Re: [TLS] Remove EncryptedExtensions from 0-RTT

David Benjamin <davidben@chromium.org> Thu, 23 June 2016 14:47 UTC

References: <CABkgnnVFg2iCc8eWX40+25ATE=dAw3WmndReO0ky2j1K_soLPQ@mail.gmail.com> <20160623103546.GA5287@LK-Perkele-V2.elisa-laajakaista.fi>
In-Reply-To: <20160623103546.GA5287@LK-Perkele-V2.elisa-laajakaista.fi>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 23 Jun 2016 14:39:22 +0000
Message-ID: <CAF8qwaB6EiP-O3s+pCw9wGHvAH1iFZRQ_GbNJOXwiO2LW4iCvg@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>, Martin Thomson <martin.thomson@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PtB5p5a0a5MuVkdvY2ECDCEGnhU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Remove EncryptedExtensions from 0-RTT

On Thu, Jun 23, 2016 at 6:35 AM Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Thu, Jun 23, 2016 at 01:37:14PM +1000, Martin Thomson wrote:
> > When implementing 0-RTT, and in particular the ticket_age extension, we
> > discovered that this greatly increases the complexity of the server
> > state machine.
> >
> > David Benjamin rather flippantly described a solution to this problem:
> > XOR the ticket age value with something that is either derived from
> > the old session keys or was included in the NewSessionTicket message.
> >
> > I propose we take David's solution.  After all, simple is better:
> >
> >   https://github.com/tlswg/tls13-spec/pull/503
>
> I don't see a warning that reusing a ticket with that scheme causes
> the "masking" to break (the classic "multiple time pad" broken scheme).
>

Probably worth expanding on in the text, but the assumption here is that
EncryptedExtensions' only purpose in life was to defeat correlation. That
is, if we didn't care about that, we'd put it in the clear like other
ClientHello fields. (Which means integrity is provided by handshake
transcript, as with other ClientHello fields.)

To that end, if you were reusing a ticket, you've already leaked a more fun
correlator (the ticket) and must not have cared about leaking the
ticket_age either.

If something more heavyweight is wanted, probably better to derive some
extra key off the session key material + stuff (ought to include
client_random if worried about ticket reuse) and toss it into the cipher's
AEAD or something. It didn't seem we needed any of it, so I "flippantly"
proposed the dumbest possible thing that might work. :-)

David
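As an added illustration of the exchange above (not code from the thread or from PR 503): a toy model of the XOR masking with one fixed mask per ticket, beside the heavier variant David mentions that also mixes client_random into the mask. The HMAC-SHA256 derivation, the label and all function names are assumptions made for this illustration, not TLS 1.3 key-schedule definitions.

```python
import hmac
import hashlib

LABEL = b"ticket_age_mask"  # constructed label, not a TLS 1.3 label
AGE_BITS = 0xFFFFFFFF       # ticket_age is a 32-bit field


def prf32(secret: bytes, info: bytes) -> int:
    """Derive a 32-bit value from a secret with HMAC-SHA256 (stand-in for a key schedule)."""
    return int.from_bytes(hmac.new(secret, info, hashlib.sha256).digest()[:4], "big")


def fixed_mask(ticket_secret: bytes) -> int:
    """Scheme from the thread: one mask per ticket, derived from the old session keys."""
    return prf32(ticket_secret, LABEL)


def per_connection_mask(ticket_secret: bytes, client_random: bytes) -> int:
    """Heavier variant: bind the mask to this ClientHello's client_random as well."""
    return prf32(ticket_secret, LABEL + client_random)


def mask_age(age_ms: int, mask: int) -> int:
    return (age_ms ^ mask) & AGE_BITS


def unmask_age(masked: int, mask: int) -> int:
    return (masked ^ mask) & AGE_BITS


def observer_xor(masked_a: int, masked_b: int) -> int:
    """Anyone seeing both ClientHellos can XOR the two values; under a reused mask this is age_a ^ age_b."""
    return masked_a ^ masked_b


def demo(ticket_secret, age_a, age_b, rand_a, rand_b):
    """Present one ticket twice; return (fixed_leaks, per_conn_leaks, server_recovers)."""
    m = fixed_mask(ticket_secret)
    fa, fb = mask_age(age_a, m), mask_age(age_b, m)
    fixed_leaks = observer_xor(fa, fb) == (age_a ^ age_b)          # the "multiple time pad" failure
    ma = per_connection_mask(ticket_secret, rand_a)
    mb = per_connection_mask(ticket_secret, rand_b)
    pa, pb = mask_age(age_a, ma), mask_age(age_b, mb)
    per_conn_leaks = observer_xor(pa, pb) == (age_a ^ age_b)       # masks differ, relation is gone
    server_recovers = (unmask_age(fa, m), unmask_age(fb, m),
                       unmask_age(pa, ma), unmask_age(pb, mb)) == (age_a, age_b, age_a, age_b)
    return fixed_leaks, per_conn_leaks, server_recovers
```

The server, which knows the ticket secret and sees client_random, unmasks correctly under both schemes; only the fixed-mask scheme gives an observer the age difference when a ticket is reused.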