IETF Logo Mail Archive

Re: [TLS] cross-domain cache sharing and 0rtt

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 30 December 2016 14:44 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F05D31294B3 for <tls@ietfa.amsl.com>; Fri, 30 Dec 2016 06:44:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.401
X-Spam-Level:
X-Spam-Status: No, score=-7.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DfFDJpRGnARS for <tls@ietfa.amsl.com>; Fri, 30 Dec 2016 06:44:05 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91654124281 for <tls@ietf.org>; Fri, 30 Dec 2016 06:44:04 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0EBFEBE2E; Fri, 30 Dec 2016 14:44:03 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jV6Etc-iU_i; Fri, 30 Dec 2016 14:43:56 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 62F6CBDF9; Fri, 30 Dec 2016 14:43:55 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1483109035; bh=BaeKmhyudASDFEDUcHhqWFQkrE4yqJfFMCCMe1yaiq4=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=2Sxjh2qs8gaW06LITKByftSNl54yhH9vWL8dCjGKYg6mR6z+PMQhrdzisRIXB6WFL 7eMFrySdkn3s3luD755YdqimjWFr2CjsHp6MbkfMb7XhIMIn2W9AbCMWLdmWdIwYP3 GXwL1NtZ3Coubx2xLmgkr4DopD5vCiY6D55PFvuA=
To: Eric Rescorla <ekr@rtfm.com>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <79db4a88-e435-2e5b-47a5-9048acef45e2@cs.tcd.ie> <CABcZeBObcWUjdHhysLG1K0TbJfiqN+XCERn6WaMjWzgU0XC65A@mail.gmail.com> <582703ab-4340-35e7-a3d2-45dd606f10a1@cs.tcd.ie> <CABcZeBMx3zJ07pbj0bPBMrAcrK_Q4HVDcbCx_2B1DnyCOJeE-g@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <96ff5e9c-8d13-0a97-50e4-370df680b40a@cs.tcd.ie>
Date: Fri, 30 Dec 2016 14:43:55 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <CABcZeBMx3zJ07pbj0bPBMrAcrK_Q4HVDcbCx_2B1DnyCOJeE-g@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms080202040309080308050606"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/K6grm_W3kt8X--grrx0x3XZnAjA>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] cross-domain cache sharing and 0rtt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Dec 2016 14:44:08 -0000

Hiya,

On 29/12/16 19:08, Eric Rescorla wrote:
> On Thu, Dec 29, 2016 at 10:50 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie
>> wrote:
> 
>>
>>
>> On 29/12/16 18:38, Eric Rescorla wrote:
>>> On Thu, Dec 29, 2016 at 10:15 AM, Stephen Farrell <
>> stephen.farrell@cs.tcd.ie
>>>> wrote:
>>>
>>>>
>>>> Hiya,
>>>>
>>>> On 29/12/16 17:37, Adam Langley wrote:
>>>>> https://github.com/tlswg/tls13-spec/pull/840 is a pull request that
>>>>> specifies that (EC)DH values must be fresh for both parties in TLS
>>>>> 1.3.
>>>>>
>>>>> For clients, this is standard practice (as far as I'm aware) so should
>>>>> make no difference. For servers, this is not always the case:
>>>>>
>>>>> Springall, Durumeric & Halderman note[1] that with TLS 1.2:
>>>>>   ∙ 4.4% of the Alexa Top 1M reuse DHE values and 1.3% do so for more
>>>>>     than a day.
>>>>>   ∙ 14.4% of the Top 1M reuse ECDHE values, 3.4% for more than a day.
>>>> ...
>>>>
>>>> As an individual, I'd be in favour of this change but reading
>>>> over [1], section 5, I wondered if we'd analysed the effects of
>>>> 0rtt/replayable-data with that kind of cross-domain re-use in mind?
>>>> The situation being where session ID based caches or session ticket
>>>> equivalents in tls1.3 are shared over multiple domains.
>>>>
>>>> I don't recall this being explicitly considered, but maybe that's
>>>> just me forgetting. And hopefully the analysis is that such re-use
>>>> doesn't enable broader replay of early data, but there may be
>>>> something worth a mention in the tls1.3 spec, e.g. that there may
>>>> be linkages between the duration for which entries are maintained
>>>> in resumption and replay detection caches.
>>>>
>>>
>>> This question seems essentially orthogonal to the question of ECDHE key
>>> reuse
>>> because even if you use the same ECDHE key in perpetuity you get unique
>>> traffic keying material for each connection.
>>
>> Fair enough, I probably should've started a new thread so have
>> done that now.
>>
> 
> Currently TLS 1.3 forbids *both* 0-RTT and resumption if the SNI changes:
> https://tlswg.github.io/tls13-spec/#NewSessionTicket

What I'm wondering is if we're maybe missing a server-side check
on that, with the possible attempted attack of a 0rtt replay in
mind. E.g. a MUST check for the server that SNI is the same as for
initial h/s before processing early data, (as is done for ALPN now)
and/or some guidance about what might not be an obvious relationship
between any 0rtt replay detection mechanisms and session ticket
equivalents.

> 
> "Any ticket MUST only be resumed with a cipher suite that has the same KDF
> hash as that used to establish the original connection, and only if the
> client provides the same SNI value as in the original connection, as
> described in Section 3 of [RFC6066]
> <https://tlswg.github.io/tls13-spec/#RFC6066>."
> 
> We have discussed relaxing that restriction, specifically to allow the
> following case:
> 
> - Client connects to server with SNI=A and the server supplies a cert with
> SNI=A, B
> - Client reconnects to server and tries to resume with SNI=B
> 
> See PR: https://github.com/tlswg/tls13-spec/pull/777.

I'd wonder if that optimisation is really worthwhile, esp if it
opens the door wider to 0rtt replay. (And it seems like it'd be
somewhat complex to take advantage of the optimisation anyway.)

> 
> However, the general consensus was to leave this out of the base spec,

Seems right.

Cheers,
S.

> though we
> might supply an enhancement for that later (and potentially slightly soften
> the above
> language to foreshadow such an enhancement).
> 
> -Ekr
> 
> 
> 
>> S
>>
>>>
>>> -Ekr
>>>
>>>
>>>> Cheers,
>>>> S.
>>>>
>>>>>
>>>>> [1] “Measuring the Security Harm of TLS Crypto Shortcuts”, IMC 2016,
>>>>> pages 33–47, section 4.4. https://dl.acm.org/citation.cfm?id=2987480
>>>>> [2] https://datatracker.ietf.org/doc/draft-green-tls-static-dh-
>> in-tls13/
>>>>>
>>>>>
>>>>> Cheers
>>>>>
>>>>> AGL
>>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>>
>>>
>>
>>
>

v2.23.0 | Report a Bug | By Email