IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Colm MacCárthaigh <colm@allcosts.net> Fri, 19 May 2017 17:00 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C67812955A for <tls@ietfa.amsl.com>; Fri, 19 May 2017 10:00:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uCOTivrtacim for <tls@ietfa.amsl.com>; Fri, 19 May 2017 09:59:59 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE44112954E for <tls@ietf.org>; Fri, 19 May 2017 09:59:58 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id b68so37504541ywe.3 for <tls@ietf.org>; Fri, 19 May 2017 09:59:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=MMNbUTor1Ci3ctM6BTavS9rqN88pI8bXZBmFT8VBO48=; b=SZwatnVBkIdp9AGGaPH18mB+hoWj+VWE75Yhkcl5pbWQOW9dEr6oGPrlqpk/lF7BR5 U0/J1o1aKWva4L2p5AYD2mokEeAcwYaZZunNrAF3Opkix8OrvJffZDJCc+hAqN1cDN0h VhuAMF4oXKjAvE4R0uwIENLiN9UK64eNWITxuSpFfCl6PKT3XM0mFtamkRBDj4vFTtZO 591kafqDRspR0QwQ8mQ1LzH0KwI0EvV9iMEmV2jbgVG3PsD0TMeNv8s7rsofcBIKzpZD DkuUHqPW1lYqa0FaHN/PTd27DSNy0xyFKAcqXXihM7jW7UVOwWCbF2xsgu4uf1lnXnI1 sB/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=MMNbUTor1Ci3ctM6BTavS9rqN88pI8bXZBmFT8VBO48=; b=mPmUfH82F+xwIULysnbetmLw8WTMTk6hFths7fJccUSzk4/7WWHoXRXlS2S9UrEd05 m21kR+cqKlFQnbE8/+o0Ylzd+FJp1fIlVCro/V1nCb4pZLetR6Uzsl64lje/CIvEUuVO QyHfFKrlr2tiFSoybbZSX+X4KqE1LbdwmklSSkjKnN3cfigWhQbAL5o2oqO8EPE4rQtO q3EsKCbNN4gy7YkUICoNAHccSJx5O3So3mnHZ1fo967i3Adj9aenOQL4+4kF9aDL5GC7 1kciDVyaQO7qXVHSMnVcBNTlFrP00imAUeRGZ537zLF7Rx60p5vTLFl3NrRGSZq3nRDE RZXA==
X-Gm-Message-State: AODbwcCSEK2jyuSD5/udhueflfxJwzld4iavNovVtvsj4EtFvnPvXxhK Rg+cMfSL/YOxFgidfGlzGhKORrwWvzsG
X-Received: by 10.129.152.68 with SMTP id p65mr8697409ywg.1.1495213197983; Fri, 19 May 2017 09:59:57 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.57.67 with HTTP; Fri, 19 May 2017 09:59:57 -0700 (PDT)
In-Reply-To: <20170519095316.GA30080@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com> <CAAF6GDe1_ih1aUShrzAHUuTzbLx6+0BdVexpGnq90RZsST8GvA@mail.gmail.com> <CABcZeBOX5NXuhgfap2S0naO9PFXv+K-+fZVPbgck6yciVnrYbQ@mail.gmail.com> <CABcZeBPuOupLTNKOtuCgOjYNdiuw571HM-pq1vNZz_8x-XX5mg@mail.gmail.com> <CABcZeBMqALJ10cU7FMUhv8k5Q=tw3yu1-5pdrKzOBM3=g5PHJw@mail.gmail.com> <20170519095316.GA30080@LK-Perkele-V2.elisa-laajakaista.fi>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Fri, 19 May 2017 09:59:57 -0700
Message-ID: <CAAF6GDeuRMZx9MRynrxMp1fCvRS2jjr0vcqt0R89cJEkD6u=rQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0ba6ca87b024054fe37378"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/3wdrRYM3aH8-q3CQCmz5wNzl1Rk>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 May 2017 17:00:01 -0000

On Fri, May 19, 2017 at 2:53 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:
>
> To me, that reads as gross understatement about the dangers involved in
> 0-RTT:
>
> - The side channel attacks with millions or billions of replays are hard
>   to protect against. This is if the side channels are in TLS library.
>   If not, protecting against that sort of side channels becomes
>   virtually impossible.

- Furthermore, with that kind of replay volume, protecting against DoS
>   attacks is virtually impossible.


> - Even if once-per-server or once-per-cluster replay detection limits
>   the number of replays to few hundred to few thoursand at maximum,
>   where the low-level crypto side channels are much less of a threat,
>   cache attacks can be used to break security (in fact, not sending a
>   mad burst of data to any one server is useful for carrying out these).
>

I wouldn't be too fatalistic about it. The speed of light is too slow for
human interaction, and 0-RTT is an important and awesome feature that we
should make safe and near universal.

Some protection is necessary; but it isn't too hard - a single-use session
cache, or a strike register, do protect against the side-channel and DOS
problems. Combined with a "fail closed" strategy and tickets that are
scoped to clusters or servers, these techniques do hard-stop the literal
0-RTT replays, and they are practical. Many of us run systems like that
already.


> Also, the kind of thing going on here seems exactly how I would imagine
> the past very bad decisions from TLS WG, that were known to be insecure
> at the time of specification and where then successfully attacked later,
> played out. However, I have not read those discussions from the ML
> archives.
>

In this case, I think people see the trade-offs differently and that's ok.
There's a sense that the risks or cost are worth it. After all, you can
mitigate a lot of the risk if you have a team of experts on standby who
manually mitigate these kinds of attacks, or more advanced automated
response systems. And many big providers do have both of these.

What concerns me most is that the 0-RTT interactions here are formalizable
and that the messaging interactions can be modeled in TLA+, F*, etc ... but
that hasn't been done as it has with the rest of the TLS1.3 state machine.

My TLA+ simple model convinced me that what's in the draft doesn't actually
work; there's nothing in the messages that allows a server to de-dupe, I
wrote up a simple 3-message example of this earlier in the thread, and it
seems to hold to the breaking the "X-" header trick that one provider came
up with.  That already in this draft deployment phase, that can advanced,
knowledgable, provider's attempt at a mitigation can be shown to be broken
should be cause for alarm. It's not a safe set-up.

Here's all I think we need to fix all of this though, in order of priority:

For relatively "Normal" clients (e.g. Browsers):

* Servers supporting 0-RTT need to robustly prevent replay of literal 0-RTT
sections. No time-based mitigation, which simply doesn't work. This is the
"cost" of doing 0-RTT.
* Clients should be the real arbiter of what to use 0-RTT; e.g. never use
for POST, etc. This could bear some emphasis. It's important because
middle-boxes exist.

For careful clients, think about something implementing a transaction over
TLS:

* If a 0-RTT section is sent but does not result in a successful receipt,
that failure needs to be signaled to the client.
* In order to fully reason about when that message may later get received,
there needs to be an agreed upon time-cap for 0-RTT receipt. Agreed by all
potential middle-boxes in the pipe that may be using 0-RTT.

And then separate to all of the above, and lower priority:

* There's a contradiction between the obfuscated ticket age add parameter
and the desire to use tickets multiple times in other (non-0RTT) cases. We
can't do one without defeating the point of the other. Either remove the
obfuscation because it is misleading, or move it into an encrypted message
so that it is robust.

-- 
Colm

v2.23.0 | Report a Bug | By Email