Re: [TLS] cross-domain cache sharing and 0rtt
Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 30 December 2016 14:44 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F05D31294B3 for <tls@ietfa.amsl.com>; Fri, 30 Dec 2016 06:44:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.401
X-Spam-Level:
X-Spam-Status: No, score=-7.401 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DfFDJpRGnARS for <tls@ietfa.amsl.com>; Fri, 30 Dec 2016 06:44:05 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91654124281 for <tls@ietf.org>; Fri, 30 Dec 2016 06:44:04 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 0EBFEBE2E; Fri, 30 Dec 2016 14:44:03 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jV6Etc-iU_i; Fri, 30 Dec 2016 14:43:56 +0000 (GMT)
Received: from [10.87.48.210] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 62F6CBDF9; Fri, 30 Dec 2016 14:43:55 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1483109035; bh=BaeKmhyudASDFEDUcHhqWFQkrE4yqJfFMCCMe1yaiq4=; h=Subject:To:References:Cc:From:Date:In-Reply-To:From; b=2Sxjh2qs8gaW06LITKByftSNl54yhH9vWL8dCjGKYg6mR6z+PMQhrdzisRIXB6WFL 7eMFrySdkn3s3luD755YdqimjWFr2CjsHp6MbkfMb7XhIMIn2W9AbCMWLdmWdIwYP3 GXwL1NtZ3Coubx2xLmgkr4DopD5vCiY6D55PFvuA=
To: Eric Rescorla <ekr@rtfm.com>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <79db4a88-e435-2e5b-47a5-9048acef45e2@cs.tcd.ie> <CABcZeBObcWUjdHhysLG1K0TbJfiqN+XCERn6WaMjWzgU0XC65A@mail.gmail.com> <582703ab-4340-35e7-a3d2-45dd606f10a1@cs.tcd.ie> <CABcZeBMx3zJ07pbj0bPBMrAcrK_Q4HVDcbCx_2B1DnyCOJeE-g@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=D66EA7906F0B897FB2E97D582F3C8736805F8DA2; url=
Message-ID: <96ff5e9c-8d13-0a97-50e4-370df680b40a@cs.tcd.ie>
Date: Fri, 30 Dec 2016 14:43:55 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <CABcZeBMx3zJ07pbj0bPBMrAcrK_Q4HVDcbCx_2B1DnyCOJeE-g@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms080202040309080308050606"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/K6grm_W3kt8X--grrx0x3XZnAjA>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] cross-domain cache sharing and 0rtt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Dec 2016 14:44:08 -0000
Hiya, On 29/12/16 19:08, Eric Rescorla wrote: > On Thu, Dec 29, 2016 at 10:50 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie >> wrote: > >> >> >> On 29/12/16 18:38, Eric Rescorla wrote: >>> On Thu, Dec 29, 2016 at 10:15 AM, Stephen Farrell < >> stephen.farrell@cs.tcd.ie >>>> wrote: >>> >>>> >>>> Hiya, >>>> >>>> On 29/12/16 17:37, Adam Langley wrote: >>>>> https://github.com/tlswg/tls13-spec/pull/840 is a pull request that >>>>> specifies that (EC)DH values must be fresh for both parties in TLS >>>>> 1.3. >>>>> >>>>> For clients, this is standard practice (as far as I'm aware) so should >>>>> make no difference. For servers, this is not always the case: >>>>> >>>>> Springall, Durumeric & Halderman note[1] that with TLS 1.2: >>>>> ∙ 4.4% of the Alexa Top 1M reuse DHE values and 1.3% do so for more >>>>> than a day. >>>>> ∙ 14.4% of the Top 1M reuse ECDHE values, 3.4% for more than a day. >>>> ... >>>> >>>> As an individual, I'd be in favour of this change but reading >>>> over [1], section 5, I wondered if we'd analysed the effects of >>>> 0rtt/replayable-data with that kind of cross-domain re-use in mind? >>>> The situation being where session ID based caches or session ticket >>>> equivalents in tls1.3 are shared over multiple domains. >>>> >>>> I don't recall this being explicitly considered, but maybe that's >>>> just me forgetting. And hopefully the analysis is that such re-use >>>> doesn't enable broader replay of early data, but there may be >>>> something worth a mention in the tls1.3 spec, e.g. that there may >>>> be linkages between the duration for which entries are maintained >>>> in resumption and replay detection caches. >>>> >>> >>> This question seems essentially orthogonal to the question of ECDHE key >>> reuse >>> because even if you use the same ECDHE key in perpetuity you get unique >>> traffic keying material for each connection. >> >> Fair enough, I probably should've started a new thread so have >> done that now. >> > > Currently TLS 1.3 forbids *both* 0-RTT and resumption if the SNI changes: > https://tlswg.github.io/tls13-spec/#NewSessionTicket What I'm wondering is if we're maybe missing a server-side check on that, with the possible attempted attack of a 0rtt replay in mind. E.g. a MUST check for the server that SNI is the same as for initial h/s before processing early data, (as is done for ALPN now) and/or some guidance about what might not be an obvious relationship between any 0rtt replay detection mechanisms and session ticket equivalents. > > "Any ticket MUST only be resumed with a cipher suite that has the same KDF > hash as that used to establish the original connection, and only if the > client provides the same SNI value as in the original connection, as > described in Section 3 of [RFC6066] > <https://tlswg.github.io/tls13-spec/#RFC6066>." > > We have discussed relaxing that restriction, specifically to allow the > following case: > > - Client connects to server with SNI=A and the server supplies a cert with > SNI=A, B > - Client reconnects to server and tries to resume with SNI=B > > See PR: https://github.com/tlswg/tls13-spec/pull/777. I'd wonder if that optimisation is really worthwhile, esp if it opens the door wider to 0rtt replay. (And it seems like it'd be somewhat complex to take advantage of the optimisation anyway.) > > However, the general consensus was to leave this out of the base spec, Seems right. Cheers, S. > though we > might supply an enhancement for that later (and potentially slightly soften > the above > language to foreshadow such an enhancement). > > -Ekr > > > >> S >> >>> >>> -Ekr >>> >>> >>>> Cheers, >>>> S. >>>> >>>>> >>>>> [1] “Measuring the Security Harm of TLS Crypto Shortcuts”, IMC 2016, >>>>> pages 33–47, section 4.4. https://dl.acm.org/citation.cfm?id=2987480 >>>>> [2] https://datatracker.ietf.org/doc/draft-green-tls-static-dh- >> in-tls13/ >>>>> >>>>> >>>>> Cheers >>>>> >>>>> AGL >>>>> >>>> >>>> >>>> _______________________________________________ >>>> TLS mailing list >>>> TLS@ietf.org >>>> https://www.ietf.org/mailman/listinfo/tls >>>> >>>> >>> >> >> >
- Re: [TLS] Requiring that (EC)DHE public values be… Martin Rex
- [TLS] Requiring that (EC)DHE public values be fre… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Eric Rescorla
- [TLS] cross-domain cache sharing and 0rtt (was: R… Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Eric Rescorla
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Adam Langley
- Re: [TLS] Requiring that (EC)DHE public values be… Brian Smith
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt (wa… Richard Barnes
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Eric Rescorla
- Re: [TLS] cross-domain cache sharing and 0rtt Bill Frantz
- Re: [TLS] cross-domain cache sharing and 0rtt Stephen Farrell
- Re: [TLS] Requiring that (EC)DHE public values be… Scott Schmit
- Re: [TLS] Requiring that (EC)DHE public values be… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Dan Brown
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Peter Gutmann
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Hugo Krawczyk
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Eric Rescorla
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Yoav Nir
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Colm MacCárthaigh
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] cross-domain cache sharing and 0rtt Martin Thomson
- Re: [TLS] cross-domain cache sharing and 0rtt Benjamin Kaduk
- Re: [TLS] cross-domain cache sharing and 0rtt Ilari Liusvaara
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Adam Langley
- Re: [TLS] [SUSPECTED URL!]Re: Requiring that (EC)… Kurt Roeckx