IETF Logo Mail Archive

Re: [TLS] Gaps in specification of DTLS 1.3 state machine

Eric Rescorla <ekr@rtfm.com> Thu, 05 March 2020 14:46 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75BC83A1301 for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 06:46:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W1f1ySUFVWlB for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 06:46:05 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E5573A15A8 for <tls@ietf.org>; Thu, 5 Mar 2020 06:46:05 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id f10so6356647ljn.6 for <tls@ietf.org>; Thu, 05 Mar 2020 06:46:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=GFMZF848gJzyimG1gZgxjvAmr1+iTGlQVxd/GFnZFtI=; b=uvZxR6l3NaIrn6rH+ROjXL+GWpBO5Ex8LFR95TXpKI5glQmJJMdrA6cbv1Ap2sEdJS JJcPjurVvs1qg8BJERhOib28JhPdcw4baxWHTeEKh4HIqkQuY0DToJWELb9iBCmDuMTJ jWLNBZmAuAcnf3VcFkjyUEpx/JQ1DZeqeHRL6fxyo7ci2EyaSC1Z4P5XCV3WFBhJQy+7 dJn05GnVgMPhbzyf7zT1l+Di8MOMg1+Fsgpo5nG7ay1u83ZQJIJuPltndRHKTxwf/jk1 ACGjmEcFIQ5xTB5q95I208VrDvbatLr6XMbz21bHWhU9Gka0dNS11StH0tiISTm0Yvht o3qQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=GFMZF848gJzyimG1gZgxjvAmr1+iTGlQVxd/GFnZFtI=; b=f4oiICO0nS/Kw5DO7kTtRmmWj5+oXmXtRBUg0GspK9LyI9tW7P0rZ/yYSrMSy84qet z+jCYN2htgJVbfFIeueu1QOutSrfBPI0t/pO0OQHj994PYjcdAmWA0UGtGue7TnUiq2J HGj2KTCGPotgfnGyE8KUWAUlzbH1Ajqg7dj38N4wpCaUJ+Zn+UrZ5SWfeBK4YNtr5s9p Q4ngAW8+MjlmIp3r0xyA09nQUSk0YrAM9NPDdKnycJoZ5m5bnfuRsY8NdUjXVHVUdhFI L8mAFS9PE8PTC86DuRK8EQ8y7JZjpdguxUpu9gRVEy+kY4Efp83Sg98Iko2Rd7qJzjbq inig==
X-Gm-Message-State: ANhLgQ07JXAdNMSzdPUofyLuKqEP1jDHrZ6ZUdXEkWPPXI3dJPHkO/wP r+LJFidh1U4dtDk7aRtzr/TeSfHvwAGweIueSODrnA==
X-Google-Smtp-Source: ADFU+vsnMoymHD8OEKU5HTgMFCkBxzykB1sofZhh2bjMOHJkG+Sle+/zm8EtALfaVlX5cwsjIi/4k5fx4Jp/HCkzMPQ=
X-Received: by 2002:a2e:b008:: with SMTP id y8mr5308790ljk.35.1583419563086; Thu, 05 Mar 2020 06:46:03 -0800 (PST)
MIME-Version: 1.0
References: <AM6PR08MB331811E58E80173B1D74D8349B1C0@AM6PR08MB3318.eurprd08.prod.outlook.com><0287f75a-015e-49eb-a052-cf7a53f03035@www.fastmail.com> <AM6PR08MB33182017F0D9EA53A8B247DF9BE20@AM6PR08MB3318.eurprd08.prod.outlook.com>
In-Reply-To: <AM6PR08MB33182017F0D9EA53A8B247DF9BE20@AM6PR08MB3318.eurprd08.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 05 Mar 2020 06:45:26 -0800
Message-ID: <CABcZeBMKAyTBNCpEMZksZxv5PeJZPPQzykhE7ZNeZ366zLYpYw@mail.gmail.com>
To: Hanno Becker <Hanno.Becker@arm.com>
Cc: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000096a81705a01c981e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ThVlYJh4SSRwM3MGngp4FHThqyY>
Subject: Re: [TLS] Gaps in specification of DTLS 1.3 state machine
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 14:46:09 -0000

Hanno,

I do think you are overcomplicating things somewhat.

You can't process handshake messages out of sequence even if they are
received out of sequence (this is, of course, also the case in TLS,
it's just that the resequencing happens at the TCP layer). You have to
either drop out of order messages or buffer them. Yes, this is
somewhat irritating, but as you demonstrate below, it's inherent
in the design of post-handshake messages even if each side is
only allowed to initiate one transaction at a time.

It might be useful to explain this in the text, but I don't think
anything else is needed.

-Ekr

On Wed, Mar 4, 2020 at 11:00 PM Hanno Becker <Hanno.Becker@arm.com> wrote:

> Thanks Martin for your thoughts.
>
> >  It's unavoidable in any case.  If you generate your own post-handshake
> message and
> > then have to respond to post-handshake authentication, there will be two
> concurrent
> > exchanges.
>
> Yes that's an instance of the second question b) which the post didn't
> further go into.
>
> I'm not yet convinced that this situation unavoidably creates the need for
> duplicating state machines, though, and think that if possible we should
> avoid it for the sake of implementation simplicity.
>
> Moreover, even if it is acceptable that state machines should be
> duplicated, it isn't clear (to me) how to logically separate them because
> they're all tied together by the use of the same global handshake sequence
> number. This creates non-trivial ambiguities like the following:
>
> Imagine after the handshake the server requests post-handshake
> authentication while, simultaneously, the client initiates a key update.
> When the server receives the KeyUpdate, it assumes from the handshake
> sequence number that it is the reply to his CertificateRequest, and only
> when inspecting the type of the handshake message it'll notice the
> mismatch. Usually, a type mismatch would be treated as a protocol violation
> and lead to failure of the connection, while here, we'd need the server to
> drop the message or notice that it should fork a new state machine.
>
> Note that this problem already exists, albeit in less prominent form, in
> DTLS 1.2, where both sides may simultaneously trigger a renegotiation.
>
> Thinking about it, it seems that the way to make this work is to segregate
> the part of the retransmission state machine which establishes in-order
> delivery via handshake sequence numbers, and to have the duplicated
> contexts one level higher. When a handshake message comes in, it would be
> trial-fed into all existing contexts, either until one of them accepts it
> after checking type and content, or potentially leading to the forking of a
> new context.
>
> However, this asynchronous nature of handling multiple post-handshake
> messages is in conflict with the serialized nature of the handshake
> transcript used e.g. in the CertificateVerify message:
>
> Imagine a post-handshake client authentication to happen interwoven with
> another post-handshake message from client to server. When the client
> writes the CertificateVerify, that would require the transcript of the
> entire handshake up until the CertificateVerify message. Assuming this
> should include all post-handshake messages, not just those belonging to the
> client authentication, this may lead to the situation where the server
> receives a CertificateVerify message with a transcript it cannot validate
> because it hasn't yet received all other authentication-independent
> post-handshake messages that went into the transcript.
>
> Maybe I'm overcomplicating things, but as it stands it seems to me that
> the above are serious issues to be further discussed and clarified even if
> we accept state machine duplication.
>
> Happy to hear your thoughts.
>
> Cheers,
> Hanno
> ------------------------------
> *From:* TLS <tls-bounces@ietf.org> on behalf of Martin Thomson <
> mt@lowentropy.net>
> *Sent:* Wednesday, March 4, 2020 11:32 PM
> *To:* tls@ietf.org <tls@ietf.org>
> *Subject:* Re: [TLS] Gaps in specification of DTLS 1.3 state machine
>
> Option A please.  Multiple state machines.
>
> It's unavoidable in any case.  If you generate your own post-handshake
> message and then have to respond to post-handshake authentication, there
> will be two concurrent exchanges.  We already require acknowledgment for
> both request and response in a two-way exchange.  Since 2 is a member of
> the third class of numbers (0, 1, ∞), we might as well deal with the full
> implications of that.
>
> Handling this is fairly simple though.  We can recommend limiting to only
> one active transmission at a time.  And if implementations have an
> especially low tolerance for concurrency they can close connections.
>
> On Thu, Mar 5, 2020, at 01:19, Hanno Becker wrote:
> >  Hi,
> >
> > [TL;DR]
> > The DTLS 1.3 spec (draft 34) doesn't fully describe the retransmission
> state
> > machine in the case of post-handshake messages, which requires
> clarification.
> > For example, is it allowed to send multiple post-handshake messages
> without
> > waiting for ACKs for the previous ones? If so, how is the retransmission
> > state machine modeled for sender and receiver in this case?
> > I'll describe and assess a few possible options, but I don't know the
> best
> > answer, and so this post is mostly a request for discussion, hopefully
> > resulting in some common understanding and clarification of the spec.
> >
> > Details:
> >
> > The following cases need addressing:
> > a) Is it allowed to send multiple post-handshake messages (e.g.,
> > multiple session
> >  tickets) without waiting for ACKs for the previous ones? If so, how is
> > the
> >  retransmission state machine modeled for sender and receiver in this
> > case?
> > b) How should simultaneous sending/receiving of post-handshake messages
> > be handled?
> >  The current retransmission state machine doesn't allow sending and
> > receiving
> >  at the same time.
> >
> > Some thoughts on a) first:
> >
> > The spec mentions that post-handshake messages are treated as
> > single-message flights.
> > As such, the sender would enter WAITING state after sending the
> > post-handshake message,
> > and move to FINISHED on receipt of the corresponding ACK. This,
> > however, forbids sending
> > another post-handshake message in between, since sending isn't allowed
> > in WAITING state.
> >
> > Option A: Fork state machine
> >
> > One could circumvent this by 'forking' the retransmission state machine
> > for post-handshake
> > messages, i.e. declaring their semantics as if there were multiple
> > independent state machines
> > for each outstanding post-handshake message. This essentially degrades
> > the DTLS' ACK scheme
> > to a per-message acknowledgement.
> >
> > I believe that such an approach is not in the spirit of the rest of the
> > protocol and moreover
> > significantly increases complexity and thereby comes at the danger of
> > slower adoption and/or bugs.
> > Moreover, it will significantly harden efforts for formal verification,
> > which should be considered
> > in light of previous efforts on TLS 1.3.
> >
> > Option B: Don't allow multiple post-handshake messages
> >
> > Forcing implementations to await an ACK before sending the next
> > post-handshake message is a theoretical
> > option which would allow to stick to the existing state machine.
> > However, this significantly increases
> > the latency of, say, the delivery of multiple session tickets, which is
> > a valid use case. This is therefore
> > not a convincing option, either.
> >
> > Option C: Merge consecutive post-handshake messages into a single flight.
> >
> > Another approach would be to treat multiple post-handshake messages as
> > a single flight on the sender.
> > That is, when the sender is in state WAITING after sending the first
> > post-handshake message, and the
> > user request to send another one, it moves into SENDING and then back
> > into WAITING as usual, appending
> > the new post-handshake message to the (so-far single-message) flight.
> >
> > How would that be handled on the receiver side?
> >
> > That's not entirely clear because a basic property of the TLS handshake
> > that DTLS leverages now no longer
> > holds: Namely, that both sides implicitly know and agree on the bounds
> > of flights. Here, multiple post-
> > handshake messages would be treated as a single flight on the sender,
> > but the receiver doesn't know
> > when the flight is over. How should this be handled?
> >
> > This is to be explored further. One way to address this would be the
> following:
> >
> > Option D: Add an 'end-of-flight' signal to handshake messages to allow
> > dynamic-length flights.
> >
> > Recall that the handshake logic must inform the retransmission state
> > machine about when a flight
> > is over in the main handshake, allowing the state machine to transition
> > accordingly. This signal,
> > however, isn't explicitly conveyed to the receiver, because the
> > receiver can figure it out for
> > himself.
> >
> > As mentioned, this isn't true anymore for batched post-handshake
> messages.
> >
> > One simple way to deal with is to add an explicit 'end-of-flight' bit
> > in the handshake header
> > which informs the receiver about when a flight is over, in those
> > situations where it's not
> > clear from the context.
> >
> > This would allow to keep a single retransmission state-machine as-is
> > while allowing for
> > batched post-handshake messages such as multiple session tickets.
> > Moreover, such a signal
> > would be trivial to implement because it's already implicit in the main
> > handshake.
> >
> > For the wire-format, we can discuss different options, but that's an
> > orthogonal question
> > to the issue of finding the correct conceptual approach.
> >
> >
> >
> > Happy to hear everyone's thoughts. It would be great if we could come
> > up with some
> > precise description of the state machine evolution for post-handshake
> > messages that
> > is both simple and supports batched post-handshake messages.
> >
> > Best,
> > Hanno
> >  IMPORTANT NOTICE: The contents of this email and any attachments are
> > confidential and may also be privileged. If you are not the intended
> > recipient, please notify the sender immediately and do not disclose the
> > contents to any other person, use it for any purpose, or store or copy
> > the information in any medium. Thank you.
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf..org/mailman/listinfo/tls
> <https://www.ietf.org/mailman/listinfo/tls>
> >
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> IMPORTANT NOTICE: The contents of this email and any attachments are
> confidential and may also be privileged. If you are not the intended
> recipient, please notify the sender immediately and do not disclose the
> contents to any other person, use it for any purpose, or store or copy the
> information in any medium. Thank you.
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email