Re: [TLS] Security review of TLS1.3 0-RTT

Nico Williams <nico@cryptonector.com> Tue, 02 May 2017 21:34 UTC

Date: Tue, 02 May 2017 16:29:54 -0500
From: Nico Williams <nico@cryptonector.com>
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Cc: Benjamin Kaduk <bkaduk@akamai.com>, TLS WG <tls@ietf.org>
Message-ID: <20170502212953.GK10188@localhost>
In-Reply-To: <87a86vrnge.fsf@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7OGBwgq9DmV55rxi-0x_v-i09SU>

On Tue, May 02, 2017 at 04:52:17PM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2017-05-02 14:57:54 -0500, Nico Williams wrote:
> > Well, I did say that to me there's not much difference to _me_ between
> > "connections reusing the same ticket can be correlated to each other"
> > and "connections reusing the same ticket can be correlated to each other
> > and the connection whence the ticket".  Others might disagree,
> 
> I disagree, Nico! :)

Excellent.  So now consider what followed the above.  That is, that the
correct thing to do is to properly encrypt a timestamp rather than XOR
an OTP that then gets reused when the ticket gets reused.

Why on Earth are we still doing improper crypto in TLS?!‽  In TLS 1.3 no
less!  Call it "janky", call it what you will.  It's broken.  Please
fix.

Nico
--
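The point Nico makes above, as an added illustration that is not code from this thread or from any TLS implementation: masking a 32-bit ticket age with a per-ticket constant (XOR, as in the message; the same cancellation holds for addition modulo 2^32) lets anyone who sees two uses of the same ticket cancel the mask, whereas encrypting the age under a server key with a fresh nonce per use (an HMAC-based encrypt-then-MAC here, standing in for a real AEAD) yields values that cannot be tied together. The key, the ages and the ticket_age_add value are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

MASK32 = 0xFFFFFFFF


def mask_age(age_ms: int, ticket_age_add: int) -> int:
    """Client-side masking with a per-ticket constant (XOR, as in the message).

    Every use of the same ticket reuses ticket_age_add, so the constant is a
    one-time pad that is not one-time."""
    return (age_ms ^ ticket_age_add) & MASK32


def observer_xor(obf_a: int, obf_b: int) -> int:
    """What a passive observer can compute from two sightings of one ticket.

    The mask cancels: obf_a ^ obf_b == age_a ^ age_b, so the two uses are
    linkable and the relation between their ages leaks."""
    return obf_a ^ obf_b


def _pad(key: bytes, nonce: bytes) -> bytes:
    # 4-byte keystream derived per nonce; a fresh nonce gives a fresh pad
    return hmac.new(key, b"pad" + nonce, hashlib.sha256).digest()[:4]


def encrypt_age(age_ms: int, key: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC of the age under a server key with a fresh 16-byte nonce.

    Token = nonce || ciphertext || tag. Two encryptions of the same age differ,
    so reusing a ticket no longer produces correlatable values."""
    nonce = secrets.token_bytes(16) if nonce is None else nonce
    plain = struct.pack(">I", age_ms & MASK32)
    ct = bytes(p ^ k for p, k in zip(plain, _pad(key, nonce)))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt_age(token: bytes, key: bytes) -> Optional[int]:
    """Server side: verify the tag first, then unmask. Returns None if tampered."""
    if len(token) != 36:
        return None
    nonce, ct, tag = token[:16], token[16:20], token[20:]
    expect = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        return None
    plain = bytes(c ^ k for c, k in zip(ct, _pad(key, nonce)))
    return struct.unpack(">I", plain)[0]
```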