IETF Logo Mail Archive

Re: [TLS] TLS 1.3 draft-07 sneak peek

Eric Rescorla <ekr@rtfm.com> Wed, 01 July 2015 05:34 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABD311ACE1E for <tls@ietfa.amsl.com>; Tue, 30 Jun 2015 22:34:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xMx_qARw9L4J for <tls@ietfa.amsl.com>; Tue, 30 Jun 2015 22:34:04 -0700 (PDT)
Received: from mail-wi0-f171.google.com (mail-wi0-f171.google.com [209.85.212.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F0431ACE1D for <tls@ietf.org>; Tue, 30 Jun 2015 22:34:04 -0700 (PDT)
Received: by wiga1 with SMTP id a1so115242561wig.0 for <tls@ietf.org>; Tue, 30 Jun 2015 22:34:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=du50E/uV8FeOGnrRb4ySMHm3J2IXUv6DsugVCTyYYj4=; b=cXCC9sHHQuJd/frhKFUuYrB48QtUdHWb78iofa0Wy+Y1xTrPuGAMurA/bOBuCwYvrd KbczF87K5rNFRlV5Qk52JnUq5cc/r+eb3Lp/Gu5nHRBOUdyh1djoYQCeOY50gp2x9wO+ kpbGseZ4fGANpzRYnhdScbq1+JvjKyb4LEt2Nq0TTmxg7G4ClsWEA0rjQwQsDJGfn45c 9KSm9+zSjObFA+4Y9GZ0jZCKOdou4gEq8yiGT4/7fhImBiHg3Yj/lthhwZGns1X/WyxY dJUSaP0p/FUZ+o3sw47hGyPA7f5Ew8DIA3ab5HF21Kqj0YtcyF29HJeqAzBQecybVTVk dITQ==
X-Gm-Message-State: ALoCoQl2naSHX7sOM94UKqQhD+LpRtJjCdQ/oDw+1Kr3qCnusknFaKsth4nCwFqh+wKKWDxklv1a
X-Received: by 10.180.99.39 with SMTP id en7mr40770410wib.31.1435728843262; Tue, 30 Jun 2015 22:34:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.27.95.211 with HTTP; Tue, 30 Jun 2015 22:33:23 -0700 (PDT)
In-Reply-To: <20150701052255.GB24615@LK-Perkele-VII>
References: <CABcZeBOWK_WnHAefsZUBr4UyEkyiZqi1mhoZH8ZeGFftdOqTTw@mail.gmail.com> <20150701052255.GB24615@LK-Perkele-VII>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 30 Jun 2015 22:33:23 -0700
Message-ID: <CABcZeBOF-_fTsWJZjyue2nPzh-LpNDjmZMaJgOTadGowOc=Gpw@mail.gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: multipart/alternative; boundary="f46d04182808b260050519c9ab95"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/UW_9S6omYedgz6ihjwIoZc8xmaU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 draft-07 sneak peek
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Jul 2015 05:34:07 -0000

On Tue, Jun 30, 2015 at 10:22 PM, Ilari Liusvaara <
ilari.liusvaara@elisanet.fi> wrote:

> On Tue, Jun 30, 2015 at 03:23:18PM -0700, Eric Rescorla wrote:
> >
> > OPEN ISSUES
> > There are still a number of known open issues to discuss:
> >
> > 1. The present known_configuration mechanism allows the client to
> > resurrect the handshake parameters (though not the keys) which were
> > negotiated in a previous handshake, but this is done implicitly,
> > i.e., the server provides a label and the client returns it on
> > the next connection. This has the advantage of keeping things short
> > but the disadvantage the it means that you can't have a static
> > configuration ID for everyone (instead, the server has to somehow
> > embed the properties in the configuration ID). There are (at least)
> > three potential alternative designs:
> >
> >    (a) Have the client indicate in his first flight "these are the
> >        parameters I expect you to negotiate", along with the
> >        configuration identifier, based on what the server
> >        negotiated the previous time. [Optionally, the server
> >        can run the same negotiation locally and abort on mismatch.]
> >
> >    (b) As in (a) but with no indication of the expected parameters,
> >        just the configuration ID, and the client just preemptively
> >        uses the parameters from the last time and if the negotiation
> >        ends up differently, all the data is undecryptable
> >        (ugh) and you somehow fall back.
> >
> >    (c) Have the server provide a preference list in his
> >        ServerConfiguration (this can be the same as in the
> >        ClientHello) and have the client do the negotiation based on
> >        that rather than the server (as in QUIC). This is a little odd
> >        in that it means that sometimes the server selects the
> >        parameters and sometimes the client does, but it's not that
> >        hard to make this code symmetrical.
> >
> > As I think this through, I am leaning towards (a) but other people's
> > opinions on this topic would be welcome.
>
> I think that there should be capability for server to fail decrypting
> the 0RTT data but still proceed with handshake (informing client of
> this fact).
>

What I had in mind here was that you would be able to fail to decrypt
the 0-RTT data and you fell back to an ordinary 1-RTT handshake
(i.e., if there was client auth, it went in the second flight).


Are parameters here things like symmetric ciphersuite used for 0RTT
> encryption? Or something else? I think that even if one uses supported
> symmetric ciphers, one could still get decrypt failures.
>
> Or is this the "PSK + 0RTT" vs "DHE + 0RTT" problem (the one remaked
> in #3)?
>

Sorry, I'm not quite following this. Can you rephrase?



> Undecryptable 0RTT becomes practicularly fun when considering how
> that would interact with handshake transcripts.


That's why I'm thinking that the above is the simpler approach.



> > 2. Should we require that PSK cipher suites where the PSK is used for
> > resumption use compatible ciphers? This is the way it was in TLS 1.2
> > and below for resumption and tickets, but once you have a PSK, that's
> > not really necessary [0]. So, for instance, if you had the following
> > cipher list order:
> >
> >     ECDHE + AES-GCM
> >     ECDHE + ChaCha/Poly
> >     PSK + ChaCha/Poly
> >     PSK + AES-GCM
> >
> > You could potentially negotiate one connection with GCM, use it
> > to establish a shared key, and then reconnect with ChaCha/Poly.
> > This seems like it probably should be something we avoid, though
> > I'm not sure we have a concrete reason why, and it means a
> > weird special case for PSK. Note that this issue might be
> > ameliorated some (though not completely) with a la carte negotiation.
>
> I would place stuff like this into "client sending odd stuff and
> getting odd behaviour in response". And with the negotiation the
> way it is, I don't see security problem here.
>

Thanks.


Also, I noted that there isn't EncryptedExtensions for resumption.
> Is that message optional (it isn't marked so), or is it just omitted
> in pure-PSK case (tho I note that pure-PSK might want to use
> extensions that use EncryptedExtensions).


That's just error on my part. My intent was to make resumption-as-PSK as
much like ordinary handshakes as possible.


-Ekr

v2.23.0 | Report a Bug | By Email