Re: [TLS] Call for consensus: Removing 0-RTT client auth
Bill Cox <waywardgeek@google.com> Thu, 07 April 2016 15:52 UTC
Return-Path: <waywardgeek@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 402C212D0E9 for <tls@ietfa.amsl.com>; Thu, 7 Apr 2016 08:52:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FK54vSwdPkZD for <tls@ietfa.amsl.com>; Thu, 7 Apr 2016 08:52:12 -0700 (PDT)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9002412D0C6 for <tls@ietf.org>; Thu, 7 Apr 2016 08:52:12 -0700 (PDT)
Received: by mail-vk0-x230.google.com with SMTP id e185so104549117vkb.1 for <tls@ietf.org>; Thu, 07 Apr 2016 08:52:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=/cQsHdLBaCBvIEsCakWKTcol3WJlAux8DQ8NhdxnzwQ=; b=BIdoTBwzV4wC2BT9LP3LimG9jPPxeCGTujmkbJNzn3RtP001Z7QM+n6KqTnU+EPtqP /CvAHZ+ndzD8JJ+wdsqldEHrYdkHCKSaUGF6GovJO4G8Zc/2KAM6aeZPGRaRFCI8rLee 1m8p3Ps87hGTfWJskkTQo3PfzBUXIE78oXfGlM6X3O2l3x7PjUrWMNstoMuxOEbncwbA ISOd8010ZhkggIAulhgQc7pSNOR/3liuz/gkG0TyXrkIh1AzX4fPyBqzs5p/EvsedSZr wJFmnQo5qe6aLUWkWDFvh1fOLSDPYxo2wjnaa8IfWwVGOQaRFOeOP0maNKb9VSoOIpkq xtNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=/cQsHdLBaCBvIEsCakWKTcol3WJlAux8DQ8NhdxnzwQ=; b=U+sGG8ql/yR0TFM7m0gN6GHzswYcrYo7uVhjYdMxy4Yp33MhUyN+cf4t2rdX3rjVXx WGAG1Zh3GxURk2gmMsmKCVrqDsZZ4GG82jSmFLs8oVyAqYfb/iH/RYhGSBm4xan7gPc4 UpQlqQHerjyzeH8fTA32Ad5A3eXpg7pzVS9lbKxb4Tpa3G3Hduy4c78h6qhWmrYLAmiV sBOeBIbRVvP0Ud3CM5D43QA7h4nz8ndQijCly0idokfBHDi6CMdqh5uoc1/tGqLGyp0c VVQhG5wvjIonbjyaVh9s2PRcUmzSvCSaVlBMCdCU+yMDxdaqD+H3Mpq1lmAXfXa19UET zvcA==
X-Gm-Message-State: AD7BkJLuHWGLAJUe271CCN2kwDLNM0JfNStJwdcWaAOCc0T+kJRRPJduAyYMsEg2LFKSaCSchgiIFVlYL+CwVosF
MIME-Version: 1.0
X-Received: by 10.31.180.213 with SMTP id d204mr1502991vkf.80.1460044331569; Thu, 07 Apr 2016 08:52:11 -0700 (PDT)
Received: by 10.31.179.1 with HTTP; Thu, 7 Apr 2016 08:52:11 -0700 (PDT)
In-Reply-To: <CAH9QtQE20ihfhP=onKSuD1Rs4vMez3OmPy8hZo1EkS=hJM8CWg@mail.gmail.com>
References: <AABACDA8-6A12-4023-A971-1254CED4893F@sn3rd.com> <9d1de55db58e33f7e564a03bc140cb49.squirrel@www.trepanning.net> <974CF78E8475CD4CA398B1FCA21C8E995650125D@PRN-MBX01-4.TheFacebook.com> <CAH9QtQE20ihfhP=onKSuD1Rs4vMez3OmPy8hZo1EkS=hJM8CWg@mail.gmail.com>
Date: Thu, 07 Apr 2016 08:52:11 -0700
Message-ID: <CAH9QtQFFV4jezKPRbNPLxh595cfdFEayYMjNBBBJEUyP+CV+FQ@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: Subodh Iyengar <subodh@fb.com>
Content-Type: multipart/alternative; boundary="001a1144030ebda41c052fe70f89"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/4NeZFw4etdvw9zaXjrrufulb50o>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Call for consensus: Removing 0-RTT client auth
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2016 15:52:14 -0000
On Thu, Apr 7, 2016 at 8:32 AM, Bill Cox <waywardgeek@google.com> wrote: > I've been reviewing this issue because I want to help figure out how to do > token binding over TLS 1.3 PKS 0-RTT. When the server emulates a session > cache, then the RMS is unique on every PSK 0-RTT resumption. That means > the client handshake hash is also unique, and it therefore becomes an > attractive value for the purpose of signing. If we allow client auth in > this mode, we gain some security. In particular, without access to the > client cert private key, an attacker cannot resume a session, even if they > have the RMS. > > Give this possible mode of operation, we may want to consider keeping > client auth as an option in 0-RTT PSK resumption. > This brings up another issue: the client does not currently know if the server is running stateless or if it has some form of replay protection. It was proposed on another thread to add this information to the new ticket with a 1-byte type. I think this is a good idea. With replay protection, allowing client auth makes some sense. The server loses freshness, but not uniqueness of the signature, and uniqueness is the more important of the two properties IMO. Without replay protection, only the initial 1-RTT signature actually proves possession of the private key, so we should probably not allow client auth on PSK 0-RTT in that case and instead advise the client to secure the RMS well, since it can be used to resume authenticated sessions without the client private key. Without extending the ticket format to provide this information to the client, it will not be possible to make this differentiation, and either we will have to disallow all 0-RTT client auth for replay-resistant servers, or we will have to require all servers supporting 0-RTT to provide a client signature, even when running stateless. Given that stateless 0-RTT client auth does not prove possession of the private key, I would prefer not to allow it in that mode. Bill
- [TLS] Call for consensus: Removing 0-RTT client a… Sean Turner
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Benjamin Kaduk
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Eric Rescorla
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Benjamin Kaduk
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Eric Rescorla
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Benjamin Kaduk
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Dan Harkins
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Subodh Iyengar
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Bill Cox
- Re: [TLS] Call for consensus: Removing 0-RTT clie… Joseph Salowey