IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 24 May 2017 14:30 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68D1E129B46 for <tls@ietfa.amsl.com>; Wed, 24 May 2017 07:30:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O6kAa6uf885W for <tls@ietfa.amsl.com>; Wed, 24 May 2017 07:30:47 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id C1927129B64 for <tls@ietf.org>; Wed, 24 May 2017 07:30:46 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 1E1D621775; Wed, 24 May 2017 17:30:45 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id Dam_-_yBxJEr; Wed, 24 May 2017 17:30:44 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id BCEBB21C; Wed, 24 May 2017 17:30:44 +0300 (EEST)
Date: Wed, 24 May 2017 17:30:42 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170524143042.GA31858@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com> <CAAF6GDe1_ih1aUShrzAHUuTzbLx6+0BdVexpGnq90RZsST8GvA@mail.gmail.com> <CABcZeBOX5NXuhgfap2S0naO9PFXv+K-+fZVPbgck6yciVnrYbQ@mail.gmail.com> <CABcZeBPuOupLTNKOtuCgOjYNdiuw571HM-pq1vNZz_8x-XX5mg@mail.gmail.com> <CABcZeBMqALJ10cU7FMUhv8k5Q=tw3yu1-5pdrKzOBM3=g5PHJw@mail.gmail.com> <20170519095316.GA30080@LK-Perkele-V2.elisa-laajakaista.fi> <CAAF6GDeuRMZx9MRynrxMp1fCvRS2jjr0vcqt0R89cJEkD6u=rQ@mail.gmail.com> <20170520101616.GC32428@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBNj_X4qbXrH4732kQiAHrBpPZhW1nmn4Xnp-pm0gv1Psg@mail.gmail.com> <071fb4df-56e6-d82a-87de-3db084235021@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <071fb4df-56e6-d82a-87de-3db084235021@akamai.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MOr5p1COOQYpq8RPYAOfswx1oyw>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 May 2017 14:30:49 -0000

On Wed, May 24, 2017 at 08:50:07AM -0500, Benjamin Kaduk wrote:
> On 05/21/2017 05:47 PM, Eric Rescorla wrote:
> >
> >
> > On Sat, May 20, 2017 at 6:16 AM, Ilari Liusvaara
> > <ilariliusvaara@welho.com <mailto:ilariliusvaara@welho.com>> wrote:
> >
> >     On Fri, May 19, 2017 at 09:59:57AM -0700, Colm MacCárthaigh wrote:
> >      
> >
> >     - Clients MUST NOT use the same ticket multiple times for 0-RTT.
> >
> >
> > I don't understand the purpose of this requirement. As you note below,
> > servers are ultimately responsible for enforcing it, and it's not clear to
> > me why clients obeying it makes life easier for the server.
> >
> 
> I think it's just an attempt to make clear what the client behavior
> should be.  It's like when we say that implementations MUST NOT put more
> than one extension of the same type in a given extension block.  The
> peer has to validate received messages, but the local implementation has
> to know to not generate them, either.

There's also quite a bit of difference between:

- MUST NOT do X
- MUST NOT do X, MUST abort with Y if X is done.

As the second requires receiver to detect X, which can be hard. E.g.,
detecting arbitrary duplicated extension is definitely not trivial.
 
E.g., for duplicate extensions, my implementation only validates the
known extensions. As consequence, unknown extensions in offers can
appear multiple times without detection (e.g., two copies of extension
35 in ClientHello). It is done that way to limit resource usage:
Checking a small list of extensions is easy, checking 64k of those is
less so.

> >
> >     - Servers MUST NOT accept the same ticket with the same binder
> >     multiple
> >       times for 0-RTT (if any part of ClientHello covered by binder is
> >       different, one can assume binders are different). This holds even
> >       across servers (i.e., if server1 accepts 0-RTT with ticket X and
> >       binder Y, then server2 can not accept 0-RTT with ticket X and binder
> >       Y).
> >
> >
> > I assume that what you have in mind here is that the server would know
> > which tickets it was authoritative for anti-replay and would simply reject
> > 0-RTT if it wasn't authoritative? This seems like it would
> > significantly cut
> > down on mass replays, though it would of course still make
> > application-level
> > replay a problem.
> >
> 
> Right, this would bring replays down from the millions hypothesized for
> the weak time-based thing to more like tens, which is kind of in the
> regime that we are currently in with (at least some) application behavior.

Actually, even tens of replays at TLS level is quite dangerous,
especially if to different servers (bad information leaks via cache
attacks).

> > I'm happy to write this up as part of the first two techniques. I'd be 
> > interested in hearing from others in the WG what they think about:
> >
> 
> I think it's worth writing up the most-secure scheme(s) we know of, to
> give us some concrete text to digest and decide if we can live with.

However, every scheme that isn't the most-secure (tied 1st place) that
has been proposed so far is too insecure.

> > 1. Requiring it.
> > 2. Whether they still want to retain the stateless technique.
> >
> 
> If we think we can require it and have it actually stick, that seems
> like the safest plan.  The results of this discussion leave me uneasy
> with a scheme that permits millions of replays, even if there is not
> something concrete that I definitely object to.  As DKG (almost) said,
> "we're designing a security protocol, not an easy-to-implement
> protocol". 

There is major difference about how hard TLS 1.3 is to _implement_, and
how hard it is to _use_.

Most serious TLS 1.3 implementations will be written by experts.
Additionally, the protocol avoids using constructs that are almost
impossible to implement properly (e.g., good riddance TLS blockmode).

Whereas most applications using TLS will not be written by security
experts. And the protocols they implement are not designed for side-
channel resistance in implementations.

> Another crazy idea would be to just say that servers MUST limit the use
> of a single binder to at most 100 times, with the usual case being just
> once, to allow for alternative designs that have weaker distributed
> consensus requirements (but still describe these current two methods as
> examples of ways to do so).

You actually need strong distributed consensus about all accepted
0-RTT here.


-Ilari

v2.23.0 | Report a Bug | By Email