Re: [TLS] The case for a single stream of data
Colm MacCárthaigh <colm@allcosts.net> Tue, 09 May 2017 16:27 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26A4A129C1E for <tls@ietfa.amsl.com>; Tue, 9 May 2017 09:27:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0
X-Spam-Level:
X-Spam-Status: No, score=0 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6veR4QCSELKv for <tls@ietfa.amsl.com>; Tue, 9 May 2017 09:27:39 -0700 (PDT)
Received: from mail-yb0-x229.google.com (mail-yb0-x229.google.com [IPv6:2607:f8b0:4002:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E7C112948B for <tls@ietf.org>; Tue, 9 May 2017 09:27:39 -0700 (PDT)
Received: by mail-yb0-x229.google.com with SMTP id p143so1570983yba.2 for <tls@ietf.org>; Tue, 09 May 2017 09:27:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=3jnYuC+eXzN+ENNaH5mTkVjlvZMOfq1U2VKOp+lAiV8=; b=NLjshpvv33wO04XGJpvGCpFtkkDfBo2H3oTFv3ulS/X0JhiF9m9Jp4JaDBPsK4mQkV +l90QhOlc7VrvITn645a+bvYEQHKiQkh15z/NVMvY5lgH5m0US9fojVeguhm1kOZTKBg 2KnCQLOvjiFw8fKamAuEA0zSVi3DOxuu5AVFNeusHT4iJu0BiNNvUMOVYY2B4iifPuST p7O6tSS1uiQKPkDoOJ6sDSJyv9xxmwnYFSkqEYAcY6lxGlhfNOwqwf8nHJoE6e5EhrAO X4ZoESbDxV3KHE2854T+52Fz1qnsJf1julU9bGIuT049NDITGQH/L6Ax88SMSziMKezR iluA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=3jnYuC+eXzN+ENNaH5mTkVjlvZMOfq1U2VKOp+lAiV8=; b=HykJzeRQiadt2qTXhwgYyWPSDdWGesudsNMnTOgiFaUJ3dt6SRuCyBYIE2yJIhhkm+ yQHX65VVzkdbiTJDXjDAUTLsXLETf6WrkCYaIvfUl8vfKwNVyx/layr4BTmQZdwq8Zpz 4mZvgyrZ30KHclaEzJBArCoy5dUF3KHkNk6LLHR6xnLyF0lCX4v4L0+hCkH80IoMu76q 2i07DhYSxMbMm+nu0LHfw3iCQD2IglbK56C/e3fbkkUqRCe2eElxGwRCsF12Os2IooGq /D3fa8NOuVvCTd+8bVLu4ZI45lt7KTXOBgdAJLn2Iv+fm25uIBaHQ3N+2pfvgXdBbaaV QN8w==
X-Gm-Message-State: AODbwcDfI5fvQHkFRy7Af3V7Rv/D6gBmMV9e9syHKwBqjbQLcjPXo11J HQQASEvWVmsKfFIzSJFseImiRdPtkA==
X-Received: by 10.37.16.212 with SMTP id 203mr897340ybq.90.1494347258345; Tue, 09 May 2017 09:27:38 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.57.67 with HTTP; Tue, 9 May 2017 09:27:37 -0700 (PDT)
In-Reply-To: <9f5858c8d86742b9aa82bdac46590c92@usma1ex-dag1mb1.msg.corp.akamai.com>
References: <CAAF6GDfm=voTt_=JrdGtiaYby1JG8ySU2s6myjjpHKeGvi0bMg@mail.gmail.com> <9f5858c8d86742b9aa82bdac46590c92@usma1ex-dag1mb1.msg.corp.akamai.com>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Tue, 09 May 2017 09:27:37 -0700
Message-ID: <CAAF6GDcGQ0YTYFFD+HVD71O9GCW7V3r_UNce1LQsHF1Zs9aBLQ@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c0ff0481c5b4054f19d514"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KtSFVDfr08k5TTJNGogyR6v3mf4>
Subject: Re: [TLS] The case for a single stream of data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 May 2017 16:27:41 -0000
On Tue, May 9, 2017 at 9:00 AM, Salz, Rich <rsalz@akamai.com> wrote: > To me, the argument against this comes down to this: The 0RTT data has > different security properties than the post-handshake data, and TLS > implementations should not hide that difference from applications. > I absolutely agree with sentiment, but the first problem is that we've been concentrating on the server side, where it's actually impossible. It's actually impossible because a 0RTT request may be retried as a 1RTT request and there's no way to correlate the two. So when the 1RTT request shows up, we can't go "This might be a repeat" - for example the X- header trick doesn't work in this case. It's subtle, which makes it even more likely to trip on it. I think the only approach that actually rigorously works is the client-side one, that I outlined. That approach isn't very relevant to browsers, who plan to retry aggressively anyway, but I think it's the only approach that would work for a careful client. Interestingly, it doesn't really need separate streams for the signaling to work. Though it'd be great to see a formal proof in something like F*, Coq or TLA+. The second problem is that middle-boxes can break any signaling. For example a CDN or TLS accelerator may enable 0-RTT towards the back-end origin without enabling it to the original client. In this model, the client has *no* way to reason about retries or replay. That's really very broken and a serious violation of the transport layer contract. I think we should be more prescriptive here and say that if there are to be these kinds of middle-boxes, then they need to honor maximum replay windows, and they need to only enable 0-RTT from the client back. (e.g. client enabled, but origin disabled is actually ok, but not the other way around). In going through all of this, I'm assuming that the server at least has a robust mitigation against 0-RTT replay, because not doing so is clearly broken and I'm even entertaining how it can be supported. That stateless form of mitigation is insecure and should die. If there's a notion that server side signaling should be kept to facilitate stateless mitigation (which permits millions of replays) ... we shouldn't have any time for that, because no-one has a proposal for how the secrecy attacks can be mitigated. -- Colm
- [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Salz, Rich
- Re: [TLS] The case for a single stream of data Kyle Rose
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Kyle Rose
- Re: [TLS] The case for a single stream of data Eric Rescorla
- Re: [TLS] The case for a single stream of data Benjamin Kaduk
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Benjamin Kaduk
- Re: [TLS] The case for a single stream of data Salz, Rich
- Re: [TLS] The case for a single stream of data Viktor Dukhovni
- Re: [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Salz, Rich
- Re: [TLS] The case for a single stream of data Salz, Rich
- Re: [TLS] The case for a single stream of data Andrei Popov
- Re: [TLS] The case for a single stream of data Roland Zink
- Re: [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Benjamin Kaduk
- Re: [TLS] The case for a single stream of data Colm MacCárthaigh
- Re: [TLS] The case for a single stream of data Ilari Liusvaara
- Re: [TLS] The case for a single stream of data Ilari Liusvaara