Re: [TLS] 0.5 RTT
Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 23 February 2016 22:26 UTC
Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B76F11A8749 for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 14:26:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HifCvnT_E-zL for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 14:26:49 -0800 (PST)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB6231B2E8F for <tls@ietf.org>; Tue, 23 Feb 2016 14:26:48 -0800 (PST)
Received: by mail-lf0-x233.google.com with SMTP id 78so128145lfy.3 for <tls@ietf.org>; Tue, 23 Feb 2016 14:26:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=AedsG0ugumyPdKO4YvF9hzN6vymeee8THOwP4AFHRwE=; b=RuC9U10EiZmlbshyf9axkxFxZ4SQ5YRE8JjcDDEz42DTPj3wpiTYSPK7uHZnILdMuK 5efhqN5/kns03ubdMbNwdXX5FyBb+K+mCHwmKs0KuznLvMg6O9duuT5IzmNF5HLxc+Fw eVJokbpu9qBYWua+SyhCEYw2N4u5HOIq+jioSzrCXulpQ/EqZZ2D+pAw5aNx+EFyA0sG 7gXBiwB25LKlwp6dF4HK0Yxf8ME1zyNGWROOO28VjcPU6kvR91Tlp7PM8bsYBvMz5onn 0KTMojy8HP2W/Z0jd3PSfihLlPkXkTx/FrlIjgt5ahwWg9gSzzUnObDYylaN831SM+In FV3A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=AedsG0ugumyPdKO4YvF9hzN6vymeee8THOwP4AFHRwE=; b=MXCR0wEKy4omR8bNf9HthPVcpRq4t70/wBCZHF1SX8ZS6Lx4u1RxC0P/Q3TQVyeNIh G8XFsfSn4EE8IA24MDyKkC70ZnQZss/+A6bdZHYjoq1r0Vejr/T6kxv52MJ1JD1RQeNt rADOAEctEhkIQZlNt3vWppWGt0RQ364e/9bdTlszqhCtiWivXEBAM5GCzcI3HbfTsRsZ ekZphrJeddX9/LPN2HWAVTE8s/dTZngva6MrpUZ2Unvdqlugk7jgomoFfNSjfy/WpIR7 tf9GgA8tOQOjem1pS40zvO8hOzZir33T2XKwk15BAgTycJjb1dDnONMbGZXxfbTZpZDh cbnA==
X-Gm-Message-State: AG10YOS4yQZm6cImq+Tcua6v6ny1MlrlPT65D3HH/yd7p2YWdAcgfbojIMSYMfPXt3tgqezOPIS8o+iHX5+b3Q==
X-Received: by 10.25.21.90 with SMTP id l87mr13063883lfi.64.1456266406845; Tue, 23 Feb 2016 14:26:46 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.31.18 with HTTP; Tue, 23 Feb 2016 14:26:17 -0800 (PST)
In-Reply-To: <35EE1C1C-132D-47A1-ADF3-5AD3C3D5EE4D@gmail.com>
References: <CABkgnnW1LRhSA_i0nL=rDYnUwBZWg5dSys7yk6aDefYWptnpZQ@mail.gmail.com> <8FA1A0FD-B911-474F-AC08-6208A80EB980@gmail.com> <CADi0yUPOEL++R+_Nhy4NTfhzsA6UjbVbMAEiPx1Qg9+vPPHt7g@mail.gmail.com> <35EE1C1C-132D-47A1-ADF3-5AD3C3D5EE4D@gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 23 Feb 2016 17:26:17 -0500
X-Google-Sender-Auth: geo58GgPwDcKeymBb2JmG1S6O_k
Message-ID: <CADi0yUNKiFuAXK-qFjdOc0SBHfd1Gkp=UoEK5OxAw5Cps70Ryw@mail.gmail.com>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Content-Type: multipart/alternative; boundary="001a113d9b54e0e27d052c77715a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/KJ11BeDJjttXU5r6c2W7Q9jdkRM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0.5 RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 22:26:52 -0000
Karthik, I think that what you are pointing to are cases where the client *is* authenticated via its PSK. There is an important distinction between PSKs that have been authenticated by the client (in a previous exchange) and those that are not. Any PSK-based handshake that uses a (previously) client-authenticated PSK needs to be treated as client-authenticated and replay needs to be dealt with utmost care, including the need to validate via the client finished that the current exchange is not a replay. In the case where the PSK is client-unauthenticated (e.g. a resumption from a server-only authenticated handshake) and the server does not request client authentication then the need for client finished is less crucial. Let me be clear, I prefer a conservative design to a more liberal one so if we can do without 0.5 data then much better. Hugo On Tue, Feb 23, 2016 at 4:58 PM, Karthikeyan Bhargavan < karthik.bhargavan@gmail.com> wrote: > That's right, we do not consider downgrades or client authentication but > Martin's suggestion explicitly only applies to the case where the server > does not require client authentication so the analysis holds in that case. > As for downgrades, this will be discovered by the server when receiving the > client's Finished message. So the only problem I see is that the server > might have been "tricked" to send the 0.5-RTT data with less protection > than intended by the (honest) client. But for that there is no need for > downgrade. The attacker could have generated the exchange with the weaker > ciphersuite by himself (acting as a client). If the server accepts that > ciphersuite it means he is willing to send that particular data with that > level of security to *anyone*. That is the meaning of not requiring client > authentication. > > > Yes Hugo, you’re right that when there is no client auth, the situation is > less problematic. > > However, let’s note there may still be implicit kind of authentication, > for example, what if the client hello requests PSK-based 1-RTT with a > old-broken cipher that the real client would never use. > The server should not, in this case, send user-specific data under the > old-broken cipher until it receives the client finished. > Of course, this could be worked around by having a nice whitelist of > ciphers, or possibly other designs. > I am mainly pointing out that we need to be careful that the guarantees > for 0.5-RTT seem to be strictly weaker than that for 1-RTT. > > > One useful feature of client's finished is to catch 0-RTT replays. But > even then I am not sure what damage can be done to the 0.5 data. Either the > attacker knows the client's keying material (say PSK) and can generate the > client finished by himself or he doesn't know that keying material but then > it cannot decrypt 0.5 data. > > > Right, this is the other concern. Suppose a passive adversary records a > clients 0-RTT data (under a PSK that is bound to an authenticated client). > He can then go home and replay this 0-RTT request as many times as he > wants and record the server’s 0.5-RTT responses. > They will be encrypted, sure, but maybe even the length of those responses > may give the attacker useful dynamic information (e.g. he can tell whether > the user’s bank balance went up or down by a digit). > > Yes, this attack is always possible for a persistent passive adversary, > and we can mitigate it with length-hiding techniques, but it gives us an > example of how 0.5-RTT may provide new avenues for attacking encrypted > connections. > > Best, > Karthik > > > > Am I missing something on these particular points? > > > > On the whole, cryptographers including the authors of OPTLS would >> be happier with 0.5-RTT keys >> not being the same as 1-RTT keys. Again, so far, this is a matter >> of taste and proof modularity. >> > > > Agreed. > > Hugo > > > > >> > On 23 Feb 2016, at 11:27, Martin Thomson <martin.thomson@gmail.com> >> wrote: >> > >> > Karthik raised some concerns here, and I think that we have some >> > thinking to do. But I don't think that it is intractable, nor even >> > hard, to reason about this problem. >> > >> > The only thing that the client's second flight provides is >> > authentication. The Finished isn't needed if there is no client auth >> > [P]. Hugo's presentation at TRON did not include a client Finished in >> > the earlier, simpler examples. >> > >> > Thus, based on Watson's observation that the client authentication is >> > removable, we might conclude that the handshake is complete from the >> > perspective of a server that does not require client authentication. >> > There are still reasons we might like to keep the client >> > authentication in the handshake, but those are decisions we can make >> > on engineering grounds. >> > >> > If post-handshake client authentication is OK, then 0.5 RTT is equally >> > OK [X]. I would assert that any decision about changing keys after >> > the client Finished applies to post-handshake client auth (or vice >> > versa). >> > >> > If that logic is sound, then I see no reason we can't have some very >> > simple advice: >> > >> > 1. if the server does not request client authentication, it can send >> > application data immediately following its Finished >> > >> > 2. if the server requests client authentication, it MUST NOT send >> > application data until it receives and validates the client's first >> > flight. UNLESS the server is certain that the data it sends does not >> > depend on the client's identity (that is, it would send this >> > application data to anyone). >> > >> >> From an API perspective, I believe that we should recommend that there >> > be a separate function for sending in condition 2, just as we are >> > going to recommend that there is a separate function for sending 0-RTT >> > data (as well as there being one to receive on the server end). >> > >> > Based on this, we should recommend different points in time for the >> > server API to report that the handshake is "complete" at a server. In >> > condition 1, the handshake is complete after the server Finished is >> > sent; in condition 2, the handshake is complete after the client >> > Finished is received. >> > >> > >> > [P] Note that a client Finished does confirm a PSK. Though you might >> > reasonably argue that successfully generating valid application data >> > works equally well in that regard. >> > [X] Post-handshake client authentication has only been analyzed very >> > lightly, so we have to caveat that statement too. >> > >> > _______________________________________________ >> > TLS mailing list >> > TLS@ietf.org >> > https://www.ietf.org/mailman/listinfo/tls >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> > >
- [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Watson Ladd
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Stephen Farrell
- Re: [TLS] 0.5 RTT Watson Ladd
- Re: [TLS] 0.5 RTT stephen.farrell
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Martin Rex
- Re: [TLS] 0.5 RTT Martin Rex
- Re: [TLS] 0.5 RTT Antoine Delignat-Lavaud
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Eric Rescorla
- Re: [TLS] 0.5 RTT Watson Ladd
- Re: [TLS] 0.5 RTT Hugo Krawczyk