IETF Logo Mail Archive

Re: [TLS] cross-domain cache sharing and 0rtt (was: Re: Requiring that (EC)DHE public values be fresh)

Adam Langley <agl@imperialviolet.org> Thu, 29 December 2016 22:46 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8494A129475 for <tls@ietfa.amsl.com>; Thu, 29 Dec 2016 14:46:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RsdFLOV2_2ty for <tls@ietfa.amsl.com>; Thu, 29 Dec 2016 14:46:01 -0800 (PST)
Received: from mail-io0-x233.google.com (mail-io0-x233.google.com [IPv6:2607:f8b0:4001:c06::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BB1F912940D for <tls@ietf.org>; Thu, 29 Dec 2016 14:46:01 -0800 (PST)
Received: by mail-io0-x233.google.com with SMTP id n85so128026797ioi.2 for <tls@ietf.org>; Thu, 29 Dec 2016 14:46:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=zbw960EPdI4IsMHmdSjdN8ApKEAJLKIYiIqQGjksnbI=; b=pf27F145ao1jCoLVxR4RzR0VW68pkeINqf9n/rOgOVckkW31L+PdNlQVZyxT0I+p9v QY44Sw9QDZ1CbjyY36jnyWgpI3FvlBs8o2/9XD8pVzsx19fvrjSXvqOIWmmN5i4bSh8g LIjI7pKS6/S1z/eExi1QAfr4rYTKY7OBetFuYJdlRKiSrvEMx/9mQWU5SI9Zr8twOdnq RJvqkXTNatF74Tz8QQ6sKOYokSkRi4C8r44UEMv/XAb5srlf2YwR1xjx8nk/6XKTt+qc D5mx9/iVptFeQaKLPBzRKC+Ev1ubwAWrnyBmgZQCkSBRAVDOuaEJuhuhuxKWWv3z6qMs mF8g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=zbw960EPdI4IsMHmdSjdN8ApKEAJLKIYiIqQGjksnbI=; b=mWJ7+mSphwn67EEWP/H/MvDLQb5qQZQV+s13DU5OysJOCeE8CKVysrVCa3AZar61HH qVeurQIe3wF0aQm1BI/W/jujM99tNr0AiCYJ1BjBipXG1GGsBh/TxS1EDnGP/LSvLD+s +RiAe2jfUZo9+SQWMk5LVKEgUpXWT5wD32PV/W0eSmhq58exLdk9tDxKAew1CS3a11cc uoOKifhv7UR8JN21TbgoqDF0rCJTzZTcxAA0eMcbGN8b893VaklVuqRXvO/sEfeC1ffZ QDQkK0rr+ZZxLyoG5P8zOaMzKvjwmRiZ8uXU5hKpvqgDbjcn79jNOnUiXKm4EiK/pUK0 rSmw==
X-Gm-Message-State: AIkVDXLIQGB8vaTW9GtTPt+6nnJ8+cL5Q3b0nHd0cEEPtF6Y+1yg9lFGLspTZwxJ2d4qklz9kmXhNl6kT3Py2w==
X-Received: by 10.107.134.131 with SMTP id q3mr25140440ioi.168.1483051554046; Thu, 29 Dec 2016 14:45:54 -0800 (PST)
MIME-Version: 1.0
Sender: alangley@gmail.com
Received: by 10.36.22.83 with HTTP; Thu, 29 Dec 2016 14:45:53 -0800 (PST)
In-Reply-To: <CABcZeBMx3zJ07pbj0bPBMrAcrK_Q4HVDcbCx_2B1DnyCOJeE-g@mail.gmail.com>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <79db4a88-e435-2e5b-47a5-9048acef45e2@cs.tcd.ie> <CABcZeBObcWUjdHhysLG1K0TbJfiqN+XCERn6WaMjWzgU0XC65A@mail.gmail.com> <582703ab-4340-35e7-a3d2-45dd606f10a1@cs.tcd.ie> <CABcZeBMx3zJ07pbj0bPBMrAcrK_Q4HVDcbCx_2B1DnyCOJeE-g@mail.gmail.com>
From: Adam Langley <agl@imperialviolet.org>
Date: Thu, 29 Dec 2016 14:45:53 -0800
X-Google-Sender-Auth: pFqI23DYCIVZR40jpFOwSe4z4_Y
Message-ID: <CAMfhd9Xt400wyOqvREWMXPL2_gsAJsZRqmRAFLq9tKzOKuqnjA@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MofokgiGjT8u_t3rMpMBy92S8Aw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] cross-domain cache sharing and 0rtt (was: Re: Requiring that (EC)DHE public values be fresh)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Dec 2016 22:46:03 -0000

On Thu, Dec 29, 2016 at 11:08 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> >> As an individual, I'd be in favour of this change but reading
>> >> over [1], section 5, I wondered if we'd analysed the effects of
>> >> 0rtt/replayable-data with that kind of cross-domain re-use in mind?
>> >> The situation being where session ID based caches or session ticket
>> >> equivalents in tls1.3 are shared over multiple domains.

I think there is the following interaction:

Given two servers, S1 and S2, which are nominally s1.example.com and
s2.example.com, but which both have a *.example.com cert and share
ticket keys:

An attacker could redirect a 0-RTT handshake that was destined to S1
and feed it to S2. If S2 ignores the SNI value (common) it could
accept and process the 0-RTT data even though it was destined for S1.

However, in that case TLS 1.2 is probably also affected because S2
would likely process a 1.2 handshake that was destined to S1 as well.
(Even without a shared ticket key or session cache.) See
http://antoine.delignat-lavaud.fr/doc/www15.pdf for more.


Cheers

AGL

v2.23.0 | Report a Bug | By Email