IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Colm MacCárthaigh <colm@allcosts.net> Thu, 04 May 2017 01:03 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 19B58129481 for <tls@ietfa.amsl.com>; Wed, 3 May 2017 18:03:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j2rO2YzuotSY for <tls@ietfa.amsl.com>; Wed, 3 May 2017 18:03:30 -0700 (PDT)
Received: from mail-yb0-x22e.google.com (mail-yb0-x22e.google.com [IPv6:2607:f8b0:4002:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3D1012949E for <tls@ietf.org>; Wed, 3 May 2017 18:03:25 -0700 (PDT)
Received: by mail-yb0-x22e.google.com with SMTP id j17so1506998ybj.0 for <tls@ietf.org>; Wed, 03 May 2017 18:03:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=44kaQbixVvo7/LtpJsZPQcc7VO3Zv+kWi1pdc7KUrYg=; b=mTmKZyhxsJnNuMtN61/CnSpmmcN3EtDYISc8n6/XZ7BZrpV7UGscFWDNKES0yD/WHi 5Gha/r6VdpnElLCh3dZpoq19cQlTJICjATn2d4VAAIC1gafHhG7/GLiFijOrmYUfvDj6 CYF25S46Yx3nmSBLfNt19ucHElrhXvg/8Dc7j8OOAJFMRwd0W6ZkRuYausWbhCIbXejh ZBgWDheicMIpXzzT/RQnt6ezc+ESib9lh0HR/hP89PJ3t0oUuIvz2u59Co3hKtewc6dc NA5c2vp0YwNW6dM8qh6f/AWIV7hW+uTV5tkbeqwnZ2TgLHJFvSqGmVkhNoxzxyoKkrog z1eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=44kaQbixVvo7/LtpJsZPQcc7VO3Zv+kWi1pdc7KUrYg=; b=ePNlfqXOw06D1Ko5onfIc45lVKp6SFAEB0eDllD49NEAcJi5MM96ekHBXnsIVGgbR4 yNT+pqBUcv1y2RLq7YNrcYKM5u+feRq/7tFnWH+9L9HcVXd/dFK1coEyVEuAF3xeqth9 lyUhOP6YIzipNr0DDkBAQqjr++4K5LI6qgwwzPjMF1Z581oXD6/BWr4Vih+oJL1et7Av X5SvUwXWdxLMb/9ayhGoXPr0qNJKhY7FZl8OuSRF8IvAdnUIBlVSTOAzrmBFSk9wZHUC XnB9bZLpEU89tGg3rpUMi1txjc1yyei9C926lRw7FQVrGNrgOJhVeMyh9/ITBqW/Eklu w9nQ==
X-Gm-Message-State: AN3rC/6WkpEdw0/cYwVBtYnk5oo26eTJUKQdbYuwcZizj/JaidaTBDo8 7RT1dOsEr2vF1r7SKAGmjfv+0C05yh1I
X-Received: by 10.37.16.212 with SMTP id 203mr18835545ybq.90.1493859804794; Wed, 03 May 2017 18:03:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.57.67 with HTTP; Wed, 3 May 2017 18:03:23 -0700 (PDT)
In-Reply-To: <BF1DC9D8-7E39-4415-A9F9-C1C1995B20C5@dukhovni.org>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <cb518e35-c214-d11d-a068-c454b2e7ea6a@gmx.net> <CAAF6GDfQ+YXV4gvhBOOZKC=wtYhxQUy1_2_M+dgfbdL25pppiQ@mail.gmail.com> <BCD73E79-0675-4B71-92B4-3226F0BAB597@dukhovni.org> <CAAF6GDdpq8DgLx5Fo6apoTHgwQsbdn6hb=ozi1+JP9VMxPw6sA@mail.gmail.com> <539D071B-7DDD-4820-A9E4-EC178400B7B2@dukhovni.org> <420471d6016a41ecbcdf9562be303f62@ustx2ex-dag1mb1.msg.corp.akamai.com> <17414FC2-15BB-4A03-8673-7F8299E5428E@dukhovni.org> <20170503182955.GR10188@localhost> <CAAF6GDf_5tuU=L8vCv5f1wgwy8NxvDcJb9TjJ+iHcNOqETASoQ@mail.gmail.com> <7573B494-A1C1-4897-B064-14237B5FB525@dukhovni.org> <CAAF6GDfiLtLT5-NZwFaSHmz35MRiNSqSjQt=MmNoQ04vBDPPTg@mail.gmail.com> <658E74AE-39BC-4518-B11D-92D7AC7F1BD4@dukhovni.org> <CAAF6GDf-aJEu8Usss7r9m94YXSVgHq8OB9+=i8-uk=Cv_QtrwA@mail.gmail.com> <BF1DC9D8-7E39-4415-A9F9-C1C1995B20C5@dukhovni.org>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Wed, 03 May 2017 18:03:23 -0700
Message-ID: <CAAF6GDeAE9DW-8vG++sDT4wA6U4h+w4aTP2pRLWG4Ez3jYP7Ew@mail.gmail.com>
To: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c0ff04027045054ea857c0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WoBNOVG27LoMp-kLBUzt5Ph0I8w>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 01:03:32 -0000

On Wed, May 3, 2017 at 5:51 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:
>
> > On May 3, 2017, at 6:29 PM, Colm MacCárthaigh <colm@allcosts.net> wrote:
> >
> > Pervasive forward secrecy is one of the central security goals of modern
> > cryptography,
>
> Sure, given a sensible definition of forward-secrecy.  And near instanenous
> deletion of session keys is not part of such a definition.
>

I want to re-run DH for every bit transferred! of course I'm kidding, and
take your point. There's a balance to strike.


> > STEKs aren't compatible with this goal. They may be acceptable
> operationally
> > today, but I think they must be borrowed time if the central goal is
> meaningful.
>
> We need to recall what thread-model is behind the desire for
> forward-secrecy.
> It is I think not controversial to say that forward is concerned with
> limiting
> the damage from end-point (especially server end-point) compromise, in
> which
> confidentiality of long-term keys (still held on the endpoint) is lost.
>

In the case of STEKs, the key may also be compromised without compromising
the endpoint. With multiple endpoints, there is usually some kind of
central STEK distribution system to synchronize the keys. And they key may
also be compromised due to weak crypto on the tickets themselves. So we
have to add those too to the threat model. But caches have similar
challenges, which might even be harder.


> Consider the fact that such compromise is unlikely to be detected and
> remediated
> instantaneously.  Indeed not only will the adversary have access for some
> time
> to sessions initiated post-compromise, he will also be able to impersonate
> the
> real server after the server is "secured" because certificate revocation
> will
> take days (or until the certificate expires) to take effect and more
> sessions
> can be compromised via MiTM attacks after the keys stolen.
>
> The incremental exposure of some fraction of a hour of sessions shortly
> before
> compromise pales in comparison with the much longer post-compromise
> exposure
> before the service is again secure.
>
> STEKs are simpler to design and secure than a complex session cache. This
> simplicity has security benefits.  Properly implemented STEKS have a
> lifetime
> that is much shorter than any plausible compromise exposure time window.
> Given
> this, it makes sense to not consider potential STEK compromise as loss of
> forward
> secrecy.
>
> Forward secrecy guards against disclosure of truly long-term key material,
> with
> a lifetime of weeks to years.  Once we get down to hours or minutes, it is
> quite
> sensible to take a coarser view of time, with similar exposure for sessions
> "just before" and "just after" compromise.
>
> Maximally sensitive traffic can take the penalty of avoiding session
> caching
> of any kind.
>

That does all makes sense, it just hasn't really been how TLS is deployed.

-- 
Colm

v2.23.0 | Report a Bug | By Email