IETF Logo Mail Archive

[TLS] Certificate compression draft

Victor Vasiliev <vasilvv@google.com> Mon, 06 March 2017 22:58 UTC

Return-Path: <vasilvv@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAD3D129A6B for <tls@ietfa.amsl.com>; Mon, 6 Mar 2017 14:58:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TauGQkrSCX6r for <tls@ietfa.amsl.com>; Mon, 6 Mar 2017 14:58:13 -0800 (PST)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40419129545 for <TLS@ietf.org>; Mon, 6 Mar 2017 14:58:10 -0800 (PST)
Received: by mail-qk0-x22d.google.com with SMTP id y76so49099077qkb.0 for <TLS@ietf.org>; Mon, 06 Mar 2017 14:58:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=0BcMc9C4GVjQiJdqqPXGV12qLMHlxAhAP+0FwqyXraw=; b=DOnjLTaYTOzJqyjpp4SAUpuCXwiyHHvtoF+1HFVej7LVoYEuJ8SgbK1QAsNZGPFii9 QC5GmliUlyyTHhYAVWcIG+dtmGq+U551qNhBmuGa8l/1GSA89moU+w64uVkIgj6P+pqY t4zncq6p3BCEC2GZRQETNh5g7Dn6aIcrtDSMI/0fhJk0Su5mD02hVHUwlwnb0J4j4hBa yCSQuN7KBmZuOg1/HZhOkB34NcxwQArBuKb1/ikliKwQTLzH1y0zzRjwEj4+sqmjZjFh Xg7/nLKNc8Q/ynH6L0u76zE1R/v/6C6eMZF7egEmEl8QyqfoUh1ibVdkcTMzF1lGIppA SOeg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=0BcMc9C4GVjQiJdqqPXGV12qLMHlxAhAP+0FwqyXraw=; b=i2H9EJIVGvix1sbvHf8nQpFT3iZjyYBx4UCXiwa8bAutq8FZzjWhi5qm0Pieig6vBI lWfYFUJpfawQaBR6jBv+iQEvrAyDM3o3DEnShdS98VGXSrzaHuu1Mg6b2bA8NP6tHfX+ MQ1yyKqgTd8naQLL+04/+ydMZDVLTsI4zAQ8SmMIgeuqoKBQa+pE6MU6wzPvgG+WV1HH Is1SlPBC1oZTdkpWQZ+yDUhXDBToHzEg22xYafhe14y1qMCK9Dohc2yU0ODr4ObdWgLn GyR9aMj+GfNVJV3wHU2rbe0gm5ZOBa9PhUWCX7Rdeoh3FLaE9gz1YbP4/Pcx++KzB8xW UM0w==
X-Gm-Message-State: AMke39nH/LV49tvFK86q9RTtb0vAXDEkIUJ8wT0i+I/lBhzcTDSFInNL9osXwVOcWi/rsbt7gyfdj8RtknXd2Tgx
X-Received: by 10.200.35.36 with SMTP id a33mr17815593qta.216.1488841089081; Mon, 06 Mar 2017 14:58:09 -0800 (PST)
MIME-Version: 1.0
Received: by 10.55.47.4 with HTTP; Mon, 6 Mar 2017 14:58:08 -0800 (PST)
From: Victor Vasiliev <vasilvv@google.com>
Date: Mon, 06 Mar 2017 17:58:08 -0500
Message-ID: <CAAZdMacAcSUL4sqLPA1E9-z_VaUSd1P5PpPryO+XQso0eUtThw@mail.gmail.com>
To: "tls@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="001a113a7db83e4cfb054a17d438"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/20ZYRZgSkfIQs3ClBNGoaVW1CKo>
Subject: [TLS] Certificate compression draft
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Mar 2017 22:58:15 -0000

Certificate compression has been discussed on this list briefly before, and
there was some interest in at least considering a draft for it.  The draft
now
exists (co-authored by Alessandro and myself), and it can be found at:

https://datatracker.ietf.org/doc/draft-ghedini-tls-certificate-compression/
  [ GitHub repo: https://github.com/ghedo/tls-certificate-compression ]

The proposed scheme allows a client and a server to negotiate a compression
algorithm for the server certificate message.  The scheme is purely opt-in
on
both sides.  The current version of the draft defines zlib and Brotli
compression, both of which are well-specified formats with an existing
deployment experience.

There are multiple motivations to compress certificates.  The first one is
that
the smaller they are, the faster they arrive (both due to the transfer time
and
a decreased chance of packet loss).

The second, and more interesting one, is that having small certificates is
important for QUIC in order to achieve 1-RTT handshakes while limiting the
opportunities for amplification attacks.  Currently, TLS 1.3 over TCP
without
client auth looks like this:

  Round trip 1: client sends SYN, server sends SYN ACK
    Here, the server provides its own random value which client will
    have to echo in the future.
  Round trip 2: client sends ACK, ClientHello, server sends
ServerHello...Finished
    Here, ACK confirms to server that the client can receive packets and is
not
    just spoofing its source address.  Server can send the entire
ServerHello to
    Finished flight.

In QUIC, we are trying to merge those two rounds into one.  The problem,
however, is that the ClientHello is one packet, and ServerHello...Finished
can
span multiple packets, meaning that this could be used as an amplification
attack vector since the client's address is not yet authenticated at this
point.
In order to address this, the server has to limit the number of packets it
sends
during the first flight (i.e. ServerHello...Finished flight).  Since
certificates make up the majority of data in that flight, making them
smaller
can push them under the limit and save a round-trip.

Cheers,
  Victor.

v2.23.0 | Report a Bug | By Email