IETF Logo Mail Archive

Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01

Tom Ritter <tom@ritter.vg> Sat, 22 February 2014 16:39 UTC

Return-Path: <tom@ritter.vg>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FD221A012E for <tls@ietfa.amsl.com>; Sat, 22 Feb 2014 08:39:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.021
X-Spam-Level:
X-Spam-Status: No, score=0.021 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZxgmsoMrggx8 for <tls@ietfa.amsl.com>; Sat, 22 Feb 2014 08:38:59 -0800 (PST)
Received: from mail-pb0-x232.google.com (mail-pb0-x232.google.com [IPv6:2607:f8b0:400e:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id 6699B1A0127 for <tls@ietf.org>; Sat, 22 Feb 2014 08:38:59 -0800 (PST)
Received: by mail-pb0-f50.google.com with SMTP id rq2so4742339pbb.37 for <tls@ietf.org>; Sat, 22 Feb 2014 08:38:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=Qb2KN1mzYcPM0O1WYYY7mGJaOYy6QfxxRJNcEKYBVCI=; b=0M9AyfnZH/YMk93EBeS+7CgmE1OGUWvfX06KDwJUO9oJWdtgNke1ESGr79+nzVCqtF eZ9hhVOuMAFjP/XMS3C4TdaBqsll6iucF4D5bpEBt3jqZC+c+StS07NvQHd1VsfghVMt NzfllBa3orD3KP4jISLuTI7+FxW25saRl8tVg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=Qb2KN1mzYcPM0O1WYYY7mGJaOYy6QfxxRJNcEKYBVCI=; b=fdjc76vCcgc8iVtZTKlRDtu0JyilJ2QDExttxIMxMsIPvAx6aDOFzfDQecPAWjL6FG 4RryYc3GdXzIU8Cf+cRR3Sqq/5kNrFX7UKh+94MdDjhG9yLcp/Kh54vSJyUiQidwCpJw YtQZHFpSM1Gg9ebwjA1w5/yEUrdJYjaTI1Y28toKkhKLl0R9nr8M/zSP1grmtZuhfAEm xrCVe4SyF7WPrPb+q4JuOgFXtP9zHvKpyBIgMOKmvvpbNNGeYeV9O0Hk3k/ezVBm5MGB WLwYRJQ89UHTIL24P5VgUfXmEO+OG6CDhjAsRVSdrDIVPefLTeOVMkLJ99vNGIeS0fCb VNSg==
X-Gm-Message-State: ALoCoQlUn+haWRDC7MuTaEDTl1ClYXLdya1UuGk2AU9da2x9ndUOBkNbYYaPM0zbnoYE26YLT+0i
X-Received: by 10.68.96.99 with SMTP id dr3mr4323923pbb.40.1393087135025; Sat, 22 Feb 2014 08:38:55 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.198.68 with HTTP; Sat, 22 Feb 2014 08:38:34 -0800 (PST)
In-Reply-To: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com>
References: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Sat, 22 Feb 2014 11:38:34 -0500
Message-ID: <CA+cU71=XALidHzaW_k5U+ubzVrZM+TGm16HsT724zx_K57pvCg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/59TRxnru1M6DfA2Hm8afpbwmlc4
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Feb 2014 16:39:01 -0000

On 19 February 2014 15:40, Eric Rescorla <ekr@rtfm.com> wrote:
> Folks,
>
> I have prepared a new version of the TLS 1.3 flows document which
> should appear in the repository shortly and in the meantime can be
> found at:
>
> https://github.com/tlswg/tls13-spec/blob/master/draft-rescorla-tls-1.3.txt

Thanks Eric!

> I think the high order bit here is whether we want to have
> encrypted SNI, because that dictates the position of the DHE
> exchanges with respect to the server's messages.
>
> There are three options here:
>
> - Never
> - Sometimes
> - Always
>
> The flows in this draft take the position of "Always" which is
> simple. "Never" is actually simpler. "Sometimes" is the most
> complicated.  There are two cases where we could shave off latency if
> we were willing to disclose the SNI to passive attackers (and in cases
> where the client and server have never talked before.) My sense of
> recent discussion is that people feel it's important to have modes
> that protect SNI

I agree with this.

> even if those are not the only modes. However, that
> means that if we want to have non-SNI protecting modes, they are
> additional complexity.

But not so much with this.  TLS has suffered from the multitude of
options and the complexity choosing them provides. If at all possible,
I lean away from accommodating more modes in favor of fewer much more
secure, but perhaps slightly more complicated modes.

> Thanks and comments welcome

Random:

---------------------------------------------
On replays

"   o Once the client and server have communicated once, they can
      establish an anti-replay token which can be used by the client to
      do a 0-RTT handshake with the server in future.  This is shown in
      Figure 5."

This confused me, because from this paragraph alone, it seemed like
the server was providing the client with a nonce, storing it, and when
the client used it again, the server forgot it and thus invalidated
it.  This does prevent replay - but it's not what the draft actually
describes.  I would try and rephrase this.

"Generally all of them require the server to give
   the client some identifier which is later replayed to the server to
   help it recover state and detect replays."

I don't think this is accurate wording either.  It implies a session
resumption. I would describe all of them as "the client remembers the
server's preferred parameters (ciphersuites, groups, orbit), and may
include something unique the server is expected to remember and use to
reject replays".

Two techniques I'm aware of for rejecting replays are relatively simple.
The first is the same as snap start, I'll mention that it's used by
mixmaster. The server stores identifiers, and discards any message
that has the same identifier or a timestamp older than X hours;
discarding state older than X hours as well.
The other is used by mixminion, and does not require roughly
synchronized clocks. The server stores the packet identifiers, and
rotates its keys every X hours, discarding the state and the keys upon
rotate. The server can detect replayed packets using it's state up
until discard and after discard, cannot decrypt any replayed packets
at all.  This also removes the need for an orbit.

On the topic of 0-RT and PFS. It adds complexity, but I can envision
an inline key exchange happening alongside the first few application
data packets.  I think this is what you mention on line 458, but I'm
not sure I understand why you say it's too expensive on a regular
basis? The client is doing two DH operations, the server similarly
does two. Normal PFS handshakes today require a RSA decryption and a
DH.  A resumption is much cheaper, yes.  Is this what you meant or did
I miss it?

---------------------------------------------

RE: No SNI and the issue on line 657 - I suspect, but testing would
need to be done, that nearly all major sites and most in general will
serve a valid default certificate if SNI is omitted.  I suspect this
would not be a difficult test for someone with a SSL scanning setup to
run.

-tom

v2.23.0 | Report a Bug | By Email