Re: [TLS] #445: Enhanced New Session Ticket
Eric Rescorla <ekr@rtfm.com> Thu, 28 April 2016 22:12 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEB2F12B018 for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 15:12:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qqbqdPh8EPpq for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 15:12:30 -0700 (PDT)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51EDF12D88C for <tls@ietf.org>; Thu, 28 Apr 2016 15:12:30 -0700 (PDT)
Received: by mail-yw0-x22c.google.com with SMTP id g133so131249058ywb.2 for <tls@ietf.org>; Thu, 28 Apr 2016 15:12:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nwFBtRmup654XTP8F7gJa2s3WxnX0oB1mTBYgq4KFUw=; b=jekimdiZwjucCRfDUYXmjUGR31SkOXDPItwvzKlNxJ9ydahDQs9rKxYYW0jKz5l6o+ A75Y5auVLgDpaLvL2MIkXac4enCimNGYSuxpvwRwMWLNIoVWR2I0WUKl2aAGC/VlOSey 7lSC2B+0vP6enOE3tf3fCh7gAfzRWIjmuOCzaNPtAJ+Atl+wwwcsqAHJLoEMm66ZG6wO QeJu0xXkvwfgBpAnSNTChIkhGvmkcerkG2F0sjJ8kwKsTIlwrn++pUff8CYCk8BiZQ8J y7xfz1i5ZIxI3ZJ7y8K9jrD/25sRHoLxznFawihHrgI6uni8OQQRYoiMWp2n4YdrgP8s 88WA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nwFBtRmup654XTP8F7gJa2s3WxnX0oB1mTBYgq4KFUw=; b=X5HF60qyB7uaPaKVnTV3Evx8ydShsTVDUGTpDqJr3S7sZYUgbejc5B2wwhzTb+xuOG yOqAN2MD1Mar7LkssUGy3MlGBClvN5+BYKPei/+ePSbKkTn1hJ0xkO0Kf9SlfNeUOE+r vvm4mEL9GbyGKhKi3O9lwlSLGOeUFAx1yzXsbp6FAEvk1pPDYSEJR1Smsg+KzxDkPnsj jZCAOzdB5TgsyiU1jB+oDsvnCfe4as7SitDkNidKwgv0Ssq5Zp9xn9I83S5NmIlMTBdb BvVYGywqW5b2DmoeVnO0gVP11IyB+Ozoli/8hrFRFkUTceMzSl9BUH+ewI8MOkfomf2K EmGQ==
X-Gm-Message-State: AOPr4FUCpTvAe7cmPVBKsTyNwcNnrg0Ye7mfmYzmoj2aW1yKxl2zmSjwPkqWmjbZVKOrtLTgPUwuxqhBh5wo2A==
X-Received: by 10.13.222.1 with SMTP id h1mr10984401ywe.171.1461881549572; Thu, 28 Apr 2016 15:12:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Thu, 28 Apr 2016 15:11:50 -0700 (PDT)
In-Reply-To: <20160428214046.GB16096@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com> <20160428214046.GB16096@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 28 Apr 2016 15:11:50 -0700
Message-ID: <CABcZeBMFg4iC-EN9DocqTpmjp46EYrTBdfi-G5nNMKN_xiHxVA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="94eb2c07c412777cb5053192d2e8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/aCnxhLIrGUC1WTCK8_EPCMiaOm0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2016 22:12:32 -0000
On Thu, Apr 28, 2016 at 2:40 PM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Thu, Apr 28, 2016 at 01:43:41PM -0700, Eric Rescorla wrote: > > On Thu, Apr 28, 2016 at 12:32 PM, Ilari Liusvaara < > ilariliusvaara@welho.com> > > wrote: > > > > > > > - I presume 0-RTT used in retried ClientHello uses (and for the verify > > > mechanism to work, that needs to be allowed!) uses ClientHello1... > > > ClientHello2 as its base hash? > > > > > > > I don't think I understand what you are asking. Can you rephrase. > > Client sends ClientHello with 0RTT data, gets HelloRetryRequest back and > resends ClientHello. For hash continuation to work, the new ClientHello > needs to contain the EarlyData extension, which would imply there is > 0RTT data following that too. > No, I don't think you need to have the extension. Either the server is keeping state and there's no problem or the server is offloading state in a cookie (mechanism TBD) and in either case it just needs the state as of the beginning of the new ClientHello. > > - Server can send CertificateRequest in GDHE-PSK or PSK mode??? > > > > > > > Is there a reason that's undesirable? Note that it can always do > > post-handshake > > authentication, so we need to ensure that this is secure. My > understanding > > is > > that because it covers the server's Finished, it therefore builds in the > PSK > > value (per the analyis from Scott et al.). Do you have a concern with > this. > > Note that carelessly doing post-handshake auth can lead to nasty issues > (fortunately it is not allowed for HTTP/2!). > I expect that post-handshake client auth will be allowed for HTTP/2. Can you elaborate on your concern. And wonder what it would do to the handshake state machine to have the > possibility of the CertificateRequest message (you need state machine to > avoid all sorts of attacks). Well note that the EncryptedExtensions. > > - What are 'etc' for parameters for 0-RTT data? Use the present > > > extension list here and have any future extensions that matter here > > > explicitly define their interaction. > > > > > > > The list is an example. The operative word is "all". > > And what is "all" with current extensions (defined as whatever is in > registry currently + whatever TLS 1.3 base defines)? I think ciphersuite > (apporiately transformed) and ALPN. Are there others? > Yes, that's what I meant. > > > - 1 RTT server context presumably ends in CertificateRequest, not > > > CertificateVerify (the Certificate and CertificateVerify are > > > impiled). > > > > > > > I'm not sure which section of the draft you're referring too here. > > The table of authentication block (Certificate+CertificateVerify+Finished > sequences) base keys and hashes (section 6.3.4 in current Editor's Copy). > Thanks, I've fixed this > - You might want flag for if server promises replay protection or > > > not in NST. > > > > > > > We discussed this in BE and the consensus was that it was not clear how > > the server implemented this and so it was unwise to promise it. > > You can replay-cache on ClientHello hash. > Unfortunately this does not work perfectly in distributed systems, which is the original source of the concern. > > > - You might want to specify that allow_dhe_resumption doesn't > > > change key exchange, only authentication (so DHE_CERT becomes > > > DHE_PSK and ECDHE_CERT becomes ECDHE_PSK). > > > > I'm not sure I follow. It changes key exchange. If we want to have > > a resumption mode that has the server sign, we'll need a different > > indicator here. > > Can ciphersuite C02B (ECDHE_ECDSA/...) become 00AA (DHE_PSK/...) > upon use of the created PSK? Ah, I see. I thought about whether we should prohibit that and decided against it. But I could be convinced the other way. > > [1] There are many extensions that are not relevant because those > > > control server authentication (e.g. status_request, status_request_v2, > > > signed_certificate_timestamp, server_certificate_type). And some that > > > are low-level connection control (e.g. max_fragment_length) > > > > Yes, I am being conservative here because false positives don't seem like > > they will happen a lot. > > False positives? Try implementation errors. > Well, it seems like there are two concerns here re: implementation errors. 1. That servers will bungle this check and reject 0-RTT when they should accept it [false positive] 2. That servers will bungle this check and accept 0-RTT when they should reject it (and that we'll be relying on that). Is your concern the first or the second? > ALPN is special here tho: It needs to match the impiled 0-RTT ALPN > > > (does one want that extension in 0-RTT case anyway?). > > > > > > > Yes, you absolutely need ALPN for early data. > > I mean do you need explicit indication, as opposed to taking the > protocol the accepted 0-RTT data was for and not signaling it. > Well, the current draft does not have explicit indication. All of the 0-RTT context is tied to the ticket. -Ekr > Otherwise you need MUST abort requirement for the client. > > > -Ilari >
- [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara