Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
Eric Rescorla <ekr@rtfm.com> Mon, 28 March 2016 22:07 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 02E0312D13F for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 15:07:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.61
X-Spam-Level:
X-Spam-Status: No, score=-0.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xtfY7BP7yj-N for <tls@ietfa.amsl.com>; Mon, 28 Mar 2016 15:07:03 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7107F12D160 for <tls@ietf.org>; Mon, 28 Mar 2016 15:07:03 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id h65so99939745ywe.0 for <tls@ietf.org>; Mon, 28 Mar 2016 15:07:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=uLzr4yBbR5vT1vxhyCsSQOtin8SNiAeScSErbZE9zCI=; b=1zT3i1hnNGZbo24GRf5zoL5wj/LSAKAxi9LTtxCTbpy2xDMK08oTXsdngfj9d/t23d 3lxgO78orsIWHflom1IUbmSBYaac8PaIvWXw96k/5e2K3S0oVG+/rhjxsZz5FcCiixAX UppS4jyGU1LVrY1kLXVupY/b8wnvuIFCMu+Agg/64JzG7dZX3Q6BoVqoRImzzaeDtkXS FQzomiChoMlBgXka/hWijS+XUeDjk+qRBWWqjfA3/GhFoyO0FgM4MOOZ8+Vi9Y5EEjI9 v2rY0ZagPfJwOYiEfGrP61vuPS3mtv36yYvx0AUS4/5QmCogzLm8OI/n5C5fpY0wlstz LwvQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=uLzr4yBbR5vT1vxhyCsSQOtin8SNiAeScSErbZE9zCI=; b=mu0QBykVpUQ6r4dA00Y95tvySXUVePGLENayWQaQaLXCtdiZmp4g6HC9YQ1WCm8VOo 2GbtvqwW7x9cwFTdV/pre0YQFZ4G0lxjORyQuC4aSB4T4Sh6F6nX5GOIS41Qq0v8/BoA loMRLmcZ8traumIADUVL7TbKXVt8FpYwdOiVHS5Kwx9+83K+LLpk8RJ6daBxlwNFRLMo x4ZNv4xkurS8YQuGAf8+EVkZbvGFE6SYVHDbLoknZRG2Et8IwfvJCcvql9p7h8PC1dio 3sQ1ND4MU4D8RcLfjTnysN7Yyp0bqFe7ez74IXwbQO1RLvo1o6nk96Xm/95FkeLbmyDu lQMg==
X-Gm-Message-State: AD7BkJIgUDjHNvCI9rByfmVIzPl2WJ+tebulbXsQES845NqO3ChIfZ2B5Ce9BTfQGbDsVkC1UDFtjL7YWx7mcg==
X-Received: by 10.129.152.10 with SMTP id p10mr4632476ywg.129.1459202822601; Mon, 28 Mar 2016 15:07:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Mon, 28 Mar 2016 15:06:23 -0700 (PDT)
In-Reply-To: <BLUPR03MB139671E889569CAD5E65E27D8C860@BLUPR03MB1396.namprd03.prod.outlook.com>
References: <CAAF6GDeLshxG0o2_a9vPBTMtNHLNf9tynJaPPnAm2ZrAca19iw@mail.gmail.com> <7B4301E9-0282-47A3-8824-5ACC2C61910F@gmail.com> <BLUPR03MB139612FBF6332AFD3E74AB658C860@BLUPR03MB1396.namprd03.prod.outlook.com> <535576C4-F808-4937-946C-B53661F0645D@gmail.com> <BLUPR03MB139671E889569CAD5E65E27D8C860@BLUPR03MB1396.namprd03.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 28 Mar 2016 15:06:23 -0700
Message-ID: <CABcZeBOLEbWeZMbNv1He=2h7Oq+GhbZvrLik-Dr=GfsNctTxOQ@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: multipart/alternative; boundary="94eb2c0bbf62e5af59052f23213a"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QocwTKozspVz_2-7rPa2dvqTRRQ>
Cc: "karthik@messengeruser.com" <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Mar 2016 22:07:07 -0000
Yes, I believe that this is what people want. On Mon, Mar 28, 2016 at 2:47 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote: > Not sending cookies/authz headers in 0-RTT would solve a part of the > problem, but will browser vendors go for that? I could be wrong, but there > seems to be considerable interest in 0-RTT Token Binding…. so folks must be > planning on sending tokensJ. > > > > *From:* Karthikeyan Bhargavan [mailto:karthik.bhargavan@gmail.com] > *Sent:* Monday, March 28, 2016 2:31 PM > *To:* Andrei Popov <Andrei.Popov@microsoft.com> > *Cc:* Colm MacCárthaigh <colm@allcosts.net>; tls@ietf.org > > *Subject:* Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety > > > > Ø … because secrecy is in the control of the client, who can choose to > send or not send sensitive data… > > Generally, how can a browser distinguish sensitive data? > > > > By not sending cookies or authorization headers, for example? > > > > > > Cheers, > > > > Andrei > > > > *From:* TLS [mailto:tls-bounces@ietf.org <tls-bounces@ietf.org>] *On > Behalf Of *Karthikeyan Bhargavan > *Sent:* Monday, March 28, 2016 1:31 PM > *To:* Colm MacCárthaigh <colm@allcosts.net> > *Cc:* tls@ietf.org > *Subject:* Re: [TLS] Resumption and Forward Secrecy, 0-RTT and Safety > > > > Let me try to understand the concerns here. > > > > > *Resumption and Forward Secrecy* > > > > PSK_ECDHE in TLS 1.3 does provide forward secrecy for 1-RTT data, yes? > > This is already better than TLS 1.2 where we had no way to do > forward-secret resumption. > > In that case, the concern is mainly for 0-RTT, which I agree is harder to > get right. > > > > > *0RTT and Safety* > > I see at least three different challenges with 0RTT as defined. The first > is a general and high level one: we seem to willing to accept a "lower" > level of security for 0RTT data (e.g. no FS, even if the rest of the > session has it). Why? What is it we think is special about this data that > it is "less" worth protecting? surely there are very sensitive things in > urls, surely there are potential oracles and other things in there too? It > just seems super strange to me. > > > > I wonder if the QUIC folks have an answer to this question? It would be > good to gather “typical” intended use cases of 0-RTT data. > > In any case, it is good to distinguish this forward secrecy concern from > replay, because secrecy is in the control of the client, who can choose to > send or not send sensitive data, but replay detection is in the hands of > the server. > > > > > The second challenge is that the replayability of the 0RTT poses a > cryptographic safety challenge. Take Lucky13 - which is a brilliant attack > and is stunningly effective against DTLS because it is so easy to replay > over and over; barely needing to change any parameters - and let the server > do the work. 0RTT looks very similar. It doesn't seem wise to let cipher > text manipulators take as many cracks at the whip as they'd like. > > The third challenge is that the 0RTT plaintext data itself may not be safe > to replay; that is that it might trigger some kind of non-idempotent > action. Idempotence is really really hard, it isn't safe to simply plug in > a replayable section to existing protocols. There's also a huge difference > between being tolerant to a small number of replays, and a large unbounded > number. For example: a large unbounded number may be used to generate DOS > attacks against throttles and quotas. > > > > Yes, detecting and preventing replays by default would be good. > > However, I wouldn’t tie this in with the session mechanism. > > Wouldn’t we want to prevent replay of DH 0-RTT requests? > > > > Best, > > Karthik > > > > > > > > > The third challenge is that the 0RTT plaintext data itself may not be safe > to replay; that is that it might trigger some kind of non-idempotent > action. Idempotence is really really hard, it isn't safe to simply plug in > a replayable section to existing protocols. There's also a huge difference > between being tolerant to a small number of replays, and a large unbounded > number. For example: a large unbounded number may be used to generate DOS > attacks against throttles and quotas. > > > > *Tying things together* > > Short of some kind of transactional locking protocol during TLS > handshakes, I don't think there is a scheme that can perfectly prevent > replay. Bill Cox' analysis is a really good one here. But I'd like to > observe that the sort of single-use-session-id cache outlined above has a > nice property that it makes for a sort of strike register. Since the > server-side implementor is incentivized to evict entries, or at least mark > them as used, so that the slot is available for re-use; that can be > doubled-up as a "we've seen this already" signal. This reduces the replay > window to the time period for that signal to propagate (e.g. for an > eviction to happen from the cache). > > > > So 0RTT data could be encrypted under the resumption session id. That > creates the challenge that the session might not be there any more, so the > server may not be able to decrypt the 0RTT data. I actually think this is a > plus, and lines up with a separate important change I think is necessary - > the 0RTT data shouldn't be application data. It should be a separate, > optional, stream. I find it helpful to think of it as a hint, so it could > be called "replayable_hint". Instead of breaking apart an existing protocol > and putting some of it in the early data and some in the application data > transparently (a disaster in waiting), the client and server would have to > formally agree on the kind of data that could be in a "replayable_hint". > This goes a long way to mitigating many protocol level idempotency > concerns, and has no impact on the kind of pre-fetching people want to do > for HTTP and other protocols. At a bare minimum, I think we should make > this change. > > > > Lastly, and this is a little crazy but I haven't let that stop me before > ... to guard against the smaller replay window and idempotency problems at > the application levels,clients should occasionally send duplicate and > unrelated hints, just opportunistically. This keeps the server side > application "on notice" that that kind of craziness can occur, and better > to have it happen a little all of the time in a controlled way, than rarely > by attackers. > > > > *Summary* > > A common theme in the above is that it makes things more expensive for > server-side implementors, and that sucks - but I don't see another way to > avoid some of the pitfalls here; and I'm unhappy with the state of tickets > today. If I'm on my own on that, I'd be interested in what kinds of data > people might kind convincing. My own impressions come from being an Apache > httpd developer and assisting people with configurations and running > workshops at conferences. It's not scientific, but the prevalence of > non-rotation is so severe in my sample set that I'm convinced it's the > norm. > > > > -- > > Colm > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2ftls&data=01%7c01%7cAndrei.Popov%40microsoft.com%7c88d384e16d794a23be0c08d35750543d%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=IU9aYW%2b6Gt0pnbIVXnT2yGNzOCGfmvvg%2fY5yFhiKlYY%3d> > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Resumption and Forward Secrecy, 0-RTT and S… Colm MacCárthaigh
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Tony Arcieri
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Karthikeyan Bhargavan
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Colm MacCárthaigh
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Bill Frantz
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Andrei Popov
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Karthikeyan Bhargavan
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Andrei Popov
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Eric Rescorla
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Ryan Hamilton
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Martin Thomson
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Colm MacCárthaigh
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Karthikeyan Bhargavan
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Martin Thomson
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Tony Arcieri
- Re: [TLS] Resumption and Forward Secrecy, 0-RTT a… Ryan Hamilton