Re: [TLS] Enforcing Protocol Invariants

Kyle Nekritz <> Thu, 14 June 2018 17:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8AAEA130E54 for <>; Thu, 14 Jun 2018 10:13:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.73
X-Spam-Status: No, score=-0.73 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=ovj9u3Zk; dkim=pass (1024-bit key) header.b=AavRQUtI
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id RAQKYOyJEws4 for <>; Thu, 14 Jun 2018 10:13:24 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DB842130E52 for <>; Thu, 14 Jun 2018 10:13:23 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id w5EHDJ4B016888; Thu, 14 Jun 2018 10:13:21 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=JcKmkdggAst+LwPcZFnPTt3m9vw/yIkEgfZs6I0C40w=; b=ovj9u3ZksyLxw/MepgTSDc2qqDQyjkozeFtuqBG10DzTaWnpoTtumt/DxlIodlRatsMi pKncwWDRqwokc6WxWmv5m0JeM+DOjBDEYIs0nEHetfcKbhl3Ip4NAINPA8uKKVynkhUH t+C+qUc4H09xCTFNtxY8EaEFnnH9IoHd2UI=
Received: from ([]) by with ESMTP id 2jkvfd80qj-4 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 14 Jun 2018 10:13:21 -0700
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 14 Jun 2018 10:13:09 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=JcKmkdggAst+LwPcZFnPTt3m9vw/yIkEgfZs6I0C40w=; b=AavRQUtIsHthsz2ycymF09k8TcpH9KGkkcyllIb4E205afTZW+MdP1hNPEszAG7MTpxAZAAJu83RWwC6QReqBoPbkSJXpeMrLBSGTxd6LTupzsLwuxnoKLTWmeAVu2afEJj5xeT5V0x8CqFwuJSFbBVR9GtOedR3kbs1w4e73Co=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.863.16; Thu, 14 Jun 2018 17:13:05 +0000
Received: from ([fe80::d0b7:5e1e:5350:41d2]) by ([fe80::d0b7:5e1e:5350:41d2%3]) with mapi id 15.20.0863.016; Thu, 14 Jun 2018 17:13:05 +0000
From: Kyle Nekritz <>
To: Steven Valdez <>
CC: David Benjamin <>, "<>" <>
Thread-Topic: [TLS] Enforcing Protocol Invariants
Thread-Index: AQHUAmp+oLBw1HEpZU66EQxShrOpCaRe31FAgAD1tQCAAAf20A==
Date: Thu, 14 Jun 2018 17:13:05 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: [2620:10d:c091:200::1:45d4]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR15MB1645; 7:IoLdxL2sB8zg8ej74m4j7dAeyyL27VdlAdRCVqo6g5d3sdVqJYr2rWUi0C6ts5NYshgjIJrWa0FmChBn03NBiCphS6Wpos2iYXHYF/eQlnPg0y3ZscR+WVwZuXz4GiAHbQ9+sctOXjZvV5TcdRj1mxQZfYg3cYDJ/V89D7MG1926WQIgIqdFw+GbXvC9PpG0IXTTevWhEVrjjmFFJ7rH2BAHWTvsu7tfqIljWPOmOj4su+afG1I3V9m4Ia7WmMD7; 20:/G1FsgBPnSZ3QzqGFWnGtXL8JyswwqWHfHjsmyNH+nI21/V5EWIGOQt4gsgzdQAar6c0kMqlLIZOGsWKt8szLRTWXONaziNsiNHVQQQn8w9ZDtq//IBr9HvCbt0M3AEA4vAmUF02nZaA0HAqdh9A3wfZ1DShgT5hLbXpAAP3xUY=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: d1e12749-4125-4e58-9805-08d5d21a17f9
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(5600026)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:MWHPR15MB1645;
x-ms-traffictypediagnostic: MWHPR15MB1645:
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(10436049006162)(788757137089)(67672495146484)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3231254)(11241501184)(944501410)(52105095)(93006095)(93001095)(3002001)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123558120)(20161123564045)(6072148)(201708071742011)(7699016); SRVR:MWHPR15MB1645; BCL:0; PCL:0; RULEID:; SRVR:MWHPR15MB1645;
x-forefront-prvs: 0703B549E4
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(39860400002)(39380400002)(396003)(376002)(366004)(189003)(199004)(53754006)(81156014)(790700001)(6116002)(6916009)(5250100002)(9686003)(6306002)(236005)(54896002)(105586002)(33656002)(19609705001)(6246003)(966005)(478600001)(14454004)(5660300001)(316002)(106356001)(25786009)(53936002)(4326008)(8676002)(8936002)(81166006)(54906003)(7736002)(3280700002)(46003)(6436002)(68736007)(7696005)(76176011)(6506007)(99286004)(186003)(486006)(59450400001)(2906002)(11346002)(606006)(86362001)(102836004)(446003)(74316002)(3660700001)(476003)(97736004)(2900100001)(229853002)(55016002)(53546011); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR15MB1645;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: tmcXPoG1FprcORAAEUKrA5EMVwBOzknGEewqXRz1txts+83Q0zgMdoSQFcwlnBecgFZj1469YI75qDyzlIS1mnK6ytvS9W23edf+qrL3/nyI3VHGu+qa3QS9qc06/9P7YJWGd5D501rhHlz1ISfXM7F1sQTnuTsqGONazC57l9tdHGmMi7W3HfgUusSYYyrN
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR15MB15049038BE121821DC4E399AAF7D0MWHPR15MB1504namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d1e12749-4125-4e58-9805-08d5d21a17f9
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jun 2018 17:13:05.4267 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1645
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-14_07:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Archived-At: <>
Subject: Re: [TLS] Enforcing Protocol Invariants
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 14 Jun 2018 17:13:28 -0000

That’s definitely a possibility if using a single key that never changes. With periodically rolling new keys, I’m not sure the risk is much different than with periodically rolling new versions. Ossifying on updated versions of either requires the middlebox to take a hard dependency on having the updated version available. Updating for arbitrary changes in the protocol is more complex than just updating a config for an encryption key, but I suspect we could also roll out an updated key mapping much faster than a new version that required TLS library code changes.

Using a negotiated key from a previous connection completely avoids that issue (for example the server sends an encrypted extension with identifier X and key Y, which the client remembers for future connections).

From: Steven Valdez <>
Sent: Thursday, June 14, 2018 10:35 AM
To: Kyle Nekritz <>
Cc: David Benjamin <>; <> <>
Subject: Re: [TLS] Enforcing Protocol Invariants

This scheme probably isn't sufficient by itself, since a middlebox just has to be aware of the anti-ossification extension and can parse the server's response by decrypting it with the known mapping (either from the RFC or fetching the latest updated mapping), and then ossifying on the contents of the 'real' ServerHello. To keep the ServerHello from ossifying, you'll need to change the serialization and codepoints of the ServerHello at each rolling version.

On Wed, Jun 13, 2018 at 8:29 PM Kyle Nekritz <<>> wrote:
I think there may be lower overhead ways (that don’t require frequent TLS library code changes) to prevent ossification of the ServerHello using a mechanism similar to the cleartext cipher in quic. For example, a client could offer an “anti-ossification” extension containing an identifier that corresponds to a particular key. The identifier->key mapping can be established using a couple of mechanisms, depending on the level of defense desired against implementations that know about this extension:
* static mapping defined in RFC
* periodically updated mapping shared among implementations
* negotiated on a previous connection to the server, similar to a PSK
This key can then be used to “encrypt” the ServerHello such that it is impossible for a middlebox without the key to read (though would not add actual confidentiality and would probably involve aead nonce-reuse). There’s a couple of options to do this:
* Simply replace the plaintext record layer for the ServerHello with an encrypted record layer, using this key (this would not be compatible with existing middleboxes that have caused us trouble)
* Put a “real” encrypted ServerHello in an extension in the “outer” plaintext ServerHello
* Send a fake ServerHello (similar to how we encapsulate HelloRetryRequest in a ServerHello), and then send a real ServerHello in a following encrypted record
All of these would allow a server to either use this mechanism or negotiate standard TLS 1.3 (and the client to easily tell which one is in use).

With the small exception of potentially updating the identifier->key mapping, this would not require any TLS library changes (once implemented in the first place), and I believe would still provide almost all of the benefits.

From: TLS <<>> On Behalf Of David Benjamin
Sent: Tuesday, June 12, 2018 12:28 PM
To: <<>> <<>>
Subject: [TLS] Enforcing Protocol Invariants

Hi all,

Now that TLS 1.3 is about done, perhaps it is time to reflect on the ossification problems.

TLS is an extensible protocol. TLS 1.3 is backwards-compatible and may be incrementally rolled out in an existing compliant TLS 1.2 deployment. Yet we had problems. Widespread non-compliant servers broke on the TLS 1.3 ClientHello, so versioning moved to supported_versions. Widespread non-compliant middleboxes attempted to parse someone else’s ServerHellos, so the protocol was further hacked to weave through their many defects.

I think I can speak for the working group that we do not want to repeat this adventure again. In general, I think the response to ossification is two-fold:

1. It’s already happened, so how do we progress today?
2. How do we avoid more of this tomorrow?

The workarounds only answer the first question. For the second, TLS 1.3 has a section which spells out a few protocol invariants<>. It is all corollaries of existing TLS specification text, but hopefully documenting it explicitly will help. But experience has shown specification text is only necessary, not sufficient.

For extensibility problems in servers, we have GREASE<>. This enforces the key rule in ClientHello processing: ignore unrecognized parameters. GREASE enforces this by filling the ecosystem with them. TLS 1.3’s middlebox woes were different. The key rule is: if you did not produce a ClientHello, you cannot assume that you can parse the response. Analogously, we should fill the ecosystem with such responses. We have an idea, but it is more involved than GREASE, so we are very interested in the TLS community’s feedback.

In short, we plan to regularly mint new TLS versions (and likely other sensitive parameters such as extensions), roughly every six weeks matching Chrome’s release cycle. Chrome, Google servers, and any other deployment that wishes to participate, would support two (or more) versions of TLS 1.3: the standard stable 0x0304, and a rolling alternate version. Every six weeks, we would randomly pick a new code point. These versions will otherwise be identical to TLS 1.3, save maybe minor details to separate keys and exercise allowed syntax changes. The goal is to pave the way for future versions of TLS by simulating them (“draft negative one”).

Of course, this scheme has some risk. It grabs code points everywhere. Code points are plentiful, but we do sometimes have collisions (e.g. 26 and 40). The entire point is to serve and maintain TLS’s extensibility, so we certainly do not wish to hamper it! Thus we have some safeguards in mind:

* We will document every code point we use and what it refers to. (If the volume is fine, we can email them to the list each time.) New allocations can always avoid the lost numbers. At a rate of one every 6 weeks, it will take over 7,000 years to exhaust everything.

* We will avoid picking numbers that the IETF is likely to allocate, to reduce the chance of collision. Rolling versions will not start with 0x03, rolling cipher suites or extensions will not be contiguous with existing blocks, etc.

* BoringSSL will not enable this by default. We will only enable it where we can shut it back off. On our servers, we of course regularly deploy changes. Chrome is also regularly updated and, moreover, we will gate it on our server-controlled field trials<> mechanism. We hope that, in practice, only the last several code points will be in use at a time.

* Our clients would only support the most recent set of rolling parameters, and our servers the last handful. As each value will be short-lived, the ecosystem is unlikely to rely on them as de facto standards. Conversely, like other extensions, implementations without them will still interoperate fine. We would never offer a rolling parameter without the corresponding stable one.

* If this ultimately does not work, we can stop at any time and only have wasted a small portion of code points.

* Finally, if the working group is open to it, these values could be summarized in regular documents to reserve them, so that they are ultimately reflected in the registries. A new document every six weeks is probably impractical, but we can batch them up.

We are interested in the community’s feedback on this proposal—anyone who might participate, better safeguards, or thoughts on the mechanism as a whole. We hope it will help the working group evolve its protocols more smoothly in the future.


TLS mailing list<><>