IETF Logo Mail Archive

Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety

Eric Rescorla <ekr@rtfm.com> Mon, 28 March 2016 22:07 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02E0312D13F for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 15:07:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.61
X-Spam-Level:
X-Spam-Status: No, score=-0.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtfY7BP7yj-N for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 15:07:03 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7107F12D160 for <tls@ietf.org>; Mon, 28 Mar 2016 15:07:03 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id h65so99939745ywe.0 for <tls@ietf.org>; Mon, 28 Mar 2016 15:07:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uLzr4yBbR5vT1vxhyCsSQOtin8SNiAeScSErbZE9zCI=; b=1zT3i1hnNGZbo24GRf5zoL5wj/LSAKAxi9LTtxCTbpy2xDMK08oTXsdngfj9d/t23d 3lxgO78orsIWHflom1IUbmSBYaac8PaIvWXw96k/5e2K3S0oVG+/rhjxsZz5FcCiixAX UppS4jyGU1LVrY1kLXVupY/b8wnvuIFCMu+Agg/64JzG7dZX3Q6BoVqoRImzzaeDtkXS FQzomiChoMlBgXka/hWijS+XUeDjk+qRBWWqjfA3/GhFoyO0FgM4MOOZ8+Vi9Y5EEjI9 v2rY0ZagPfJwOYiEfGrP61vuPS3mtv36yYvx0AUS4/5QmCogzLm8OI/n5C5fpY0wlstz LwvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uLzr4yBbR5vT1vxhyCsSQOtin8SNiAeScSErbZE9zCI=; b=mu0QBykVpUQ6r4dA00Y95tvySXUVePGLENayWQaQaLXCtdiZmp4g6HC9YQ1WCm8VOo 2GbtvqwW7x9cwFTdV/pre0YQFZ4G0lxjORyQuC4aSB4T4Sh6F6nX5GOIS41Qq0v8/BoA loMRLmcZ8traumIADUVL7TbKXVt8FpYwdOiVHS5Kwx9+83K+LLpk8RJ6daBxlwNFRLMo x4ZNv4xkurS8YQuGAf8+EVkZbvGFE6SYVHDbLoknZRG2Et8IwfvJCcvql9p7h8PC1dio 3sQ1ND4MU4D8RcLfjTnysN7Yyp0bqFe7ez74IXwbQO1RLvo1o6nk96Xm/95FkeLbmyDu lQMg==
X-Gm-Message-State: AD7BkJIgUDjHNvCI9rByfmVIzPl2WJ+tebulbXsQES845NqO3ChIfZ2B5Ce9BTfQGbDsVkC1UDFtjL7YWx7mcg==
X-Received: by 10.129.152.10 with SMTP id p10mr4632476ywg.129.1459202822601; Mon, 28 Mar 2016 15:07:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Mon, 28 Mar 2016 15:06:23 -0700 (PDT)
In-Reply-To: <BLUPR03MB139671E889569CAD5E65E27D8C860@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <CAAF6GDeLshxG0o2_a9vPBTMtNHLNf9tynJaPPnAm2ZrAca19iw@mail.gmail.com> <7B4301E9-0282-47A3-8824-5ACC2C61910F@gmail.com> <BLUPR03MB139612FBF6332AFD3E74AB658C860@BLUPR03MB1396.namprd03.prod.outlook.com> <535576C4-F808-4937-946C-B53661F0645D@gmail.com> <BLUPR03MB139671E889569CAD5E65E27D8C860@BLUPR03MB1396.namprd03.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 28 Mar 2016 15:06:23 -0700
Message-ID: <CABcZeBOLEbWeZMbNv1He=2h7Oq+GhbZvrLik-Dr=GfsNctTxOQ@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: multipart/alternative; boundary="94eb2c0bbf62e5af59052f23213a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QocwTKozspVz_2-7rPa2dvqTRRQ>
Cc: "karthik@messengeruser.com" <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2016 22:07:07 -0000

Yes, I believe that this is what people want.

On Mon, Mar 28, 2016 at 2:47 PM, Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

> Not sending cookies/authz headers in 0-RTT would solve a part of the
> problem, but will browser vendors go for that? I could be wrong, but there
> seems to be considerable interest in 0-RTT Token Binding…. so folks must be
> planning on sending tokensJ.
>
>
>
> *From:* Karthikeyan Bhargavan [mailto:karthik.bhargavan@gmail.com]
> *Sent:* Monday, March 28, 2016 2:31 PM
> *To:* Andrei Popov <Andrei.Popov@microsoft.com>
> *Cc:* Colm MacCárthaigh <colm@allcosts.net>; tls@ietf.org
>
> *Subject:* Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
>
>
>
> Ø  … because secrecy is in the control of the client, who can choose to
> send or not send sensitive data…
>
> Generally, how can a browser distinguish sensitive data?
>
>
>
> By not sending cookies or authorization headers, for example?
>
>
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
> *From:* TLS [mailto:tls-bounces@ietf.org <tls-bounces@ietf.org>] *On
> Behalf Of *Karthikeyan Bhargavan
> *Sent:* Monday, March 28, 2016 1:31 PM
> *To:* Colm MacCárthaigh <colm@allcosts.net>
> *Cc:* tls@ietf.org
> *Subject:* Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
>
>
>
> Let me try to understand the concerns here.
>
>
>
>
> *Resumption and Forward Secrecy*
>
>
>
> PSK_ECDHE in TLS 1.3 does provide forward secrecy for 1-RTT data, yes?
>
> This is already better than TLS 1.2 where we had no way to do
> forward-secret resumption.
>
> In that case, the concern is mainly for 0-RTT, which I agree is harder to
> get right.
>
>
>
>
> *0RTT and Safety*
>
> I see at least three different challenges with 0RTT as defined. The first
> is a general and high level one: we seem to willing to accept a "lower"
> level of security for 0RTT data (e.g. no FS, even if the rest of the
> session has it). Why? What is it we think is special about this data that
> it is "less" worth protecting? surely there are very sensitive things in
> urls, surely there are potential oracles and other things in there too? It
> just seems super strange to me.
>
>
>
> I wonder if the QUIC folks have an answer to this question? It would be
> good to gather “typical” intended use cases of 0-RTT data.
>
> In any case, it is good to distinguish this forward secrecy concern from
> replay, because secrecy is in the control of the client, who can choose to
> send or not send sensitive data, but replay detection is in the hands of
> the server.
>
>
>
>
> The second challenge is that the replayability of the 0RTT poses a
> cryptographic safety challenge. Take Lucky13 - which is a brilliant attack
> and is stunningly effective against DTLS because it is so easy to replay
> over and over; barely needing to change any parameters - and let the server
> do the work. 0RTT looks very similar. It doesn't seem wise to let cipher
> text manipulators take as many cracks at the whip as they'd like.
>
> The third challenge is that the 0RTT plaintext data itself may not be safe
> to replay; that is that it might trigger some kind of non-idempotent
> action. Idempotence is really really hard, it isn't safe to simply plug in
> a replayable section to existing protocols. There's also a huge difference
> between being tolerant to a small number of replays, and a large unbounded
> number. For example: a large unbounded number may be used to generate DOS
> attacks against  throttles and quotas.
>
>
>
> Yes, detecting and preventing replays by default would be good.
>
> However, I wouldn’t tie this in with the session mechanism.
>
> Wouldn’t we want to prevent replay of DH 0-RTT requests?
>
>
>
> Best,
>
> Karthik
>
>
>
>
>
>
>
>
> The third challenge is that the 0RTT plaintext data itself may not be safe
> to replay; that is that it might trigger some kind of non-idempotent
> action. Idempotence is really really hard, it isn't safe to simply plug in
> a replayable section to existing protocols. There's also a huge difference
> between being tolerant to a small number of replays, and a large unbounded
> number. For example: a large unbounded number may be used to generate DOS
> attacks against  throttles and quotas.
>
>
>
> *Tying things together*
>
> Short of some kind of transactional locking protocol during TLS
> handshakes, I don't think there is a scheme that can perfectly prevent
> replay. Bill Cox' analysis is a really good one here. But I'd like to
> observe that the sort of single-use-session-id cache outlined above has a
> nice property that it makes for a sort of strike register. Since the
> server-side implementor is incentivized to evict entries, or at least mark
> them as used, so that the slot is available for re-use; that can be
> doubled-up as a "we've seen this already" signal. This reduces the replay
> window to the time period for that signal to propagate (e.g. for an
> eviction to happen from the cache).
>
>
>
> So 0RTT data could be encrypted under the resumption session id. That
> creates the challenge that the session might not be there any more, so the
> server may not be able to decrypt the 0RTT data. I actually think this is a
> plus, and lines up with a separate important change I think is necessary -
> the 0RTT data shouldn't be application data. It should be a separate,
> optional, stream. I find it helpful to think of it as a hint, so it could
> be called "replayable_hint". Instead of breaking apart an existing protocol
> and putting some of it in the early data and some in the application data
> transparently (a disaster in waiting), the client and server would have to
> formally agree on the kind of data that could be in a "replayable_hint".
> This goes a long way to mitigating many protocol level idempotency
> concerns, and has no impact on the kind of pre-fetching people want to do
> for HTTP and other protocols. At a bare minimum, I think we should make
> this change.
>
>
>
> Lastly, and this is a little crazy but I haven't let that stop me before
> ... to guard against the smaller replay window and idempotency problems at
> the application levels,clients should occasionally send duplicate and
> unrelated hints, just opportunistically. This keeps the server side
> application "on notice" that that kind of craziness can occur, and better
> to have it happen a little all of the time in a controlled way, than rarely
> by attackers.
>
>
>
> *Summary*
>
> A common theme in the above is that it makes things more expensive for
> server-side implementors, and that sucks - but I don't see another way to
> avoid some of the pitfalls here; and I'm unhappy with the state of tickets
> today. If I'm on my own on that, I'd be interested in what kinds of data
> people might kind convincing. My own impressions come from being an Apache
> httpd developer and assisting people with configurations and running
> workshops at conferences. It's not scientific, but the prevalence of
> non-rotation is so severe in my sample set that I'm convinced it's the
> norm.
>
>
>
> --
>
> Colm
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cAndrei.Popov%40microsoft.com%7c88d384e16d794a23be0c08d35750543d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=IU9aYW%2b6Gt0pnbIVXnT2yGNzOCGfmvvg%2fY5yFhiKlYY%3d>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email