Re: [TLS] Call for consensus: Removing 0-RTT client auth

Bill Cox <waywardgeek@google.com> Thu, 07 April 2016 15:35 UTC

In-Reply-To: <974CF78E8475CD4CA398B1FCA21C8E995650125D@PRN-MBX01-4.TheFacebook.com>
References: <AABACDA8-6A12-4023-A971-1254CED4893F@sn3rd.com> <9d1de55db58e33f7e564a03bc140cb49.squirrel@www.trepanning.net> <974CF78E8475CD4CA398B1FCA21C8E995650125D@PRN-MBX01-4.TheFacebook.com>
Date: Thu, 07 Apr 2016 08:32:45 -0700
Message-ID: <CAH9QtQE20ihfhP=onKSuD1Rs4vMez3OmPy8hZo1EkS=hJM8CWg@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: Subodh Iyengar <subodh@fb.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/YL1lMZFOXzfHdliZ2Z4JvIsWoFA>
Cc: "tls@ietf.org" <tls@ietf.org>

I've been reviewing this issue because I want to help figure out how to do
token binding over TLS 1.3 PSK 0-RTT.  When the server emulates a session
cache, then the RMS is unique on every PSK 0-RTT resumption.  That means
the client handshake hash is also unique, and it therefore becomes an
attractive value for the purpose of signing.  If we allow client auth in
this mode, we gain some security.  In particular, without access to the
client cert private key, an attacker cannot resume a session, even if they
have the RMS.

Given this possible mode of operation, we may want to consider keeping
client auth as an option in 0-RTT PSK resumption.

Bill