IETF Logo Mail Archive

Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)

Colm MacCárthaigh <colm@allcosts.net> Fri, 25 March 2016 18:27 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C2D112D627 for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 11:27:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id b1wcxce6pfc1 for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 11:27:35 -0700 (PDT)
Received: from mail-qk0-x22d.google.com (mail-qk0-x22d.google.com [IPv6:2607:f8b0:400d:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27BE312D622 for <tls@ietf.org>; Fri, 25 Mar 2016 11:27:30 -0700 (PDT)
Received: by mail-qk0-x22d.google.com with SMTP id p130so36343252qke.1 for <tls@ietf.org>; Fri, 25 Mar 2016 11:27:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=+RDDqaN2RTLIH7ijwwcHqD/vn9/7of0p1kdqYENbuLU=; b=z1FqNcOiX+xPzm0e7V9Vgpwu7pP99VKLEqvvnkm3dFZhQHT7YvfUK7wi0rjgsGL0CW glpVlZ6jSvKobQw1f52ni9+NqVqz456537tAxGi/cN1/pU0lN36S8WWFgUc4fzLs0DNb CSM9AQzALeIpQMxJIAxHBrdliiCt4JHlDqG6tqvIQraC/c0bnSFDJpkJkOt/7KYydY1D H7jhxSfljFX0eItMQUc4eq67d43fLttmrKFP8L6fQ9apeGJkXoeitycUX8EXHeVhn4PA yoWnAckJ50XAPUTdRQWmT7xAEOHKDwkfSK+7qfk97UkE0NLPcFsxFWpmn6iFwSo/IYXa 98Bg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=+RDDqaN2RTLIH7ijwwcHqD/vn9/7of0p1kdqYENbuLU=; b=Xbg6PfaaQV4IATX2fM026OC2CITggvaPpL+6N0rsrErZtZcmpYSaLWRMtYj32TF3IX I7iQ4hmCVLsDfjxQ41flah7DGxFhOvIAqx+oj68efvKy5SBnPKH+8msspaDTIEwbR4Yi kToDkEGLFU2OwjpbThD3UGSAil2DxIhP0r6Naw4aFDsI0GWsarYD+2h2xMjA0cLv72op UK6dBp4GIXmcsJtiyjLpsdfPYQ77zHW/EGlmZIiKz5fH/aRczm3z6c6AWQvR106Z6VfX wh+C2ImiyunxIw3mEIyHeJghk7bXOupSRlwMyKZGeX0qisn9amaawblwc9gSD3rhbcJu N0Dw==
X-Gm-Message-State: AD7BkJJNF3dxWJH+UScACNy5Pa20flRkaxmWBLtkf97LQHmiGXYjYPPCSCE1+Xg9TqmEim87sYADSWn4tx94cA==
MIME-Version: 1.0
X-Received: by 10.13.192.5 with SMTP id b5mr8226271ywd.114.1458930449210; Fri, 25 Mar 2016 11:27:29 -0700 (PDT)
Received: by 10.129.88.137 with HTTP; Fri, 25 Mar 2016 11:27:29 -0700 (PDT)
In-Reply-To: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr>
References: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr>
Date: Fri, 25 Mar 2016 11:27:29 -0700
Message-ID: <CAAF6GDefiSCnggjgQJT3NG0DJMC2SDJ=r__npg5L6ycicuzpJQ@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
To: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
Content-Type: multipart/alternative; boundary="001a114e3f982db1ac052ee3b751"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/_fg5gEVxVDrl_k8Lxn9BroY3BP0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 18:27:40 -0000

On Fri, Mar 25, 2016 at 2:29 AM, Karthik Bhargavan <
karthikeyan.bhargavan@inria.fr> wrote:

> There has been much discussion on 0-RTT replay and here’s a quick summary
> of my understanding.
> We already knew that an active attacker, or a lossy network, or an
> overzealous web browser could
> and would cause 0-RTT (and even 1-RTT) data to be replayed to the server.
> This can already happen
> in TLS 1.2, in QUIC, and so we accepted it as a given in TLS 1.3.
>

TLS is used by more than web browsers, so this unfortunately isn't the
case. In particular:

* There are applications and protocols built on top of TLS that do not
retry, because they are not replay safe. It's legitimate to prefer
bossiness over duplication, and to rely on TLS for anti-replay at the
transport layer.

* More commonly; there are many applications and protocols that are
tolerant of a small number of retries and even duplicates, but  suffer
severe harm in the face of a large or unbounded number of duplicates.

As a result of these new concerns, I would say that TLS 1.3 should
> recommend that all servers SHOULD
> implement a replay cache, and those that cannot should clearly signal this
> to the client, so that the client
> can adjust its 0-RTT use case and its expectations accordingly.
>

+1 but I think we can go further here and specify 0RTT in such a way that
it only works when the server maintains state, and so that any given 0RTT
ticket may only be used once (to preserve forward secrecy as much as
possible within the constrains of 0RTT).

-- 
Colm

v2.23.0 | Report a Bug | By Email