IETF Logo Mail Archive

Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety

Andrei Popov <Andrei.Popov@microsoft.com> Mon, 28 March 2016 21:47 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74F8212D116 for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 14:47:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.012
X-Spam-Level:
X-Spam-Status: No, score=-0.012 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XV0MwY9txbTK for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 14:47:44 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0768.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::768]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD45012D0C1 for <tls@ietf.org>; Mon, 28 Mar 2016 14:47:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=cN4wUYgYyCgw7/DOV/uzYOirzO4BqXlPNMk86x7dZJo=; b=ecL5cHpZGHGPEaa971tiUgbHwZjQoZn5dGI1Orhxe11G8IW2vYcs//b1fqP1Jli3FCB9lmrvvaDA+gGnFr6VVj31O947cpskkLvXzyPo5ebjcQkdojtpxkfWRI8JArKw8Eka3zb6e9Y8ifoIm31lfEGd6Da9tWzbwyxr6JWXP8E=
Received: from BLUPR03MB1396.namprd03.prod.outlook.com (10.163.81.142) by BLUPR03MB1394.namprd03.prod.outlook.com (10.163.81.140) with Microsoft SMTP Server (TLS) id 15.1.447.15; Mon, 28 Mar 2016 21:47:23 +0000
Received: from BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) by BLUPR03MB1396.namprd03.prod.outlook.com ([10.163.81.142]) with mapi id 15.01.0434.023; Mon, 28 Mar 2016 21:47:23 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: "karthik@messengeruser.com" <karthik.bhargavan@gmail.com>
Thread-Topic: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
Thread-Index: AQHRiSN2YMohgneox0CkzrCuSxAXNJ9vTzyAgAANb+CAAAMzgIAAAvyA
Date: Mon, 28 Mar 2016 21:47:23 +0000
Message-ID: <BLUPR03MB139671E889569CAD5E65E27D8C860@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <CAAF6GDeLshxG0o2_a9vPBTMtNHLNf9tynJaPPnAm2ZrAca19iw@mail.gmail.com> <7B4301E9-0282-47A3-8824-5ACC2C61910F@gmail.com> <BLUPR03MB139612FBF6332AFD3E74AB658C860@BLUPR03MB1396.namprd03.prod.outlook.com> <535576C4-F808-4937-946C-B53661F0645D@gmail.com>
In-Reply-To: <535576C4-F808-4937-946C-B53661F0645D@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8::1d2]
x-ms-office365-filtering-correlation-id: 1e0d0e5c-b462-4f94-a922-08d357528c21
x-microsoft-exchange-diagnostics: 1; BLUPR03MB1394; 5:ffP4Nkrbx+zx3UawZfKfV1fneSiDhGd+wUsrYBGtzcfZUiHwF71OARW+4PRMdkzsaq9V/nuaoslXqdf5EIkDLwi3ZrrRkGshQgBiZpF7j4OhMsPmJ4oIwWlKkX7wRy3QDrNYLNleXeJzP3t1I/CxkQ==; 24:FgPNIWyPb02uFMbOKR++xwEtLBbk/Zj6eIWYUFvaQvvZWNFuPViIDqH1NIbIqIEmlaO8KyaXVT/Xg+QuP30J1ImPlYySpyRwo6F3d611tY8=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BLUPR03MB1394;
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-microsoft-antispam-prvs: <BLUPR03MB1394DCCB125C6BC69F2A60CD8C860@BLUPR03MB1394.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(61426038)(61427038); SRVR:BLUPR03MB1394; BCL:0; PCL:0; RULEID:; SRVR:BLUPR03MB1394;
x-forefront-prvs: 0895DF8FFD
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(377454003)(54094003)(2950100001)(2900100001)(92566002)(81166005)(19580395003)(19580405001)(77096005)(11100500001)(16236675004)(19609705001)(15975445007)(4326007)(122556002)(2906002)(110136002)(5004730100002)(5002640100001)(74316001)(5008740100001)(86362001)(86612001)(5003600100002)(102836003)(790700001)(6116002)(1220700001)(19300405004)(1096002)(189998001)(586003)(76176999)(19617315012)(10290500002)(19625215002)(106116001)(5005710100001)(10400500002)(54356999)(99286002)(33656002)(93886004)(2351001)(10090500001)(87936001)(50986999)(3280700002)(3660700001)(76576001)(3826002)(491001); DIR:OUT; SFP:1102; SCL:1; SRVR:BLUPR03MB1394; H:BLUPR03MB1396.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BLUPR03MB139671E889569CAD5E65E27D8C860BLUPR03MB1396namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Mar 2016 21:47:23.8229 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BLUPR03MB1394
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/G09tq_qGY6HSlFKnfOS93XOAD9A>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2016 21:47:46 -0000

Not sending cookies/authz headers in 0-RTT would solve a part of the problem, but will browser vendors go for that? I could be wrong, but there seems to be considerable interest in 0-RTT Token Binding…. so folks must be planning on sending tokens☺.

From: Karthikeyan Bhargavan [mailto:karthik.bhargavan@gmail.com]
Sent: Monday, March 28, 2016 2:31 PM
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: Colm MacCárthaigh <colm@allcosts.net>; tls@ietf.org
Subject: Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety

>  … because secrecy is in the control of the client, who can choose to send or not send sensitive data…
Generally, how can a browser distinguish sensitive data?

By not sending cookies or authorization headers, for example?


Cheers,

Andrei

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Karthikeyan Bhargavan
Sent: Monday, March 28, 2016 1:31 PM
To: Colm MacCárthaigh <colm@allcosts.net<mailto:colm@allcosts.net>>
Cc: tls@ietf.org<mailto:tls@ietf.org>
Subject: Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety

Let me try to understand the concerns here.



Resumption and Forward Secrecy

PSK_ECDHE in TLS 1.3 does provide forward secrecy for 1-RTT data, yes?
This is already better than TLS 1.2 where we had no way to do forward-secret resumption.
In that case, the concern is mainly for 0-RTT, which I agree is harder to get right.



0RTT and Safety
I see at least three different challenges with 0RTT as defined. The first is a general and high level one: we seem to willing to accept a "lower" level of security for 0RTT data (e.g. no FS, even if the rest of the session has it). Why? What is it we think is special about this data that it is "less" worth protecting? surely there are very sensitive things in urls, surely there are potential oracles and other things in there too? It just seems super strange to me.

I wonder if the QUIC folks have an answer to this question? It would be good to gather “typical” intended use cases of 0-RTT data.
In any case, it is good to distinguish this forward secrecy concern from replay, because secrecy is in the control of the client, who can choose to send or not send sensitive data, but replay detection is in the hands of the server.



The second challenge is that the replayability of the 0RTT poses a cryptographic safety challenge. Take Lucky13 - which is a brilliant attack and is stunningly effective against DTLS because it is so easy to replay over and over; barely needing to change any parameters - and let the server do the work. 0RTT looks very similar. It doesn't seem wise to let cipher text manipulators take as many cracks at the whip as they'd like.
The third challenge is that the 0RTT plaintext data itself may not be safe to replay; that is that it might trigger some kind of non-idempotent action. Idempotence is really really hard, it isn't safe to simply plug in a replayable section to existing protocols. There's also a huge difference between being tolerant to a small number of replays, and a large unbounded number. For example: a large unbounded number may be used to generate DOS attacks against  throttles and quotas.

Yes, detecting and preventing replays by default would be good.
However, I wouldn’t tie this in with the session mechanism.
Wouldn’t we want to prevent replay of DH 0-RTT requests?

Best,
Karthik





The third challenge is that the 0RTT plaintext data itself may not be safe to replay; that is that it might trigger some kind of non-idempotent action. Idempotence is really really hard, it isn't safe to simply plug in a replayable section to existing protocols. There's also a huge difference between being tolerant to a small number of replays, and a large unbounded number. For example: a large unbounded number may be used to generate DOS attacks against  throttles and quotas.

Tying things together
Short of some kind of transactional locking protocol during TLS handshakes, I don't think there is a scheme that can perfectly prevent replay. Bill Cox' analysis is a really good one here. But I'd like to observe that the sort of single-use-session-id cache outlined above has a nice property that it makes for a sort of strike register. Since the server-side implementor is incentivized to evict entries, or at least mark them as used, so that the slot is available for re-use; that can be doubled-up as a "we've seen this already" signal. This reduces the replay window to the time period for that signal to propagate (e.g. for an eviction to happen from the cache).

So 0RTT data could be encrypted under the resumption session id. That creates the challenge that the session might not be there any more, so the server may not be able to decrypt the 0RTT data. I actually think this is a plus, and lines up with a separate important change I think is necessary - the 0RTT data shouldn't be application data. It should be a separate, optional, stream. I find it helpful to think of it as a hint, so it could be called "replayable_hint". Instead of breaking apart an existing protocol and putting some of it in the early data and some in the application data transparently (a disaster in waiting), the client and server would have to formally agree on the kind of data that could be in a "replayable_hint". This goes a long way to mitigating many protocol level idempotency concerns, and has no impact on the kind of pre-fetching people want to do for HTTP and other protocols. At a bare minimum, I think we should make this change.

Lastly, and this is a little crazy but I haven't let that stop me before ... to guard against the smaller replay window and idempotency problems at the application levels,clients should occasionally send duplicate and unrelated hints, just opportunistically. This keeps the server side application "on notice" that that kind of craziness can occur, and better to have it happen a little all of the time in a controlled way, than rarely by attackers.

Summary
A common theme in the above is that it makes things more expensive for server-side implementors, and that sucks - but I don't see another way to avoid some of the pitfalls here; and I'm unhappy with the state of tickets today. If I'm on my own on that, I'd be interested in what kinds of data people might kind convincing. My own impressions come from being an Apache httpd developer and assisting people with configurations and running workshops at conferences. It's not scientific, but the prevalence of non-rotation is so severe in my sample set that I'm convinced it's the norm.

--
Colm
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cAndrei.Popov%40microsoft.com%7c88d384e16d794a23be0c08d35750543d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=IU9aYW%2b6Gt0pnbIVXnT2yGNzOCGfmvvg%2fY5yFhiKlYY%3d>

v2.23.0 | Report a Bug | By Email