IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Colm MacCárthaigh <colm@allcosts.net> Wed, 03 May 2017 23:16 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1C398127876 for <tls@ietfa.amsl.com>; Wed, 3 May 2017 16:16:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ymgZPgij4LVc for <tls@ietfa.amsl.com>; Wed, 3 May 2017 16:16:51 -0700 (PDT)
Received: from mail-yw0-x231.google.com (mail-yw0-x231.google.com [IPv6:2607:f8b0:4002:c05::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3989D12778E for <tls@ietf.org>; Wed, 3 May 2017 16:16:51 -0700 (PDT)
Received: by mail-yw0-x231.google.com with SMTP id k11so2131517ywb.1 for <tls@ietf.org>; Wed, 03 May 2017 16:16:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=t+CKmUbc4qrobXqzCTbHyw0KC+1HMvAKv6hDzSj9pVs=; b=K7Bd8L02jXKGoF/zzAGEmPgtDmyzwzpvAnwdlv2X38XnoUyJNX5yfmZXW1s9Rqg/2d BGucdKey+Cgtge00NRD5V38l67uJR8+A+L0CmumEsKcKyk+JIy3ugaBjQvETUrEfi4R9 HZ2x0Zo7WShl0N4lXDK5f028i55lSbve2nTiXvShNCh+gaml8Fmxl925eV9P/J0jsFqL w4AoxR6ZF9L2Ib0nqyjZSWmTgCy5sauUwTRfZds+SvQvvdpwZqc2woZmWB3yW5gE6YDz pbNd18q/44l5UI/O4F9O/x4oBoeheQHKhv6KVifCNQbVhmqaIii7RZrB+QOjjmScb+j+ QX4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=t+CKmUbc4qrobXqzCTbHyw0KC+1HMvAKv6hDzSj9pVs=; b=gkzyu5IjJ7XywlsZnrL7d8+iWAm0zXDV66/mB8ojzpdZyaJ4NKd3hsN8PpCgRA6ZTR NRQjEl4hPXvO/4Wh80TMSpzT8lrnDQy/yEmqMI60LfyoACCAuNAploR9XNAyiUiWI5Rr 3qsILwGC8EOSdBeFLg+TyC9wWZwwhZD1DHAVwTzH86ceFV3kgDbwhNdnZY4nR9yuwfJ2 AaoWRYKmmLtgEIXSDVH3ITSFUjMhatVIRImalPbo9KGHpFp15yxHiwGrxFdmOuriGTWZ fpZBo6mx5bDGMdZhvgNWHBz+ugwNXARrSNxNrxbkaA7kGlAy0R2h20iSTNGw2wD4lfOH /hFw==
X-Gm-Message-State: AN3rC/7jWjc+3oYaIwr0AiZ9pDtKiZ7Av5hKwI5N9W73d8A1V2KvYIvF 5LCkQRz2TT0BzyVefCTNv5eS7Mlmbw==
X-Received: by 10.129.157.142 with SMTP id u136mr3529194ywg.323.1493853410466; Wed, 03 May 2017 16:16:50 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.57.67 with HTTP; Wed, 3 May 2017 16:16:49 -0700 (PDT)
In-Reply-To: <CABkgnnUwTe627vY=hoLTRv1qmFQLf8ba64X8xHwYdtw7WYn5jw@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <cb518e35-c214-d11d-a068-c454b2e7ea6a@gmx.net> <CAAF6GDfQ+YXV4gvhBOOZKC=wtYhxQUy1_2_M+dgfbdL25pppiQ@mail.gmail.com> <CABkgnnUwTe627vY=hoLTRv1qmFQLf8ba64X8xHwYdtw7WYn5jw@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Wed, 03 May 2017 16:16:49 -0700
Message-ID: <CAAF6GDcnrQwQ7dE59pYV3YFLJD9zsQEqmPrFRKgyxSwj7UFCkA@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c0b68aae0ee93054ea6d9c7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Kzl4vyHUvyCC4TsP2LxuDKu14Z8>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 23:16:53 -0000

On Wed, May 3, 2017 at 3:56 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 3 May 2017 at 22:45, Colm MacCárthaigh <colm@allcosts.net> wrote:
> > This is easy to say; the TLS layer is the right place. It is not
> practical
> > for applications to defend themselves, especially from timing attacks.
>
> If you care about these attacks as much as it appears, then you can't
> reasonably take this position.


An analogy may help here. TLS has always offered anti-replay, it is one of
our core security guarantees, and the assumption that it is there is subtly
baked in to many applications.

Suppose we wanted to remove a different security guarantee: integrity
protection/tamper-proofing. Suppose we decided to offer a fast "No MAC"
mode for streamed uploads, it is faster, more stream-y (no need to wait for
each record to be complete), and TLS is really mostly about secrecy. But to
be "safe" we decide that it's only on optionally and sometimes, and we
always have to tell the application which data may have been tampered with.

The application can use its own MACing, or FECing, or whatever, and really
it should have been doing this from the days of plaintext HTTP, right!?
It's all the application's responsibility - we say, they can deal with it
[*]

Except MACing is hard, and they run in to Lucky13 all over again, or just
use MD5 because they don't know any better, and so on.  Or worst of all: a
middle box decides to enable it on the front-end, with no knowledge to the
backend about what's happening.

In my view, this arrangement would plainly be crazy. We wouldn't consider
it. Instead, we provide protection for them using layering principles, and
TLS provides protections that TLS experts are good at.

And yet we do consider all of this for replay. I think it's because
collectively we haven't seen just how hard a problem idempotency and
application-level side-effects are and we are less familiar with the risks.
In the review, I've included 5 real attacks to illustrate that problems are
real. Several of them I can't see how to mitigate them at application
level, and I've been checking with experts on distributed systems. How
would you mitigate the throttling problem (attack 3) or the timing problem
(attack 4) on say a JVM object cache?


> We've historically done a lot to
> secure applications at a single point, and we're almost at the end of
> what we can reasonably do for them at this layer.  We need to think
> more hollistically and acknowledge that applications need to take some
> responsibility for their own security.
>

No we don't. Servers can prevent replay.

-- 
Colm

v2.23.0 | Report a Bug | By Email