IETF Logo Mail Archive

[TLS] 0-RTT security considerations (was OPTLS)

Nico Williams <nico@cryptonector.com> Tue, 18 November 2014 23:46 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F2C2C1A876F; Tue, 18 Nov 2014 15:46:21 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.266
X-Spam-Level:
X-Spam-Status: No, score=-0.266 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IbTJ3hb0v6gk; Tue, 18 Nov 2014 15:46:20 -0800 (PST)
Received: from homiemail-a67.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 157391ACDC8; Tue, 18 Nov 2014 15:46:10 -0800 (PST)
Received: from homiemail-a67.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a67.g.dreamhost.com (Postfix) with ESMTP id C802327BC065; Tue, 18 Nov 2014 15:46:09 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:reply-to:mime-version: content-type; s=cryptonector.com; bh=+bBtdPeYs8uQd7EBUB2zBPGC6cc =; b=W5w8dL1rZorHz/kZpIhlbGvY19W28hoQsRkOZtSs0JJKnQIvb5aq0FcTriG a3iO+KhC3KmPZoRFZSrbJ/K1OmSY/lDVBGB22LscR0ws2upi7EOdyBPlCvlcp69t As+5GZ/98gYe5etkaAx3eeNGay5IwSAH5s+tdOiOuNXVOURc=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a67.g.dreamhost.com (Postfix) with ESMTPA id 802CA27BC064; Tue, 18 Nov 2014 15:46:09 -0800 (PST)
Date: Tue, 18 Nov 2014 17:46:08 -0600
From: Nico Williams <nico@cryptonector.com>
To: tls@ietf.org
Message-ID: <20141118234608.GA20721@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OZwGgVhySbVhU36BMX1elQ9x0GE
Cc: kitten@ietf.org
Subject: [TLS] 0-RTT security considerations (was OPTLS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: kitten@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2014 23:46:22 -0000

Following up to the OPTLS proposal I thought it'd be interesting to
explore the security (API, and other) considerations of 0-RTT protocols.
I'm not sure[0] how much this has been done on this list before, so pardon
me if this is noisy.

My experience with 0-RTT is mostly from GSS [RFC2743] and Kerberos
[RFC4120], where the matter was given some explicit treatment treatment
many years ago.  That treatment is not complete, so this should be
relevant to KITTEN WG as well.  I'm cc'ing KITTEN WG, but we should
continue the discussion on the TLS list; Reply-To: is set.

For me the security considerations of 0-RTT have to bleed into APIs in
order to be manageable, which for many TLS apps may well be a deal
killer (and I suspect it generally is).

I.e., I think 0-RTT is generally more trouble than it's worth.

0-RTT means:

   The handshake might be two or three messages, but the client can
   send application data immediately after sending its hello, and
   the server can send application data immediately after consuming
   the client's hello.

This is not a really a new concept[1].

And this concept generalizes to longer exchanges too; the optimization
can be less good than 0-RTT but still better than full latency.

A client can do 0-RTT handshakes whenever it can obtain a usable session
key immediately upon sending the client's first[0] handshake message.

0-RTT could be made available when:

 - doing session resumption
 - the client knows the server's pubkey a priori
 - using PSK


Security considerations:

 - Replay protection (use replay cache or defer protection)

   Replay protection on the server side requires either a replay cache
   (which can more than negate the latency of one network round trip),
   or deferring replay protection availability to the end of the
   handshake.

   Deferring replay protection availability requires that the client's
   first data record(s) be held for delivery until replay protection is
   available (again, limiting the value of 0-RTT), or that the
   application be aware of the replay potential.

 - PFS (not available for 0-RTT data)

   What about PFS?  Can't be done in 0-RTT, but it can become available
   when each party learns the others' ephemeral (EC)DH key.

   Again, the application may (likely will) need to know about PFS being
   deferred, therefore this is an API consideration as well.

 - Server authentication state

   Even in the 0-RTT case the client must check that the server's pubkey
   hasn't been revoked, of course, but either it won't be able to until
   it receives the server's Hello (where stapled OCSP should be found),
   or it will have to check certificate status out of band (which has
   privacy considerations).

   The problem here is that any application data sent before receiving
   the server's Hello will be compromised if the server's private key
   was compromised (even if the cert was revoked).

   For HTTP(S) this is a problem: the HTTP request may or may not be
   sensitive, but the HTTP client implementation and TLS can't know
   if it is -- only the application can know.  This might mean that XHR,
   HTML, need extensions for specifying this.

   Again, this is an API consideration as well.

   DANE makes this consideration go away, mostly[2].

 - Client authentication state

   Imagine a handshake where the client is not authenticated until the
   second round trip, but we have key material for 0-RTT.  The server
   cannot authorize any application protocol commands at this stage.

 - Symmetric session key non-reuse depends entirely on the client and
   its RNG.  E.g., in the resumption and PSK cases.

   When using cipher modes where key/IV reuse is disastrous this could
   be a serious problem.


How to do 0-RTT in non-resumption, non-PSK handshakes:

 - with key transport (the server's static pubkey must be an encryption key)
 - with key agreement (the server's static pubkey must be an (EC)DH key)

PFS can be added, and anyways, it all looks a lot like session
resumption.


How to learn the server's pubkey prior to making the client Hello?

 - use DANE
 - recall the server's pubkey from a previous connection and use it
   optimistically (as in: it hasn't changed since last time)

The latter is the basis of Hugo Krawczyk's OPTLS proposal.

[0] I saw the thread starting at:

    https://www.ietf.org/mail-archive/web/tls/current/msg13298.html

    but the treatment of the security considerations of 0-RTT there was
    not exhaustive, unless I missed it.

[1] The GSS-API [RFC2743] has supported sending application data early,
    and has since 1997 [RFC2078].  GSS calls the "ready to send
    somewhat-protected data" state "prot_ready".  Kerberos V [RFC4120]
    effectively had it even earlier, in 1993 [RFC1510], and probably
    before then too.

[2] Provided one does not object to DANE.

Nico
--

v2.23.0 | Report a Bug | By Email