IETF Logo Mail Archive

Re: [TLS] The case for a single stream of data

Colm MacCárthaigh <colm@allcosts.net> Tue, 09 May 2017 17:35 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E88B129536 for <tls@ietfa.amsl.com>; Tue, 9 May 2017 10:35:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jwb7LwxJ4YlI for <tls@ietfa.amsl.com>; Tue, 9 May 2017 10:35:38 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B67CF129511 for <tls@ietf.org>; Tue, 9 May 2017 10:35:38 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id 203so4113441ywe.0 for <tls@ietf.org>; Tue, 09 May 2017 10:35:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uuOYRXRjpGGZuoi3EAk/fo9/Svk3WnB6d7h97ondEKc=; b=XOkoD+W7sMPtXoEqWRkMT/3a9+qfaHVb9XEK4cavaJ7OLp7qATO0TW8HvN2k3LVUUR 33JICUC1XIaxheVFc5sImPv5h6kOvrKeBt+BIpHJsUs4CS21WX5GWPKvfeOp/D6u0a9o jJWb+eICbs1/nj80kk6+Kuszx58PzV7lhMYR1syhycDF3+hcBX/COkB37dHmZUlQJKJU rLIUypFQTZM+hXr/b8MhUrOh86ZnKD5wQNXIvceQznizHzwOhfk2VEAq7j66DwWUEudU OZjZloth8hr0Je/n64Y2jZvc0Q+097Lxbezd9bZEq9J6qUdzUmZi3b1/xp3wvrM4n+2t meVA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uuOYRXRjpGGZuoi3EAk/fo9/Svk3WnB6d7h97ondEKc=; b=aQQcesttc7S+FpoKpA1XpjcwZ/9TV17qnDYd3GOTBa2aS98HSQBFcXYB8gIFjRhXs8 BydiAC6yK04j4YgTKX9s8LyOttS9fvI7ypxhYsXWxaniMOmTybRyYCPg8GSpxFexKFD/ bKCdt4LCqipPKf89ir9nAgfrCXGmatixdq/a6+GpuDcUgg2yTanuHrEIr5BCkqDHtsbc Bryc5xnyDVHmGYedfw3hxhKwLrDD6gDcadA7Ukf6oqmIhVeiRexO4tVjxM1DZbzEgvhm /PII+MVv2x+kgSsjQX1n+/WNUaLm76VK8wBQLJ/fQg8brMjUceZVmkSyjpEbgM454+hq V3Sg==
X-Gm-Message-State: AODbwcBchEoSw9YKSuskFIwpVUrY4YlISs2yGH9LwFxC73pjNYZGHBSt vk/tVCQB2AIKz5C5hYSRBkT+FP0x9Q==
X-Received: by 10.129.56.11 with SMTP id f11mr1080723ywa.241.1494351337934; Tue, 09 May 2017 10:35:37 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.57.67 with HTTP; Tue, 9 May 2017 10:35:37 -0700 (PDT)
In-Reply-To: <6ce1dc8757fa4f6693263c8e4f06f277@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <CAAF6GDfm=voTt_=JrdGtiaYby1JG8ySU2s6myjjpHKeGvi0bMg@mail.gmail.com> <9f5858c8d86742b9aa82bdac46590c92@usma1ex-dag1mb1.msg.corp.akamai.com> <CAAF6GDcGQ0YTYFFD+HVD71O9GCW7V3r_UNce1LQsHF1Zs9aBLQ@mail.gmail.com> <6ce1dc8757fa4f6693263c8e4f06f277@usma1ex-dag1mb1.msg.corp.akamai.com>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Tue, 09 May 2017 10:35:37 -0700
Message-ID: <CAAF6GDd5jnuSHw3JLTuCCKWjwKHcW=nfNac=w5UprM-gPJocQw@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11483b10ab0b85054f1ac8a1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AAR60KE96FtY9xzGlER2NwUtgA4>
Subject: Re: [TLS] The case for a single stream of data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 17:35:40 -0000

On Tue, May 9, 2017 at 9:41 AM, Salz, Rich <rsalz@akamai.com> wrote:

> > It's actually impossible because a 0RTT request may be retried as a 1RTT
> request and there's no way to correlate the two. So when the 1RTT request
> shows up, we can't go "This might be a repeat" - for example the X- header
> trick doesn't work in this case. It's subtle, which makes it even more
> likely to trip on it.
>
> That also assumes that the 0RTT data will be a completely self-contained
> request.  I share the concern that Kyle and others have pointed out, that a
> single request will span the boundaries.
>

True; though I think the partial request case it's ok ... I think it's just
orphaned data. The mechanisms that prevent 0-RTT insertion across different
connections do seem robust.


> > I think the only approach that actually rigorously works is the
> client-side one
>
> Attackers will not use well-behaved clients; does your approach still work?
>

Yes; it's about signaling to the client that "Your data may or may not have
been received". This is an ordinary failure mode for TCP and TLS and
something many clients have careful reasoning around. The difference with
0-RTT is now there's a bigger window of time during which that request may
get received, but that's it really. If the attacker replays, then it can be
received; and the attacker can use any client, but it doesn't change the
original well-behaved client's reasoning.

>The second problem is that middle-boxes can break any signaling. For
> example a CDN or TLS accelerator may enable 0-RTT towards the back-end
> origin without enabling it to the original client. In this model, the
> client has *no* way to reason about retries or replay.
>
> A CDN is not a middlebox.  As far as the client is concerned a CDN *is*
> the origin.


No I don't think this works in transactional systems. For example; suppose
the client performs an update or write "through" the CDN, and 0-RTT is
being used on both sides. In the 0-RTT world, the CDN might be subject to
replay between the CDN and the Origin. But as defined, the actual client
gets no visibility of that. That breaks careful clients.  For example they
may get a 500 back and assume that the request failed, without knowing that
the request may be replayed any time in the next 10 seconds and therefore
succeed.

This can all be made workable though; with a careful consideration of how
the signaling propagates; that's not in the draft at this time though.


> > That's really very broken and a serious violation of the transport layer
> contract.
>
> Only if you believe CDN is a middlebox.  The transport layer contract is
> overridden by legal contracts or EULA :)
>

Of course, but I think this is a predictable security problem. The
implications are very subtle and may be exploited by attackers, while
people unknowingly enable the behavior. I realize I'm in dark corner cases
here; but I think we should approach all of this with the same rigor we
treat the TLS state machine and crypto proofs.
-- 
Colm

v2.23.0 | Report a Bug | By Email