Re: [TLS] Let's remove gmt_unix_time from TLS
Nick Mathewson <nickm@torproject.org> Mon, 09 December 2013 19:04 UTC
Return-Path: <nick.a.mathewson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FDFE1AE4AD for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 11:04:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.278
X-Spam-Level:
X-Spam-Status: No, score=-1.278 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XgFlXFy8KXuy for <tls@ietfa.amsl.com>; Mon, 9 Dec 2013 11:04:42 -0800 (PST)
Received: from mail-qa0-x232.google.com (mail-qa0-x232.google.com [IPv6:2607:f8b0:400d:c00::232]) by ietfa.amsl.com (Postfix) with ESMTP id 17A7B1AE4AB for <tls@ietf.org>; Mon, 9 Dec 2013 11:04:41 -0800 (PST)
Received: by mail-qa0-f50.google.com with SMTP id i13so2951060qae.9 for <tls@ietf.org>; Mon, 09 Dec 2013 11:04:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=juyj+WNuwCvlL80L/bmruS3aDVp9SH1WSUmXqv6Wf9k=; b=yfLcrvogy/LSyGe2pdFJqYXQI4AAwRT5wbrYIiG+IjqaX8WiAF0Xz5sTtoznvaiKp6 w+AoCRT8G1rsSa6pqvLTckSwscSTpO8+uiNf8+/G2Nj+ZVr17QoYcMbFBBXbJM1VfHdi 180gsdMhScNR/Q0SvAoinxzUR5C7QevgfLL/fNe+yTzX1a7PdQv6XU2gwU/V/shruN3U aEMLCM6dqlDt+QY2mBo25yJNrl8fMDoQDG3hYqSXkMxE0aCy1rUwRJCRXggkVwVbvIGK jcny68tqCBB9WPGjJmEx3UA1YvcG7mMj6HFc0DJwht1+BOD6CZM3uFM4tYKCH7lgHQJT GzWQ==
MIME-Version: 1.0
X-Received: by 10.229.140.129 with SMTP id i1mr35618656qcu.13.1386615876977; Mon, 09 Dec 2013 11:04:36 -0800 (PST)
Sender: nick.a.mathewson@gmail.com
Received: by 10.140.102.82 with HTTP; Mon, 9 Dec 2013 11:04:36 -0800 (PST)
In-Reply-To: <CAFewVt4phoD-WUpV0iG0zdyBy1uqSa=meKhoGq12FOGVqXwvKw@mail.gmail.com>
References: <CAKDKvuw240Ug4xB3zi2w0y7pUvCwSe0nNFZ2XP2vL-tbtKT0tg@mail.gmail.com> <CALTJjxHGFqH+-C_9+Mr09zcNZ9HuW6XeeDNk4f+8vnMP0Tg5KA@mail.gmail.com> <CAFewVt4phoD-WUpV0iG0zdyBy1uqSa=meKhoGq12FOGVqXwvKw@mail.gmail.com>
Date: Mon, 09 Dec 2013 14:04:36 -0500
X-Google-Sender-Auth: eVZ6lnYRcIPwc9-veDjBiKGOhwI
Message-ID: <CAKDKvuyYW5GH-u+oEecj1TffV9ZmnKsdxNH8ugCGjQEKqBooqw@mail.gmail.com>
From: Nick Mathewson <nickm@torproject.org>
To: Brian Smith <brian@briansmith.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Let's remove gmt_unix_time from TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Dec 2013 19:04:43 -0000
On Fri, Dec 6, 2013 at 3:14 PM, Brian Smith <brian@briansmith.org> wrote: > On Fri, Dec 6, 2013 at 11:59 AM, Wan-Teh Chang <wtc@google.com> wrote: >> PROPOSAL 4: >> >> Add a random clock skew to the current time. For example, generate a >> random signed integer in the interval [-512, 511] (inclusive) and add >> it to the return value of time(). This adds roughly a +/-8.5 minutes >> skew to the current time. > > When the server tells the client that it supports the 0-RTT handshake > scheme, can't the server also tell the client what time the server > things it is? Then the client could calculate the offset between its > local perception of the time and the server's perception of the time, > and apply that offset to whatever timestamp it sends in its 0-RTT > handshake. This is a neat idea, and much more effective at randomization than at hiding the client's view of the current time. I believe that the QUIC crypto spec mentioned a similar idea (but dismissed it in favor of another solution): "The first of these issues could be addressed by having the clients take a clock-sync signal from the server and define a “server local time” offset for that server." One caveat here is that a server could tell different clients that it had different skew values, thereby creating yet another way to set stealth cookies. You'd need to be sure not to share your view of server-local time across anonymous sessions, while roaming in a privacy-conscious way, and so on. > Also, timestamps is only needed for the 0-RTT handshake, handshakes > that aren't attempting to be 0-RTT shouldn't include a timestamp. So, > the timestamps should probably be moved to the extension that > negotiates the 0-RTT handshake. That way, the fingerprinting risk, > whatever it is, is limited to applications that are actually trying to > use that feature, and applications/servers that are especially > sensitive to fingerprinting (e.g. the Tor Browser) may cleanly avoid > the issue by disabling 0-RTT handshake support, as a worst-case > option. I'd agree that this is an improvement over sending gmt_unix_time to everybody indiscriminately, surely, though you would (as Wan-Teh Chang notes) need to change the inputs to the KDF a bit. It doesn't seem like an insurmountable obstacle by any means, though. best wishes, -- Nick Mathewson
- [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Alfredo Pironti
- Re: [TLS] Let's remove gmt_unix_time from TLS Russ Housley
- Re: [TLS] Let's remove gmt_unix_time from TLS Eric Rescorla
- Re: [TLS] Let's remove gmt_unix_time from TLS Adam Langley
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Ryan Hurst
- Re: [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Paul Wouters
- Re: [TLS] Let's remove gmt_unix_time from TLS p.j.bakker
- Re: [TLS] Let's remove gmt_unix_time from TLS Hanno Böck
- Re: [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Martin Rex
- Re: [TLS] Let's remove gmt_unix_time from TLS Xiaoyong Wu
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Nick Mathewson
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Martin Rex
- Re: [TLS] Let's remove gmt_unix_time from TLS Peter Gutmann
- Re: [TLS] Let's remove gmt_unix_time from TLS Marsh Ray
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Stephen Farrell
- Re: [TLS] [perpass] Let's remove gmt_unix_time fr… Peter Gutmann
- Re: [TLS] Let's remove gmt_unix_time from TLS Wan-Teh Chang
- Re: [TLS] Let's remove gmt_unix_time from TLS Brian Smith
- Re: [TLS] Let's remove gmt_unix_time from TLS Stephen Farrell
- Re: [TLS] Let's remove gmt_unix_time from TLS Wan-Teh Chang
- Re: [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Nick Mathewson
- Re: [TLS] Let's remove gmt_unix_time from TLS Martin Thomson
- Re: [TLS] Let's remove gmt_unix_time from TLS Martin Rex