Re: [TLS] 0-RTT security considerations (was OPTLS)
Nico Williams <nico@cryptonector.com> Wed, 19 November 2014 00:45 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 058531A8A64; Tue, 18 Nov 2014 16:45:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Up44oVIrt7Ik; Tue, 18 Nov 2014 16:45:46 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id B91051A8734; Tue, 18 Nov 2014 16:45:46 -0800 (PST)
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 3D19D36006B; Tue, 18 Nov 2014 16:45:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=qqEGj5jbqoipyM alsNFxjveQaXY=; b=ZaDmNO2an2WXtfjXpBCMX3E+CbYp9Nsqee6xAT/CayeFqg +AVN06PW+Y84Ny2kBLRuhWMwW/lzWkzreCWhb5JVIO6KyXMnpaJNhW5ulnR0swPZ Q34Ezmqd0DwVfuJlRIAqLqglsbvcCKK+u/buX9IvkBrFUlZJUIcpZAoBTpjMs=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPA id D122536005C; Tue, 18 Nov 2014 16:45:45 -0800 (PST)
Date: Tue, 18 Nov 2014 18:45:45 -0600
From: Nico Williams <nico@cryptonector.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20141119004543.GC20758@localhost>
References: <20141118234608.GA20721@localhost> <CABcZeBN7ErepGC0Y5_xiYspJG-i3z6kA=STMk0mnnu+oQNCZqA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CABcZeBN7ErepGC0Y5_xiYspJG-i3z6kA=STMk0mnnu+oQNCZqA@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BweKEm4QpUOgyRGH5-OVsmYZjrQ
Cc: kitten@ietf.org, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT security considerations (was OPTLS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Nov 2014 00:45:48 -0000
On Tue, Nov 18, 2014 at 04:04:10PM -0800, Eric Rescorla wrote: > On Tue, Nov 18, 2014 at 3:46 PM, Nico Williams <nico@cryptonector.com> > wrote: > > - Replay protection (use replay cache or defer protection) > > [...] > > Yes, I agree that this doesn't make sense. The server needs to provide > anti-replay as part of the TLS stack using some sort of server-side state. > Servers which don't want to do that should not offer 0-RTT. But how would the client know the first time? Perhaps it shouldn't matter. The server should just hold back before delivering the data. Still, in order to do this without a replay cache the handshake has to have two more messages after the one where the client is prot_ready and the client has to confirm the early messages. So this has to be part of the protocol. > - Server authentication state > > > > Even in the 0-RTT case the client must check that the server's pubkey > > hasn't been revoked, of course, but either it won't be able to until > > it receives the server's Hello (where stapled OCSP should be found), > > or it will have to check certificate status out of band (which has > > privacy considerations). > > > > The problem here is that any application data sent before receiving > > the server's Hello will be compromised if the server's private key > > was compromised (even if the cert was revoked). > > > > For HTTP(S) this is a problem: the HTTP request may or may not be > > sensitive, but the HTTP client implementation and TLS can't know > > if it is -- only the application can know. This might mean that XHR, > > HTML, need extensions for specifying this. > > > > I'm not following this. Generally, server 0-RTT keys will probably be fairly > short-lived by comparison to OCSP-stapled responses, so you can just > continue to use the key within the OCSP window. Remember that if the > key is compromised within the OCSP window, then the attacker can > attack you with 1-RTT as well as 0-RTT. Again, this is also an issue > with resumption. Yes, this is a general problem that can only really be addressed via key freshness. > - Client authentication state > > > > Imagine a handshake where the client is not authenticated until the > > second round trip, but we have key material for 0-RTT. The server > > cannot authorize any application protocol commands at this stage > > Every proposal I have ever seen for 0-RTT has the client delivering > client auth in the first flight for exactly this reason. Even ones where the client is afforded confidentiality for its ID? I can certainly imagine protocols where that wouldn't be the case. > - Symmetric session key non-reuse depends entirely on the client and > > its RNG. E.g., in the resumption and PSK cases. > > > > When using cipher modes where key/IV reuse is disastrous this could > > be a serious problem. > > > > The conventional way to address this (as in snap start) is to use an > anti-replay mechanism which ensures uniqueness of the client random, > thus providing key uniqueness. By the time the server can check this it's too late: the client sent the bad ciphertext. Nico --
- [TLS] 0-RTT security considerations (was OPTLS) Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Eric Rescorla
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Eric Rescorla
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Eric Rescorla
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Watson Ladd
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams