IETF Logo Mail Archive

Re: [TLS] Closing on 0-RTT

Benjamin Kaduk <bkaduk@akamai.com> Fri, 30 June 2017 17:00 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 60F11131442 for <tls@ietfa.amsl.com>; Fri, 30 Jun 2017 10:00:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.011
X-Spam-Level:
X-Spam-Status: No, score=-0.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yGLbE4Fk2b79 for <tls@ietfa.amsl.com>; Fri, 30 Jun 2017 10:00:19 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7815A129B10 for <tls@ietf.org>; Fri, 30 Jun 2017 10:00:19 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v5UGvaBL032624; Fri, 30 Jun 2017 18:00:15 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type; s=jan2016.eng; bh=jMdx1ZeuB7dAMnSiqftuKsAY0B2ZuFQ1h26c3T6QqI8=; b=mzWTwPFkK17tOuNX+M9CHnVTBzP9h5Cn42PMBDl5S//IXNwfSBAqADNiKg9Pyl9JV8c1 plNqlN+0Rx2+gDM+B6I75mEL47gfcz3UriTdDWgPhsjMMVK5Ivp/3YqyToR1SBLWz8oX PKJC/TxSUdIslG0+S4pPw95spSqDs6JdGXLkidYrdBWYvjDBRj2yU27Fh/EsfMzFgzWb i18bQctLl9YxOrGtd2P4a8OTR6LH99Zbe8VpEJDPKFMErbQdB5Z0WwXf5jcHQRi0cq2z fp1d2JTyvC5YJbkJEO9X+SGmSojp3ODR70BRs0PiQkdtKmFemYJluBI5WM0QxIoA6liO yA==
Received: from prod-mail-ppoint4 ([96.6.114.87]) by m0050096.ppops.net-00190b01. with ESMTP id 2bd3nyp89f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 30 Jun 2017 18:00:06 +0100
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v5UGtcaY015944; Fri, 30 Jun 2017 13:00:00 -0400
Received: from prod-mail-relay15.akamai.com ([172.27.17.40]) by prod-mail-ppoint4.akamai.com with ESMTP id 2b9kdv4tp9-1; Fri, 30 Jun 2017 13:00:00 -0400
Received: from [172.19.17.86] (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay15.akamai.com (Postfix) with ESMTP id DF85E20068; Fri, 30 Jun 2017 10:59:59 -0600 (MDT)
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>, "Nygren, Erik" <nygren@akamai.com>
References: <CABcZeBNLo51y4-MYS6NTQn9OWg5jTYYpwxn1fiKKNL5bWA37TA@mail.gmail.com> <CABcZeBNtcvATyd=jhm4GxeyY9xP5CTUp0MLUf9c-ApBFVNvWoQ@mail.gmail.com> <7b5b28f1-60d5-0979-f789-0471df33dba9@akamai.com> <CABcZeBN0B8G3UZrLsfRakO0Vuhg=6w+aHsht4Co5pMLMWsy5-Q@mail.gmail.com>
From: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <983f5c59-47a1-af05-bf4c-146d68a617a5@akamai.com>
Date: Fri, 30 Jun 2017 11:59:59 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <CABcZeBN0B8G3UZrLsfRakO0Vuhg=6w+aHsht4Co5pMLMWsy5-Q@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------616DF0D5FFD8046B94A0BE41"
Content-Language: en-US
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-06-30_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1706300266
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-06-30_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1703280000 definitions=main-1706300266
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JFB-ZtZdYm_mWm-8d0cglhWxlWc>
Subject: Re: [TLS] Closing on 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jun 2017 17:00:21 -0000

On 06/30/2017 11:53 AM, Eric Rescorla wrote:
>
> On Fri, Jun 30, 2017 at 9:32 AM, Benjamin Kaduk <bkaduk@akamai.com
> <mailto:bkaduk@akamai.com>> wrote:
>
>
>
>     The pull request also has some text:
>
>     +If the expected arrival time is in the window, then the server
>     +checks to see if it has recorded a matching ClientHello. It
>     +either aborts the handshake with an "illegal_parameter" alert
>     +or accepts the PSK but reject 0-RTT. If no matching ClientHello
>     +is found, then it accepts 0-RTT and then stores the ClientHello for
>     +as long as the expected_arrival_time is inside the window.
>     +Servers MAY also implement data stores with false positives, such as
>     +Bloom filters, in which case they MUST respond to apparent replay by
>     +rejecting 0-RTT but MUST NOT abort the handshake.
>
>     I am not sure why we are giving servers a choice between aborting
>     and accepting the PSK but rejecting 0-RTT (if a matching
>     ClientHello is found), especially not without giving guidance as
>     to why they might choose one or the other.  My natural inclination
>     would be to have the expected behavior be to abort and only fall
>     back to the other behavior if using a scheme with false positives,
>     but Ekr thinks Erik Nygren was in support of just continuing on
>     with 1-RTT.  It looks like this was
>     https://github.com/tlswg/tls13-spec/pull/1005#discussion_r114924733
>     <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_tlswg_tls13-2Dspec_pull_1005-23discussion-5Fr114924733&d=DwMFaQ&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=qIhheftV5IdrTjjQ2fnsyL7mpbxBb7pw2MXevyQDsAs&s=zakCTxTGwP_fbyNl2IETAkdWTkuorAi0cTV9ap91MRM&e=>
>     , where I ... took the opposite position from what I just said my
>     "natural inclination" was, amusingly enough.  But still, why does
>     this need to be a choice?  Rejecting 0-RTT and continuing on to
>     1-RTT seems like it would be reasonable in all the cases mentioned
>     so far.
>
>
> Well, my reason for not wanting to do that is that it's a clear replay
> and so should
> be a hard failure. So, I'd be happy to mandate abort the handshake,
> but if we can't
> agree on that, I'd rather have a choice.
>

Would you be willing to add some discussion about how aborting might
give an information channel to an attacker maliciously replaying packets
even though it is clearly an error that should be rejected (eventually)?

-Ben

v2.23.0 | Report a Bug | By Email