Re: [TLS] Forward secrecy with resumption, and 0-RTT security

Eric Rescorla <ekr@rtfm.com> Sun, 06 December 2015 19:39 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 570E11A88BA for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 11:39:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id buW8_MyzyrWQ for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 11:39:55 -0800 (PST)
Received: from mail-yk0-x230.google.com (mail-yk0-x230.google.com [IPv6:2607:f8b0:4002:c07::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5D6D1A88AD for <TLS@ietf.org>; Sun, 6 Dec 2015 11:39:54 -0800 (PST)
Received: by ykba77 with SMTP id a77so173833510ykb.2 for <TLS@ietf.org>; Sun, 06 Dec 2015 11:39:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=8R8UxwUjH4QyEW9syGuqrisd2RNpq1TKBsj5zEGqg0M=; b=ZkObdoNI5YF8SgXlUDQaVGM/+U65kEXoo3X9O6WeCgH/hbc5RcFPvAYa9Bhh6XSmef zcnuqvC/eCKKxh0r3MNMMDawtlEYIt4nGKOjQ27b57ZaciZxgk/sMWLqCz797PsKa76g LD7LWv6kiM9gxhfXeLe2zyk/hcXcbZq/nhVS+pnf68J5VZ75M1JLW+R9XvZfi9ELcb92 q5YWgJ7pu88ErhQcVO0nLwZqfAyNWpiLNm//oWTc3lj5wVa41TmYwpoSQaufApLv+3DI WARPNSNdO6gOzA1UEbO9gCskKwdwVCQIuRQujZ2MnZjig5Oa3LF5lsjCSq4oN4z/Lkrd 3B6w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=8R8UxwUjH4QyEW9syGuqrisd2RNpq1TKBsj5zEGqg0M=; b=NfV30+NgBLSgK5tc7mBVuuvpUmJiIN41DTOPwdZGna4KHtcW8GWV4pla5iFFAG4Sxc c5sgPY/VSTd4BJEuouqV5jdzpxCCD9BcUJCPQE2OuHResjEGZeeSMaNjdGP7HQyJoJLz lbStquFv+xslYZFTWxmNhNrn1Q9LAVsfRNt0IXIkPZ2Ru6yML0Frp80dUc7rGiV6hjmy R7UO6KnFSrJk7ApCXslv3S8HI17+qF0PxTznwid1ZAmp4XOunxs677rgaTG08ypWARyw UagHpNjyYsu4o8a4PnqnLcu7+3fPi3y3wdd5voaoFiX+DJmVrrxhEYi3HGPFJVQvq+of 28GQ==
X-Gm-Message-State: ALoCoQl0E4n0Fg5irIrqmzwZIbZ0pEHmlXQAF+g7i0dGIfDV9bXc6y91e1PyphGEoiF7aMmbB2Z7
X-Received: by 10.13.236.10 with SMTP id v10mr22609889ywe.231.1449430794081; Sun, 06 Dec 2015 11:39:54 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.197 with HTTP; Sun, 6 Dec 2015 11:39:14 -0800 (PST)
In-Reply-To: <CAH9QtQHaXNJPyUJ_2GaCAp4J2rhs84juwBqjV=RZ+rOe35RAFw@mail.gmail.com>
References: <CAH9QtQEMcVkZAwOS5xCWFCw0uBvQd+Q+Wsj7fXtm3_p6XHk_pA@mail.gmail.com> <CABcZeBPLtB3YZsEpm9+xhm9p2H7q__68JS8Vx=Lw1Ae-5e94Kg@mail.gmail.com> <CAH9QtQHaXNJPyUJ_2GaCAp4J2rhs84juwBqjV=RZ+rOe35RAFw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Sun, 6 Dec 2015 11:39:14 -0800
Message-ID: <CABcZeBMNDD5JMSY+4w=mvDFMW9VcdLtfNs0C71zV6g-Yjz=o9Q@mail.gmail.com>
To: Bill Cox <waywardgeek@google.com>
Content-Type: multipart/alternative; boundary=94eb2c0889dc9bcd2905263fe75b
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/HpAltiVJ8k7pei1BAtZK0-2fKQw>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Forward secrecy with resumption, and 0-RTT security
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2015 19:39:58 -0000

On Sun, Dec 6, 2015 at 8:17 AM, Bill Cox <waywardgeek@google.com> wrote:

> On Sun, Dec 6, 2015 at 7:12 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> On Sun, Dec 6, 2015 at 6:50 AM, Bill Cox <waywardgeek@google.com> wrote:
>>
>>> AFAIK, there has never been a session resumed with forward secrecy.  Is
>>> this correct?
>>>
>>
>> Yes, session resumption does not have PFS. Though note that with 1.3 that
>> will
>> no longer be true, because you can do PSK-DHE.
>>
>
> With PSK-DHE over 0-RTT, would we use the static DHE server share for the
> first resume flight?
>

No. In All PSK-DHE modes, the PSK is used as SS.


> To have strict forward secrecy, given that the server already has to have
>>> server-side state (the pre-shared key), I find the old session ID scheme
>>> more palatable than the new tickets.  The main point of session tickets was
>>> to eliminate the server-side session cache, wasn't it?
>>>
>>
>> The current ticket scheme is compatible with either a server-side
>> database *or* having self-contained
>> tickets which are encrypted with a server-side key. (This was also true
>> for tickets, it's just that
>> you didn't bother with tickets if that is what you wanted). If you want a
>> database, you just use
>> an identifier as the key name. The point is to have a mechanism which
>> accomodates either
>> design.
>>
>
> I think this is a very cool aspect of TLS 1.3.  Inefficiencies always bug
> me, though.  It is somewhat painful transmitting 0's in the SessionID
> field, when we could use that to lookup saved server-side state, reducing
> or eliminating the ticket while still supporting 0-RTT resume.  However, I
> lean pretty far on the side of efficiency.  Microseconds and bytes matter,
> IMO.
>

You're talking about the single byte that indicates an empty session id?
That doesn't seem like
it's a big source of inefficiency.



> I haven't thought this through in as much detail as I've thought through
>> the
>> non-PSK 0-RTT case, but I don't believe that PSK-resumption solves the
>> problems with replay. The basic issue is the same: what happens when
>> a server gets a connection attached to state which it doesn't have. So,
>> what the attacker would do duplicate the ClientHello + PSK and send one
>> copy to the true datacenter and one to another datacenter that doesn't
>> have
>> state. The right datacenter will process the 0-RTT handshake and the
>> wrong one will reject it, causing the client to fall back to 1-RTT and
>> retransmit
>> the request. So, you still get replay.
>>
>> -Ekr
>>
>
> Correct.  PSK does not solve this replay issue.  It only defends against
> replay to the same data center. This increases the complexity of the attack
> and limits the number of times a packet can be replayed, but does not solve
> the replay issue.  Further mitigation steps, such as making all requests
> idempotent (regardless of 0-RTT or 1-RTT), should be taken above the TLS
> layer, at the application layer.  Datacenter bound PSK 0-RTT does solve the
> uniqueness problem with ClientVerify signatures.  There would be at most
> one accepted flight of packets per signing operation, even in your attack
> scenario.
>
> IMO, ClientVerify should only be supported if this weaker form of replay
> protection is in place.  Here's a threat model:
>
> A woman enters a hotel lobby, desperate for access to an online computer.
> She uses a computer in the "business center" to access her online account,
> which requires her to insert her security key containing her client
> certificate.  When she's done with her work, she logs out, removes the
> security key, and just to be safe smashes the computer into useless bits.
>
> The attacker who previously installed malware on the computer now is able
> to make a large number of new authenticated connections over several days,
> with many connections in parallel, even though he no longer has access to
> the security key to act as a signing oracle.
>

Yes, assuming the malware captures the client's DHE share.  I've updated
the draft to make this
point clear.

To be clear, the original issue with replay would still apply here as well,
since the client
would just sign twice.


Another thing: resumption in TLS 1.2 breaks this security key scenario as
> well.  Malware simply exports the session state and resumption ticket, and
> the attacker then resumes authenticated connections without access to the
> security key.  To fix this, there needs to be a new PoP per connection, not
> just once on the initial handshake.
>

Yes, that's one reason that people require fresh signatures on subsequent
connections
in systems like FIDO, even though they have a token that demonstrates
continuity of
the client (though typically that token is a cokie).


I guess another question is: Do we care about strong client authentication
> enough to support it in a 0-RTT world?  The default solution when using TLS
> 1.3 is for companies that use security keys to never use 0-RTT
> authentication.  That's not the end of the world, but I imagine that having
> to support 0-RTT for regular users, and forcing 1-RTT for employees and
> users who choose a higher level of security is going to be a complication.
>

Yes, I think it's important, especially for WebRTC.


>
> I still think some more text describing 0-RTT implementation techniques
> would be a good thing.  It really does read as if the spec is saying that
> servers SHOULD NOT support 0-RTT.  I've never read a security warning like
> that which did not have a SHOULD NOT associated with it.  Of course, I
> haven't read that many IETF specs yet :)
>

I'll but it on my TODO list but I would definitely welcome a PR here.

Thanks,
-Ekr




> Bill
>
> On Sun, Dec 6, 2015 at 7:12 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>> On Sun, Dec 6, 2015 at 6:50 AM, Bill Cox <waywardgeek@google.com> wrote:
>>
>>> AFAIK, there has never been a session resumed with forward secrecy.  Is
>>> this correct?
>>>
>>
>> Yes, session resumption does not have PFS. Though note that with 1.3 that
>> will
>> no longer be true, because you can do PSK-DHE.
>>
>>
>>
>>
>>> In the past, there were two cases: resumption using session IDs, and
>>> resumption with session tickets.  Using session IDs loses forward secrecy,
>>> because the server always has session keys in a session cache, which could
>>> be used to decrypt the prior sessions.  Using tickets did not work either,
>>> because the server always kept a ticket decryption key which could be used
>>> to decrypt all resumed sessions since the key was last rotated.
>>>
>>
>> Well, the server could in principle delete the keys from the session
>> cache and (at more
>> cost) the decryption key But yes.
>>
>>
>>
>>
>>> To have forward secrecy under the strict definition using the new PSK
>>> scheme, we need to use what the new name implies: pre _shared_ keys.  The
>>> new name implies that the server remembers a unique shared key for the
>>> connection, which is server-side state per resumable connection.  If we
>>> only store the PSK in the ticket, and go stateless on the server, then the
>>> server-side ticket decryption key again defeats strict forward secrecy.
>>> With a remembered server-side pre-shared secret, we can have a 0-RTT resume
>>> with strict forward secrecy.  Is this already implied in the spec?  If so,
>>> the spec could be improved, by stating this explicitly.  However, the
>>> current statement that 0-RTT does not provide forward secrecy seems to be
>>> wrong in the case that we resume a 0-RTT connections with a
>>> server-remembered PSK.
>>>
>>> To have strict forward secrecy, given that the server already has to
>>> have server-side state (the pre-shared key), I find the old session ID
>>> scheme more palatable than the new tickets.  The main point of session
>>> tickets was to eliminate the server-side session cache, wasn't it?
>>>
>>
>> The current ticket scheme is compatible with either a server-side
>> database *or* having self-contained
>> tickets which are encrypted with a server-side key. (This was also true
>> for tickets, it's just that
>> you didn't bother with tickets if that is what you wanted). If you want a
>> database, you just use
>> an identifier as the key name. The point is to have a mechanism which
>> accomodates either
>> design.
>>
>>
>> I think the current spec does not describe well enough how to implement
>>> secure 0-RTT infrastructure.  Instead, it seems to recommend against using
>>> 0-RTT, with a pretty dire warning about the insecurity of 0-RTT.
>>>
>>
>> Well, the primary purpose of this warning isn't to warn about PFS. It's
>> really to warn
>> about the replay issue, which is unique to 0-RTT and which can't really
>> be fixed
>> by proper implementation. The issue isn't that it's not possible to have
>> anti-replay
>> if you're willing to store server side state, but rather how you respond
>> to server-side state
>> loss. Moreover, the problems exist whether or not you use
>> certificate-based
>> client authentication.
>>
>> I haven't thought this through in as much detail as I've thought through
>> the
>> non-PSK 0-RTT case, but I don't believe that PSK-resumption solves the
>> problems with replay. The basic issue is the same: what happens when
>> a server gets a connection attached to state which it doesn't have. So,
>> what the attacker would do duplicate the ClientHello + PSK and send one
>> copy to the true datacenter and one to another datacenter that doesn't
>> have
>> state. The right datacenter will process the 0-RTT handshake and the
>> wrong one will reject it, causing the client to fall back to 1-RTT and
>> retransmit
>> the request. So, you still get replay.
>>
>> -Ekr
>>
>>
>>
>