Re: [TLS] 0-RTT and Anti-Replay

Watson Ladd <watsonbladd@gmail.com> Tue, 07 April 2015 05:38 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32AD71B3175 for <tls@ietfa.amsl.com>; Mon, 6 Apr 2015 22:38:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8bZiFoLnPWlr for <tls@ietfa.amsl.com>; Mon, 6 Apr 2015 22:38:20 -0700 (PDT)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 396431B3174 for <tls@ietf.org>; Mon, 6 Apr 2015 22:38:20 -0700 (PDT)
Received: by wiun10 with SMTP id n10so4649571wiu.1 for <tls@ietf.org>; Mon, 06 Apr 2015 22:38:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=5bRtDsoF2ftglSWuZW/puO5fwM1helskQJyKuTsrqOI=; b=xa6sq+9++N8MO16/IHvif1duDwUpIOuHVJb4/A3NvGMJXAvuApPgMtILN3oIQDPyea FDYuItx+86OHxoKXQAit8f2wA7GTSHdgP7GN5jDkZ9lqGC7qD+OseT/tGs6Drm+Tl+ne 62ISExvb8dFbKLaKcQsHm6wc8H7iOCI6TC2oOj2pVdgcARzSpYG9ZgcT+bBksjoNWIZx ycsFkRjrDAUK2w4KoFD86SOWqwoXen2LmkYTaiOZ9qMccbl0nzBcMt0Yjaq57amkN7nt a/NreHmG1lA0ZKKlQ6rHru6lkBqDH07kKhQDEJTQVkk/OMd2uD+AJ1hq1QMzgMzVsXxp MmtQ==
MIME-Version: 1.0
X-Received: by 10.180.75.212 with SMTP id e20mr1330440wiw.26.1428385099000; Mon, 06 Apr 2015 22:38:19 -0700 (PDT)
Received: by 10.194.136.233 with HTTP; Mon, 6 Apr 2015 22:38:18 -0700 (PDT)
In-Reply-To: <20150406120554.GA23058@LK-Perkele-VII>
References: <CABcZeBP9LaGhDVETsJeecnAtSPUj=Kv37rb_2esDi3YaGk9b4w@mail.gmail.com> <20150406120554.GA23058@LK-Perkele-VII>
Date: Mon, 6 Apr 2015 22:38:18 -0700
Message-ID: <CACsn0c=wDP4hUGB73rSuHY5zsw8pOXvYgMOr6GW5ew_m7eCiAg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_8RIVZboW7AFtZ8smBkcFBmJdMU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT and Anti-Replay
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2015 05:38:22 -0000

On Mon, Apr 6, 2015 at 5:05 AM, Ilari Liusvaara
<ilari.liusvaara@elisanet.fi>; wrote:
> On Sun, Mar 22, 2015 at 02:49:28PM -0700, Eric Rescorla wrote:
>> In the interim in Seattle, we had an extensive discussion of 0-RTT
>> anti-replay in which DKG observed that all the proposed anti-replay
>> mechanisms provide limited protection. The underlying problem is the
>> desire to present a uniform interface in which the calling application
>> can count on reliable delivery of the data it provides in the first
>> flight, thus requiring the TLS stack to retransmit it automatically.
>
> [...]
>
>> The other two options clearly require a separate API to handle this
>> special first-flight data and would require applications to handle it
>> separately. So, for instance, in option 2, you would have something
>> like:
>>
>>     c = new TLSConnection(...)
>>     c.setReplayable0RTTData("GET /....")
>>     c.connect();
>
> This is on client side, but how about server side?
>
> 1)
>
> - Server app indicates to TLS stack if it supports 0RTT.
> - If no support or 0RTT fails, 0RTT is refused and retransmitted
>   data is prefixed into connection data.
> - If supported and 0RTT transmission succeeds, app can read 0RTT
>   data using separate call.
>
> Problem: 0RTT supported but failing (e.g. wrong keys) is a special
> case for serverside.
>
>
> 2)
>
> - Server app indicates to TLS stack if it supports 0RTT.
> - If no support, this is signaled to client.
> - If supported but fails, this is signaled to client.
> - 0RTT data (original or retransmit) is read using separate
>   interface.
>
> Problems: 0RTT supported/not supported is two different cases
> for the client. Retransmit would need to be flagged specially.
>
>
> 3)
>
> - If 0RTT fails or not supported, it is refused.
> - Just prefix 0RTT data into connection data.
>
> Prolem: Server can't tell apart 0RTT data from normal data.
>
>
>
> Also, regarding security considerations due to replayability, would
> "MUST NOT authenticate in 0RTT data" (which e.g. means cookies that are
> possibly authenticating can't be sent)  be useful consideration?

Only if we don't guarantee that the person who sent the 0-RTT data is
the same person who carries out the rest of the connection. This seems
possible, but I don't know what the right definition is.

>
>
>
> -Ilari
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.