IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Bill Cox <waywardgeek@google.com> Sun, 04 June 2017 19:09 UTC

Return-Path: <waywardgeek@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5AB3912009C for <tls@ietfa.amsl.com>; Sun, 4 Jun 2017 12:09:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.801
X-Spam-Level:
X-Spam-Status: No, score=-0.801 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4JkaZnu3Z0ub for <tls@ietfa.amsl.com>; Sun, 4 Jun 2017 12:09:00 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C5BF129C4E for <tls@ietf.org>; Sun, 4 Jun 2017 12:09:00 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id l14so47311118ywk.1 for <tls@ietf.org>; Sun, 04 Jun 2017 12:09:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=mefLaNqynDh9u6EFgg3wLg4Tj8b8bjg6lSHx2D34Eec=; b=dNczVYbfaWySOPHhi119ANdgCS4U5pl3UgO/riXSGEt7Z3MS9Yn2SGKamoxJZqJnRF O56MQq3Q25mafTcVgBrNF/1sfCKimXqmFYrftgpSHwjCrLnTXlLujzQKDng6ED7+85gB 7Zdkhe2tYCNYlfFFwyfbkrzfVUjXT/wVfjvfyoPvL5fj4+x1kgTfmk7o+AHFgE+o/WRB mWyCImva3m1VXlxUaBN/t2aWb6kBlHSm4xdbbUfCyDMEKh/RVuCvqZPwTRAG0vnZgA0z h1UskZ5ehBv3WXRdMcrIV8dw86aCdXIpvjtNkXm8khIzTvVQotW0zUO+fQ0BbVpOlaRT iUzA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=mefLaNqynDh9u6EFgg3wLg4Tj8b8bjg6lSHx2D34Eec=; b=Da7Qt/Ed0tro5EeUKZpVGdqf+GziVkMLIjV368LrOlvcQp3RsmtJsAPpL46G3IjBQM +doGzsIUi23Wbkjzz4o5faddtA9jVGbZwNsr7qz8JyTMWwOG6a7dI6gL8oM6YvAEWRQb s3myfIBBgJWOTDBquB5ApLysLglB5ETKOwnYpacpqTEmbFOPWGv8Mjjc6qbDQ4n2w5iR v0I0wuLoBNo0opC2ehGY51px1zKMHW5W1xCS1IoYNwFAfr3fR5dmVVBjbBgbWyYD3fBX NoZmpWjeFce8IquSMYxXLA/F5G/Sf/03A9TL3kf8IctSqTA3e26nWRkeE3xyCk1Tu9qM C0Xg==
X-Gm-Message-State: AODbwcD2BooKe4D7XiE2ItaC//ml5iHzV4KiypuvieD+dJgPre/ScR0Y pIM16rY0fbR6rcsSzG1WNmmD3AVyPmEL
X-Received: by 10.13.242.132 with SMTP id b126mr12560913ywf.95.1496603339650; Sun, 04 Jun 2017 12:08:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.222.67 with HTTP; Sun, 4 Jun 2017 12:08:58 -0700 (PDT)
In-Reply-To: <CAAZdMacwnX2-eu5Ts_XEbiq7bx=XttpM95tZb7qJeBf7BsrYog@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CAAZdMacpJ-qoQt2pDBjTq6ADwmRKOHXTHDyDTzb+g2gYPvtZzQ@mail.gmail.com> <CAAF6GDdobkQh9_iqX1oU_BO9O2aK2_7Cbaper0AY4qEGYXAcvA@mail.gmail.com> <CAAZdMaeTdcgdCj26kVuq6-0EX1nmehvJJCq+YzB-4r84aRjhuA@mail.gmail.com> <CAAF6GDesLzMDN_LVYr6sFU8Z04jpXhFZphOAet-0JPsFF56Oig@mail.gmail.com> <CAAZdMadDctG0sMyDV49+8UUiagqQpi0bSehtQuKPELMU-+Gg5g@mail.gmail.com> <CAAF6GDfZr_zEuttf2zQhJ9vv2T-e1Mzb3G09_auLReftSJveeg@mail.gmail.com> <CAAZdMacwnX2-eu5Ts_XEbiq7bx=XttpM95tZb7qJeBf7BsrYog@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
Date: Sun, 04 Jun 2017 12:08:58 -0700
Message-ID: <CAH9QtQET_1WzdHfgO1DbeM5yYKYORyimCy3Kbz5yjGNmBF63Jg@mail.gmail.com>
To: Victor Vasiliev <vasilvv@google.com>
Cc: Colm MacCárthaigh <colm@allcosts.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c035a406e6d3f0551271e58"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XhyGnHwcH9dco5xkc6BBdSWSxvk>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 04 Jun 2017 19:09:02 -0000

On Fri, Jun 2, 2017 at 2:39 PM, Victor Vasiliev <vasilvv@google.com> wrote:

>
> Now, imagine the following attack:
>
>   a) Between (1) and (2), the attacker resets the TCP connection, after
>      the client got the response and the session ticket.
>   b) Since the client has the ticket, it 0-RTTs the POST to take out a
>      lock.
>   c) Attacker redirects the client to another datacenter, which cannot
>      accept 0-RTT, so it switches to 1-RTT.
>   d) During (b) and (c), the attacker records a transcript of 0-RTT
>      request to take out a lock.
>   d) The rest of (2)-(6) proceed in normal fashion via client talking to
>      the distant datacenter.
>   e) Attacker replays the lock being taken out in the datacenter where
>      0-RTT would succeed; the lock now is in place, and the client has
>      no idea about it.
>
> Because the application layer cannot reasonably assume that such
> reordering can happen, it is not acceptable to 0-RTT the POST in #2.
>

A simpler attack over TLS 1.2 that has the same result:

a) An active attacker waits until she sees what she believes is a lock POST
request.  This can happen at any time during the connection, and the flight
is identified by metadata since it is encrypted.
b) The attacker holds the lock request, and keeps the connection to the
server alive by transmitting a byte to it every minute or so, and
terminates the client connection.
c) The client reconnects, and proceeds with steps 2-6
d) Attacker sends the request to obtain the lock, and now the resource is
locked.

For browsers, this attack seems simpler (no redirect to another data
center), and more powerful (can attack at any point in the stream).  It
obtains the same result (locked resource), and I do not see any simple
mitigation, other than to force clients to make all state changes
transactional.  I realize this attack requires browser retransmition, not
just TLS re-transmission, so it is fundamentally different.  However, isn't
the result the same or worse?

My feeling is that when talking to stateless 0-RTT servers, browsers should
send only idempotent HTTP requests, and accept less-than-perfect FS.  I
also feel they should avoid attempts at client auth over 0-RTT.  However,
when talking to servers that prevent replay (but not re-transmission) I
think browsers should be free to send any HTTP requests over 0-RTT, and
also attempt client auth.  The security properties of 0-RTT data are still
different, but for browsers, where it does not matter whether the
re-transmission is in the browser or TLS layer, the security seems
equivalent to me.

Bill

v2.23.0 | Report a Bug | By Email