Re: [TLS] analysis of wider impact of TLS1.3 replayabe data

Bill Cox <waywardgeek@google.com> Sun, 13 March 2016 22:22 UTC

Return-Path: <waywardgeek@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 14E7212D869 for <tls@ietfa.amsl.com>; Sun, 13 Mar 2016 15:22:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hnSmY4VjjPwB for <tls@ietfa.amsl.com>; Sun, 13 Mar 2016 15:22:48 -0700 (PDT)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D92912D84B for <tls@ietf.org>; Sun, 13 Mar 2016 15:22:48 -0700 (PDT)
Received: by mail-io0-x235.google.com with SMTP id g203so203018180iof.2 for <tls@ietf.org>; Sun, 13 Mar 2016 15:22:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=7ZArWY+CXaLFIecYgyFHP1uC8mHjtFUBzmMcOTF/dgk=; b=MA8YioNXhG8VXh3bDe/8Ya6pgW8aFUcr8Dg/X6F8pvXysBG4eyGYcDqZPdpXghhs3m NzhJwdjLB+tTyibTfxBPqtYijCVqeXvr+b7lJT9TJeecX3r77UjYp7xRcEcHNqMtUiZ4 q2MbcuK73fsufZk8VXlRk6SEpE0noouQidWK+uimIlf2vEs8Kgfw10ViT6Ttxc5UhwJL qZaO33ggpstkBLSD7wt9Ru90Ipl1b2ArSbu5bBiwH3DcwPY2swhuXGRWc8IBpG7FJ7LC +Kt82qpbyXxMKsf2E1bM41JspCbemx5ARnmasBEgmJrHlow4591tegaFnf/h7vkE5lth TfaA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=7ZArWY+CXaLFIecYgyFHP1uC8mHjtFUBzmMcOTF/dgk=; b=jngCXHH+UOOS5AOIVnFRfTWmbbM39hUiQx2IRRSvQlpwd87ptDs7HZLx6b+2evr0TO 6amcguVSZUVA50IlTpA4pFfOu0n7Nhq72uZ1bCmwJJ4xAmh/z3CDnM+uW0hEieBnEqa9 oeoy9WUi+LZ6c6wsPJKt+E3gOshR+FZTneMCRD10K+yMvqD7dhIizZOhwBo/EjwmlGz7 r6vxnyVQyS4QyEqZ9qe3WwNjTw+YtGY4YQEgE5mXVfu+YKWH4pH17vfNZheCr78nQsOp HeF0yVrPhnaMe9iVnAj0023QvgVauDdyTMTioDsZNN/WxkLgIKQ9mgA0zZuMQ8Us6K3v sHcA==
X-Gm-Message-State: AD7BkJJJu9a5qD44vdlvDO/utkTCHO9xk6NpiJdwtPxXYENoLmvy4H9+upmglTLkgSgzNTZWl+582a0u2SRz+8NP
MIME-Version: 1.0
X-Received: by 10.107.138.35 with SMTP id m35mr22405915iod.127.1457907767429; Sun, 13 Mar 2016 15:22:47 -0700 (PDT)
Received: by 10.107.183.141 with HTTP; Sun, 13 Mar 2016 15:22:47 -0700 (PDT)
In-Reply-To: <20160313212342.GA27160@odin.ulthar.us>
References: <56E54B85.4050204@cs.tcd.ie> <20160313212342.GA27160@odin.ulthar.us>
Date: Sun, 13 Mar 2016 15:22:47 -0700
Message-ID: <CAH9QtQFAJkq-cmY3xhvw43N4q1E7i1JJoECKLpVFb_vTRbGs4A@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: Scott Schmit <i.grok@comcast.net>
Content-Type: multipart/alternative; boundary=001a113f2da898170e052df59a52
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/1H6WrH1BOzfvHaGie2jixO_-Ap4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] analysis of wider impact of TLS1.3 replayabe data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 13 Mar 2016 22:22:50 -0000

On Sun, Mar 13, 2016 at 2:23 PM, Scott Schmit <i.grok@comcast.net>; wrote:

>
> So why are we adding a protocol optimization known from the start to be
> insecure (or less secure than you'd expect from using a PFS cipher
> suite)?
>

If you require PFS with resolution on the order of seconds to minutes
rather than hours to days, you probably do not want to use tickets either.
The ticket decryption key rotation schedule limits PFS.  0-RTT resumes do
not make this worse.

What percentage of servers that have a perceived need for 0-RTT will be
> able to securely use and benefit from this feature as their
> infrastructure is actually implemented?
>

Well, Google already sees a significant fraction.  Going back to 1-RTT
would be a significant downgrade.

If almost everyone should turn it off, why are we including it?
>

Almost every small site on the Internet should turn it off, but the large
sites that want to enable it could make up a large fraction of all traffic.

Most server admins won't be reading the TLSv1.3 spec.  They're going to
> see "shiny feature added specifically in this version that makes it
> faster!" with *maybe* a warning that there are risks, which they'll
> dismiss because "if it was so insecure, they wouldn't have included it
> in the protocol in the first place."  Unless 0-RTT can be fixed, it
> looks like an attractive nuisance.
>

I agree.  Instead of dropping 0-RTT, I think we should make it easy for
admins to learn about what is involved in using 0-RTT in ways we believe
are secure.  The two modes I am aware of that are potentially as secure as
TLS 1.2 session resumption are:

- Do 0-RTT session resumption using a session cache, using the ticket as
the session ID.  This should have the same security as TLS 1.2 resume,
right?
- At the HTTP app layer, make all requests that change state transaction
based with unique transaction numbers, so replay attacks fail to change
server state.  Done successfully, this should be more secure than TLS 1.2
resumption, shouldn't it?

Are we aware of other secure ways to do 0-RTT?

Bill