IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Victor Vasiliev <vasilvv@google.com> Thu, 01 June 2017 20:51 UTC

Return-Path: <vasilvv@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A96FF127444 for <tls@ietfa.amsl.com>; Thu, 1 Jun 2017 13:51:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GMa0pSGNqCJ3 for <tls@ietfa.amsl.com>; Thu, 1 Jun 2017 13:51:03 -0700 (PDT)
Received: from mail-qt0-x232.google.com (mail-qt0-x232.google.com [IPv6:2607:f8b0:400d:c0d::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98B1B1200C5 for <tls@ietf.org>; Thu, 1 Jun 2017 13:50:56 -0700 (PDT)
Received: by mail-qt0-x232.google.com with SMTP id f55so46025217qta.3 for <tls@ietf.org>; Thu, 01 Jun 2017 13:50:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6xy0aaqU7AXa5gLjzhGUmU9Lli9caNCv1aK5r2y4SJY=; b=fE9aycc82qVWBlu0Sd9orTKdXEz+c1kkMo19QBnXI+/VC6E0Gr+vipoZWLY6J1qWmY j85KS2nSVxfDdZ0+8zhr6puOalTF2h9me7TqU99BzkdaqZvAlzIPacmwuDaAzb0GI1sS 6LfALozkUwl9KFQOiq1e75xAHdOycu1XAmPpF055x70uhHBiGANM5POxBqglrcX8Il6z K5SC1JyuOaY/njF09mRuY7xq40zDOgYNPi2KwLMo4THg0Z3NCwW9gb9EeXzB0uSCpZNE zp2w9nfABUODlpnPBNaylQXbZxN9gnoDGBH0DYmw810ZLJOdQYa65kEotRDnH8Tmlrs/ q4rw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6xy0aaqU7AXa5gLjzhGUmU9Lli9caNCv1aK5r2y4SJY=; b=JHR5pdfqtcRRuQ4KipE/+5WDSs/vbPwap43Ip9dwDr6w4Z9TmUkYZsVGq9qKLy2dlQ QmKHnz8SS4Hj5Ms9ByC41EGI70SGfHtRcr/wNgsP5Y7i6V36ijA5nBaKNZVANMU6PM9T QMhUuZIQaYTFHe69TzmqktZe0tf0w0rxDNsqpGyRuCq6wwPhNgGmU/NLmIo7f+hWnuMT D0S7sGpie1czKw8LAie2MwHGr+qWv29UUHhFj5ib1NWlboW2zT7pt1By2R1UaY9PHGlr qVksCqomq2jftfbj4rFDkwKO3YDMVqpA5mpRxYzBsX7GERFKtb9nAJ7/GTto7szRuop3 r/lw==
X-Gm-Message-State: AODbwcBfEYLAjDXpjtueYluBuqvZcs4QER5LnQYbR0WQaGq8+EvG7VxA fux4WByJu77e5/RUwmZp2gp+BmxFhS47VFZ0YA==
X-Received: by 10.237.61.39 with SMTP id g36mr4322644qtf.60.1496350255532; Thu, 01 Jun 2017 13:50:55 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.46.65 with HTTP; Thu, 1 Jun 2017 13:50:54 -0700 (PDT)
In-Reply-To: <CAAF6GDesLzMDN_LVYr6sFU8Z04jpXhFZphOAet-0JPsFF56Oig@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CAAZdMacpJ-qoQt2pDBjTq6ADwmRKOHXTHDyDTzb+g2gYPvtZzQ@mail.gmail.com> <CAAF6GDdobkQh9_iqX1oU_BO9O2aK2_7Cbaper0AY4qEGYXAcvA@mail.gmail.com> <CAAZdMaeTdcgdCj26kVuq6-0EX1nmehvJJCq+YzB-4r84aRjhuA@mail.gmail.com> <CAAF6GDesLzMDN_LVYr6sFU8Z04jpXhFZphOAet-0JPsFF56Oig@mail.gmail.com>
From: Victor Vasiliev <vasilvv@google.com>
Date: Thu, 01 Jun 2017 16:50:54 -0400
Message-ID: <CAAZdMadDctG0sMyDV49+8UUiagqQpi0bSehtQuKPELMU-+Gg5g@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11432b707120730550ec3130"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Qwsu9mqBCWy7671WGzryXrJ_PYs>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Jun 2017 20:51:07 -0000

On Wed, May 31, 2017 at 4:52 PM, Colm MacCárthaigh <colm@allcosts.net>
wrote:
>
> On Wed, May 31, 2017 at 12:49 PM, Victor Vasiliev <vasilvv@google.com>
> wrote:
>
>> I think I am not getting my key point across here clearly.  I am not
>> arguing
>> that they are inconvenient, I am arguing that the guarantee you are
>> trying to
>> provide is impossible.
>>
>> I wholeheartedly agree that if it is possible to provide guarantee B (zero
>> replays), we really should provide it.  The problem is, we cannot.  Since
>> 0-RTT
>> is by its very design declinable, there will be always a possibility for
>> at
>> least one retry.
>>
>
> This is the part we agree on; but as I've said before, the kinds of
> attacks enabled by these kinds of client-initiated retries, and by
> attacker-initiated replays are fundamentally different.
>

I am not sure I agree with this distinction.  I can accept the difference in
terms of how much attacker can retry -- but we've already agreed that
bounding
that number is a good idea.  I don't see any meaningful distinction in other
regards.

>
>
>> Once you concede you can have at least one replay, the difference between
>> one
>> replay and N replays (for all N > 0) is not that large, which is why I
>> refer to
>> this as "nebulous bound" (guarantee C).
>>
>
> There's a very big difference and it leads to real-world attacks. With
> many replays, all sorts of side-channel analyses become possible, and I've
> provided examples. It's particularly nasty that the replays can be
> out-of-bound and to arbitrary nodes of the attacker's choosing, which makes
> the attacks even more effective.
>

Sure, but this is just an argument for making N small.  Also, retrys can
also
be directed to arbitrary nodes.


>
>> Your applications already have to
>> contend with replays, it's now just the matter of preventing side-channel
>> amplification.
>>
>
> Yes; applications using 0-RTT do have to make themselves retry-tolerant,
>  as they already must in many scenarios (e.g. a browser driven application).
>

I am glad we agree on that point.


> What concerns me most here is that people are clearly being confused by
> the TLS 1.3 draft into mis-understanding how this interacts with 0-RTT. For
> example the X-header trick, to derive an idempotency token from the binder,
> that one experimental deployment innovated doesn't actually work because it
> doesn't protect against the DKG attack. We're walking into rakes here.
>

Of course it doesn't protect against the DKG attack, but nothing at that
layer
actually does.

This sounds like an issue with the current wording of the draft.  As I
mentioned, I believe we should be very clear on what the developers should
and
should not expect from TLS.


> So, in other words, since we're now just bargaining about the value of N,
>> operational concerns are a fair game.
>>
>
> They're still not fair game imo, because there's a big difference between
> permitting exactly
> one duplicate, associated with a client-driven retry, and permitting huge
> volumes of replays. They enable different kinds of attacks.
>
>
Sure, but there's a space between "one" and "huge amount".


> I keep forgetting about forward secrecy in all of this, but it's worth
> noting that your argument for globally resumable sessions also implies that
> we shouldn't really shoot for  FS for some of the most critical user data.
> I also find that bizarre.
>
> To clarify, I am not suggesting that two streams would help.  I completely
>> agree with you that two streams is not going to mitigate the DKG attack or
>> others.  What I meant is that 0-RTT inherently has slightly different
>> properties from 1-RTT and must be used with that in mind.  Specifically, I
>> meant that it will not be enabled for applications by default, and HTTP
>> clients
>> would only allow it for methods that RFC 7231 defines as safe.
>>
>
> Well in the real world, I think it'll be pervasive, and I even think it
> /should/ be. We should make 0-RTT that safe and remove the sharp edges.
>

Are you arguing that non-safe requests should be allowed to be sent via
0-RTT?
Because that actually violates reasonable expectations of security
guarantees
for TLS, and I do not believe that is acceptable.


>> I do not believe that this to be the case.  The DKG attack is an attack
>> that allows
>> for a replay.
>>
>
> It's not. It permits a retry. The difference here is that the client is in
> full control. It can decide to delay, to change a unique request ID, or
> even not to retry at all. But the legitimate client generated the first
> attempt, it can be signaled that it wasn't accepted, and then it generates
> the second attempt. If it really really needs to it can even reason about
> the complicated semantics of the earlier request being possibly
> re-submitted later by an attacker.
>

That's already not acceptable for a lot of applications -- and by enabling
0-RTT for non-safe HTTP requests, we would be pulling the rug from under
them.

Replays are different though; the attacker just literally copies the data
> and can resend and resend as desired. As I've shown; this breaks real-world
> things like authenticated throttling systems, and leads to side-channel and
> cache analysis; where only very rarely is one attempt sufficient to
> exploit.
>

Sure, but all of those are either:
 (a) side channel attacks covered by guarantee C, or
 (b) a violation of semantic contract between TLS and the application.


> [snip]
>
>
>> But, as you describe, this enables some interesting side channels. Now,
>> these
>> side channels exist even without 0-RTT.  Attackers already can measure
>> response
>> times, probe and groom caches, direct traffic, etc.  *But*, with unlimited
>> 0-RTT replay, the attacker can repeat the experiment unboundedly and
>> amplify
>> the side channel.
>>
>
> Exactly :) but also ... what about the attack on the throttling
> infrastructure? or other resource exhaustion? 0-RTT replay seems like a
> really big problem here and it seems like the most realistic kind of attack
> too; booters and trouble-makers trying to lock each other out of systems.
>

Throttling POST requests is fine -- they shouldn't go over 0-RTT, since they
are not idempotent.  Throttling GET requests in this manner goes at odds
with
RFC 7231:

   Request methods are considered "safe" if their defined semantics are
   essentially read-only; i.e., the client does not request, and does
   not expect, any state change on the origin server as a result of
   applying a safe method to a target resource.  Likewise, reasonable
   use of a safe method is not expected to cause any harm, loss of
   property, or unusual burden on the origin server.

   This definition of safe methods does not prevent an implementation
   from including behavior that is potentially harmful, that is not
   entirely read-only, or that causes side effects while invoking a safe
   method.  What is important, however, is that the client did not
   request that additional behavior and cannot be held accountable for
   it. [...]

Incidentally, guarantee C does solve the throttling problem -- if you get N
replays, you get promise of 1/(N+1) throttled resource available to you.
Deployments which do this with GETs may want to deploy the measures to make
N
very small.  Also, since they already keep track of the state for throttling
purposes, they might add a strike register on top of that.

>
> Thus, A is problematic.  I think we both believe this and both agree then
>> that
>> the current text is unsatisfactory.  So the question is what to replace it
>> with.  Whatever we provide, it should be a clear security guarantee
>> between the
>> application and TLS (depending on what guarantee we chose, some of your
>> other
>> attacks may or may not just be invalid uses of TLS).  B is obviously
>> preferable, but as it is impossible per DKG, I think we should set the
>> contract
>> at C (bounded replay protection).  This is a guarantee that is not
>> fundamentally impossible and also successfully mitigates your side channel
>> amplification attacks.
>>
>
> I'm all for bounded replay protection, with the bounds being 1 ;-)
>

Why not 2?  What is the difference between 1 and 2?  2 and 3?  3 and 24?
None
of the proposed attacks distinguishes 1 replay and N replays in qualitative
ways (as opposed to giant semantic leap between 0 and 1 replay); only in how
much damage you can do, or how much information you can extract from the
side
channel.

  -- Victor.

v2.23.0 | Report a Bug | By Email