IETF Logo Mail Archive

Re: [TLS] 0-RTT security considerations (was OPTLS)

Eric Rescorla <ekr@rtfm.com> Wed, 19 November 2014 19:24 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AAE01A1F70 for <tls@ietfa.amsl.com>; Wed, 19 Nov 2014 11:24:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OZpHeAfvZquE for <tls@ietfa.amsl.com>; Wed, 19 Nov 2014 11:23:58 -0800 (PST)
Received: from mail-wg0-f49.google.com (mail-wg0-f49.google.com [74.125.82.49]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CB7A61A1BE9 for <tls@ietf.org>; Wed, 19 Nov 2014 11:23:57 -0800 (PST)
Received: by mail-wg0-f49.google.com with SMTP id x12so1669414wgg.36 for <tls@ietf.org>; Wed, 19 Nov 2014 11:23:56 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=XVVfgFSKJnF8xHNTXlDEs9Sj6idT05R6SR01RmhcMvM=; b=aawBR3PLQhWIwNqgKdkZGfId9obsr40H1EML321oFPnubJ4lm7EmNTfAH3b+LZxW5z xr6VDTuzyBWdfhRC482qDKZvzqFr4dP827eplc6pWawQRRMDhGEyMzvAR40ovb+oTbV4 +piH92StI+q2+OLOFopa/RmwUWPh2TeVVwxs34uKW9S4cvqSV+Sda0cHeJzC5z3+gVvR b460L45ELc5xUfOEX8ogSjgW2UP6YmfYedA9ZDJki3ODBvnH/VJZ55bqgwSceuEgmRsl RAJtcyREmdgDJzWubM2bGTLo5LcIgWktUifIqj8gdZ+6N1TCmaM9dSPeJXE2RO8kjvvP lmIA==
X-Gm-Message-State: ALoCoQmadRIC1M/QTXH5JQOgEfIpkG/If+FcRTOSX7SzqR2AkVnunGUQLdvY9DR87DhKhwbXW6cd
X-Received: by 10.194.176.198 with SMTP id ck6mr59385597wjc.25.1416425036590; Wed, 19 Nov 2014 11:23:56 -0800 (PST)
MIME-Version: 1.0
Received: by 10.27.130.34 with HTTP; Wed, 19 Nov 2014 11:23:16 -0800 (PST)
In-Reply-To: <20141119004543.GC20758@localhost>
References: <20141118234608.GA20721@localhost> <CABcZeBN7ErepGC0Y5_xiYspJG-i3z6kA=STMk0mnnu+oQNCZqA@mail.gmail.com> <20141119004543.GC20758@localhost>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 19 Nov 2014 11:23:16 -0800
Message-ID: <CABcZeBNru1qEcuxLm96HH-R=yU2S4PzSPeUUwjVY4jHkh0Aq-A@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary="089e013d191628396c05083b2722"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/9Mws3hWNdDWimrrhoVjkAnJxnWg
Cc: kitten <kitten@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT security considerations (was OPTLS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Nov 2014 19:24:00 -0000

On Tue, Nov 18, 2014 at 4:45 PM, Nico Williams <nico@cryptonector.com>
wrote:

> On Tue, Nov 18, 2014 at 04:04:10PM -0800, Eric Rescorla wrote:
> > On Tue, Nov 18, 2014 at 3:46 PM, Nico Williams <nico@cryptonector.com>
> > wrote:
> > >  - Replay protection (use replay cache or defer protection)
> > >    [...]
> >
> > Yes, I agree that this doesn't make sense. The server needs to provide
> > anti-replay as part of the TLS stack using some sort of server-side
> state.
> > Servers which don't want to do that should not offer 0-RTT.
>
> But how would the client know the first time?  Perhaps it shouldn't
> matter.  The server should just hold back before delivering the data.
> Still, in order to do this without a replay cache the handshake has to
> have two more messages after the one where the client is prot_ready and
> the client has to confirm the early messages.  So this has to be part of
> the protocol.


I'm not following. The idea here is that the server indicates to the
client that it is in principle prepared to do 0-RTT and provides a key
that can be used for that. If the client attempts it and it doesn't work
out (e.g., because the server has lost the key), you fall back to a
1-RTT handshake, so the server can just discard the data rather
than holding it.



> >  - Client authentication state
> > >
> > >    Imagine a handshake where the client is not authenticated until the
> > >    second round trip, but we have key material for 0-RTT.  The server
> > >    cannot authorize any application protocol commands at this stage
> >
> > Every proposal I have ever seen for 0-RTT has the client delivering
> > client auth in the first flight for exactly this reason.
>
> Even ones where the client is afforded confidentiality for its ID? I

can certainly imagine protocols where that wouldn't be the case.


If you can send encrypted data to the server, you can also
encrypt the client's certificate. Yes, it's possible to design protocols
where that doesn't work, but it's also possible to design ones where
it does.


>  - Symmetric session key non-reuse depends entirely on the client and
> > >    its RNG.  E.g., in the resumption and PSK cases.
> > >
> > >    When using cipher modes where key/IV reuse is disastrous this could
> > >    be a serious problem.
> > >
> >
> > The conventional way to address this (as in snap start) is to use an
> > anti-replay mechanism which ensures uniqueness of the client random,
> > thus providing key uniqueness.
>
> By the time the server can check this it's too late: the client sent the
> bad ciphertext.


Good point. I agree that the client needs a strong PRNG.

-Ekr

v2.23.0 | Report a Bug | By Email