Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
Tom Ritter <tom@ritter.vg> Sat, 22 February 2014 16:39 UTC
Return-Path: <tom@ritter.vg>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FD221A012E for <tls@ietfa.amsl.com>; Sat, 22 Feb 2014 08:39:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.021
X-Spam-Level:
X-Spam-Status: No, score=0.021 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZxgmsoMrggx8 for <tls@ietfa.amsl.com>; Sat, 22 Feb 2014 08:38:59 -0800 (PST)
Received: from mail-pb0-x232.google.com (mail-pb0-x232.google.com [IPv6:2607:f8b0:400e:c01::232]) by ietfa.amsl.com (Postfix) with ESMTP id 6699B1A0127 for <tls@ietf.org>; Sat, 22 Feb 2014 08:38:59 -0800 (PST)
Received: by mail-pb0-f50.google.com with SMTP id rq2so4742339pbb.37 for <tls@ietf.org>; Sat, 22 Feb 2014 08:38:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ritter.vg; s=vg; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=Qb2KN1mzYcPM0O1WYYY7mGJaOYy6QfxxRJNcEKYBVCI=; b=0M9AyfnZH/YMk93EBeS+7CgmE1OGUWvfX06KDwJUO9oJWdtgNke1ESGr79+nzVCqtF eZ9hhVOuMAFjP/XMS3C4TdaBqsll6iucF4D5bpEBt3jqZC+c+StS07NvQHd1VsfghVMt NzfllBa3orD3KP4jISLuTI7+FxW25saRl8tVg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=Qb2KN1mzYcPM0O1WYYY7mGJaOYy6QfxxRJNcEKYBVCI=; b=fdjc76vCcgc8iVtZTKlRDtu0JyilJ2QDExttxIMxMsIPvAx6aDOFzfDQecPAWjL6FG 4RryYc3GdXzIU8Cf+cRR3Sqq/5kNrFX7UKh+94MdDjhG9yLcp/Kh54vSJyUiQidwCpJw YtQZHFpSM1Gg9ebwjA1w5/yEUrdJYjaTI1Y28toKkhKLl0R9nr8M/zSP1grmtZuhfAEm xrCVe4SyF7WPrPb+q4JuOgFXtP9zHvKpyBIgMOKmvvpbNNGeYeV9O0Hk3k/ezVBm5MGB WLwYRJQ89UHTIL24P5VgUfXmEO+OG6CDhjAsRVSdrDIVPefLTeOVMkLJ99vNGIeS0fCb VNSg==
X-Gm-Message-State: ALoCoQlUn+haWRDC7MuTaEDTl1ClYXLdya1UuGk2AU9da2x9ndUOBkNbYYaPM0zbnoYE26YLT+0i
X-Received: by 10.68.96.99 with SMTP id dr3mr4323923pbb.40.1393087135025; Sat, 22 Feb 2014 08:38:55 -0800 (PST)
MIME-Version: 1.0
Received: by 10.68.198.68 with HTTP; Sat, 22 Feb 2014 08:38:34 -0800 (PST)
In-Reply-To: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com>
References: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Sat, 22 Feb 2014 11:38:34 -0500
Message-ID: <CA+cU71=XALidHzaW_k5U+ubzVrZM+TGm16HsT724zx_K57pvCg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="ISO-8859-1"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/59TRxnru1M6DfA2Hm8afpbwmlc4
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Feb 2014 16:39:01 -0000
On 19 February 2014 15:40, Eric Rescorla <ekr@rtfm.com> wrote: > Folks, > > I have prepared a new version of the TLS 1.3 flows document which > should appear in the repository shortly and in the meantime can be > found at: > > https://github.com/tlswg/tls13-spec/blob/master/draft-rescorla-tls-1.3.txt Thanks Eric! > I think the high order bit here is whether we want to have > encrypted SNI, because that dictates the position of the DHE > exchanges with respect to the server's messages. > > There are three options here: > > - Never > - Sometimes > - Always > > The flows in this draft take the position of "Always" which is > simple. "Never" is actually simpler. "Sometimes" is the most > complicated. There are two cases where we could shave off latency if > we were willing to disclose the SNI to passive attackers (and in cases > where the client and server have never talked before.) My sense of > recent discussion is that people feel it's important to have modes > that protect SNI I agree with this. > even if those are not the only modes. However, that > means that if we want to have non-SNI protecting modes, they are > additional complexity. But not so much with this. TLS has suffered from the multitude of options and the complexity choosing them provides. If at all possible, I lean away from accommodating more modes in favor of fewer much more secure, but perhaps slightly more complicated modes. > Thanks and comments welcome Random: --------------------------------------------- On replays " o Once the client and server have communicated once, they can establish an anti-replay token which can be used by the client to do a 0-RTT handshake with the server in future. This is shown in Figure 5." This confused me, because from this paragraph alone, it seemed like the server was providing the client with a nonce, storing it, and when the client used it again, the server forgot it and thus invalidated it. This does prevent replay - but it's not what the draft actually describes. I would try and rephrase this. "Generally all of them require the server to give the client some identifier which is later replayed to the server to help it recover state and detect replays." I don't think this is accurate wording either. It implies a session resumption. I would describe all of them as "the client remembers the server's preferred parameters (ciphersuites, groups, orbit), and may include something unique the server is expected to remember and use to reject replays". Two techniques I'm aware of for rejecting replays are relatively simple. The first is the same as snap start, I'll mention that it's used by mixmaster. The server stores identifiers, and discards any message that has the same identifier or a timestamp older than X hours; discarding state older than X hours as well. The other is used by mixminion, and does not require roughly synchronized clocks. The server stores the packet identifiers, and rotates its keys every X hours, discarding the state and the keys upon rotate. The server can detect replayed packets using it's state up until discard and after discard, cannot decrypt any replayed packets at all. This also removes the need for an orbit. On the topic of 0-RT and PFS. It adds complexity, but I can envision an inline key exchange happening alongside the first few application data packets. I think this is what you mention on line 458, but I'm not sure I understand why you say it's too expensive on a regular basis? The client is doing two DH operations, the server similarly does two. Normal PFS handshakes today require a RSA decryption and a DH. A resumption is much cheaper, yes. Is this what you meant or did I miss it? --------------------------------------------- RE: No SNI and the issue on line 657 - I suspect, but testing would need to be done, that nearly all major sites and most in general will serve a valid default certificate if SNI is omitted. I suspect this would not be a difficult test for someone with a SSL scanning setup to run. -tom
- [TLS] New draft: draft-rescorla-tls13-new-flows-01 Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Kurt Roeckx
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Martin Thomson
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Kurt Roeckx
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Nikos Mavrogiannopoulos
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Tom Ritter
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Tom Ritter
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Hovav Shacham
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Stephen Checkoway
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Stephen Checkoway