Re: [TLS] 0RTT?

Martin Thomson <martin.thomson@gmail.com> Sun, 03 August 2014 20:22 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5ED9A1ABD17 for <tls@ietfa.amsl.com>; Sun, 3 Aug 2014 13:22:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_46=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q6_JZn-BykW8 for <tls@ietfa.amsl.com>; Sun, 3 Aug 2014 13:22:07 -0700 (PDT)
Received: from mail-we0-x231.google.com (mail-we0-x231.google.com [IPv6:2a00:1450:400c:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ADA261A0303 for <tls@ietf.org>; Sun, 3 Aug 2014 13:22:06 -0700 (PDT)
Received: by mail-we0-f177.google.com with SMTP id w62so6694472wes.8 for <tls@ietf.org>; Sun, 03 Aug 2014 13:22:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=xBMIfHq0O0Gv/AbIb1wUDFL/qnyq2FAm8/P/oZb2aMY=; b=C+w8sBgqxOu+7tNMilpVJ67YmxfRn0dGefHgyg59I4AuJF/lImxSioH7qeDeZCAxwV sWhR4LbKf0R21zE/7n5vzozj51eWW1BdF46a2Sd5VwbqISL8ABQMZt4UaWs0okYntEfD /SiNrrhr6tmi3Zo21IaFJb7zHZKrSIfDYJ0lINdmFLtMKxHXsde0EmgGSXKyNS6Zx0sM gNTgxQPbq3OMQNcGnU80p7dLKdB3eTZo0r410NEY7tD7UBt2V4cAJFUnIi7qsvwzCszH ur3SKQ5y3zTshPO9MoNosWhM2hFAf0CDn0Y99kZibuKFYX2KT95ufKpuBL23FilWJBfP OyMw==
MIME-Version: 1.0
X-Received: by 10.194.91.228 with SMTP id ch4mr25853488wjb.59.1407097325197; Sun, 03 Aug 2014 13:22:05 -0700 (PDT)
Received: by 10.194.6.229 with HTTP; Sun, 3 Aug 2014 13:22:05 -0700 (PDT)
In-Reply-To: <CACsn0c=wUvV1M0kZ2y6OcC_UPoRtBRz1Nh_zb_sLYamozoPrpw@mail.gmail.com>
References: <CACsn0c=wUvV1M0kZ2y6OcC_UPoRtBRz1Nh_zb_sLYamozoPrpw@mail.gmail.com>
Date: Sun, 3 Aug 2014 13:22:05 -0700
Message-ID: <CABkgnnWQn1D306KSJ70Qqe1=PJJ=wH=sy830=2kbzo0eLjjiSg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/2R2on6Th49vKpMrvttPEYznmP5A
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0RTT?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Aug 2014 20:22:08 -0000

This reads a like a halfway between the proposed 0RTT handshake and
resumption.  The advantage here I'm guessing being that this is
resumption, which means that you bind to a specific previous session.

However, I keep hearing that the main benefit of resumption is that it
doesn't require a new DH operation.  And yes, this is still important
even with the higher performance EC provides.

This relies on an old session, whereas the proposed 0RTT uses a DH
share that is essentially public, so that it can be cached and shared
(DNS, signaling).

As far as security goes, I don't see any major issues with this.  The
initial round of application data is going to be as well protected as
the previous session was.  As long as you aren't able to choose a
different cipher suite to what was previously used, and I can't see
why you would want to even contemplate allowing that.

Why do you need a new message?  Since you are using DH, you could just
use the remainder of the 1RTT handshake structure with
ServerKeyExchange.  You could, I suppose eliminate the authentication
messages in order to rely on the previous session.

If the fallback story when the ticket/nonce/share is bad is the
existing regular handshake, then this is quite close to the proposed
0RTT mode.  With a few differences in terms of the first flight keys
are derived and their lifecycle.

On Aug 3, 2014 10:09 AM, "Watson Ladd" <watsonbladd@gmail.com> wrote:
>
> Dear all,
>
> I think I came up with a decent idea for handling 0RTT handshakes,
> namely making resumption 0RTT, and doing a side rekeying.
>
> To see this work we assume that the usual resumption ticket gets set
> in the handshake, and determines the PMS. A resumption looks as
> follows:
>
> -The ticket
> -An anti-replay nonce: BLAH bytes
> -A refresh key: since we know what the server wants, we can provide a
> group it supports
>
> The PMS that gets used is PMS_interim= HMAC(old_PMS, nonce || refresh
> key): data encrypted as usual under the old ciphersuite follows. (Note
> that we may have to include the entire Client Hello hashed: this is
> probably easier, except that the data goes in the Client Hello when
> using the current inclusion mechanism)
>
> On receiving this a server looks up the anti-replay nonce and checks
> it is fresh. To make this easier we include UTC time since the epoch (
> midnight of 1 January 1970) and mandate some degree of synchronization
> and a window. To avoid tagging with clock drift we truncate some low
> order bits after adding a random small offset.
>
> If the nonce is not previously seem the server can send Application
> Data as normal.
>
> We now introduce a new handshake type: Rekey Finish, containing a new
> ticket and server key. CCS follows afterwards. These are sent
> encrypted.
>
> The new PMS will be HMAC(PMS_interim, ECDH(server, client keys)).
>
> The big limitation is ticket keys are going to need rotation. This
> also doesn't address the desire to put extra data in DNS to give some
> degree of forward secrecy, but I don't think you can change DNS that
> quickly without some problems.
>
> Furthermore, if we want rekeys without renegotiation, we can reuse
> Rekey Finish and add a Rekey Initiate handshake type that will send
> the client key.
>
> Open questions: how secure is this? We certainly need to hash the
> anti-replay nonce into the keys: is that all we need? (Not if we want
> to avoid attackers manipulating which method we use) Does noisy
> truncation work to prevent fingerprinting while reducing storage
> requirements?
>
> Sincerely,
> Watson Ladd
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls