
References: <CAAF6GDfQ+YXV4gvhBOOZKC=wtYhxQUy1_2_M+dgfbdL25pppiQ@mail.gmail.com> <BCD73E79-0675-4B71-92B4-3226F0BAB597@dukhovni.org> <CAAF6GDdpq8DgLx5Fo6apoTHgwQsbdn6hb=ozi1+JP9VMxPw6sA@mail.gmail.com> <539D071B-7DDD-4820-A9E4-EC178400B7B2@dukhovni.org> <420471d6016a41ecbcdf9562be303f62@ustx2ex-dag1mb1.msg.corp.akamai.com> <17414FC2-15BB-4A03-8673-7F8299E5428E@dukhovni.org> <20170503182955.GR10188@localhost> <CAAF6GDf_5tuU=L8vCv5f1wgwy8NxvDcJb9TjJ+iHcNOqETASoQ@mail.gmail.com> <20170503193517.GS10188@localhost> <CAAF6GDeJRPB+1JJ39VrrASHZ6-OT5EL-KVmd6Snw1n1h5DKyng@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <CAAF6GDeJRPB+1JJ39VrrASHZ6-OT5EL-KVmd6Snw1n1h5DKyng@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1E4lpyJs7kdjYT24cIzulX_1Ykg>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 21:22:37 -0000

On Wed, May 03, 2017 at 01:19:35PM -0700, Colm MacCárthaigh wrote:
> On Wed, May 3, 2017 at 12:35 PM, Nico Williams <nico@cryptonector.com>
> wrote:
> > No, please don't remove the obfuscated ticket age.  Either make it
> > encrypted or leave it as-is.
> 
> If it is to be encrypted, say AEAD'd, it needs to be encrypted under a key
> that the client and server share; because the client needs to modify the
> age before sending. Moving the age to its own message, post Client-Hello,
> could solve that - so it comes out of the ticket.

Naturally.  That's why we have ticket session keys.

> That scheme is a bit weird and circular: the server would have to "use" the
> ticket to derive a key that decrypts the age, to then decide if it should
> "really use" the ticket for 0-RTT data. That seems pretty convoluted to me
> - could be a fairly complicated security proof.

It's what Kerberos has been doing for decades.  RFC4120 (before that
RFC1510).

> > Type 2.1 - Ticket intended for 0-RTT, does include the ticket age (maybe
> > > not in the ticket itself, but somewhere in the handshake), can only be
> > used
> > > once.
> >
> > No.  Give advice.  Do not remove these features.
> 
> I think the can only be used once for 0-RTT needs to be firm. Otherwise
> 0-RTT mode is insecure.

I don't agree: the application may not care.

> > > Type 2.2 - Same as 2.1, but required to be smaller than RPSK in size, to
> > > prevent self-encryption.
> >
> > I don't grok this.
> >
> 
> Self-encrypting tickets require STEKs and all of their problems. [...]

Can you elaborate?  (I don't follow TLS WG that closely.  I'm from
KITTEN WG.)

Nico
--

v2.23.0 | Report a Bug | By Email