Re: [TLS] 0-RTT and Anti-Replay

Mohamad Badra <mbadra@gmail.com> Sun, 22 March 2015 22:27 UTC

Return-Path: <mbadra@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAF821A6F2A for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 15:27:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KNbzOxxzHEx7 for <tls@ietfa.amsl.com>; Sun, 22 Mar 2015 15:27:00 -0700 (PDT)
Received: from mail-we0-x22d.google.com (mail-we0-x22d.google.com [IPv6:2a00:1450:400c:c03::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 097141A6F12 for <tls@ietf.org>; Sun, 22 Mar 2015 15:27:00 -0700 (PDT)
Received: by wetk59 with SMTP id k59so123912180wet.3 for <tls@ietf.org>; Sun, 22 Mar 2015 15:26:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=3ip818tprUCGoxePeKC9bJmxqMIMScLSjY/MeBtAnSw=; b=UKxcWHOWNWxRSwQ3u6EYTm8olGcYVuKEo/QfLipy29BcghxW1GEMyAt6GNcrJkaf8u 7weuLoYL3q41SsmSm3fYXB01w5oKAA/GtxkSKoTDbHxEXtwD7PhB9wcS0/5yjUbZd1d0 9TSQTkoU0Wl7jua4tu1T6YQvuk1oX/r8PAIH7E/pHD9wC96m9rEC5tdIUar6Cg8oIVAd zAs0tYHCYC5QvhCBJeLQ7HkZPocyS+Bl9leB3LcBdgZ+G8PekHs1rGK+2f1G4ftRaSOI SFHuks5lCOTXDoJi/S+yS2VmLJB5rpd/Xr3ET2b8qRdZ2KMcJ7O1H4d9PvOnzQcq8yUB cJGg==
MIME-Version: 1.0
X-Received: by 10.194.47.201 with SMTP id f9mr176306709wjn.17.1427063218821; Sun, 22 Mar 2015 15:26:58 -0700 (PDT)
Received: by 10.27.87.145 with HTTP; Sun, 22 Mar 2015 15:26:58 -0700 (PDT)
In-Reply-To: <CABcZeBP9LaGhDVETsJeecnAtSPUj=Kv37rb_2esDi3YaGk9b4w@mail.gmail.com>
References: <CABcZeBP9LaGhDVETsJeecnAtSPUj=Kv37rb_2esDi3YaGk9b4w@mail.gmail.com>
Date: Mon, 23 Mar 2015 02:26:58 +0400
Message-ID: <CAOhHAXzkWSvLCnSPhH2TQZgC4r7j-wX8TzmZf0pGnvKw2_VFcQ@mail.gmail.com>
From: Mohamad Badra <mbadra@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary=047d7b66fa5b3ae1a40511e80c9a
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/Dicv89OKtgISa-lZSBTbRR3mDE4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT and Anti-Replay
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 22 Mar 2015 22:27:06 -0000

Hi Eric,


> Client                        Attacker                          Server
>
> ClientHello [+0-RTT] ------------>
> "POST /buy-something" ----------->
>
>                               ClientHello [+0-RTT] --------------->
>                               "POST /buy-something" -------------->
>
>                                                    [Processes purchase]
>                                  <---------- ServerHello [accept 0-RTT]
>                                                   (+ rest of handshake)
>
>
> The attacker just discards the server's response and then the server
> somehow forces the server to reboot (this is the hard part).
>
> Once the server has rebooted, the attacker re-sends the client's
> initial flight then just forwards data back and forth to the client.
>
> Client                        Attacker                          Server
>                               ClientHello [+0-RTT] --------------->
>                               "POST /buy-something" -------------->
>
>    <--------------------------------------  ServerHello [reject 0-RTT]
>                                                  (+ rest of handshake)
>
> Finished --------------------------------------------------------->
> "Post /buy-something" -------------------------------------------->
>                                                   [Processes purchase]
>
> At this point, you've mounted a successful replay attack. Obviously
> this is not that great an attack because it requires you to be able to
> force a reboot and also get in under the client's timeout window.
>


According to draft-rescorla-tls13-new-flows-01:

   The EncryptedExtensions MUST include an ART indicator that matches
   the client's ART so that the client knows that the 0-RTT handshake
   was successful and that the client's application_data was accepted.



I wonder why the Server doesn't include an indicator in his reject
(encrypted indicator) so the client will avoid sending its request again.

(BTW, based on what a server can reject after a reboot)

Best regards
Mohamad