Re: [TLS] No more GMT exposure in the handshake

Jacob Appelbaum <jacob@appelbaum.net> Sun, 08 June 2014 15:10 UTC

Return-Path: <jacob@appelbaum.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63B071A0423 for <tls@ietfa.amsl.com>; Sun, 8 Jun 2014 08:10:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EJILOTvPwi7z for <tls@ietfa.amsl.com>; Sun, 8 Jun 2014 08:10:47 -0700 (PDT)
Received: from mail-qg0-f50.google.com (mail-qg0-f50.google.com [209.85.192.50]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DC8D51A0420 for <tls@ietf.org>; Sun, 8 Jun 2014 08:10:46 -0700 (PDT)
Received: by mail-qg0-f50.google.com with SMTP id z60so7764098qgd.37 for <tls@ietf.org>; Sun, 08 Jun 2014 08:10:46 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=BrvemEWQRlS3D5esKIPopH0ONZXpsCZuEIfmIx3F4VA=; b=eMYZMOx2eKxPOSRCicg3/47ioVSC4G3e1NgYUE9OyMurvWJDvUX4HFw7QUMAKH0jMT bVVy68TgfLK9EbF7zJ3zc4OI83WIJiKX0pwn6Mr2pnqx3wR9+1Y2WG2mgfMlSsa9GlCl 5ndgO9kJsS0pnSTIZNDLtZdV6iYabkCozgtSNWUzMPqx+Df9gXFRF8ExUasnpXj7SUbS IL6Lem6e0VFmj+eaK9Yqyvi7xz0tzGDKj8S3DiASExachtMrsKRjLb+/qaWyB3Fr1KaR rc4C+yhUplAkhwtEc6DP/aqXEz3QZF2occtURil/sArD40eZu2WACRRZLnwksBGhMOzA 5AgA==
X-Gm-Message-State: ALoCoQmsL6LfOQDiUR763++d4oG6ELf4OkGryi0G+7RuG253hWyRBeDxioBdai7A2BYw+oHntHVM
MIME-Version: 1.0
X-Received: by 10.224.63.137 with SMTP id b9mr25924481qai.70.1402240246467; Sun, 08 Jun 2014 08:10:46 -0700 (PDT)
Received: by 10.140.100.205 with HTTP; Sun, 8 Jun 2014 08:10:46 -0700 (PDT)
X-Originating-IP: [81.4.108.61]
In-Reply-To: <20140608101721.GA6189@roeckx.be>
References: <CACsn0cm69oJX_Bxqerig4qBmSf1fcQWW5EG42jia3qJkTwe0Tw@mail.gmail.com> <53934B47.4090603@fifthhorseman.net> <CAFggDF0rn+xuFksKW0+xJMAxRkjb8y6=7qiEQcM200iwtzy-0Q@mail.gmail.com> <20140608101721.GA6189@roeckx.be>
Date: Sun, 8 Jun 2014 15:10:46 +0000
Message-ID: <CAFggDF3T33sUmEvcX643nZ6_cdXVUdmv0shrvYxn80sG3vJDRQ@mail.gmail.com>
From: Jacob Appelbaum <jacob@appelbaum.net>
To: Kurt Roeckx <kurt@roeckx.be>
Content-Type: text/plain; charset=UTF-8
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/MQKBZFMFMsaAu_OemvGRpfOpfHM
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] No more GMT exposure in the handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Jun 2014 15:10:48 -0000

On 6/8/14, Kurt Roeckx <kurt@roeckx.be> wrote:
> On Sat, Jun 07, 2014 at 09:55:23PM +0000, Jacob Appelbaum wrote:
>> On 6/7/14, Daniel Kahn Gillmor <dkg@fifthhorseman.net> wrote:
>> > On 06/07/2014 10:56 AM, Watson Ladd wrote:
>> >> Putting the clock time in the TLS handshake enables fingerprinting.
>> >> It's useless cryptographically: 32 random bytes is exceedingly
>> >> unlikely to repeat.
>> >
>> > There seems to be a growing consensus on this point:
>> >
>> >   https://tools.ietf.org/html/draft-mathewson-no-gmtunixtime
>> >
>>
>> I've said as much to Nick and to Eric (in the context of working on
>> tlsdate[0]) but perhaps not on this tls list:
>>
>> I'd like to see servers provide 64bits of time resolution in the
>> ServerHello and nothing but randomness in that field in the
>> ClientHello.
>>
>> The current 32bit field isn't accurate enough for replacing NTP. If we
>> can't make the time field useful for accurate secure time exchange - I
>> hope we'll remove all network visible distinguishers, even ones that
>> are currently useful for totally bizarre reasons.
>
> Would that be in the same format as NTP, with 32 bit for the
> seconds and 32 bit for fractional second, and so a resolution
> of 0.2 nano seconds?  I'm wondering what kind of accuracy you'll
> get.
>

That sounds fine to me, sure. I admit, I haven't put a lot of thought
into the format because it seems that most of the momentum is in
removing anything meaningful from that field.

> Anyway, how do you plan to deal with checking the status of the
> certificate if you don't know what the current time is?
>

tlsdate has a bunch of options for that situation. I'd suggest
checking out how ChromeOS uses it as tlsdate is their default NTP-like
client for ChromeOS. It has short comings, of course.

With tlsdate, one may skip on checking the time and date constraints
for the first connection by setting some other constraints. As an
example, ensuring that the clock is moving forward while still having
assurances that an attacker must control specific cryptographic keys,
etc.

In any case, having 64bits of timing information from a server would
allow for a parasitic network time protocol that is as accurate as NTP
to be built on top of TLS. I haven't checked but I believe Google
still uses this to set clocks on ChromeOS.

I have a lot to say about tlsdate but it seems out of scope here.
Check out the code and please do help us to improve it!

All the best,
Jacob