IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Eric Rescorla <ekr@rtfm.com> Thu, 04 May 2017 03:14 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19C45129AD0 for <tls@ietfa.amsl.com>; Wed, 3 May 2017 20:14:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id L7c8_Ax-c5Yi for <tls@ietfa.amsl.com>; Wed, 3 May 2017 20:14:02 -0700 (PDT)
Received: from mail-yb0-x233.google.com (mail-yb0-x233.google.com [IPv6:2607:f8b0:4002:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FC4412957A for <tls@ietf.org>; Wed, 3 May 2017 20:14:02 -0700 (PDT)
Received: by mail-yb0-x233.google.com with SMTP id s22so366154ybe.3 for <tls@ietf.org>; Wed, 03 May 2017 20:14:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Vn3o0v18ecwI5+ze5Yz2dBaJ3/57+Ku6idXxEk1x9Nk=; b=cQcBK/09tAsfz9b2F3UfjZvLIG3HCmL6bySyF5NAdKqA52rKLqH32M3Tv1sM2oSGvd Ci6V32fJriA5vAOQepj13mtEI7kw59fpzYJVDmcGg3f1G260KvpvVsW+qRZAS/q19emt h4Z5BWE3VZdtlyQeACF+iE2InWG1dyp0FfW1Y8wOL6aH4JQFu7nWcXWTfaONpbQL1yXm L+T5oO36M96oJVuW5HKiwTy4OQSqrSYbvmkaWdsVcyIPLzfg0VHW7N2S/eTwUaemCXm5 d7j1CgDZEeIG5OrqUME0+C7oT8KaNfECU/Je6JSywaBi8wJzomsiNXMu7FGFLR3ynKjP bP/w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Vn3o0v18ecwI5+ze5Yz2dBaJ3/57+Ku6idXxEk1x9Nk=; b=KaV9tVQK1mCwnNlyVM6kZmCten91o0cfevE1+Fy+xOnYI+QspKNDuqkwAS2WlxDMJm L45wblneymvG5xMwB6ZR1wXdifxM1/IukuNNBoZQ5lMWXxcgSNfXq4UQ3Ji5Ls4LGj9l OBjh5Tk92U6SdqYjJebwljiOb5TlR2GoRBpvCbn7MDCvJfbo9yWeK9+AhcbmrNVDgLxX 7vwbAphBxSHW1U6YVFJ3qfhEaEr+NZ+jejcy8UCcfM9p5NseLKuYmXQ7sNWDW3uw3b3s oUdCPYTlqw7NIOgeMUQCivv8/JSNLP3jnOfycsr8N3YWRLdmB6uC32aTs2dyGSQrYoYS vjNQ==
X-Gm-Message-State: AN3rC/7quo4E5KROFjsLdUYQDWuAIa7F8/UPja4mm40Y7RiXGO+R1BDO NQ5FaXqS8e/HsdAFf1y94zjlAPNDXbIyKSE=
X-Received: by 10.37.174.24 with SMTP id a24mr32678532ybj.50.1493867641771; Wed, 03 May 2017 20:14:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Wed, 3 May 2017 20:13:20 -0700 (PDT)
In-Reply-To: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 03 May 2017 20:13:20 -0700
Message-ID: <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045da3582136b7054eaa2ae9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BMwp3MJ_UfdyjKTIBIMWmbs8h64>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 03:14:05 -0000

[Deliberately responding to the OP rather than to anyone in particular]

Hi folks,

I'm seeing a lot of back and forth about general philosophy and the
wisdom of 0-RTT but I think it would be useful if we focused on what
changes, if any, we need to make to the draft.

I made some proposals yesterday
(https://www.ietf.org/mail-archive/web/tls/current/msg23088.html).

Specifically:
1. A SHOULD-level requirement for server-side 0-RTT defense, explaining
both session-cache and strike register styles and the merits of each.

2. Document 0-RTT greasing in draft-ietf-tls-grease

3. Adopt PR#448 (or some variant) so that session-id style implementations
provide PFS.

4. I would add to this that we recommend that proxy/CDN implementations
signal which data is 0-RTT and which is 1-RTT to the back-end (this was in
Colm's original message).

Based on Colm's response, I think these largely hits the points he made
in his original message.

There's already a PR for #3 and I'll have PRs for #1 and #4 tomorrow.
What would be most helpful to me as Editor would be if people could review
these PRs and/or suggest other specific changes that we should make
to the document.

Thanks,
-Ekr




On Tue, May 2, 2017 at 7:44 AM, Colm MacCárthaigh <colm@allcosts.net> wrote:

> On Sunday at the TLS:DIV workshop I presented a summary of findings of a
> security review we did on TLS1.3 0-RTT, as part of implementing 1.3 in s2n.
> Thanks to feedback in the room I've now tightened up the findings from the
> review and posted them as an issue on the draft GitHub repo:
>
> https://github.com/tlswg/tls13-spec/issues/1001
>
> I'll summarize the summary: Naturally the focus was on forward secrecy and
> replay. On forward secrecy the main finding was that it's not necessary to
> trade off Forward Secrecy and 0-RTT. A single-use session cache can provide
> it, and with the modification that ekr has created in
> https://github.com/tlswg/tls13-spec/pull/998 , such a cache works for
> both pre-auth and post-auth tickets, and it allows clients to build up
> pools of meaningfully distinct tickets.
>
> There's also an observation there that it should really be that clients
> "MUST" use tickets only once. Any re-use likely discloses the obfuscated
> ticket age, which is intended to be secret. Right now it's a "SHOULD".
>
> On replay, the main finding is that what's in the draft is not workably
> secure, and the review includes 5 different attacks against 0-RTT data to
> illustrate that. Attacks 1 and 2 show that the kind of replay permitted by
> the draft is very different from the kind of replay permitted by dkg's
> existing downgrade-and-retry attack. I also go over why it very very
> difficult to many applications to achieve that idempotency, and why one
> idempotency pattern actually relies on non-replayable messages.
>
> Attack 3 shows that idempotency is not sufficient, applications must also
> be free of measurable side-effects, which is not practical.  Attack 4 shows
> that 0-RTT breaks a common security mechanism: spoofing-resistant
> throttles. Attack 5 shows that 0-RTT replay-ability enables an additional
> form of traffic analysis.
>
> The recommendation in the review is that implementations "MUST" prevent
> replays of 0-RTT section, with some additional discussion about why the
> existing advice is unlikely to be followed, and why consistent
> interoperability matters here.
>
> Unfortunately, I wasn't aware until Friday that this review would be
> coming so late in the TLD1.3 draft process, and my apologies for that. I am
> now planning to attend the future WG in-person meetings and look forward to
> seeing many of you there.
>
> --
> Colm
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email