Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
Benjamin Kaduk <bkaduk@akamai.com> Mon, 28 March 2016 16:11 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3018512D99E for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 09:11:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.73
X-Spam-Level:
X-Spam-Status: No, score=-2.73 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DemiF0ACFRhy for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 09:11:06 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id 1110512DB65 for <tls@ietf.org>; Mon, 28 Mar 2016 09:11:04 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 08A0143346A; Mon, 28 Mar 2016 16:11:04 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id E65ED4DE70; Mon, 28 Mar 2016 16:11:03 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1459181463; bh=PP1ZxjuVBhX6GTjnzdAx7N4QoAK2HMbUEoOGrUJNBhs=; l=6415; h=To:References:Cc:From:Date:In-Reply-To:From; b=YtINp9h3H7ywtEIgXkz1hkT3pUTHGN0UEAiMPuEb0dQH7MI0sLttHakm1dNUMJ6vc BcG+0VyqkWv3EhtO+rX/vh+7lhBllc4TuxzzhcCtZe++PS3ZDTi1LlgUE7/UrEDK1Q QZApwVpBkT9jkKTAIjITYc0Tge2KFhI3a1gkTpUE=
Received: from [172.19.0.25] (bos-lpczi.kendall.corp.akamai.com [172.19.0.25]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id BA4881FC86; Mon, 28 Mar 2016 16:11:03 +0000 (GMT)
To: Colm MacCárthaigh <colm@allcosts.net>
References: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr> <CAAF6GDefiSCnggjgQJT3NG0DJMC2SDJ=r__npg5L6ycicuzpJQ@mail.gmail.com> <4B85487A-850B-4347-80A7-A3A4D92593E6@inria.fr> <CAAF6GDcW9aP6eYZMLCDBz=XYTOky0r+WiYWnY_Q+GVetojv0AQ@mail.gmail.com>
From: Benjamin Kaduk <bkaduk@akamai.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <56F95797.2070206@akamai.com>
Date: Mon, 28 Mar 2016 11:11:03 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
MIME-Version: 1.0
In-Reply-To: <CAAF6GDcW9aP6eYZMLCDBz=XYTOky0r+WiYWnY_Q+GVetojv0AQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------040905020606050501030604"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/74SkjhOuCygICre3sACbaPn8G5o>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2016 16:11:09 -0000
On 03/25/2016 02:41 PM, Colm MacCárthaigh wrote: > On Fri, Mar 25, 2016 at 12:02 PM, Karthik Bhargavan > <karthikeyan.bhargavan@inria.fr > <mailto:karthikeyan.bhargavan@inria.fr>> wrote: > > > +1 but I think we can go further here and specify 0RTT in such a way that it only works when the server > maintains state, and so that any given 0RTT ticket may only be > used once (to preserve forward secrecy as much as possible within > the constrains of 0RTT). > > Do you envision clients only having one resumption handshake at a > time? I was under the impression that TLS 1.2 clients typically > open multiple > resumption handshakes in parallel, and that TLS 1.3 clients would > want to do the same. > > > It is common for existing clients to re-use the same ticket for many > connections. This is at-odds with forward secrecy though :/ Clients > could have many resumption tokens at a time though; e.g. they could > ask for 10 and use each one once. It's just that each token is used > once. So parallel resumptions could be supported. > I understand there are good reasons to want to make the default behavior of a single-physical-server TLS server as secure as possible, but I think it's also well-understood that the more "exciting" portions of 0-RTT happen in a distributed setup, where there are different physical (well, maybe virtual) machines sharing a session ticket key, potentially in different data centers. I don't think we've seen a real description of how this proposal for "single-use" session tickets would behave in the distributed setup yet. Are you proposing to require a distributed replay cache shared by all machines sharing the session-ticket key? I expect a lot of pushback from operators in that case, since distributed replay caches are really annoying to get right, let alone performant. So then the "single-use" property would come with a caveat, that it's only "single use" per replay cache instance, and some limited number of replays become possible. Can you say more about how you envision your proposal working for these distributed environments? In a more general sense, it's starting to seem like we should consider the spectrum from "actually no replays possible" to "some small number of replays possible [on the order of the number of machines sharing the session ticket key]" and ending at "nearly unlimited (millions+) of replays possible". I think avoiding the last case is a reasonable goal, but I'm as-yet unconvinced that the first case is achievable. Perhaps the middle ground is good enough... -Ben
- [TLS] Cleaning up 0-RTT Signaling (ciphersuites, … Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Bill Cox
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Benjamin Kaduk
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh