Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
Colm MacCárthaigh <colm@allcosts.net> Fri, 25 March 2016 19:40 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 79C1912D6B7 for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 12:40:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K4DbMBMg5Y6N for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 12:40:08 -0700 (PDT)
Received: from mail-qk0-x234.google.com (mail-qk0-x234.google.com [IPv6:2607:f8b0:400d:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E892A12D682 for <tls@ietf.org>; Fri, 25 Mar 2016 12:39:45 -0700 (PDT)
Received: by mail-qk0-x234.google.com with SMTP id s68so38455446qkh.3 for <tls@ietf.org>; Fri, 25 Mar 2016 12:39:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=JQd7na7i6SJvkBwbO4gBt78a5SBvz3Ms6I1zEX197LU=; b=PEc1Qfhe82gTOKTjmRqQdCC08+PGumojcEP/0yDNKT8jVRFBFYhR/IidhU0hauiY7m n+gwprZOA+3MJ1haVD3gAgTqonpjh+i338HK3xWnNNeCGhGrg5wI9f1cmmaOquSnkiMD TWeppt2IuLE2hTOIpldNG3tgxc9cFAGV2fIeVS0e9JPBOXax79eKuP2dgRt7I42pYK+s GfdJd7QNHIhq2rD12hjM5jL5PBI8+xCQ+xxe8IquT/isXqboKwOHNpHQT4FwzPdC0627 JB6cryohfnwNm84s0CXOLm5ByxQfkuh0ygyLPuuj4DVVlTdbIZVXPRLW1PMvtK/py3zx esqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=JQd7na7i6SJvkBwbO4gBt78a5SBvz3Ms6I1zEX197LU=; b=dFuT7UvpEyrJoBz7cb1ucb9MX9s/CoxN0qjyvhRcEFEr5E8z4WLJMWILQYPOQwC8PQ 8m10Z84vec52+HTjuNs6ERz5kuEuGUNfqXEj6H3pLgVwaSvq3sL1kZ2yScBq4Pa3imvu 9NQcK8b7/DBSvXxSpEP0R8C1htPpZX4bhqcRFOjrkk8a5Dp/I+6925EmV46HCKy2RQmt VUdHG4SMzMNxcEUrij5OYKePzCMlE3LD37Xfc+PoFFff1Zf9mmpOb9rFYGTmiLEE8Pbg vnudlczMPKv1Aq4H6KGtPpdchgthv0w3TL+zDAGyOrb/fNRBEMwyTY7c+WXxHsKEMane J75A==
X-Gm-Message-State: AD7BkJLgZIMvwYACzZLUaGnHeDKH0ilPnXjagTDyg3Mh6S/fyEwvE0lwy6tQUZwWkwEuS3fSTG9liPcy4I91xA==
MIME-Version: 1.0
X-Received: by 10.13.212.202 with SMTP id w193mr8013621ywd.175.1458934785095; Fri, 25 Mar 2016 12:39:45 -0700 (PDT)
Received: by 10.129.88.137 with HTTP; Fri, 25 Mar 2016 12:39:45 -0700 (PDT)
In-Reply-To: <CABcZeBOThQ05O9WQsA5VfsZXv=DqZ83pV1EXH+ePcTugnr+8fA@mail.gmail.com>
References: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr> <CAAF6GDefiSCnggjgQJT3NG0DJMC2SDJ=r__npg5L6ycicuzpJQ@mail.gmail.com> <CABcZeBOigwqtBsuKTNTVAztFKuv75m+GmdVdYWX+nWGAkRJM5g@mail.gmail.com> <CAAF6GDdRzFZ_9YO4KguwTuR2Mi+pvUY6e=yS1MjD0hH9ymC=Ng@mail.gmail.com> <CABcZeBOThQ05O9WQsA5VfsZXv=DqZ83pV1EXH+ePcTugnr+8fA@mail.gmail.com>
Date: Fri, 25 Mar 2016 12:39:45 -0700
Message-ID: <CAAF6GDc7DaX-PaaT2y+QJz7_MRXUnDBkubZwXuse=28fV4bGEw@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a114fa17c9e32e1052ee4b937"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/1voUFvv4FdrEYTnH18L7VI-p8yY>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 19:40:09 -0000
On Fri, Mar 25, 2016 at 12:24 PM, Eric Rescorla <ekr@rtfm.com> wrote: > The issue isn't encouraged. It's whether we should design the protocol so > that it cannot be implemented any other way. > I think it is encouraged ... not really intentionally, but economically. We all know that the keys encrypting TLS tickets should be rotated frequently; but that's not something that happens that much in the real world. Take Apache httpd or nginx for example; both lack any support for rotation schedules or key id indication in the ticket. I've encountered a lot of environments using these, and other servers, and besides my own employer - I've *never* seen an environment in which the keys are actually rotated. Folks, developers and operators, just set up things up to the point there things "work". The end effect is that users have no way to know if their connections are actually forward secure. Now one could argue; that's impossible to begin with - maybe the provider is logging everything, including the full request and response bodies, and maybe those logs are weakly protected, and so on. That's true, but it's rare, and particularly egregious. The default at the transport layer should be to keep users sessions secret; even in the face of a credential compromise. That's what we're aiming for with TLS1.3 I think. 0RTT data is likely to contain request data; which I'd regard as sensitive - so I really want to make sure it's protected and that a user can tell with some confidence that it likely really is. If we require server state; it flips the economics. The default "cheap" way would be FS (no 0RTT), and if you do implement a session cache, you'll be incentivized to evict entries ASAP with a single-use requirement. And it gets us to a place where a compromise can only decrypt future sessions; not previous ones - which is the same as (EC)DHE. -- Colm
- [TLS] Cleaning up 0-RTT Signaling (ciphersuites, … Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Bill Cox
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Benjamin Kaduk
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh