Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
Colm MacCárthaigh <colm@allcosts.net> Mon, 28 March 2016 20:39 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C669C12D1A0 for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 13:39:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsetU6RpoV_R for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 13:39:05 -0700 (PDT)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 052E912D155 for <tls@ietf.org>; Mon, 28 Mar 2016 13:39:05 -0700 (PDT)
Received: by mail-qk0-x22f.google.com with SMTP id o6so129132613qkc.2 for <tls@ietf.org>; Mon, 28 Mar 2016 13:39:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=qhQU/P6vHsvEul43ZRNpBbROSMXPPgkP5CajPp4Jnhs=; b=1tY8WQDCatViZIVgeKQitzA9J+GHQ4M9BqZxqhARx8VWt4/kN76cx6/R/5+TjM3nMb cwHgfUS4Qv/jdmp/u99Y36iTOnIc0ZY5vXtBGsyXbMHve+bJ0vNQjHnMqDBvOG5x2pTy 93bC7B8TlpX3Ii2dpvGf8RSEiZ71AZWb9k6ZibTU3t2V73IYl7FJZm2MkAoHr4v/y8Pc Ndxs8QJ/8Ev4f6371R+PTRxeGi9qO80u0TzYJ4KXKMPmtpofJvsIW5t2CxyQxk2ruWJ0 P/8D4/exn6Mqgps96qUxjtEWeyJdFDlATr2DQUDuGx9gNiLIpJspVDH83h48WPCu5JOL c/tg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=qhQU/P6vHsvEul43ZRNpBbROSMXPPgkP5CajPp4Jnhs=; b=AvJcfR/PTTJ5NQtTEZ4CjI9oQpvBZ73LWVAqpqZH0FkhzTFNaeyBQRK1GYWqiiZQad 7wrI1d+bCZ5NRmsyjQuUkVmjAiS4bnBre0ezhnytynPhObOALIb2Ic0TPWP2hXZj6ngb ozwHR52Cjph0xDBhbF3//fyV97f4jdXW4TbfqLD4JRdGQjJyloe2ofqjViyC1Mza0cgX dX1XtcPzqIc4qwdTZ4MTiPt/ugB4PK69oODoM7D59aYaI64gBTf/4gnUlIaONdPyrqoa cwKkUsJeJtYUm5Ug7KIhy8rKWtRHqRogoT7Dmzafccv8FAphxprrmH47lqp4mi3Aspiu nZOQ==
X-Gm-Message-State: AD7BkJJtR4L9aEcFKGtPuHuIgjdjNs6h9h9eBDxzp4P3+XLDjBXyouBb6mHprth2K25inuz9BxR5Qr4/WQOAhw==
MIME-Version: 1.0
X-Received: by 10.37.88.215 with SMTP id m206mr14657209ybb.168.1459197544022; Mon, 28 Mar 2016 13:39:04 -0700 (PDT)
Received: by 10.129.88.137 with HTTP; Mon, 28 Mar 2016 13:39:03 -0700 (PDT)
In-Reply-To: <7B4301E9-0282-47A3-8824-5ACC2C61910F@gmail.com>
References: <CAAF6GDeLshxG0o2_a9vPBTMtNHLNf9tynJaPPnAm2ZrAca19iw@mail.gmail.com> <7B4301E9-0282-47A3-8824-5ACC2C61910F@gmail.com>
Date: Mon, 28 Mar 2016 13:39:03 -0700
Message-ID: <CAAF6GDcw-fdUAKU9ZOORh77VHaadbkZ_QxsKNHrDPJa=eAzBzw@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Content-Type: multipart/alternative; boundary="001a113fcb7a451680052f21e73f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/I1Z5cGoM4tb-uTlSBBxsTt90K10>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2016 20:39:07 -0000
On Mon, Mar 28, 2016 at 1:31 PM, Karthikeyan Bhargavan < karthik.bhargavan@gmail.com> wrote: > *Resumption and Forward Secrecy* > > > PSK_ECDHE in TLS 1.3 does provide forward secrecy for 1-RTT data, yes? > This is already better than TLS 1.2 where we had no way to do > forward-secret resumption. > In that case, the concern is mainly for 0-RTT, which I agree is harder to > get right. > Yes ... and I left that out in the interests of clarity for the argument ... but I mean this scheme for the 0RTT data (hence the tying it together). I should have been more clear, thanks! > *0RTT and Safety* > > I see at least three different challenges with 0RTT as defined. The first > is a general and high level one: we seem to willing to accept a "lower" > level of security for 0RTT data (e.g. no FS, even if the rest of the > session has it). Why? What is it we think is special about this data that > it is "less" worth protecting? surely there are very sensitive things in > urls, surely there are potential oracles and other things in there too? It > just seems super strange to me. > > > I wonder if the QUIC folks have an answer to this question? It would be > good to gather “typical” intended use cases of 0-RTT data. > In any case, it is good to distinguish this forward secrecy concern from > replay, because secrecy is in the control of the client, who can choose to > send or not send sensitive data, but replay detection is in the hands of > the server. > A lot falls out from replay. If there are side-channels in how the server handles the 0RTT section (and we can be certain that there will be) then the ability to replay the section greatly amplifies the attackers ability to use those side-channels to determine things about the data. Where the data is a url, which can contain things like passwords, session ids, and other bearer tokens, that's a bad combo. > Yes, detecting and preventing replays by default would be good. > However, I wouldn’t tie this in with the session mechanism. > Wouldn’t we want to prevent replay of DH 0-RTT requests? > I should be more clear: I mean to replace the DH 0-RTT part with 0-RTT parts that are encrypted under separate single-use PSK states. -- Colm
- [TLS] Resumption and Forward Secrecy, 0-RTT and S… Colm MacCárthaigh
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Tony Arcieri
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Karthikeyan Bhargavan
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Colm MacCárthaigh
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Bill Frantz
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Andrei Popov
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Karthikeyan Bhargavan
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Andrei Popov
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Eric Rescorla
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Ryan Hamilton
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Martin Thomson
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Colm MacCárthaigh
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Karthikeyan Bhargavan
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Martin Thomson
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Tony Arcieri
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Ryan Hamilton