Re: [TLS] Fwd: New Version Notification for draft-tiloca-tls-dos-handshake-00.txt

Eric Rescorla <> Sun, 09 July 2017 13:33 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id F3DD313144E for <>; Sun, 9 Jul 2017 06:33:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 4u0X2FRWaTYT for <>; Sun, 9 Jul 2017 06:33:45 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c09::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 08C9512F3D3 for <>; Sun, 9 Jul 2017 06:33:45 -0700 (PDT)
Received: by with SMTP id 84so21563401ybe.0 for <>; Sun, 09 Jul 2017 06:33:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=t7Uo/c2TDDpaKux9G0fEMegzBPSQBR79+sjiFQGhcKg=; b=WHtGfy1JDqD7oaW3y3JfOc2xYrzf6EE014j7YDsFn7I5fHDWBUM/O/nexknFgQrBXn e4rq2vvU9NmevEZS3hKUMOJdziYOj40X8PkJWE/yF9NugA+ScQffLp4sX8/+NSodqWLl KJ0lgUEgyA9HKDAcN/OHKRrvolV7b05xPzgS8bctq4yS+D6JmXc4bkJJxFlMf33lBDs2 kygSpuUy/8jkRbzyW00Bf+tqQX8rN1p6t/YWIUuT9WOmaEh8d+ZV43c9Aajw6NG+T/bM SpF/te76jywhL/Nj6sduUENRYeBUlKklwU4ss39nEr58qeb4S1Q1ciSdQTcWJVu6sKDl CgGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=t7Uo/c2TDDpaKux9G0fEMegzBPSQBR79+sjiFQGhcKg=; b=gh5IswWbzwN66PQq5RAX6Tk6ZnJ9J4JPhL77VcuWU5xsTD+6iBIcleETgnZKFKguxC 5D+lUgfBYmeTLWmimRCwPBev3P2zbnXxftltIxsFjCizovWYdjapc90g77WwRlFWrOdA skxjXJoiPcXC5qphPsh+hXzesm96jMF9gBD9csp4Gx8+wsUPy1PYlajgquEDC7MaICuG RgxhUO+t2GZ2eou9KnOnSwUGYWE/uJOsBtkiMoKoKA12X8Wjlla3yxmHC4Nbz/b1LPdq vIOLdYyBvCauDoRmUMXX4Mo7zgxFZ3eVXDmzqeGW/jE/f/NajxE+EkkOID4ZnsiCqZH8 JZqg==
X-Gm-Message-State: AIVw113p8ED03C4OD3JeQurPHGHOSNbzJbHc0kwugmbfyXgvA9lnZTtp T/W+I83SkINEi87lN1jUVA8xLXntzVUse0A=
X-Received: by with SMTP id q10mr11870003ybq.71.1499607224161; Sun, 09 Jul 2017 06:33:44 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Sun, 9 Jul 2017 06:33:03 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <>
From: Eric Rescorla <>
Date: Sun, 9 Jul 2017 06:33:03 -0700
Message-ID: <>
To: Marco Tiloca <>
Cc: "" <>
Content-Type: multipart/alternative; boundary="001a11440108e6361a0553e283d0"
Archived-At: <>
Subject: Re: [TLS] Fwd: New Version Notification for draft-tiloca-tls-dos-handshake-00.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 09 Jul 2017 13:33:48 -0000

On Sun, Jul 9, 2017 at 2:44 AM, Marco Tiloca <>; wrote:

> Hello Eric,
> Thanks for your good comments!
> Please, see my answers inline.
> Best,
> /Marco
> On 2017-07-08 16:45, Eric Rescorla wrote:
> Document: draft-tiloca-tls-dos-handshake-00.txt
> I'm trying to understand the threat model and operating model this
> is designed for. Let's start with the threat model. The anti-DoS
> mechanisms in DTLS are specifically oriented towards attackers
> who are not on-path, because on-path attackers can, as you
> say, obtain the HRR/HVR.
> You say:
>    DTLS 1.2 as well as both TLS 1.3 and DTLS 1.3 provide the optional
>    Cookie exchange as possible solution to mitigate this Denial of
>    Service attack.  While this makes the attack more complicated to
>    mount, a well determined and resourceful adversary able to spoof
>    valid IP addresses can still successfully perform it, by intercepting
>    the possible server response including the Cookie and then echoing it
>    in the second ClientHello.  This is particularly doable in case the
>    handshake is not based on Pre-Shared Key exchange modes.
> I take from this that your assumed threat model is an attacker who is
> minimally a man-on-the-side (i.e., able to read traffic and inject his
> own but not block) and maximally a full active attacker able to block
> data. Is that correct?
> Yes, correct.
>    Depending on the specific protocol version and the key establishment
>    mode used in the handshake, the attack impact can range from single
>    replies triggered by invalid ClientHello messages, to the server
>    performing advanced handshake steps with consequent setup of invalid
>    half-open sessions.  Especially if performed in a large-scale and
>    distributed manner, this attack can thwart performance and service
>    availability of (D)TLS servers.  Moreover, it can be particularly
>    effective in application scenarios where servers are resource-
>    constrained devices running DTLS over low-power, low bandwidth and
>    lossy networks.
> It seems like the attack you are considering is one in which the
> attacker generates DTLS handshakes and then forces the DTLS server to
> either perform computations or hold state open (e.g., by doing a
> handshake or a partial handshake and then stopping) Is that correct?
> Yes, correct.
> Assuming I am correct, the design you describe here seems much more
> complicated than necessary [0]. Consider the simpler design:
> - The client contacts the TA
> - TA generates a new value C = HMAC(k_M, N) and sends that to the
>   client
> - the client inserts C in the ClientHello.
> The major downside is that this allows an on-path attacker to steal C and
> put it in their own CH, but so what? The attacker is still rate limited
> by the number of valid clients, and (at least) a fully active attacker
> doesn't need to substitute their own handshake messages for the valid
> clients because they can force the server to perform computations
> by playing the client messages and leave the server in a half-open
> state by blocking some client messages. I suppose you could argue
> that they could negotiate cipher suites that are more expensive to
> the server, but that seems like a fairly weak attack.
> This alternative is surely simpler and good to consider, and I agree with
> your related considerations.
> I would add that the TA has still to provide also N to the client, for
> inclusion in the extension. N is in fact required by the server for
> recomputing the HMAC and perform anti-replay checks on the ClientHello as
> suggested in the draft.

Well, sort of. It needs to supply the client some opaque token. The only
semantics of this token are between the TA and the server.

The model currently described in the draft considers additional key
> material and related derivation, thinking also about session resumption
> (see also the related comment below). To this end, the design above would
> then additionally consider (consistently with the draft's description):
> - The TA deriving K_S from K_M and N; and K_MAC from K_S
> - The TA computing the HMAC using K_MAC
> - The TA sending also K_S to the client
> Just to touch briefly on resumption: why do you need this mechanism
> at all for that? The client and server already have an assocation
> so the server knows that it has a valid client without any new
> assertion from the TA.
> True, although in case of resumption it is not anymore a full assertion of
> client's validity, but it's rather about protecting from replays of valid
> resumption requests.

Sure, but you already have to keep a per-client database of resumption
(because the resumption counter is independent) and you might as well key
by the ticket and then just record clienthellos as in the guidance for TLS
0-RTT anti-replay.

Also, it considers Section of RFC 5246, i.e. the same extensions
> SHOULD be included in case of request for session resumption.
> This also led to the design in the draft (i.e., the HMAC computed by the
> client and the provisioning of a session key K_S), so that the client does
> not require to contact the TA again in case of intended session resumption.

It seems like if this is really important, the TA could just give the
client some small
number of tokens on initial contact.


> Consistently with the alternative design proposed above, in case of
> resumption request, the client can compute the HMAC itself, again only over
> the extension-related content, like considered by the TA in the main case
> for new session establishment. This would also avoid the implementation
> issues you mentioned below [0] for the current approach in (D)TLS 1.3.
> -Ekr
> [0] It also, won't work. In particular, having the client send a
> MAC over the CH leads to having to zero out portions of the CH, which
> is going to create implementation problems in two ways. First, it
> creates a circular dependency with the TLS 1.3 PSK binder, so you'll
> need to have an exception there. Second, the zero-ing out trick you
> use is actually quite annoying to implement in many TLS stacks (it
> would be so in NSS).
> I understand your concerns as to implementation complications. We can then
> build on the alternative design above to avoid them by construction.
> On Sat, Jul 8, 2017 at 4:10 AM, Marco Tiloca <>; wrote:
>> Dear all,
>> FYI, we have recently submitted a new draft proposing an extension for
>> (D)TLS 1.2/1.3.
>> The solution described in the draft addresses Denial of Service attacks
>> against the handshake protocol, allowing servers to promptly abort invalid
>> session set ups.
>> Feedback and comments are of course very welcome. Thanks a lot!
>> Best regards,
>> /Marco
>> -------- Forwarded Message --------
>> Subject: New Version Notification for draft-tiloca-tls-dos-handshake
>> -00.txt
>> Date: Wed, 28 Jun 2017 07:40:45 -0700
>> From:
>> To: Marco Tiloca <>; <>;, Ludwig Seitz
>> <>; <>;, Maarten Hoeve
>> <>; <>;
>> A new version of I-D, draft-tiloca-tls-dos-handshake-00.txt
>> has been successfully submitted by Marco Tiloca and posted to the
>> IETF repository.
>> Name:		draft-tiloca-tls-dos-handshake
>> Revision:	00
>> Title:		Extension for protecting (D)TLS handshakes against Denial of Service
>> Document date:	2017-06-28
>> Group:		Individual Submission
>> Pages:		12
>> URL:  
>> Status:
>> Htmlized:
>> Htmlized:
>> Abstract:
>>    This document describes an extension for TLS and DTLS to protect the
>>    server from Denial of Service attacks against the handshake protocol.
>>    The extension includes a Message Authentication Code (MAC) over the
>>    ClientHello message, computed by the Client through key material
>>    obtained from a Trust Anchor entity.  The server registered at the
>>    Trust Anchor derives the same key material and checks the MAC to
>>    determine whether continuing or aborting the handshake.
>> Please note that it may take a couple of minutes from the time of submission
>> until the htmlized version and diff are available at
>> The IETF Secretariat
>> _______________________________________________
>> TLS mailing list
> --
> Marco Tiloca, PhD
> Research Institutes of Sweden
> Isafjordsgatan 22 / Kistagången 16
> SE-164 40 Kista (Sweden)
> Phone: +46 (0)70 60 46 501https://www.sics.se
> The RISE institutes Innventia, SP and Swedish ICT
> have merged in order to become a stronger research
> and innovation partner for businesses and society.
> SICS Swedish ICT AB, has now changed name to RISE SICS AB.