Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
Eric Rescorla <ekr@rtfm.com> Sat, 22 February 2014 20:24 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F39871A016C for <tls@ietfa.amsl.com>; Sat, 22 Feb 2014 12:24:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.078
X-Spam-Level:
X-Spam-Status: No, score=-0.078 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7HdY2TqcpA-u for <tls@ietfa.amsl.com>; Sat, 22 Feb 2014 12:24:25 -0800 (PST)
Received: from mail-ve0-f176.google.com (mail-ve0-f176.google.com [209.85.128.176]) by ietfa.amsl.com (Postfix) with ESMTP id 5E3FE1A0133 for <tls@ietf.org>; Sat, 22 Feb 2014 12:24:25 -0800 (PST)
Received: by mail-ve0-f176.google.com with SMTP id jx11so4425572veb.7 for <tls@ietf.org>; Sat, 22 Feb 2014 12:24:20 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=VXKz8jDmONKVr6jyHUOXW9lPSVqtgHQvMzXBZI5emRg=; b=YGLyKBU/sB8t4/s0GKYlorzwVt6xYNJU07761u8+2wHtqHwPkgRYdyxRHH6LpvPlhy 7lR6hZxK6vL77zQlFG8ZIjD5kqlNBiBPdkVf33ZV9GZADvfoC5VW8x23RHVMwf/JwQYE +USjX6q6GLkz1qE67WFALQS5c5n151zYtmwpLiaHBBHXh5vqBNxPR4LICXzZFbIDRXuc HenU1hRum4sI90dNhOhciTGIO7xjbPpGqHGSrOvheaLOvI/Gs7Qw1BCB3A9hQOlQu9od XpfrbJY8TWbDH0XTFlvV+5hpTPgPBYxzzMMBLXncvgZHPNOQ+HJDb2ApdZpsf+BV+32r K8cA==
X-Gm-Message-State: ALoCoQmr08eAFsh4l8kfU2/21kx42Lb5t7w4RFMKZkWtvIPFU17F+HMUrMmREphiaU+PfFD3YwTM
X-Received: by 10.220.188.70 with SMTP id cz6mr8507257vcb.59.1393100660494; Sat, 22 Feb 2014 12:24:20 -0800 (PST)
MIME-Version: 1.0
Received: by 10.58.198.12 with HTTP; Sat, 22 Feb 2014 12:23:35 -0800 (PST)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <CA+cU71=XALidHzaW_k5U+ubzVrZM+TGm16HsT724zx_K57pvCg@mail.gmail.com>
References: <CABcZeBNUjg_Y3MKtRrAMmYAeYFLM1QyHvr1DCbOfA6MB2tJOYQ@mail.gmail.com> <CA+cU71=XALidHzaW_k5U+ubzVrZM+TGm16HsT724zx_K57pvCg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 22 Feb 2014 12:23:35 -0800
Message-ID: <CABcZeBN1gGx=tpPrqVSE+YsWneVH6GtN0SiAgm+XzkRokNLm3Q@mail.gmail.com>
To: Tom Ritter <tom@ritter.vg>
Content-Type: multipart/alternative; boundary="089e0129512604461d04f30486e7"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/7Hug1tE8ojr0asE5UXpYfiJk8Q4
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] New draft: draft-rescorla-tls13-new-flows-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 22 Feb 2014 20:24:28 -0000
Tom, Thanks for your comments. On Sat, Feb 22, 2014 at 8:38 AM, Tom Ritter <tom@ritter.vg> wrote: > On 19 February 2014 15:40, Eric Rescorla <ekr@rtfm.com> wrote: > > even if those are not the only modes. However, that > > means that if we want to have non-SNI protecting modes, they are > > additional complexity. > > But not so much with this. TLS has suffered from the multitude of > options and the complexity choosing them provides. If at all possible, > I lean away from accommodating more modes in favor of fewer much more > secure, but perhaps slightly more complicated modes. > Can you unpack this a little for me? Are you saying we should always protect SNI or something else? > Thanks and comments welcome > > Random: > > --------------------------------------------- > On replays > > " o Once the client and server have communicated once, they can > establish an anti-replay token which can be used by the client to > do a 0-RTT handshake with the server in future. This is shown in > Figure 5." > > This confused me, because from this paragraph alone, it seemed like > the server was providing the client with a nonce, storing it, and when > the client used it again, the server forgot it and thus invalidated > it. This does prevent replay - but it's not what the draft actually > describes. I would try and rephrase this. > > "Generally all of them require the server to give > the client some identifier which is later replayed to the server to > help it recover state and detect replays." > > I don't think this is accurate wording either. It implies a session > resumption. I would describe all of them as "the client remembers the > server's preferred parameters (ciphersuites, groups, orbit), and may > include something unique the server is expected to remember and use to > reject replays". > > Two techniques I'm aware of for rejecting replays are relatively simple. > The first is the same as snap start, I'll mention that it's used by > mixmaster. The server stores identifiers, and discards any message > that has the same identifier or a timestamp older than X hours; > discarding state older than X hours as well. > The other is used by mixminion, and does not require roughly > synchronized clocks. The server stores the packet identifiers, and > rotates its keys every X hours, discarding the state and the keys upon > rotate. The server can detect replayed packets using it's state up > until discard and after discard, cannot decrypt any replayed packets > at all. This also removes the need for an orbit. > Yeah, this section is badly written. I was trying to characterize all the possible options with a single description and ended up characterizing them all in a confusing way. Once we select a design, we can just remove all the generic text and in the meantime I will try to clean this up. > On the topic of 0-RT and PFS. It adds complexity, but I can envision > an inline key exchange happening alongside the first few application > data packets. I think this is what you mention on line 458, but I'm > not sure I understand why you say it's too expensive on a regular > basis? The client is doing two DH operations, the server similarly > does two. Normal PFS handshakes today require a RSA decryption and a > DH. A resumption is much cheaper, yes. Is this what you meant or did > I miss it? > This is old text. When I wrote it it seemed to me that two DHs was a big deal, but I'm less sure now. Still, it's a nonzero cost and the WG should probably discuss it before we just decide to impose the cost. RE: No SNI and the issue on line 657 - I suspect, but testing would > need to be done, that nearly all major sites and most in general will > serve a valid default certificate if SNI is omitted. I suspect this > would not be a difficult test for someone with a SSL scanning setup to > run Agreed. I'll see if I can get someone to do that... Thanks, -Ekr
- [TLS] New draft: draft-rescorla-tls13-new-flows-01 Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Kurt Roeckx
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Martin Thomson
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Kurt Roeckx
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Nikos Mavrogiannopoulos
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Tom Ritter
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Tom Ritter
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Hovav Shacham
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Eric Rescorla
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Stephen Checkoway
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Watson Ladd
- Re: [TLS] New draft: draft-rescorla-tls13-new-flo… Stephen Checkoway