IETF Logo Mail Archive

Re: [TLS] Closing on 0-RTT

Eric Rescorla <ekr@rtfm.com> Fri, 23 June 2017 17:44 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5B20127333 for <tls@ietfa.amsl.com>; Fri, 23 Jun 2017 10:44:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f-DMh-5SBjy8 for <tls@ietfa.amsl.com>; Fri, 23 Jun 2017 10:44:42 -0700 (PDT)
Received: from mail-yw0-x229.google.com (mail-yw0-x229.google.com [IPv6:2607:f8b0:4002:c05::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5AA5126DCA for <tls@ietf.org>; Fri, 23 Jun 2017 10:44:41 -0700 (PDT)
Received: by mail-yw0-x229.google.com with SMTP id v7so19646459ywc.2 for <tls@ietf.org>; Fri, 23 Jun 2017 10:44:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+GNhYEM2NnOfwVOqa6tbNu2AEIXPm4RKs6Y0CJFzHcM=; b=N9zYXsZqUIrxZSbS41UEieRyB2ZoOoqBVkINET+R2TWyj//YIQsDkke1Y7ID9SN5cy 2A3h3i0mQHgMC8lsc77IuVfn7PIayU8+/PMyCbcPXyjyTlu6MlAid6pLzfG7EkLwiFSB L201wFlZAESN9KfpQstzI/EchSfHAAN7Stx3u27+1V6v5EBMWKzFX+8BRSZN0e4/SeFs Ek43okPVtgC+OGik1jKcquNwxCFzYcj3k8QfReLsqbeg49B5x4LiMSBlOSMZ+LJzAh/h aoFOWxuZOiJvLIK02vlfGA4iKQa1ujBPkTboEk1sj7fGjo9Jm3NO8WFL4H6kLZRDV2xY Co3Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+GNhYEM2NnOfwVOqa6tbNu2AEIXPm4RKs6Y0CJFzHcM=; b=Qc4psA0TyGlUycOdZgUldPlhIq0ngWsoJTn6+95n1+6+5NwtHXbOKGBccYNRwof2xZ ARMrnZbqJT7Nk9EdHiybuLL6qy+XMWPN6gnxBb07jR30HTNpAeFEthqc2FodCJ5dT0Fu iCLY1ISEqusk1OJbKZ797FFAh07dmcMqH2wjiLth/lzCGrifLX0HxVx3VU7iW/3/VuEq 6igghoSJoY6u0PaVGMaoai71Q2RT+iOfTLKkj2cEPjSKH2QfYM3Le4w3HCk1oKYSvQh1 6e2s4YnTlOzF8cje2WJ+vH0bbiNxf2REJ/vijv4qt6j5oCeiwZxdSNHfKhoQRsofPQAz DXog==
X-Gm-Message-State: AKS2vOwgDCybls1aymU+RM1pOP+36m6UVwiMvVPu6zaSI+QEpD/nbTUS CGV+q0BrryIzMtnWhPl9cA+duNIKEe+hfz3Uqg==
X-Received: by 10.129.109.17 with SMTP id i17mr7070656ywc.3.1498239880938; Fri, 23 Jun 2017 10:44:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.215.9 with HTTP; Fri, 23 Jun 2017 10:44:00 -0700 (PDT)
In-Reply-To: <CAOgPGoAmo1p9BwfxyeA=iWbOpVtbxJsVpdN0TzVuV=bVyFiWEA@mail.gmail.com>
References: <CABcZeBNLo51y4-MYS6NTQn9OWg5jTYYpwxn1fiKKNL5bWA37TA@mail.gmail.com> <20170613113232.GC8983@LK-Perkele-V2.elisa-laajakaista.fi> <CAH9QtQG0uk+eUozJxxMRwvcROO7x5FhKd5zDbwpCKuXj9zrecQ@mail.gmail.com> <20170613205113.GA13223@LK-Perkele-V2.elisa-laajakaista.fi> <CAH9QtQFez=tUVJOd7ztBaWFtVs5dAAojg8JrixGqjwqN5go+8A@mail.gmail.com> <20170614174531.GA17930@LK-Perkele-V2.elisa-laajakaista.fi> <CAOgPGoAmo1p9BwfxyeA=iWbOpVtbxJsVpdN0TzVuV=bVyFiWEA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 23 Jun 2017 10:44:00 -0700
Message-ID: <CABcZeBPw94Pn9J2LDLBSijs+aZhhOsTiGKHj0wgBq0Ev8kf=xA@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114dd50ee480b60552a4271f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/HluqBE4z1vm0MXcE_aG0fzfmip8>
Subject: Re: [TLS] Closing on 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2017 17:44:45 -0000

PR up:
https://github.com/tlswg/tls13-spec/pull/1034


On Fri, Jun 23, 2017 at 9:21 AM, Joseph Salowey <joe@salowey.net> wrote:

> Hi Ekr,
>
> Discussion on this topic is dying down, can you post a PR so we can see
> the proposed text.  There is still some discussion on the API thread so
> there may be some additional modifications coming in that area.
>
>
> On Wed, Jun 14, 2017 at 10:45 AM, Ilari Liusvaara <
> ilariliusvaara@welho.com> wrote:
>
>> On Tue, Jun 13, 2017 at 03:24:24PM -0700, Bill Cox wrote:
>> > On Tue, Jun 13, 2017 at 1:51 PM, Ilari Liusvaara <
>> ilariliusvaara@welho.com>
>> > wrote:
>> >
>> > > >   - Note that 0-RTT exporters are not safe for authentication on
>> servers
>> > > > that do not enforce single-use tickets, or for clients that do not
>> > > > recompute authentication signatures on retransmission of early data.
>> > >
>> > > "Single-use tickets" imply global anti-replay.
>> > >
>> >
>> > I assumed "gobal anti-replay" meant there would be a globally
>> synchronized
>> > cache of valid single-use tickets.  It sounds like you mean "global
>> > anti-replay" includes schemes using orbit/metro/server bound tickets,
>> since
>> > they can support single-use tickets.  In that case, I agree with you,
>> but I
>> > think the phrase "single-use tickets" may be less confusing.  Maybe just
>> > say "anti-replay" instead of "global anti-replay"?
>>
>> IMO, "anti-replay" also includes per-server anti-replay, which archives
>> "at most N replays" in global scale.
>>
>> Of course, the ticket scope of server can be wider than the 0-RTT scope
>> (the server accepts tickets but rejects 0-RTT from any ticket in
>> between).
>>
>> > And the latter part is way too obscure. I have no idea how it is
>> > > trying to fix ClientHello replay resulting the same exporter
>> > > output.
>> > >
>> >
>> > I don't know what you mean by "resulting the same exporter output."
>> Auth
>> > signatures in a 1-RTT fallback need to be recomputed using the 1-RTT
>> > exporter to avoid having the same signature accepted twice.  Maybe this
>> is
>> > too specific and should be left out.
>>
>> If you replay ClientHello and it gets accepted twice, including to
>> different servers, both connections have the same 0-RTT exporter values.
>>
>> The 1-RTT exporter values will not be the same, but this is not helpful
>> for 0-RTT data, or for that matter any 1-RTT data unless exporters are
>> switched mid-stream.
>>
>> > > Even this is only partially true.  Anti-replay can be built above the
>> TLS
>> > > > layer.  I'm considering doing token-binding replay defense in the
>> > > > authentication backend, to help ensure the token-binding guarantee:
>> that
>> > > > auth tokens taken from one device cannot be used from another device
>> > > > without continued access to the first device's signing oracle.
>> > > > Unfortunately, 0-RTT master resumption secrets are a new kind of
>> auth
>> > > > bearer token, and the token binding spec does not cover them.
>> > >
>> > > Doing stuff like this gets more and more complicated and fragile as
>> > > one moves up the layer stack.
>> > >
>> >
>> > It depends on the task.  Moving channel ID from the TLS layer to token
>> > binding in the HTTP layer should simplify the TLS state machine enough
>> to
>> > justify the change.
>>
>> Implementing such thing without some TLS support at application layer is
>> just crazy.
>>
>> IMO, the only reason token binding concerns itself at all with TLS is
>> that "0.5 RTT" (a TLS 1.3 feature) and HTTP/2 was not available when
>> token binding was started. Those (together with exporters) would have
>> enabled token binding in HTTPS without having to mess with TLS.
>>
>> (The messing with TLS in token binding seems to be solely about saving
>> round-trips!)
>>
>> > Anti-replay in the TLS layer would be good for 0-RTT
>> > token binding, but the cost and complexity of running the whole
>> user-facing
>> > fleet of servers with anti-replay caches is huge, many times higher than
>> > the cost of token-binding anti-replay in the backend.  Also, the
>> > authentication backend is where bound tokens are currently verified, so
>> > putting the anti-replay there seems like the appropriate layer.
>>
>> That greatly depends on the implementation and deployment. That's why it
>> is more fragile.
>>
>> E.g. run more than one authentication backend for 0-RTT scope, and
>> your application layer anti-replay breaks. And I'm not convinced the
>> scale of anti-replay cache would be much smaller at application layer, in
>> fact, it could be even biger.
>>
>> > I'm still not sure this scheme is worth implementing, but without it, I
>> do
>> > not think we can support client certificates or token binding over
>> 0-RTT.
>> > It doesn't really matter for the TLS 1.3 spec.  I'm just pointing out
>> that
>> > the statement "0-RTT auth is insecure without anti-replay defense" is
>> not
>> > 100% accurate.  There are other ways to improve the security.
>>
>> Well, client certificates are currently forbidden for connections with
>> 0-RTT data (indirectly, but it is still forbidden). It could become
>> possible
>> in the future.
>>
>>
>>
>>
>>
>> -Ilari
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>

v2.23.0 | Report a Bug | By Email