IETF Logo Mail Archive

Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)

Colm MacCárthaigh <colm@allcosts.net> Fri, 25 March 2016 19:23 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2B6212D0C1 for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 12:23:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7yhM7wfdEoeR for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 12:23:11 -0700 (PDT)
Received: from mail-qk0-x231.google.com (mail-qk0-x231.google.com [IPv6:2607:f8b0:400d:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E27E812D0FC for <tls@ietf.org>; Fri, 25 Mar 2016 12:23:10 -0700 (PDT)
Received: by mail-qk0-x231.google.com with SMTP id s5so37924186qkd.0 for <tls@ietf.org>; Fri, 25 Mar 2016 12:23:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=j8aTAiHQ3Tvf97M6+dAZHwWQmkaGrxpGZET/kNNNzhs=; b=U1C9UOiHEowQ/f5/O5fsJpL7VtMoWHF9X6bq4dkXR5NhheLS5CQ2eZtEbcnKb8Npmk 52BmqvBzNKf3asauv9eBbDY3rg8IxJg8FGDnKWDgKYWPrBNBGvovjZ1Fpqu/6Q1YMpXX ZkwVwAcma38cslsUUGtpadPJBHbC4UaqDB/8HWdpXF2wBhMOVUQghG9cfnu91MrzSIWb k5PEH+WNM9aC3OZUfZZ4tQO5d4t8MS7VvrA+lXx88nKrOaXYPCPMk7iyPN4sEJ51bTJa YeW9RGJqnyJDi/jqv4M/AAa66DVruQdeGRoQi72EjoftPYp/6Y8X2euiwth74BlHDMXf +7Lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=j8aTAiHQ3Tvf97M6+dAZHwWQmkaGrxpGZET/kNNNzhs=; b=F/RzUULF/d0c4fnrOE7NncSR0hYo2TA2vy44VzasbHX48Z7e8ylwGxQxkvFrTDFfVe 7J62NqL4n97+YnhB9JEmamC2E0mRwwEWvr3Z4OcO/t6d5J0Sy+aEFPcSBtcTO5huwctH Twvdu4KLC7Reb+6KIXvm7AH6+LBF5vm056FLeKI3MDtl7cB4hNfYfJabqOlz7t2v2hZx P+ieQSOz99HgGINmvsNvEnq56Da6sAA7aGQkkr23Q3uTZRLxRabm7lQYw8qSttFo98eF MVeaHn86TBhzyEnF2Khc15TmRz3eG0cJdp0JY7vdL5Ws/FN5TFWitNGP7UkcR2oEr2u5 6G+w==
X-Gm-Message-State: AD7BkJJYYBZ+7xwPqwPheqklkLLRKeX7cJlESYoYS1uUqbH2yHzidFBFqqUW4Agz/NpBUWalng9thFqPjme9JA==
MIME-Version: 1.0
X-Received: by 10.129.155.81 with SMTP id s78mr7968438ywg.24.1458933790020; Fri, 25 Mar 2016 12:23:10 -0700 (PDT)
Received: by 10.129.88.137 with HTTP; Fri, 25 Mar 2016 12:23:09 -0700 (PDT)
In-Reply-To: <CABcZeBOigwqtBsuKTNTVAztFKuv75m+GmdVdYWX+nWGAkRJM5g@mail.gmail.com>
References: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr> <CAAF6GDefiSCnggjgQJT3NG0DJMC2SDJ=r__npg5L6ycicuzpJQ@mail.gmail.com> <CABcZeBOigwqtBsuKTNTVAztFKuv75m+GmdVdYWX+nWGAkRJM5g@mail.gmail.com>
Date: Fri, 25 Mar 2016 12:23:09 -0700
Message-ID: <CAAF6GDdRzFZ_9YO4KguwTuR2Mi+pvUY6e=yS1MjD0hH9ymC=Ng@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="94eb2c0b8e7c4e4c02052ee47ec3"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/25Lws3XDx9Uikx622qUXEw0HgvU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 19:23:13 -0000

On Fri, Mar 25, 2016 at 11:36 AM, Eric Rescorla <ekr@rtfm.com> wrote:

> On Fri, Mar 25, 2016 at 11:27 AM, Colm MacCárthaigh <colm@allcosts.net>
> wrote:
>>
>> +1 but I think we can go further here and specify 0RTT in such a way that
>> it only works when the server maintains state, and so that any given 0RTT
>> ticket may only be used once (to preserve forward secrecy as much as
>> possible within the constrains of 0RTT).
>>
>
> I'm not enthusiastic about this. This seems like it would rule out a bunch
> of implementations
> which don't need that guarantee.
>

With 0RTT, it doesn't seem to be possible to have anti-replay of the
message itself without some kind of server state. It's also beneficial for
cryptographic safety to prevent at-will re-use of the ticket - other-wise
the data is subject to the kind of "try and iterate" attacks we've seen be
very successful against DTLS because of its tolerance for duplicate and out
of order messages. If server state is required, some more good can come of
it by improving the forward secrecy of the 0RTT data to match that of
regular data; which I think is most important of all.

An implementation would have to be willing to sacrifice replay protection,
some cryptographic safety and forward secrecy for the 0RTT data. I'm sure
there are implementations that would sacrifice these things to get lower
latency more cheaply, but should they be encouraged?  I'll admit that this
is an unfair simplification in this case since it's a more grey area, but
"fast, secure, cheap: pick two" is at play here, and many would pick "fast,
cheap".


-- 
Colm

v2.23.0 | Report a Bug | By Email