Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh
Eric Rescorla <ekr@rtfm.com> Mon, 02 January 2017 17:12 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACADA1296D6 for <tls@ietfa.amsl.com>; Mon, 2 Jan 2017 09:12:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VqapUh1CSQ3X for <tls@ietfa.amsl.com>; Mon, 2 Jan 2017 09:12:48 -0800 (PST)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83CF41296D2 for <tls@ietf.org>; Mon, 2 Jan 2017 09:12:48 -0800 (PST)
Received: by mail-yw0-x22d.google.com with SMTP id t125so271266923ywc.1 for <tls@ietf.org>; Mon, 02 Jan 2017 09:12:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=FVpbYGcChhFwXZUHWQZ4j49GPdXoTnpRXIUSoGB5miw=; b=VFxUZjN2eQreEMau4e7So/qB8kZyVvdvIvpBHri3q3sIyQ+LtkqrLJfhGrq7tyQ+mu 59RHA1+11l0q4eU9Ure2Zi2i+wqh97yki4p8aW7U+MZCoTTU8yQd7PhqBeQ53/reTWmY 7RleUwV8vX9Kw7600Db2gCKkW6ntImzAshaotYJyUpiVxhIKFJCW/dGvzKtegLS0cGG3 g8+tycwneVj7fJ4EBmt2LdW+iKfvt2Zg/CnFaaxOZ4rq6k7U4XFuPGQoY7EDGcMt96J3 63C9aWDQ2wOpuXUl5oZqx6h53AIvHR5AHnUdnensuRoluwlZDpWg+vz8v9gX/2go6fQS zH7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=FVpbYGcChhFwXZUHWQZ4j49GPdXoTnpRXIUSoGB5miw=; b=YyuNKY7y+0wA/NjW/DlJo+2Ohz9wm/n7djyVKNgqKPMHh3ClKCH2N0K72Tx27zXH0M s3LipfuXHgO4mVwAOAyL0o3UC/kNDUlbxd9xhqvRdIn8XFI9QgryZy6EWl9fONPoZc6T PiwTNMd2jkNBtMxfC7gK0dJ9a/fetQb5+iDsriZwrTJSPxccijkMiLGcANsoq/Y3fAKM dlQkN1vYep4tsA2nhxhK1DLLhPia1Ag5asD+fWNI2it2pIJAEgSvTgEIleeHWKaNvkyF yTwUIKiApK6upvCNJiTiXw31TR7qby/amwegcGfJiS5sh1yEOi/nmVkaCR9Yr5vT0FeW lm4Q==
X-Gm-Message-State: AIkVDXL1RZtxYYJZOhbcuALkBVZmrBVfc/KK3Z5yF2zR+OcwTqgVDFka+j0REl2Aef4XXfRdYb/+S8c5EMQ7bw==
X-Received: by 10.129.121.1 with SMTP id u1mr54409985ywc.146.1483377167793; Mon, 02 Jan 2017 09:12:47 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.164.210 with HTTP; Mon, 2 Jan 2017 09:12:07 -0800 (PST)
In-Reply-To: <5542029D-293A-44F5-9A11-62F5C47A4BA5@gmail.com>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <CAFewVt44xm3rgm=n8PpEcqbTvC-Ei2EvoJciL=+m2UnQ-fUm2A@mail.gmail.com> <CAMfhd9Xq4RA6XBqLZtsbWSnMk4SnvZLC9V3_gCH-FzyVBMg4xg@mail.gmail.com> <CADi0yUPSkBhyuX7utW1tsVkkbDc6YgBLie41qWPwbo+X6CpuZA@mail.gmail.com> <1483330131409.25713@cs.auckland.ac.nz> <5542029D-293A-44F5-9A11-62F5C47A4BA5@gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 02 Jan 2017 09:12:07 -0800
Message-ID: <CABcZeBNt1a5E=0JiP=AACyoNDUq1xtBaGRaMbVzCj_23SeF8uQ@mail.gmail.com>
To: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="94eb2c0a8f8227b25705451fa918"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9nsXhZFx43YnjPh3NfeE4WmhT_o>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)DHE public values be fresh
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 Jan 2017 17:12:50 -0000
Yoav, Thanks for pointing to this PR. Clearly we're only going to land one of these. One thing I wanted to note, as discussed in the comments on that PR, is that at least some of the proofs of security of TLS 1.3 assume that both sides use fresh DH shares. In TLS 1.3, of course, the nonces provide freshness [0], so intuitively reuse of DH shares should only threaten FS, however, an claims that that's actually the case should come with some analytic support. If reuse is forbidden than no such support is needed. -Ekr [0] See SIGMA page 24 for a bit more on this topic. On Mon, Jan 2, 2017 at 8:58 AM, Yoav Nir <ynir.ietf@gmail.com> wrote: > On 31 Dec 2016, at 20:36, Adam Langley <agl@imperialviolet.org> wrote: > > Consider the motivations here: > > 1) We know that some implementations have gotten this wrong with TLS > 1.2 and cached values for far too long. Presumably if they were to be > naively extended to TLS 1.3 this issue would carry over. > > 2) We probably disagree with this banking industry desire to be able > to backdoor their TLS connections, but we're not the police and fixing > DH values is probably how they would do it. If it's going to be A > Thing then it's much more likely that things will get misconfigured > and it'll be enabled in places where it shouldn't be. If we have no > detection mechanism then what we'll probably end up with is a Blackhat > talk in a few years time about how x% of banks botched forward > security at their frontends. > > Say that a value of an hour makes sense for some device and we feel > that an hour's forward-security window is reasonable for security. The > issue is that it significantly diminishes our detection ability > because clients need to remember more than an hour's worth of values > and I don't know if we can dedicate that amount of storage to this. > > Since I think the utility of this falls off as a reciprocal, I'll try > making a concrete suggestion for a time limit: 10 seconds. > > > I like this number, because that’s the number I chose when I implemented > ECDH caching in Check Point’s TLS library. It makes key generation rare > enough that it makes no difference for server load in any normal hardware, > and frequent enough that if you destroy the keys after they are last used > then attackers have a very narrow window of opportunity to get your keys. > Especially if they need to get a warrant. IoT may be abnormal hardware in > that regard. > > Still, if we want to accommodate the banking industry (or whatever part of > it we’ve talked to in Seoul), then they need to be able to tell based on a > timestamp which private key was used for that handshake. With 60 seconds > key changes are rare enough that there are at most two possibilities which > I think is manageable. With 10 seconds clock skew can ruin your system. > But I realize I’m bike shedding here. > > On 2 Jan 2017, at 6:09, Peter Gutmann <pgut001@cs.auckland.ac.nz> wrote: > > Hugo Krawczyk <hugo@ee.technion.ac.il> writes: > > there may be applications with legitimate reasons not to use FS. > > > It's not so much reasons not to use FS (well, there are some specialised > cases > where people want to do that as well), it's reasons to reuse (EC)DH values. > This isn't something that was ever mentioned in the spec, it's what > developers > have implemented themselves in order to deal with high-load conditions. > This > also means that no matter what the spec might say in the future, if you've > got > a developer facing a situation where they need 480% of available CPU to > service requests then they're going to do things like cache (EC)DH, > regardless > of what the spec says. So making it a MUST NOT will end up as what > someone on > PKIX once described as "workgroup posturing". Better to include an > advisory > note on using it, > > > Well, it just so happens… > https://github.com/tlswg/tls13-spec/pull/768/files > > Yoav > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- Re: [TLS] Requiring that (EC)DHE public values be… Martin Rex
- [TLS] Requiring that (EC)DHE public values be fre… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Eric Rescorla
- [TLS] cross-domain cache sharing and 0rtt (was: R… Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Eric Rescorla
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Brian Smith
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Richard Barnes
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Bill Frantz
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Scott Schmit
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Dan Brown
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Peter Gutmann
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Colm MacCárthaigh
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Martin Thomson
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Kurt Roeckx