Re: [TLS] Call for consensus: Removing DHE-based 0-RTT
Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 01 April 2016 22:47 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4F0112D5C8 for <tls@ietfa.amsl.com>; Fri, 1 Apr 2016 15:47:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wkScQJ872QNj for <tls@ietfa.amsl.com>; Fri, 1 Apr 2016 15:47:28 -0700 (PDT)
Received: from mail-lf0-x232.google.com (mail-lf0-x232.google.com [IPv6:2a00:1450:4010:c07::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E37F212D5AB for <tls@ietf.org>; Fri, 1 Apr 2016 15:47:27 -0700 (PDT)
Received: by mail-lf0-x232.google.com with SMTP id p188so64418560lfd.0 for <tls@ietf.org>; Fri, 01 Apr 2016 15:47:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=aintNYOtcjXMr2mFcXsT63vXO+hsU7hJsFCOLSw8Wts=; b=KFFDoSAfgBwHGomtUJKKpyQZKAH/4zDKIulgfytPkutS77gbceVCmj0g8QAL5NC9R8 MQ6WgBUwD2VHQ7OcN77Bo25PjbMtDtBIZijAI1MsyXApKw9dw268I7xckWGRYNZ5JI+1 RMa0Xrhnwxgf7M/u0tRjVpnX5NXwvCZQpB9sQ7/HuDEebmfLilK7PehYqjHBrql44wNQ CF5sZpPswJe3nUQNFSt4HR3TXrgrRQd1la5Ci8tu4YNptVTB4ADN+l9XZEVTCfnneqia sIw5406BeIg8gdlgqS34ASdE41mrDwsvuPgsk7JNutGRDnMiH36H/4eDjB0txZcwRxgS 3Tfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=aintNYOtcjXMr2mFcXsT63vXO+hsU7hJsFCOLSw8Wts=; b=LtGuoaeDJAsxwNGgmdQykFxCLe1tjFfnGqciH1hShRBhugdHGRQDNIGURjmMkScesp BP5xmGFZyMYbI69S8Jt8dvkFoI3RnJWh+RunRkoiU+a9swGzNiFShk5ZL8s3/tWLgb95 n11PVfLRJyrnBif/MAOJJEfedyhl/pCpSCsUBYNcaWa11nQN5EU03UVp8SPanTn3Z45d to5WvFc/2iimgh3pJN4ttlqi/qcCLHB7hgKz6+/W78I/jsAQftxDqFDCoOMDfU821fKb QkwhM66kBa6gG3K0i+SlA4jKT9kFPeLnk1c2sbZKnQrDTfEsn9CPGlYMy6T9cHAQP8yX 86+Q==
X-Gm-Message-State: AD7BkJIxE9FLdkwSTNJpELtKZzIDirh9WhxqEptNpgMT1CkUbtTDwF2toZbhj40UnUJpQaibDFxUJ3oSF37rOA==
X-Received: by 10.25.136.139 with SMTP id k133mr2836786lfd.157.1459550846083; Fri, 01 Apr 2016 15:47:26 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.31.6 with HTTP; Fri, 1 Apr 2016 15:46:56 -0700 (PDT)
In-Reply-To: <CABcZeBNnNOcqVVJyxg2ip+y4EuWGrkkqevb5L=mdkD2ALctMPA@mail.gmail.com>
References: <063B3B0B-B141-459C-890F-9E001655936F@sn3rd.com> <CADi0yUNTXynz-8FfN_U+h3MhvWvaKAfZspkWVNR+YxRCAm9w1w@mail.gmail.com> <CABcZeBNnNOcqVVJyxg2ip+y4EuWGrkkqevb5L=mdkD2ALctMPA@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Fri, 01 Apr 2016 18:46:56 -0400
X-Google-Sender-Auth: Vi_s0Yg_3mm9D7Nk4cqmWrVpzm4
Message-ID: <CADi0yUMxVPP-_GTtwTnmtUrJYw1TSuzBMt86HHo_ASePzM5FoA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/alternative; boundary="001a113f3894b66a88052f742958"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/H-xSKs3rq2MYy-04_DaXcapKdxc>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Call for consensus: Removing DHE-based 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2016 22:47:31 -0000
On Thu, Mar 31, 2016 at 11:49 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > > On Thu, Mar 31, 2016 at 8:39 PM, Hugo Krawczyk <hugo@ee.technion.ac.il> > wrote: > >> >> >> On Tue, Mar 29, 2016 at 9:11 AM, Sean Turner <sean@sn3rd.com> wrote: >> >>> All, >>> >>> To make sure we’ve got a clear way forward coming out of our BA >>> sessions, we need to make sure there’s consensus on a couple of outstanding >>> issues. So... >>> >>> There also seems to be (rougher) consensus not to support 0-RTT via DHE >>> (i.e., semi-static DHE) in TLS 1.3 at this time leaving the only 0-RTT mode >>> as PSK. The security properties of PSK-based 0-RTT and DHE-based 0-RTT are >>> almost identical, >> >> >> I am not offering an opinion about what the WG should decide regarding >> keeping >> DHE-based 0-RTT in the base TLS 1.3 document, but just wanted to note >> that the >> above claim "The security properties of PSK-based 0-RTT and DHE-based >> 0-RTT are >> almost identical" is not quite right (nothing I say here is new, I just >> felt >> that I had to "object" to this statement as written). >> >> There are some significant differences - in some cases even "fundamental >> differences" - between keeping secret state (in the PSK case) and keeping >> non-secret state (in the DHE case) or even not keeping state at all (in >> the >> DHE case) and retrieving the server key g^s from some external source >> (with >> integrity but not secrecy). In addition, using DHE 0-RTT would require >> the >> client to send a key share g^x leading to a PFS 1-RTT exchange while with >> PSK >> it may be "tempting" to omit PFS. >> > > The current plan of record is to allow the server to specify which cipher > suites it is > willing to accept, so it could refuse this > > I was just wondering if this is what will happen in practice. But I should have separated this consideration (and the next) from the more fundamental point of public vs secret state. > > > Moreover, if the server's configuration >> key g^s is refreshed often (say each 5 minutes) then the g^xs key used by >> the >> client to protect its 0-RTT data already has some good level of forward >> secrecy (the attacker has a 5 minute window to find s and after that >> forward >> security is guaranteed). The latter point touches on an important aspect >> which is the key management complexity of ticket encryption/decryption >> keys >> (as needed in the PSK case) vs managing secret DH key s (in the DHE >> case). >> I am not sure what would be done better (more secure) in practice. >> > > Can you expand on the difference here? Say that the server implements > tickets > by storing a DH private key and then encrypting the ticket under the > corresponding > public key. How does this provide different PFS properties? > It doesn't. And you don't need a public key for this. If the server rotates the ticket encrypting key often (say each 5 minutes as in the example) then you get the same effect. The point was about which case, g^s or symmetric ticket encryption key will be managed better in practice. I don't have an answer. Hugo > -Ekr > > >> But really it seems that the discussion boils down to identifying cases of >> enough interest where avoiding the original 1-RTT trip for establishing a >> session ticket is important. I am puzzled by the fact that the Google team >> seems ok with something that essentially voids the main feature and design >> basis of of QUIC. >> >> Hugo >> >> >> >>> but 0-RTT PSK has better performance properties and is simpler to >>> specify and implement. Note that this does not permanently preclude >>> supporting DHE-based 0-RTT in a future extension, but it would not be in >>> the initial TLS 1.3 RFC. >>> >>> If you think that we should keep DHE-based 0-RTT please indicate so now >>> and provide your rationale. >>> >>> J&S >>> >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> >
- [TLS] Call for consensus: Removing DHE-based 0-RTT Sean Turner
- Re: [TLS] Call for consensus: Removing DHE-based … Bill Cox
- Re: [TLS] Call for consensus: Removing DHE-based … Wan-Teh Chang
- Re: [TLS] Call for consensus: Removing DHE-based … Ryan Hamilton
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Ilari Liusvaara
- Re: [TLS] Call for consensus: Removing DHE-based … Wan-Teh Chang
- Re: [TLS] Call for consensus: Removing DHE-based … Martin Thomson
- Re: [TLS] Call for consensus: Removing DHE-based … Wan-Teh Chang
- Re: [TLS] Call for consensus: Removing DHE-based … Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Hannes Tschofenig
- Re: [TLS] Call for consensus: Removing DHE-based … Hugo Krawczyk
- Re: [TLS] Call for consensus: Removing DHE-based … Eric Rescorla
- Re: [TLS] Call for consensus: Removing DHE-based … Hugo Krawczyk
- Re: [TLS] Call for consensus: Removing DHE-based … Martin Thomson
- Re: [TLS] Call for consensus: Removing DHE-based … Joseph Salowey