Re: [TLS] Security review of TLS1.3 0-RTT

Eric Rescorla <ekr@rtfm.com> Thu, 04 May 2017 21:14 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 460A2126DC2 for <tls@ietfa.amsl.com>; Thu, 4 May 2017 14:14:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id icpw53XWhPHz for <tls@ietfa.amsl.com>; Thu, 4 May 2017 14:14:01 -0700 (PDT)
Received: from mail-yb0-x233.google.com (mail-yb0-x233.google.com [IPv6:2607:f8b0:4002:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08A7D126E64 for <tls@ietf.org>; Thu, 4 May 2017 14:14:01 -0700 (PDT)
Received: by mail-yb0-x233.google.com with SMTP id 8so6754763ybw.1 for <tls@ietf.org>; Thu, 04 May 2017 14:14:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=vNe7Kc04+iyoc/NcRKimLum+JLDYJQVxfUrqlZHf1F8=; b=buJNIYqXbRAidwsUbh9oS8DgZaSYBs4ASuDDI20Z5pm27u0oNw7vG3nJlHptGfkrqS u5J5bjwOKsM0Apc78WlOXT4DwSKdQ82Vw67T0Aw8m7cH4/G3FLFom84IcwN6Ue7lff53 gB+2zET0PuMWoqiPvP38QwnIL+tA0qUf9cl/dUgLUHYcY0Ftvgmg4FuY9Omh5SP7cmsa 1qVkN6z5DMQ299I0fexIy3Wux2YgyoZzefhNGptftyXRKBpMC12ubTPaRByb/0H08DYj gwZnmoV9EFliMDFbfmEFpSXUf1Er5PfCAHPwF3acHZFIqlttYKGtC9BB8gmd+wYw+9MN Figw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=vNe7Kc04+iyoc/NcRKimLum+JLDYJQVxfUrqlZHf1F8=; b=LFmI8lw5Q77uFLCnPUFVR9Eenvk76NW73YAMbiph9r83PiSPfzbv3vXa5is6JLkQBP cia2dV36Pd7VFydYch9fpNH12hOHfloB6Y5M+5/4bTKmQSzXBC+znUI0iutIQO2Ef8i1 vQSVJV2ru/9PDn39D1p/hI2mwPsc4b/VZPMwpfPLBgjwVZ7odlJJSt9/NVgFvHxUuB+H x2MZvBgwxzDsaRFmKCwAgHNRf499SXRxM+5q4k7YNLCX4pvY85qm5WNCe3mbgdv2VMNC HO2RaJRMZ6c2zzpr5DTozpzzgNskBdPmd5UBeRCk6+xoIbjPsOLBDt+rms8uVzdx8pTS Y6sw==
X-Gm-Message-State: AN3rC/7fsxi2aPy9uTLIHVC5pBgLmLGB4VLtXvZz+wMFzu4Y6M5yUaIy 4/vKOXH8M0fmE+ZjOJhNTf2gmdMS/4gKPtU=
X-Received: by 10.37.174.24 with SMTP id a24mr36492941ybj.50.1493932440282; Thu, 04 May 2017 14:14:00 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Thu, 4 May 2017 14:13:19 -0700 (PDT)
In-Reply-To: <CABcZeBOX5NXuhgfap2S0naO9PFXv+K-+fZVPbgck6yciVnrYbQ@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com> <CAAF6GDe1_ih1aUShrzAHUuTzbLx6+0BdVexpGnq90RZsST8GvA@mail.gmail.com> <CABcZeBOX5NXuhgfap2S0naO9PFXv+K-+fZVPbgck6yciVnrYbQ@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 04 May 2017 14:13:19 -0700
Message-ID: <CABcZeBPuOupLTNKOtuCgOjYNdiuw571HM-pq1vNZz_8x-XX5mg@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045da3586bfdc2054eb94035"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DLR4hFCWoVHYV-HK-u5osZ6JAaQ>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 21:14:03 -0000

As promised:
https://github.com/tlswg/tls13-spec/pull/1005

Note: I may have to do a little post-landing cleanup, but I wanted to get
people's senses of the text ASAP.

Comments welcome.
-Ekr


On Wed, May 3, 2017 at 8:21 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>
>
> On Wed, May 3, 2017 at 8:20 PM, Colm MacCárthaigh <colm@allcosts.net>
> wrote:
>
>>
>>
>> On Wed, May 3, 2017 at 8:13 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>>
>>> I made some proposals yesterday
>>> (https://www.ietf.org/mail-archive/web/tls/current/msg23088.html).
>>>
>>> Specifically:
>>> 1. A SHOULD-level requirement for server-side 0-RTT defense, explaining
>>> both session-cache and strike register styles and the merits of each.
>>>
>>> 2. Document 0-RTT greasing in draft-ietf-tls-grease
>>>
>>> 3. Adopt PR#448 (or some variant) so that session-id style
>>> implementations
>>> provide PFS.
>>>
>>> 4. I would add to this that we recommend that proxy/CDN implementations
>>> signal which data is 0-RTT and which is 1-RTT to the back-end (this was
>>> in
>>> Colm's original message).
>>>
>>
>> This all sounds great to me. I'm not sure that we need (4.) if we have
>> (1.).  I think with (1.) - recombobulating to a single stream might even be
>> best overall, to reduce application complexity, and it seems to be what
>> most implementors are actually doing.
>>
>> I know that leaves the DKG attack, but from a client and servers
>> perspective that attack is basically identical to a server timeout, and
>> it's something that systems likely have some fault tolerance around. It's
>> not /new/ broken-ness.
>>
>
> Heh. Always happy to do less writing.
>
> Thanks,
> -Ekr
>
>
>>
>>
>>> Based on Colm's response, I think these largely hits the points he made
>>> in his original message.
>>>
>>> There's already a PR for #3 and I'll have PRs for #1 and #4 tomorrow.
>>> What would be most helpful to me as Editor would be if people could
>>> review
>>> these PRs and/or suggest other specific changes that we should make
>>> to the document.
>>>
>>
>> Will do! Many thanks.
>>
>> --
>> Colm
>>
>
>