Re: [TLS] One stream to rule them all (was Re: Security review of TLS1.3 0-RTT)
Colm MacCárthaigh <colm@allcosts.net> Thu, 04 May 2017 04:00 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 990FB129B43 for <tls@ietfa.amsl.com>; Wed, 3 May 2017 21:00:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WEX66cfB2C9T for <tls@ietfa.amsl.com>; Wed, 3 May 2017 21:00:05 -0700 (PDT)
Received: from mail-yb0-x229.google.com (mail-yb0-x229.google.com [IPv6:2607:f8b0:4002:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 879DE129B49 for <tls@ietf.org>; Wed, 3 May 2017 21:00:04 -0700 (PDT)
Received: by mail-yb0-x229.google.com with SMTP id j17so531264ybj.0 for <tls@ietf.org>; Wed, 03 May 2017 21:00:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=K+wVRFo4enygCnauWyVnN7ZlriT3ogmd9XfpyjKBqKY=; b=iWbNQ0imCgPrTGCQ7YpOWv4OBN+a0x+s3mCJcuSOiaFn8PvLiHGO28UZQ/WW5Hkm3z fkuC6nXLVJ4ZY4byPiz3MG2hOhoIwQrXk8zVT3KIApDavrmLS10FJUk8EwV8RRMeP5Q9 zOBP46InFlNql733zBh0kiJcyHCqHGS0fFmp1GXILT8lq9mXXHnBSBEoTsbvioWdWHxR IEwCYjUW0IQROPwsPAQIkxgXPlnxcOu0wUosUUr5D89emvmxEVP7jpoL7gCTn+UOxNY9 pfT1CvgWUyYzimSt1t7uaqNT95xS7yz7tijKPqz0ig/AlFXQZwPC0CDyxP+q7S4s0XJh Z0SQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=K+wVRFo4enygCnauWyVnN7ZlriT3ogmd9XfpyjKBqKY=; b=O8JbNByCKjsiOnvc2U3Btz6bu/sGDkRqN8cnVP96tKshwB74Cp9PCx19T90EeAmQQj fpT0Io8nzYzI0Avv4hqQr8DzIbOUYsDqW8lz/TTDiMrx/o18iAEpj4cCWSX9Wdeewx1v 92vupxlrAkkePzJiTenwb9Pg8z3EoNdCWQfz3/YTIgtDIgpgkLptxqJinFP3ImviyLA4 dS8y6LszKSkq0CslEEnviBjNjTy2swbfLMemFfuYSj9FGYwVN+i+ojo7POnSDpSRSxst dfCoAfXCjD8AJqkvZ+4diKsvs2itI8OIfAHhcvInB2HEjR3tL7ZdINGn4qTmbRmwoLiF Ym8Q==
X-Gm-Message-State: AN3rC/5F2DwHAOnrtWyd87NvkaqAchWz/2Zbuc40zcw7EuEOMW1sx0Qm 5cDCCtpzzwTCgT55t9SV7Rlf4PfMgg==
X-Received: by 10.37.163.195 with SMTP id e61mr17541221ybi.13.1493870403582; Wed, 03 May 2017 21:00:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.57.67 with HTTP; Wed, 3 May 2017 21:00:03 -0700 (PDT)
In-Reply-To: <CABkgnnUuxv1WbwiudOKxkjesrGH+DCJOYqThfUa0t6K0oFSv=A@mail.gmail.com>
References: <CABkgnnWseFHVLu_Qmn7AkdJVYHGdOAZfPP=Trz_3MbQV5H5Wcw@mail.gmail.com> <74c5b8f9c44149dda3b26ed833588eed@ustx2ex-dag1mb1.msg.corp.akamai.com> <5242af630cb14f29847455c2de6ceb81@ustx2ex-dag1mb1.msg.corp.akamai.com> <CABkgnnUuxv1WbwiudOKxkjesrGH+DCJOYqThfUa0t6K0oFSv=A@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Wed, 03 May 2017 21:00:03 -0700
Message-ID: <CAAF6GDfDfkTTGWKt68quJ5jhr7sV_LuAa5A2jC+OY_wOZWn8Kw@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045c05f8bf315a054eaaced7"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_Rz_5huUZr5LF7EhKu2xna-G9Ig>
Subject: Re: [TLS] One stream to rule them all (was Re: Security review of TLS1.3 0-RTT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 04:00:08 -0000
On Wed, May 3, 2017 at 7:31 PM, Martin Thomson <martin.thomson@gmail.com> wrote: > A clear delineation of security properties exists, if the handshake is > done, then you are in the clear. Otherwise, beware. The separation > of the streams doesn't help if you consider the possibility that 0-RTT > data can be retroactively blessed. > > I agree that it's complicated and we'll need to learn more. I fully > appreciate that you want to be conservative in how to implement this > feature. As a predominantly client stack with far fewer consumers, I > guess we are taking a few more liberties. Are we not both entitled to > our own approaches in this regard? > I just wanted to chime in on this thread too and this: I think that single-stream is the way to go .. if servers prevent 0-RTT replays. That does leave the DKG attack, but I think that's ok. That might seem like a contradictory view from me, so here's my nuanced take: * The DKG attack is real and does cause the client to repeat a request. * It's basically impossible for the server to do anything about it. The ticket isn't re-used, so clever tricks like CloudFlare's X- header don't work here. I thought for a while that the server could maybe fingerprint the plaintext, but even that doesn't work, because a client might repeat it intentionally. * Thankfully this doesn't have to be a show-stopper. The failure mode is, I think, identical to existing time outs. The client knows that the request may have succeeded, or may have failed. At that point it's up to the client what to do. Browsers retry, makes sense for them. Other clients don't, good for them. But they get to choose; and it's compatible with today's behavior. From the server's perspective, the same is true - the server knows that the original client may not have received any response, because that connection fails. * So in broad terms, existing client and server behavior should cover us here; all of this happens when connections time out today - and an attacker can already cause that to happen. It's not a big ecosystem change to the layering we have already. * If the above logic holds; then the whole "needs a profile" stuff and signaling early data and application data to applications separately is needless complexity IMO. Probably more harm than good, and seems to be getting ignored anyway. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- Colm
- [TLS] One stream to rule them all (was Re: Securi… Martin Thomson
- Re: [TLS] One stream to rule them all (was Re: Se… Benjamin Kaduk
- Re: [TLS] One stream to rule them all (was Re: Se… Martin Thomson
- Re: [TLS] One stream to rule them all (was Re: Se… Salz, Rich
- Re: [TLS] One stream to rule them all (was Re: Se… Martin Thomson
- Re: [TLS] One stream to rule them all (was Re: Se… Colm MacCárthaigh