Re: [TLS] Limiting replay time frame of 0-RTT data

Eric Rescorla <ekr@rtfm.com> Tue, 15 March 2016 01:44 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D36BE12D53E for <tls@ietfa.amsl.com>; Mon, 14 Mar 2016 18:44:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bf1clfHWCMdS for <tls@ietfa.amsl.com>; Mon, 14 Mar 2016 18:44:33 -0700 (PDT)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81B2212D857 for <tls@ietf.org>; Mon, 14 Mar 2016 18:44:26 -0700 (PDT)
Received: by mail-yw0-x233.google.com with SMTP id d65so3717253ywb.0 for <tls@ietf.org>; Mon, 14 Mar 2016 18:44:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tMoAunR9O7vu92U/Cy6eaAODrk0YPD+CiSiBZ7ulgS0=; b=L/cyZ22d5MCxDmAg3BhafW8FC06tc29wIIv453ZzNHgySC7RnPOOBp866o3PVLIr+s S59RbyB61bimfhbQjJH9g2qEe7+Ej/oMdNwPkK8o1ENbM6b/4XiuMoaFpSaRotPZ2gLU X4Myw39u3U1ikiiHZ4R4PAKHR4COTrCslY4zI3YMuUT+cZ3ZcgTZc6ddBVnC6R7hrDHR S39BNjui3PRrPi0+Uw7Sl+cku56P7GBe2XcLoV13LBZvYnTKIU/8Q8YZmGtAVDhoUlo2 cjzGuZWTxojb2YGhky76+6DEFKpSja+8ujn5vEDI/M+oN7n4ag6HkqHgf0G7eKJ2S53K M11Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tMoAunR9O7vu92U/Cy6eaAODrk0YPD+CiSiBZ7ulgS0=; b=QblTXmXGNTn3eQRdSAJla8w5OzrwPCpeFCiJ0UATKY/YWG2GNcuJWFkVagT4pmkbBO VCDGp7KDLjwGUa70VLU4jorZrWK/adopHJhukmC1GbcjpE/+Ed+80VM3u420jmpWj1se KRu6p9XO0FfHu3okoyeqU/Y/FDcteomIlI5j+rxzlr8kHwbqZCvC8nBh88Avtt/jbtZ4 XuYrbdHy77rVHnE7fgoWYe23jud10oq3VeGZ1d3mx9LbJB5+KiZLdGk14/IggSSMzHsP v8OMI/EWzWS24ftbHZyH7d7n6EgLhswGQqgZSeFJERJSZyWqDALSDDHFmjauNRwrHrck ldBA==
X-Gm-Message-State: AD7BkJIn2F4KRr8Q59tTPd3rLtfm6a0p5BT6mQuzF0zPyD2m0NibXqlHylx7d8uU+lJ6Siwx5moHPiScD00zYA==
X-Received: by 10.129.80.69 with SMTP id e66mr15826863ywb.231.1458006265804; Mon, 14 Mar 2016 18:44:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Mon, 14 Mar 2016 18:43:46 -0700 (PDT)
In-Reply-To: <CAJ_4DfQ5FD0ajn0sKudCQTQZZeUdVnjxu54Sypw-o62p==7VGw@mail.gmail.com>
References: <8A79BFEDF6986C46996566F91BB63C860D64EA3F@PRN-MBX02-1.TheFacebook.com> <CABcZeBPxMZEuG4KehxyhNafeQ4-HO9O-9ORn+BiQP0n3LJA_xw@mail.gmail.com> <911B10A5-12F5-4094-A832-3FA06834862B@gmail.com> <CAH8yC8nwyTf7N1y=NqmkVoY1tW6Kh4weFFLEFn6w3vLwoEMRSA@mail.gmail.com> <CAJ_4DfR1dhX7KHB2MQF9YKxrnKGmY9YvhqOyr=6+FbsTJFFqFA@mail.gmail.com> <CAAF6GDe_Hk8DPm3_vVnmgM56NkoN8SDSA4+c_VdmQwNxfxbwtQ@mail.gmail.com> <CAJ_4DfQ5FD0ajn0sKudCQTQZZeUdVnjxu54Sypw-o62p==7VGw@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 14 Mar 2016 18:43:46 -0700
Message-ID: <CABcZeBOxQwFaTUkjDi4cewNKr1O2Qw4ZFLUX5V5NFZ19DCaJGw@mail.gmail.com>
To: Ryan Hamilton <rch@google.com>
Content-Type: multipart/alternative; boundary="001a1147f0788debe2052e0c89ce"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/N30UD7bsVLmq-fmD_nxVNfgsXCA>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Limiting replay time frame of 0-RTT data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Mar 2016 01:44:37 -0000

On Mon, Mar 14, 2016 at 5:44 PM, Ryan Hamilton <rch@google.com> wrote:

> ​On Mon, Mar 14, 2016 at 2:04 PM, Colm MacCárthaigh <colm@allcosts.net>
> wrote:
>
>> On Mon, Mar 14, 2016 at 3:15 PM, Ryan Hamilton <rch@google.com> wrote:
>>>
>>> On Sun, Mar 13, 2016 at 4:36 PM, Jeffrey Walton <noloader@gmail.com>
>>> wrote:
>>>
>>>> 0-RTT seems to be a solution looking for a problem.
>>>>
>>>
>>> ​Google has been using 0-RTT as part of the QUIC transport for quite a
>>> while now. In April of last year, we posted about the performance
>>> benefits we're seeing from QUIC
>>> <http://blog.chromium.org/2015/04/a-quic-update-on-googles-experimental.html>.
>>> Among other things, that post said:
>>>
>>> Even on a well-optimized site like Google Search, where connections are
>>> often pre-established, we still see a 3% improvement in mean page load time
>>> with QUIC.
>>>
>>>
>>> From the browser side of things, 0-RTT is a solution to a very real
>>> problem. We are excited about TLS 1.3 supporting 0-RTT (or 0-RTT
>>> resumption) and converting QUIC to use the TLS 1.3 handshake as a result.
>>>
>>
>> Are you sacrificing forward secrecy in this case? For a concrete example:
>> suppose $oppressive_government is collecting all traffic as a routine
>> matter of course, and then later a remote-ex, memory-disclosure, or
>> decrypt-oracle  (like the recent DROWN) came along on the server side:
>> could it be used to decrypt all of $worthy_dissident's requests? how long
>> for, how do you manage that trade-off?
>>
>
> ​My understanding is that QUIC's current 0-RTT scheme provides effectively
> the same protection as TLS with perfect forward security, at least assuming
> that session resumption is enabled. This is because, as I understand it,
> even with PFS connections, and attacker who is able to compromise the
> server and access the session resumption key can do bad things. In our QUIC
> deployments, we limit the lifetime of the QUIC 0-RTT static secret to
> roughly the lifetime of our session resumption key.
>

This is, I think, more or less true.

In general, against complete compromise of the server at time X, the
security is limited to whatever
long-term key was used to protect that data. Generally, this means that
tickets and static DHE
are comparable against server key compromise [0], so for this kind of
attack tickets and semi-static
DH are roughly comparable (indeed, you could imagine having the
configuration ID be an
encryption of the semi-static DH key under the ticket key making them
strictly comparable) [1].
The situation is obviously more complicated with attacks where you don't
have control of
the server (e.g., oracle-type stuff) and I suspect depends on the details
of the attack.

-Ekr


[0] As AGL points out, client key compromise is somewhat different.
[1] If you decide to instead store keying material on the server rather
than use tickets,
then TLS 1.3 PSK 0-RTT actually has somewhat better properties because you
can negotiate
a new key with each connection and establish a new "ticket", so the result
is that compromise
of the server is a future secrecy threat but not a threat to past
connections.