Re: [TLS] Channel ID and server load: comment on draft-balfanz-tls-channelid-00

Watson Ladd <watsonbladd@gmail.com> Tue, 22 October 2013 17:52 UTC

Date: Tue, 22 Oct 2013 10:52:11 -0700
Message-ID: <CACsn0c=4HHw3PfCsRxnuHf+Rca1GrOSi60OjJQ4qoJKGcP60Pw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Adam Langley <agl@google.com>
Content-Type: text/plain; charset=UTF-8
Cc: "tls@ietf.org" <tls@ietf.org>

On Tue, Oct 22, 2013 at 8:14 AM, Adam Langley <agl@google.com> wrote:
> On Mon, Oct 21, 2013 at 9:11 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>> Why could Channel ID identifiers not get stolen when the resumption
>> tickets are? Is there a reasonable threat model in which a client so
>> compromised as to lose resumption tickets has a meaningful benefit
>> from Channel ID?
>
> Because ChannelIDs have a public and private part, the private part
> can be much better protected. For example, by moving it out of the
> browser process completely, even on standard machines, and even under
> hardware-protection, where such capability exists.
Completely spurious: hardware (or a separate process) does not know
whether it is being asked to provide the ChannelID for a request that
is genuine or one that the attacker provided after subverting the
browser process. There also is a replay attack: a signature of a
static string provides no liveness, contrary to assumptions made here.
As a result, disclosure of a ChannelID for a web server provides the
ability to falsely authenticate a connection.
>
>> Why P256 and ECDSA? These choices prevent batch verification on the
>> server, increasing the workload significantly. They do not have major
>> security advantages, or performance advantages over Ed25519.
>
> Why can't one batch verify ECDSA signatures?
Because of a stupid missing bit, you don't know which of two points
leads to the r value. If you did know this bit, you could make the
verification equation an identity in the curve and apply the
Bos-Coster trick Ed25519 does. I've not come up with a way around this
issue. Guess and check isn't worth it: it ends up costing more than
verifying one at a time.
>
> The major issue with batch verification is latency: in order to build
> a batch one has to wait for enough ChannelID connections (64 for the
> batch speeds advertised for Ed25519) to be in the handshake stage. But
> for HTTPS, latency is very important and we can't delay connections
> for that long in normal processing.
>
> That's not to say that batch processing is useless in all situations,
> but it is not always applicable.
Fair enough: I assume P256 is performant enough for the applications
being imagined, but given the constant kvetching about performance,
I'm not sure everyone shares that. (Then again, they kvetch while
using interpreted languages...)

The argument for batch signatures to reduce latency is as follows: so
long as connections are coming in at a rate slow enough for us to deal
with them, all is good. But when connections come in faster than we
can process, we can grind through the queue faster.

I personally think TLS 1.3 should use a client key and server key to
derive a forward-secure channel, and then carry out whatever proofs or
verifications (certificate presentations, etc) are required within it.
Done right this can be fast in latency and CPU terms. Done wrong we
have what we have now.
>
> The goal of wanting to put the private key into hardware protection
> also motivated the choice of signing primitive since we get what we're
> given with hardware. I did come close to adding signature primitive
> negotiation to ChannelID recently but, due to bugs in old F5
> firmwares, we cannot currently afford any extra bytes in the
> ClientHello until we have workarounds in place. It may still appear in
> the future.
Options have burned us in the past: there was a recent email
describing a case of deployments with incompatible cipher suites
leading to interesting results.
>
>> When browsers implement Channel ID, what separations between different
>> websites are required? Cross-site request forgery has long been the
>> bane of web authentication technologies: does Channel ID provide
>> additional benefits here?
>
> Dirk deals with the higher levels of the stack, so I'll pass on that question.
>
>
> Cheers
>
> AGL

Sincerely,
Watson Ladd
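The "missing bit" that Watson describes, shown on a toy curve as an added example (not code from the thread or from the Channel ID draft): ECDSA keeps only r = x(R) mod n, so a verifier that wanted the full point R for a batch identity u1*G + u2*Q = R has to pick between two lifts (r, y) and (r, -y), and nothing in the signature says which one the signer used. Standard verification sidesteps this by comparing only the x coordinate of the recomputed point, which is exactly what prevents collapsing many verifications into one multi-scalar equation. The curve y^2 = x^3 + 2x + 2 over F_17 with generator (5, 1) and prime order 19 is a constructed textbook curve, not P-256, and the message "hash" is just an integer.

```python
import random

# Toy curve y^2 = x^3 + A*x + B over F_P: a constructed textbook example, NOT P-256.
P, A, B, N = 17, 2, 2, 19   # N is the (prime) group order, so mul(N, G) is INF
G = (5, 1)                   # generator
INF = None                   # point at infinity

def add(p1, p2):  # affine addition / doubling
    if p1 is INF: return p2
    if p2 is INF: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):   # double-and-add scalar multiplication
    acc = INF
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(d, h):   # textbook ECDSA: only r = x(R) mod N is kept, the sign of R is dropped
    while True:
        k = random.randrange(1, N)
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (h + r * d) % N if r else 0
        if r and s: return r, s

def recompute(Q, h, r, s):
    """Verifier's X = u1*G + u2*Q; standard ECDSA only checks x(X) mod N == r."""
    w = pow(s, -1, N)
    return add(mul(h * w % N, G), mul(r * w % N, Q))

def verify(Q, h, r, s):
    X = recompute(Q, h, r, s)
    return X is not INF and X[0] % N == r

def ambiguity(d, h):
    """Sign, verify, then count the curve points with x == r and how many equal X."""
    Q = mul(d, G)
    r, s = sign(d, h)
    X = recompute(Q, h, r, s)             # the full point a batch identity would need
    lifts = [(r, y) for y in range(P) if (y * y - (r ** 3 + A * r + B)) % P == 0]
    return verify(Q, h, r, s), len(lifts), sum(pt == X for pt in lifts)
```

`ambiguity(d, h)` returns `(True, 2, 1)` for every key and message: the signature verifies, r always lifts to two curve points, and only one of them is the point the batch equation would need, which r alone cannot identify.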