IETF Logo Mail Archive

Re: [TLS] Pull request for 1RTT Handshake

Watson Ladd <watsonbladd@gmail.com> Fri, 04 July 2014 04:42 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A85141B2BCB for <tls@ietfa.amsl.com>; Thu, 3 Jul 2014 21:42:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dNWpLi2Mqt-Y for <tls@ietfa.amsl.com>; Thu, 3 Jul 2014 21:42:03 -0700 (PDT)
Received: from mail-we0-x22e.google.com (mail-we0-x22e.google.com [IPv6:2a00:1450:400c:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D9071B2BD4 for <tls@ietf.org>; Thu, 3 Jul 2014 21:41:58 -0700 (PDT)
Received: by mail-we0-f174.google.com with SMTP id u57so1099786wes.5 for <tls@ietf.org>; Thu, 03 Jul 2014 21:41:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=JSfYKJZWtjAYvVwwVHMn1NJLaeKgvMjYC5hpz/dvvFU=; b=KL0uF/U7tR8x8BZWpQrBDLDH4poQ4MJKcHU1i+4RUffIDuFqIIEXXr5YNkqhrsoacU 00+hDbE+gBvjhojsZGxWCtoYDT1CrtJzRLeQkstFBp7uja2HQFaB3u2beyoj/90SemC5 s2RCW08mv/s+Lu38wqZ2nGARNF65YMvomxqJQQHPNPK753K75Nk6FP8R2KKpzoUKgtBT 6qhr7GQqXBdaDrY5MwDiCgRCqLpPReENI1BUfJkzlf98WeaVzz4bj++yvuJGy6la3lHJ 4LpFiPgRqEke8lirCdBwpP8EyPZc4zK8d/fJdEdnONH87PFqFL7ZIsx5jSylCCNUEhFm +UWQ==
MIME-Version: 1.0
X-Received: by 10.181.13.80 with SMTP id ew16mr15050251wid.51.1404448916720; Thu, 03 Jul 2014 21:41:56 -0700 (PDT)
Received: by 10.194.21.69 with HTTP; Thu, 3 Jul 2014 21:41:56 -0700 (PDT)
In-Reply-To: <CABcZeBNoycR_PCKarK+PkK8rHs0LeO=_9h7_h-GYftOvzZfLKA@mail.gmail.com>
References: <CABcZeBNTJZo+ua6eV8H1Pwb2MqzD=o20=s+XkiQUL9fftspJrQ@mail.gmail.com> <CACsn0c=2pFnjt2FWryH+N=kLAL7rnWswnqZbH8C4Q1aNM=qsLg@mail.gmail.com> <CABcZeBNoycR_PCKarK+PkK8rHs0LeO=_9h7_h-GYftOvzZfLKA@mail.gmail.com>
Date: Thu, 03 Jul 2014 21:41:56 -0700
Message-ID: <CACsn0c=ANxuR50RtuQPwS-sz9XGHyPW7o9SDRH3YL_yQfZdiqQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_p2NGYW4Q_DqMmEotfkw9Fh4DEY
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Pull request for 1RTT Handshake
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jul 2014 04:42:05 -0000

On Thu, Jul 3, 2014 at 9:00 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>
>
> On Thu, Jul 3, 2014 at 7:29 PM, Watson Ladd <watsonbladd@gmail.com> wrote:
>>
>> On Thu, Jul 3, 2014 at 7:54 AM, Eric Rescorla <ekr@rtfm.com> wrote:
>> > I've just put up a pull request that makes the first cut changes from
>> > the consensus from Denver for 1-RTT handshake without SNI
>> > protection. As we discussed, I'm leaving the door open for SNI
>> > protection, but since these are separable work items, and this is
>> > already a fairly signficant change I wanted to get the 1-RTT stuff
>> > down first.
>> >
>> > The PR can be found at:
>> >
>> >   https://github.com/tlswg/tls13-spec/pull/52
>> >
>> > It's still kind of rough and there are a bunch of open issues (and
>> > most likely several mistakes) but I think it's clear what direction
>> > it's going in.
>> >
>> > I wanted to explicitly called out some known open issues in the draft,
>> > both so I can get feedback/discussion on these and so that people know
>> > they haven't been forgotten:
>> >
>> > - Based on the mailing list and interim discussion and a bunch of
>> >   private conversations, I wrote this up as requiring named DHE groups
>> >   (and assuming we will want named ECDHE groups). This makes things
>> >   quite a bit simpler and seemed like a good idea anyway. I recognize
>> >   that I'm a bit ahead of the list consensus here, but my sense is
>> >   that this was the emerging consensus.  If there are major objections
>> >   to this change, I can rework things otherwise, but I believe it will
>> >   make things more confusing.
>> >
>> > - I have partly removed dh_rsa and dh_dss because they get in the way
>> >   of having a common handshake pattern and nobody seemed to want
>> >   them. Assuming nobody screams I will do a separate PR to remove them
>> >   entirely.
>> >
>> > - We need to take care that we don't introduce a downgrade issue in
>> >   the 2-RTT flow (Figure 2) where the server tells the client he has
>> >   sent an incorrect CKE. There are some open issues noted in the draft
>> >   about how to do this exactly. Comments welcome.
>> >
>> > - MT convinced me that the client should be able to make multiple
>> >   ClientKeyExchange offers for different parameter sets, so I did
>> >   that.
>>
>> So I don't why a client would change their Client Hello in response to
>> a Server Hello, and hence
>> why there can be a downgrade.
>> The client says "here are my capabilities, and some early guesses as
>> to what you want to see"
>> If those guesses are incorrect, there is no need for another Hello:
>> the server already knows what
>> the client wants to tell it, and the client knows what the server would
>> see.
>>
>> There is no state machine issue, because the server knows if it got
>> the data or not, and
>> the client will know if the negotiated curve and suite were among the
>> guesses.
>
>
> I'm not saying that the client should change it's ClientHello, but since
> there
> are two messages, it could in principle do so, right?
>
> The draft currently requires that the client not do so, in S 7.4.1.2:
>
>       When a client first connects to a server, it is required to send
>       the ClientHello as its first message.  The client can also send a
>       ClientHello in response to a HelloRequest or on its own initiative
>       in order to renegotiate the security parameters in an existing
>       connection.  Finally, the client will send a ClientHello when the
>       server has responded to its ClientHello with a ServerHello that
>       selects cryptographic parameters that don't match the client's
>       ClientKeyExchange.  In that case, the client MUST send the same
>       ClientHello (without modification) along with the new
>       ClientKeyExchange.
>
> Does that seem problematic to you?

Why send two messages when one will do? In particular the server can
send a Server Key Exchange,
and a Certificate, CertificateVerify message in response to the Client Hello.

Once the client receives this, it's ready to send data after its CKE
and such messages.

Restarting the protocol the way we have now introduces another round trip.

In fact, it might be worth ditching the current client psyc approach
in favor of this one: less complex,
backwards compatibility by signalling an extension, and gets client
authentication in one round trip also.

This of course assumes a minor change to the protocol's calculation of
keys, and makes 0-RTT more of a jump.

>
>
>>
>> Another misfeature is the Finished message ordering: it slows down one
>> side or another.
>> If we fix Triple Handshake the right way, it's safe to send data
>> before receiving the other
>> Finished message.
>
>
> I'm not following your analysis here as to why this slows things down:
>
> 1. The client can't safely send data before it receives the server's
> Certificate and CertificateVerify, since that's the first thing that
> authenticates the server. These messages are sent in the same flight as the
> Finished, so will arrive at more or less the same time.
>
> 2. If the server doesn't want client authentication for the data, it can
> send data as soon as it receives the client's first flight. If not, then it
> needs to wait for the client's Certificate and CertificateVerify, which
> again is sent with the client's Finished. [0]
>
> Why does the Finished slow things down in this case? What am I
> missing?

I was a bit confused about what exactly Finished protects, and why we
need to wait for it.

>
>
>>
>> > - The EarlyData mechanism is a bit overgeneral as opposed to an
>> >   explicit ClientKeyExchange extension, but it seems like it's going
>> >   to be useful when we do SNI encryption and 0-RTT.
>>
>> Are we ever going to be able to turn it off? Clients initially will
>> use only it for compatibility. Servers will develop bugs
>> because clients all use it. Lather, rinse, reiterate.
>
>
> Obviously, that's a potential problem, but it also seems pretty clear
> that any extra data has to go in an extension for compatibility.

Have you read the hello-pading draft? Or heard people complain about
Java interop with things not RC4?
Vendors are not adequately testing their ability to deal with legal
but unused corners of the spec, and virtually none of them are doing
adversarial fuzzing.

Sincerely,
Watson Ladd
>
> Best,
> -Ekr
>
>
> [0] DKG points out that the rules might be relaxable if the
> server wants authentication for the client's data but might be willing
> to send some data, such as a banner message, without client
> auth, but let's deal with that later.
>

-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email