Re: [TLS] Requiring that (EC)DHE public values be fresh

Eric Rescorla <ekr@rtfm.com> Thu, 29 December 2016 18:39 UTC

In-Reply-To: <79db4a88-e435-2e5b-47a5-9048acef45e2@cs.tcd.ie>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <79db4a88-e435-2e5b-47a5-9048acef45e2@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 29 Dec 2016 10:38:54 -0800
Message-ID: <CABcZeBObcWUjdHhysLG1K0TbJfiqN+XCERn6WaMjWzgU0XC65A@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/PuQY68_LEnthuK3rIo--VYXj31U>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Requiring that (EC)DHE public values be fresh

On Thu, Dec 29, 2016 at 10:15 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:

>
> Hiya,
>
> On 29/12/16 17:37, Adam Langley wrote:
> > https://github.com/tlswg/tls13-spec/pull/840 is a pull request that
> > specifies that (EC)DH values must be fresh for both parties in TLS
> > 1.3.
> >
> > For clients, this is standard practice (as far as I'm aware) so should
> > make no difference. For servers, this is not always the case:
> >
> > Springall, Durumeric & Halderman note[1] that with TLS 1.2:
> >   ∙ 4.4% of the Alexa Top 1M reuse DHE values and 1.3% do so for more
> >     than a day.
> >   ∙ 14.4% of the Top 1M reuse ECDHE values, 3.4% for more than a day.
> ...
>
> As an individual, I'd be in favour of this change but reading
> over [1], section 5, I wondered if we'd analysed the effects of
> 0rtt/replayable-data with that kind of cross-domain re-use in mind?
> The situation being where session ID based caches or session ticket
> equivalents in tls1.3 are shared over multiple domains.
>
> I don't recall this being explicitly considered, but maybe that's
> just me forgetting. And hopefully the analysis is that such re-use
> doesn't enable broader replay of early data, but there may be
> something worth a mention in the tls1.3 spec, e.g. that there may
> be linkages between the duration for which entries are maintained
> in resumption and replay detection caches.
>

This question seems essentially orthogonal to the question of ECDHE key
reuse, because even if you use the same ECDHE key in perpetuity you get
unique traffic keying material for each connection.

-Ekr


> Cheers,
> S.
>
> >
> > [1] “Measuring the Security Harm of TLS Crypto Shortcuts”, IMC 2016,
> > pages 33–47, section 4.4. https://dl.acm.org/citation.cfm?id=2987480
> > [2] https://datatracker.ietf.org/doc/draft-green-tls-static-dh-in-tls13/
> >
> >
> > Cheers
> >
> > AGL
> >
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
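The point in Ekr's reply can be checked directly with a small simulation. The block below is an added example written for this archive page; it is not code from Ekr, Adam Langley, the pull request, or the TLS working group. It implements X25519 from RFC 7748 (variable-time, demo only) and the no-PSK part of the RFC 8446 key schedule with SHA-256, then runs three handshakes against one server that never rotates its key share. The transcript is modelled as just the two randoms and the two key shares rather than the full ClientHello/ServerHello encoding; that simplification is an assumption of the example, as is the choice of SHA-256 and the absence of a PSK. It shows (a) two clients with fresh shares get different handshake traffic secrets, (b) even if both sides reused the same shares the fresh randoms in the transcript still give different traffic secrets, which is exactly why reuse is orthogonal to the 0-RTT question, and (c) what reuse does cost, which is the well-known forward-secrecy loss that motivates the PR: a recorded handshake plus the later-compromised static key lets a passive observer recompute an old connection's traffic secret.

```python
"""Key reuse vs. per-connection keys in the TLS 1.3 key schedule (added example)."""
import hashlib
import hmac
import os

P = 2**255 - 19
A24 = 121665
BASE = (9).to_bytes(32, "little")


def _clamp(k: bytes) -> int:
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar: bytes, u: bytes) -> bytes:
    """RFC 7748 Montgomery ladder. Branches on secret bits: demo only."""
    k = _clamp(scalar)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = (da + cb) ** 2 % P
        z3 = x1 * ((da - cb) ** 2) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label from RFC 8446 section 7.1 (HkdfLabel struct as info)."""
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    out, prev, i = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(secret, prev + info + bytes([i]), hashlib.sha256).digest()
        out += prev
        i += 1
    return out[:length]


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, hashlib.sha256(transcript).digest(), 32)


def handshake_traffic_secret(shared: bytes, transcript: bytes) -> bytes:
    """Early Secret -> Handshake Secret -> server_handshake_traffic_secret, no PSK."""
    early = hkdf_extract(b"\x00" * 32, b"\x00" * 32)
    derived = derive_secret(early, b"derived", b"")
    hs = hkdf_extract(derived, shared)
    return derive_secret(hs, b"s hs traffic", transcript)


def simulate(server_priv: bytes, client_priv: bytes, c_rand: bytes, s_rand: bytes):
    """Abbreviated handshake; returns (modelled transcript, client share, traffic secret)."""
    server_pub = x25519(server_priv, BASE)
    client_pub = x25519(client_priv, BASE)
    # Assumption: transcript modelled as randoms + key shares only (real one is the
    # full ClientHello..ServerHello bytes, which contain these fields).
    transcript = b"CH" + c_rand + client_pub + b"SH" + s_rand + server_pub
    shared_c = x25519(client_priv, server_pub)
    shared_s = x25519(server_priv, client_pub)
    assert shared_c == shared_s
    return transcript, client_pub, handshake_traffic_secret(shared_s, transcript)


def demo():
    server_static = os.urandom(32)  # the server reuses this share for every connection
    t1, cpub1, ts1 = simulate(server_static, os.urandom(32), os.urandom(32), os.urandom(32))
    _, _, ts2 = simulate(server_static, os.urandom(32), os.urandom(32), os.urandom(32))
    # Both sides reusing shares: identical (EC)DHE secret, still distinct transcripts.
    cpriv = os.urandom(32)
    _, _, ts3 = simulate(server_static, cpriv, os.urandom(32), os.urandom(32))
    _, _, ts4 = simulate(server_static, cpriv, os.urandom(32), os.urandom(32))
    # Cost of reuse: recorded handshake + later key compromise = old traffic secret.
    recovered = handshake_traffic_secret(x25519(server_static, cpub1), t1)
    return {"distinct_clients": ts1 != ts2,
            "same_shares_distinct": ts3 != ts4,
            "recovered_old_secret": recovered == ts1}


if __name__ == "__main__":
    print(demo())
```

Run it and all three flags come back True: the first two are Ekr's observation that traffic keying material is unique per connection regardless of share reuse; the third is the property a fresh share per connection would remove, since an attacker holding only a per-connection key that was erased after the handshake recomputes nothing.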