Re: [TLS] Let's remove gmt_unix_time from TLS

Wan-Teh Chang <wtc@google.com> Fri, 06 December 2013 19:59 UTC

Return-Path: <wtc@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2E5F1AE06F for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 11:59:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.38
X-Spam-Level:
X-Spam-Status: No, score=-1.38 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Gdgkq1lGarZ for <tls@ietfa.amsl.com>; Fri, 6 Dec 2013 11:59:24 -0800 (PST)
Received: from mail-vc0-x230.google.com (mail-vc0-x230.google.com [IPv6:2607:f8b0:400c:c03::230]) by ietfa.amsl.com (Postfix) with ESMTP id C21BA1AE074 for <tls@ietf.org>; Fri, 6 Dec 2013 11:59:24 -0800 (PST)
Received: by mail-vc0-f176.google.com with SMTP id lf12so1209673vcb.21 for <tls@ietf.org>; Fri, 06 Dec 2013 11:59:20 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=ECj0VQq7ynqIw0yP2Nf9wV82PFwMjDTQN5mph9zXfBk=; b=k8vMVo1Og5dbcAnqR1iTcmmmxba1+9K0QgGe0QlDpF5cMN58bZsLx57eLIX33T8P+9 0I1NQyzR+jr4P5U1vlOJDxt2nJ8H54wSI6iCDhuY01w2ui8zVlLW8DY1tvVfTS9qSZz/ 9ZWfvHgn1JlqpeK9hN2jpmnFRvcWDlzbqYKo1i5LgS44CB0Y/0LRKGzcdv5PBpr0D2dZ NiirsUmR0TdhxAk5Bp39oNHsYYaeTExrelrsvAElyzgIfNcy6SCXGHMtdd/L4W2gCAu1 bKoKx7fh4UeW/L3BkKXAZTWKemFwemgZolT/GJiBca+Eswa9Q/oifK+5Zck8vhxgCplI DG2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=ECj0VQq7ynqIw0yP2Nf9wV82PFwMjDTQN5mph9zXfBk=; b=RAMV3qZZrLa54smL41f/oWkV1htAkUDUpqxmpnPA9nN2lF1HIkdEvZbKTqQ/8RBR73 PIB4AbL5C7xDH/H0HiboWt7mdhM9oCwju/eJZGF/cBmy/IRNbPVyI5bkO67RDEk/1Po4 2BVORvwAgnfcsp53z1upSuBYkM8xnWQ4ZuxK6/lWMwiftfB1mvv+LtY0t1GihjZwRXqf weZmPPnHIfcaQT7yIgMivaMQqDa1g+AhKHduwJGV3d2SD8s7AwqsG/ICBQ6EUnof62CQ IZCj8dKInu7SzGi33VU4eDMLZMB8L93EUnIATbNbQG10Owbl+pcCoGLW66FiuWtAMhRf EidA==
X-Gm-Message-State: ALoCoQk7SlFJG0zlol/K/LaMZ8TxU9YGZnWi9aQXZGILDCU0SpArLVfmRLb7qGYXJDiwfQ5j2MkWs3AspbgjNwPMYiSBNLTxdY5XyrY2mWHVbc2yzQLPH53LOdPDqaS6f05XK4hZPjTdW1jc4FL+bNWgH2YUmN3CMXNImUqieYscB5ZmTH3l5s+gl5kF9DNtWWhIvfLm4DBB
MIME-Version: 1.0
X-Received: by 10.52.249.3 with SMTP id yq3mr2634425vdc.55.1386359960690; Fri, 06 Dec 2013 11:59:20 -0800 (PST)
Received: by 10.52.167.10 with HTTP; Fri, 6 Dec 2013 11:59:20 -0800 (PST)
In-Reply-To: <CAKDKvuw240Ug4xB3zi2w0y7pUvCwSe0nNFZ2XP2vL-tbtKT0tg@mail.gmail.com>
References: <CAKDKvuw240Ug4xB3zi2w0y7pUvCwSe0nNFZ2XP2vL-tbtKT0tg@mail.gmail.com>
Date: Fri, 6 Dec 2013 11:59:20 -0800
Message-ID: <CALTJjxHGFqH+-C_9+Mr09zcNZ9HuW6XeeDNk4f+8vnMP0Tg5KA@mail.gmail.com>
From: Wan-Teh Chang <wtc@google.com>
To: Nick Mathewson <nickm@torproject.org>, Adam Langley <agl@google.com>, Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Let's remove gmt_unix_time from TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Dec 2013 19:59:27 -0000

Sorry about my late reply. I am a programmer working on the NSS crypto
libraries. While reviewing recent changes to NSS, I noticed that
Nick's proposal 1 has been implemented in the OpenSSL and NSS source
code repositories, which led me to this old email thread.

The only protocol feature I know of that uses the gmt_unix_time field
of ClientHello.random is Adam Langley's TLS Snap Start Internet-Draft
[1]. See Section 3 of Adam's draft. This method is one of the
anti-reply mechanisms being considered in Eric Rescorla's TLS 1.3 new
handshake flows Internet-Draft [2], and is being used in the QUIC
protocol.

So, I'd like to offer another proposal:

PROPOSAL 4:

Add a random clock skew to the current time. For example, generate a
random signed integer in the interval [-512, 511] (inclusive) and add
it to the return value of time(). This adds roughly a +/-8.5 minutes
skew to the current time.

If this proposal is an acceptable solution to the client
fingerprinting problem, then gmt_unix_time in ClientHello.random will
remain viable as part of an anti-reply mechanism for TLS 1.3 new
handshake flows.

Wan-Teh Chang

[1] http://tools.ietf.org/html/draft-agl-tls-snapstart-00
[2] http://tools.ietf.org/html/draft-rescorla-tls13-new-flows-00