Re: [TLS] Let's remove gmt_unix_time from TLS
Nick Mathewson <nickm@torproject.org> Mon, 09 December 2013 18:49 UTC
Return-Path: <nick.a.mathewson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67A211AE3DE for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 10:49:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PnwcAdn_LmTY for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 10:49:20 -0800 (PST)
Received: from mail-qc0-x22c.google.com (mail-qc0-x22c.google.com [IPv6:2607:f8b0:400d:c01::22c]) by ietfa.amsl.com (Postfix) with ESMTP id AA3721AE04B for <tls@ietf.org>; Mon, 9 Dec 2013 10:49:20 -0800 (PST)
Received: by mail-qc0-f172.google.com with SMTP id e16so3050820qcx.31 for <tls@ietf.org>; Mon, 09 Dec 2013 10:49:15 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=i7motttgY8VTOBpCHJnSMF/IaVbJb3VUWoNZFAHk1p8=; b=yyeOAH/p7enW8KOlKnvuBT0IBEsvMmnqaco7QZZFblGAwLYM9/l4FVBx5ZBH9WKxqt vlRsLjcchH9SqekugqBbcK7qqZBMTCqyP+qVSRbAnpnCl5ZLm8N6HoO8wQaQO6B6Fxyp 6mFLhZeL4TBXkboa2nPNCDP3IKbeTKx/gWqTDCO0MziGsegLgJCyOBPIjqglxGpN5Gsu 6siltaWFXjJdHZwOXoBEYv28hYotPNI3XaIB1fyhovIUKAz1xgA1elIXxAElNXenWYsF ix9k9msWufJSQrpqxSCmf8UfAwt7U/h6mY78Sqbwg+UkI3PDidZQQIkGKNrdUJB1PKS+ tXFg==
MIME-Version: 1.0
X-Received: by 10.49.35.52 with SMTP id e20mr186051452qej.63.1386614955680; Mon, 09 Dec 2013 10:49:15 -0800 (PST)
Sender: nick.a.mathewson@gmail.com
Received: by 10.140.102.82 with HTTP; Mon, 9 Dec 2013 10:49:15 -0800 (PST)
In-Reply-To: <CALTJjxHGFqH+-C_9+Mr09zcNZ9HuW6XeeDNk4f+8vnMP0Tg5KA@mail.gmail.com>
References: <CAKDKvuw240Ug4xB3zi2w0y7pUvCwSe0nNFZ2XP2vL-tbtKT0tg@mail.gmail.com> <CALTJjxHGFqH+-C_9+Mr09zcNZ9HuW6XeeDNk4f+8vnMP0Tg5KA@mail.gmail.com>
Date: Mon, 09 Dec 2013 13:49:15 -0500
X-Google-Sender-Auth: 6IPXFbRb3OFYRZJ_wbr81euzEKA
Message-ID: <CAKDKvuxsODprMSnBB35NanEmjAHy2OkHCAAt4UCKwQJudseiVA@mail.gmail.com>
From: Nick Mathewson <nickm@torproject.org>
To: Wan-Teh Chang <wtc@google.com>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Let's remove gmt_unix_time from TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2013 18:49:22 -0000
On Fri, Dec 6, 2013 at 2:59 PM, Wan-Teh Chang <wtc@google.com> wrote: > Sorry about my late reply. I am a programmer working on the NSS crypto > libraries. While reviewing recent changes to NSS, I noticed that > Nick's proposal 1 has been implemented in the OpenSSL and NSS source > code repositories, which led me to this old email thread. > > The only protocol feature I know of that uses the gmt_unix_time field > of ClientHello.random is Adam Langley's TLS Snap Start Internet-Draft > [1]. See Section 3 of Adam's draft. This method is one of the > anti-reply mechanisms being considered in Eric Rescorla's TLS 1.3 new > handshake flows Internet-Draft [2], and is being used in the QUIC > protocol. > > So, I'd like to offer another proposal: > > PROPOSAL 4: > > Add a random clock skew to the current time. For example, generate a > random signed integer in the interval [-512, 511] (inclusive) and add > it to the return value of time(). This adds roughly a +/-8.5 minutes > skew to the current time. > > If this proposal is an acceptable solution to the client > fingerprinting problem, then gmt_unix_time in ClientHello.random will > remain viable as part of an anti-reply mechanism for TLS 1.3 new > handshake flows. Hello, and thanks for thinking about this! I'd suggest that this approach should be considered only with caution, and used only when absolutely necessary (in other words, when 0-RTT truly is in use). If it can be avoided entirely, as with Brian Smith's idea, it's probably better to do so. If the timestamp can be removed from the Random and added as encrypted data to a proposed snap-start extension somehow, that's also an improvement, though an imperfect one. Random skew helps only a little: * It does nothing to conceal large drifts, which seem to be fairly common in practice. If two clients have drifted more than 1024 seconds apart, they'll remain completely partitioned. * Given multiple observations from the same client, it's trivial to recover a good estimate of the client's clock skew and use that to link other observations probabilistically to the same client. On the latter point, I'd suggest that rounding is a little better than adding random skew, since only a smaller fraction of a client's declared times will leak anything about the client's skew. Randomize-and-round might be better still, though I'm afraid I haven't worked through the full analysis. (As a reminder, using the time to avoid snap-start replays would be a _new_ purpose for gmt_unix_time . As discussed earlier in this thread and in http://datatracker.ietf.org/doc/draft-mathewson-no-gmtunixtime/ , the gmt_unix_time is neither necessary nor sufficient for its current declared purposes.) peace, -- Nick Mathewson
- [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Alfredo Pironti
- Re: [TLS] Let's remove gmt_unix_time from TLS Russ Housley
- Re: [TLS] Let's remove gmt_unix_time from TLS Eric Rescorla
- Re: [TLS] Let's remove gmt_unix_time from TLS Adam Langley
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Ryan Hurst
- Re: [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Paul Wouters
- Re: [TLS] Let's remove gmt_unix_time from TLS p.j.bakker
- Re: [TLS] Let's remove gmt_unix_time from TLS Hanno Böck
- Re: [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Martin Rex
- Re: [TLS] Let's remove gmt_unix_time from TLS Xiaoyong Wu
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Nick Mathewson
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Martin Rex
- Re: [TLS] Let's remove gmt_unix_time from TLS Peter Gutmann
- Re: [TLS] Let's remove gmt_unix_time from TLS Marsh Ray
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Stephen Farrell
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Peter Gutmann
- Re: [TLS] Let's remove gmt_unix_time from TLS Wan-Teh Chang
- Re: [TLS] Let's remove gmt_unix_time from TLS Brian Smith
- Re: [TLS] Let's remove gmt_unix_time from TLS Stephen Farrell
- Re: [TLS] Let's remove gmt_unix_time from TLS Wan-Teh Chang
- Re: [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Martin Thomson
- Re: [TLS] Let's remove gmt_unix_time from TLS Martin Rex