Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard

Colm MacCárthaigh <> Mon, 19 February 2018 19:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D8A77126C0F for <>; Mon, 19 Feb 2018 11:13:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DCCaqICSr7Pr for <>; Mon, 19 Feb 2018 11:13:46 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E0E09124BFA for <>; Mon, 19 Feb 2018 11:13:45 -0800 (PST)
Received: by with SMTP id v135-v6so3169706ybe.2 for <>; Mon, 19 Feb 2018 11:13:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=lrJQsq/53eA9bboOiOJoG0W6KaoIUstIZBShcmDqPu4=; b=lRmgnvLYP31Er5h4j2a8uwxQDt65IjqbMAiR6Riwf/bI9lZlNPOC6Tf7h9RATSCIcS NsEdNyRrnFCJVD+X9LVYazvDqnrs7B5BlcItAK6aSoUzRggGw3s7bep2wP56vWGsklj7 DkwOCPb0qNMhsLZIzdisXdtayjqeIHBsyvEaNU2Lt6w0R+SS6MWtJY4XB9YSiUykGIIT PpBzhkBI1koUt900jNnP+i9YEzCKOHJawtobXJF1tvbJ2ZzNdKrjbiodou+b5eZRW823 py6tVXKru/Ef8Ho2g3mL6jZrZSxrqjJBsptqua2z/+1qcSPQGw/YLO/AVuFzmG4G1cg3 Klpw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=lrJQsq/53eA9bboOiOJoG0W6KaoIUstIZBShcmDqPu4=; b=H2sL8XQnGimZks1hRIRe+FzuOjKHPCOvlpUkNlA9+L3/GGOwQW9U08qc3nMfOMhNwC 9BbMaBkOeJEp3iL7ZH9Gq2Jgmu18XpPWWReSI0N5HVtAxC54ZzdDeJsjR/b8hpld0GKP FLrzgyPmLvqjEJPVT4/UzBtsSf6gTC/gvinF5S89VuhTc03/9dThRPmkomJAHZv0a2rx 0LX3knKXcMPMhr1y9hKESnOAb+cJjivryKjiF3eG+fzuKM1Cx9h4UUkOjYYUojeNN/4m VbATrO6a3zSo1Xa07lHYe71PeKgZYaF1ZiKSH98/LPBW0kfca7+CAgMIVZ0EhFzna4YH TtNQ==
X-Gm-Message-State: APf1xPBvFKRl2s2o/nykszUadwEbRkM7Gtmckadwlu2S7KYseBHU3USt RYeTFMCc8A40soyl+C3h1hYgBwCOf323P/82yXjhVA==
X-Google-Smtp-Source: AH8x225MJQmpu7uq/DCFAita+CRlWs7Ih+LBQ6TM+Fh0fyF3i4ozbeA/b886MX/jP708ODRMxoDsLo8Rqca+81xz6zE=
X-Received: by with SMTP id g28mr7501521ybe.269.1519067624880; Mon, 19 Feb 2018 11:13:44 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 19 Feb 2018 11:13:44 -0800 (PST)
In-Reply-To: <>
References: <>
From: Colm MacCárthaigh <>
Date: Mon, 19 Feb 2018 11:13:44 -0800
Message-ID: <>
To: Kathleen Moriarty <>
Cc: Yuhong Bao <>, "" <>, "" <>, "" <>, IETF-Announce <>, "" <>
Content-Type: multipart/alternative; boundary="f403045ecde02bd3b80565957eaa"
Archived-At: <>
Subject: Re: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 19 Feb 2018 19:13:49 -0000

Since this IETF-LC/IESG process is a good chance to get a sanity check, I'd
like to boil down what I think are the nits and risks with 0-RTT, and if
others want to weigh in they can. I'll state my own position at the bottom.

Broadly, I think there are three issues with 0-RTT:

   1) The TLS 1.3 draft allows for 0-RTT data, including things like
requests and headers, to be replayed by attackers.

   2) 0-RTT data, again including requests and headers, has no
cryptographic guarantee of forward-secrecy and will likely be protected by
symmetric session ticket encryption keys (STEK) that can be used quite
broadly with no limits on re-use, rotation, and rely on vendors being able
to share and revoke keys frequently and securely. Basically: If a vendors
STEK is compromised, than an unbounded number of end-user requests and
headers can be decrypted. This obviously defeats the goal of achieving
forward secrecy.

  3) While no working attack has been found, some cryptographers and
protocol experts believe that the 0-RTT exchange is overly-complex and a
source of risk. Kenny Paterson made the most prominent statement (
), but I've heard it echoed at several IACR events. It is definitely true
that 0-RTT resumption complicates the TLS state machine and creates unusual
conditions such as needing to restart messaging sequences.

The TLS-WG was chartered with "aiming for one roundtrip for a full
handshake and one or zero roundtrip for repeated handshakes. The aim is
also to maintain current security features" (  But with these 3 issues,
there is a clearly a trade-off between security (the S in TLS) and speed.

Issue 3 is matter of judgment; my personal judgement is that we will see
implementation bugs due to state machine complexity, but there's no
evidence that the cryptographic and protocol semantics are not robust.

With regards to issues 1, and 2, the latest TLS draft makes it possible to
achieve both of these aims. Through the use of single-use session tickets,
it is possible to provide anti-replay and forward-secrecy properties for
0-RTT data. I'm grateful for the changes that were introduced for this.

At the same time though, most vendors have stated that they don't plan to
do that and instead have designed around limited replay time windows,
non-transactional strike registers, and non-forward secure tickets. This is
what I expect to see deployed, and already see with some TLS1.3 deployment
experiments.  TLS1.3 could be more restrictive here; limiting the size of
session tickets to smaller than the size of session state would effectively
forbid any kind of session encoding which would force the issue, but
several vendors are against it because it doesn't align with current
practices and it incurs the cost of server-size caching. For balance, in
the last year I have heard from most vendors that they do plan to implement
some anti-replay mitigation though, beyond the simple time-windowing, which
goes a way to protecting users from throttle limits.

I am disappointed by the unfortunate preference for cost-saving over robust
security. Good cryptography usually costs money, or else we'd still be
using RC4. I do think that we will see security and correctness issues due
to replays interacting with non-idempotent services and throttling
configurations. While it's true that browsers can be made to replay
requests already, there are many web and non-HTTP services that are
certainly not tolerant of replays. Secondly, I think that it is inevitable
that vendor security compromises will disclose troves of user requests,
passwords, credit cards to decryption; but this is perhaps more of a
nation-state-adversary level risk. Some more detail on attacks related to
issues 1/ and 2/ is available in the security review of 0-RTT data: .

After all of that, here's my own position:

I strongly support the current TLS1.3 draft progressing to RFC status. I
work at Amazon, where one of our leadership principles is "Disagree and
Commit" ( the idea is that it's
important to make yourself heard, but also to move forward and not be
endlessly bogged down. I've been vocal about 0-RTT risks, and certainly
heard and understood, and those concerns have been reflected in generous
changes to the draft. I'm happy that it's possible to build a
forward-secret, non-repayable 0-RTT implementation and that's what I'm
doing. I wish everyone else would too, but that's not consensus; others
have a different weighting for the trade-offs between speed, security and
cost and those views are also legitimate.

But my more important reason for supporting is that overall TLS1.3 is much
much better than TLS1.2, including in regards to forward-secrecy, which is
now guaranteed for all non-0RTT data. I still believe that it will
meaningfully increase the overall security posture for the internet, and
I'm super excited to get it out and for users to be getting the benefits.
TLS has always been a bit of a mess, it's not as clean as something
designed by a single voice focused on modern cryptographic best-practices,
but 1.3 does a lot of good cleaning up. Shipping 1.3 doesn't mean things
can't be improved further, and delay inflicts 1.2 and lower versions on
users for even longer. So let's go!

On Mon, Feb 19, 2018 at 7:58 AM, Kathleen Moriarty <> wrote:

> Dear Yuhong,
> As the sponsoring Area Director, my job is to take the draft forward
> as was determined by working group consensus.  Like Stephen, I'm also
> not particularly happy about the choice to leave in 0-RTT, but I have
> to support it as a WG decision.  Whatever the version number in the
> ServerHello decision is from the WG, I will support that decision.
> The ServerHello decision doesn't really fall into the, "arms race" as
> you put it.  More on that in another thread.
> Best regards,
> Kathleen
> On Thu, Feb 15, 2018 at 9:04 PM, Yuhong Bao <>
> wrote:
> > I wonder what is IESG's opinion on the TLS arms race with middleboxes.
> > Yes, I am talking about moving the version number in the ServerHello.
> >
> > ________________________________________
> > From: TLS <> on behalf of The IESG <
> > Sent: Thursday, February 15, 2018 1:13:48 PM
> > To: IETF-Announce
> > Cc:;;
> > Subject: [TLS] Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport
> Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
> >
> >
> > The IESG has received a request from the Transport Layer Security WG
> (tls) to
> > consider the following document: - 'The Transport Layer Security (TLS)
> > Protocol Version 1.3'
> >   <draft-ietf-tls-tls13-24.txt> as Proposed Standard
> >
> > The IESG plans to make a decision in the next few weeks, and solicits
> final
> > comments on this action. Please send substantive comments to the
> > mailing lists by 2018-03-01. Exceptionally, comments may
> be
> > sent to instead. In either case, please retain the
> beginning of
> > the Subject line to allow automated sorting.
> >
> > Abstract
> >
> >
> >    This document specifies version 1.3 of the Transport Layer Security
> >    (TLS) protocol.  TLS allows client/server applications to communicate
> >    over the Internet in a way that is designed to prevent eavesdropping,
> >    tampering, and message forgery.
> >
> >
> >
> >
> > The file can be obtained via
> >
> >
> > IESG discussion can be tracked via
> >
> >
> > The following IPR Declarations may be related to this I-D:
> >
> >
> >
> >
> >
> > The document contains these normative downward references.
> > See RFC 3967 for additional information:
> >     rfc8017: PKCS #1: RSA Cryptography Specifications Version 2.2
> (Informational - IETF stream)
> >
> >
> >
> > _______________________________________________
> > TLS mailing list
> >
> >
> >
> > _______________________________________________
> > TLS mailing list
> >
> >
> --
> Best regards,
> Kathleen