IETF Logo Mail Archive

Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)

Bill Cox <waywardgeek@google.com> Fri, 25 March 2016 15:33 UTC

Return-Path: <waywardgeek@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E12A12DB83 for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 08:33:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9P3ISAMe0wAY for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 08:33:21 -0700 (PDT)
Received: from mail-vk0-x235.google.com (mail-vk0-x235.google.com [IPv6:2607:f8b0:400c:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 43FF312DB22 for <tls@ietf.org>; Fri, 25 Mar 2016 08:33:21 -0700 (PDT)
Received: by mail-vk0-x235.google.com with SMTP id k1so94668661vkb.0 for <tls@ietf.org>; Fri, 25 Mar 2016 08:33:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=KxDrzIVadfyxXtqme2VuQuHjNFPTOS04uL2sAOBgcHI=; b=UWHuS44fVa4B6IteNsQr0KN6c0p3QFrJw5WTNBFdn/fwGFCKLg6r0JxasZ0GaLgMyt /NRaSnZqyI9s2EduDmXEILcgfCLskXa5FwZTorVWXjWxM1+fCvQPkZmRTBeKcX1BYOZj COrInjR5Hn3fxNKar5MgBapd3pYz+3xwK+bTS8OMV9XBpUUMS6r2gbg+7hcbPxJ/xgO2 uu0uxDCJ8ddkFMjIjQOvq1zZGqDTmDc2wO4yd0Z7vfhgNrNfJZFmz9MyzSOYHlHw7LCh IB1H9xl/NUkvopjZpUJnhErzUa8qGvdVo/M96Qno+9L2cKk7g9Qz5niYqyBmoEtw/Cg5 H8LQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=KxDrzIVadfyxXtqme2VuQuHjNFPTOS04uL2sAOBgcHI=; b=TibhP6Nh1utqEJilHHfhlEO64b/i6LHGDEtOV6LoZN53w8pt7/3KqIJxffmcWAI1sK qwWXauGCtTPZaRMkW6e2NPgJ39hatxWt30seLazCPFOdN3BOUrMbnhei39wxJK/weBmL kJR6fFBDcV5whZh4qujSwht5vkgSNvbIoDtC8cD7Os+pI4FMR7cuzlKTzAZgYDKrES/c /++tUbLq98ay/REMM0luaUyvl/6EyaJlwVX5SechlavxCq5sNqbIolhKs2YWIm1xNONW hjAbyJS0GAG/ZuWtjGNXqCI8L34UfMpmVfnPsVzCziPrjYI/Tmf1khAsNlCZM0l5W8pW e+cw==
X-Gm-Message-State: AD7BkJIo1xtXsf7F+g3janIYti5YH55sqMjlK47JVzTc5WOswo0RE/fiHr0emApWXsT7KAuS1O76SiDRKGJ6ev6b
MIME-Version: 1.0
X-Received: by 10.31.150.215 with SMTP id y206mr7338185vkd.63.1458920000212; Fri, 25 Mar 2016 08:33:20 -0700 (PDT)
Received: by 10.31.179.1 with HTTP; Fri, 25 Mar 2016 08:33:20 -0700 (PDT)
In-Reply-To: <68AC2856-70B5-4B4C-80E8-B8AD1512199A@inria.fr>
References: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr> <20160325115343.GA13213@LK-Perkele-V2.elisa-laajakaista.fi> <68AC2856-70B5-4B4C-80E8-B8AD1512199A@inria.fr>
Date: Fri, 25 Mar 2016 08:33:20 -0700
Message-ID: <CAH9QtQFkaGZjc85vRuK0vB5g4--5od8vRmrBU0ejp+k+KWUmJg@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Content-Type: multipart/alternative; boundary="001a1140fdd85ea58c052ee14873"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/S-tdsxWNdNR7UEikubd96G9wswk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 15:33:23 -0000

Adding 1 byte EarlyDataType seems like a good idea.

As for the CipherSuite, assuming DH-0RTT goes away, would it be simpler to
require that the cipher suite negotiated from the original 1-RTT connection
be used?

For channel binding, the only mode that seems to work with 0-RTT is when we
issue new tickets on each 0-RTT connection to emulate a single session like
we have in TLS 1.2, and use a replay cache on the server.  The only valid
proof-of-possession the server can do with the client before processing
application requests is the one done on the 1-RTT connection, so this
single proof needs to secure the entire chain of 0-RTT connections.  The
master resumption secret becomes a bearer token and needs to be protected
accordingly.

The Export Key Material API also needs to be updated.  The simplest
implementation where keys are derived from the current ephemeral secrets
will cause the exported keys to be different whenever new keys are
negotiated.  This will probably cause bugs at the application layer.  We
may need to have an EKM API that depends only on the original PSK, and
another one for generating ephemeral EKM material.

Bill

v2.23.0 | Report a Bug | By Email