IETF Logo Mail Archive

Re: [TLS] cross-domain cache sharing and 0rtt (was: Re: Requiring that (EC)DHE public values be fresh)

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 30 December 2016 12:44 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B62E1295C9 for <tls@ietfa.amsl.com>; Fri, 30 Dec 2016 04:44:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5
X-Spam-Level:
X-Spam-Status: No, score=-5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-3.1] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZGRoATiEOeN1 for <tls@ietfa.amsl.com>; Fri, 30 Dec 2016 04:44:34 -0800 (PST)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 3E30B1295BE for <tls@ietf.org>; Fri, 30 Dec 2016 04:44:33 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id A353415A3E; Fri, 30 Dec 2016 14:44:32 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 8X2cX2UpsfEh; Fri, 30 Dec 2016 14:44:31 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 62C102310; Fri, 30 Dec 2016 14:44:31 +0200 (EET)
Date: Fri, 30 Dec 2016 14:44:20 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Adam Langley <agl@imperialviolet.org>
Message-ID: <20161230124420.GA11229@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com> <79db4a88-e435-2e5b-47a5-9048acef45e2@cs.tcd.ie> <CABcZeBObcWUjdHhysLG1K0TbJfiqN+XCERn6WaMjWzgU0XC65A@mail.gmail.com> <582703ab-4340-35e7-a3d2-45dd606f10a1@cs.tcd.ie> <CABcZeBMx3zJ07pbj0bPBMrAcrK_Q4HVDcbCx_2B1DnyCOJeE-g@mail.gmail.com> <CAMfhd9Xt400wyOqvREWMXPL2_gsAJsZRqmRAFLq9tKzOKuqnjA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAMfhd9Xt400wyOqvREWMXPL2_gsAJsZRqmRAFLq9tKzOKuqnjA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YRu2vNPtWowl2L9fWBJ6WX9-QtA>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] cross-domain cache sharing and 0rtt (was: Re: Requiring that (EC)DHE public values be fresh)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Dec 2016 12:44:36 -0000

On Thu, Dec 29, 2016 at 02:45:53PM -0800, Adam Langley wrote:
> On Thu, Dec 29, 2016 at 11:08 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> >> >> As an individual, I'd be in favour of this change but reading
> >> >> over [1], section 5, I wondered if we'd analysed the effects of
> >> >> 0rtt/replayable-data with that kind of cross-domain re-use in mind?
> >> >> The situation being where session ID based caches or session ticket
> >> >> equivalents in tls1.3 are shared over multiple domains.
> 
> I think there is the following interaction:
> 
> Given two servers, S1 and S2, which are nominally s1.example.com and
> s2.example.com, but which both have a *.example.com cert and share
> ticket keys:
> 
> An attacker could redirect a 0-RTT handshake that was destined to S1
> and feed it to S2. If S2 ignores the SNI value (common) it could
> accept and process the 0-RTT data even though it was destined for S1.

Sounds like standard-issue default-vhost attack (which are sadly
common security issues in https://).
 
> However, in that case TLS 1.2 is probably also affected because S2
> would likely process a 1.2 handshake that was destined to S1 as well.
> (Even without a shared ticket key or session cache.) See
> http://antoine.delignat-lavaud.fr/doc/www15.pdf for more.

You mean redirecting full handshake meant for s1.example.com to
s2.example.com? Or redirecting a TLS 1.2 resumption handshake?

Also, wonder how many servers don't check for SNI when resuming...


-Ilari

v2.23.0 | Report a Bug | By Email