Re: [TLS] Requiring that (EC)DHE public values be fresh

[Brian Smith <brian@briansmith.org>]

Adam Langley <agl@imperialviolet.org> wrote:
> Since this defeats forward security, and is clearly something that
> implementations of previous versions have done, this change
> specifically calls it out as a MUST NOT. Implementations would then be
> free to detect and reject violations of this.
>
> This does have a cost because it also excludes the reasonable practice
> of amortising public value generation over all connections for a few
> seconds. The draft could attempt to specify a precise, maximum
> duration for reuse but that is more complex and no value is clearly
> optimal.

We should brainstorm the unintended negative consequences of this.

It would make self-hosting a small that can survive a spike in traffic
("slashdot effect") more difficult, thus encouraging sites to use
CDNs, which decrease the integrity, confidentiality, and privacy
properties of all connections between the client and the origin
server. Unfortunately I don't know how to quantify that.

Another unintended consequence is that it makes the PSK modes
relatively more attractive. For some very small devices doing ECDH
agreement on every connection and only doing a occasionally doing a
ECDH keygen could be at the edge of their performance/power limits,
and needing to do the ECDH keygen for every connection could easily
make using ECDH prohibitive. OTOH, we don't want these devices to use
have a fixed ECDH key burned into their ROM, or similar, either.

Another unintended consequence is that it makes resumption (formulated
as a sort of server-generated PSK in TLS 1.3) more necessary. Although
many implementations will probably implement resumption, I think there
are a lot of cases where one might prefer to avoid implementing and/or
enabling it. Also, even when it is enabled, making ECDH more expensive
relative to PSK/resumption would encourage building more complex
server software to distribute PSKs across machines. And/or the server
may choose to reuse PSKs longer. And/or the server may choose to use
the non-ECDHE form of PSK-based resumption (IIUC). Again, though, I
can't quantify the effect here.

> Also, this cost doesn't seem too high: 85.6% of servers /don't/ reuse
> values and manage fine today. The generation of (EC)DH public values
> is also a fixed-based operation and thus can be much faster than DH
> key-agreement.

According to the paper, a large majority of servers in the Alexa top
1M are reusing keys. That 14.4% number is a fraction of the 80%
servers consistently in the Alexa top 1M that use browser-trusted
certificates and that use ECDHE. IIUC, approximately 20% of servers in
the Alexa top 1M that use browser-trusted certificates are using RSA
key exchange, which means they are also reusing the same key for every
connection. Also, according to the paper, more than half of servers
aren't using TLS or aren't using browser-trusted certificates, which
means that web browser connections to them are likely using the same
NULL key.

Also, the Alexa top 1M isn't representative of every use of TLS, but
rather only one kind of application.

> Lastly, some have proposed[2] (EC)DH reuse as a mechanism for enabling
> TLS connections to be decrypted and monitored by a middlebox. TLS is
> not designed to be decrypted by third-parties—that's kind of the
> point. Thus anyone doing this should not be surprised to hit a few
> MUST NOTs and, potentially, to have to configure implementations to
> allow such a deployment.

The (presumably) accidental reuse of keys for long periods of time is
bad, and this MitM idea is even worse. But, if reuse were made a MUST
NOT, wouldn't such systems just use a different, perhaps worse, more
complex, and undetectable mechanism, like the one Dan Brown suggested
in the earlier thread? I think we should assume that while we may be
able to help prevent the former accidental badness with such a rule,
such a mechanism probably isn't going to have much effect on the
latter intentional badness.

With all this in mind, absent other information. In the case of
servers hosting websites, I do think a limit of less than a minute is
reasonable. However, I think for the small device (IoT) case, the
limit should be longer, perhaps even hours.

Cheers,
Brian
-- 
https://briansmith.org/