Re: [TLS] Simple, secure 0-RTT for the masses

Colm MacCárthaigh <colm@allcosts.net> Wed, 16 March 2016 12:13 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EE49312D928 for <tls@ietfa.amsl.com>; Wed, 16 Mar 2016 05:13:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZKRXS0JZOl9Z for <tls@ietfa.amsl.com>; Wed, 16 Mar 2016 05:13:37 -0700 (PDT)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BABB12D942 for <TLS@ietf.org>; Wed, 16 Mar 2016 05:12:49 -0700 (PDT)
Received: by mail-yw0-x232.google.com with SMTP id h129so58930799ywb.1 for <TLS@ietf.org>; Wed, 16 Mar 2016 05:12:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=kiQITQAKm6ZNG1Os4e3E+rNfBgsCXhAiHoiThOnqMUw=; b=s3uGzCrY1aj78eeBdfxtrL0DEInOOvdCUkA2NLwGrnonojV4DJNHEkQwX+S6QohD4i ZRHeJxiLBTHBPG/WX8Gavm6JCQLVfrydCSNZmMIfeLS5g2HL60slawzetkaLPczjG1V9 8DQjBco2XoMO4m9dkT+WuWTCdTR9mTj3gSUqDlMTUbXaRJpz4ToAfEMRYrWPJcZD6QMP ucVnPb9hmVOdFpnaOaqNZP3LQbSWf5MGjRPdbmhJ9s9VQ0XYexRkzuykldkeJHXGnVLO 6vFljgyRgyLpbucoWT78GusuqYk5p02devRQwRH8YSVzbm062ln/Z/KXcLmiaY+STv2P t29w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=kiQITQAKm6ZNG1Os4e3E+rNfBgsCXhAiHoiThOnqMUw=; b=Q295Ha3AQ6mmXO7yObSCAQ3s+k0JykaGwKejAy5yKk7jCo7Ap/lApF1B+qgMKkZf6x 2QkHyKeOrqK5JMDvqbXNqxwoJn2AJuTgwCdE2kN2MmQcW8Syn4twQkIHV8KXJahslR9B 1Zbh3aiXfpBmJdD9iyeNewtnmozxPAoGew1XlVAtZo1DtKw/a2ST/BhjNwSr0UgHzGuD N5ZTx34VHk6o4hk7azTJWuuTFbmK3fTVlewSl9973XRDRNfc/PRuVJv5YimNweVeDN76 H1mOHBis1Z+RYExjSO+/tJSpjx6BDGKNSWTqOcI6Ti61q0qhAG5DpTP/XVkbxKNLwgeu wt9w==
X-Gm-Message-State: AD7BkJLn+iwxzpMSEdU8whjm5clOvGfoTm3+6wTXPuHfdvYXXvqNYOzfW9qx2NgeulsNWMtLFUg3vaXifrNWzg==
MIME-Version: 1.0
X-Received: by 10.13.192.5 with SMTP id b5mr1578508ywd.114.1458130368186; Wed, 16 Mar 2016 05:12:48 -0700 (PDT)
Received: by 10.129.32.196 with HTTP; Wed, 16 Mar 2016 05:12:48 -0700 (PDT)
In-Reply-To: <20160316081717.GA21439@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAH9QtQGdZ9=XG-Qc5G6amM1pOnBse5jZndL0kExxArWXoQbhsQ@mail.gmail.com> <CAAF6GDegiWr3cWPpQAiVTZ5RhWFg24C-=SB=b=tKVTpaPn3V5g@mail.gmail.com> <CAH9QtQHvrz0guqGeMxD-C1ifCLOvOuADGdeqtCMHkEnRZ=y+hw@mail.gmail.com> <CAAF6GDc+Lnzpx38YT0gvgetb8E9yVsgMkLMh1SB7tu=fw_SK4A@mail.gmail.com> <CAH9QtQF02zwnB6dOGjFfWX2RLc4_RSODFpHaVLZkK_5KDf93sg@mail.gmail.com> <CAAF6GDd0h=1--pViASw3pT5nMAM4SRy2C2hzA6XF7Ba_g+oL4w@mail.gmail.com> <20160316081717.GA21439@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Wed, 16 Mar 2016 08:12:48 -0400
Message-ID: <CAAF6GDcAojmjOwuuwL-Vtk-U2VXa0JyXcqdZaDXrYmEuj=6eEA@mail.gmail.com>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <colm@allcosts.net>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary=001a114e3f98a1fddb052e296ec5
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/acyAJfrg0DzA0lDynY_hixR7twQ>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Simple, secure 0-RTT for the masses
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2016 12:13:42 -0000

On Wed, Mar 16, 2016 at 4:17 AM, Ilari Liusvaara <ilariliusvaara@welho.com>;
wrote:

> > Benefits Forward Secrecy and Idempotence:
> >
> > * Client and server should erase the existing ticket upon use.
> >
> > (a captured early data section is mooted for replay quite quickly in the
> > default "good" case)
>
> The best that can be done w.r.t. "forward secrecy" is to erase the
> decryption-capable key used for 0-RTT on both sides, and never sending
> it on the wire, even encrypted.
>

That's why I favor resuming connections where they left off, and cranking a
PRF to generate new keys; but it's not compatible with tickets at all -
works only with some kind of session store.


> > * Make early data and application data separate record layer content
> types.
> > Make it clear that they do not form a continuous stream; you can't simply
> > concatenate them at the application level and bolt on to existing
> protocols
> > such as HTTP, SMTP, etc.
>
> You mean inner (encrypted) content type, right (outer content type would
> still be 23[TLS PROTECTED DATA]?
>

Yep, sorry.


> > * Advise that clients using 0RTT SHOULD occasionally send duplicate early
> > data handshakes. As a normal part of the protocol, a well behaved client
> > should intentionally do what an attacker might do and send the whole
> > section twice, causing the server to resolve the duplication. Keep the
> > anti-bodies strong.
>
> Such duplication does not occur in attack conditions. The duplication
> from attack conditions takes two forms:
>
> - Duplication of 0-RTT data into 1-RTT data of _different_ connection.
>

I think using a different content type solves this; the early data is
illegal in the 1-RTT phase and the content type would distinguish it.


> - Duplication of 0-RTT data into 0-RTT data of _different_ connection.
>
> In both cases, the connections are different, not the same. And this
> makes a difference if e.g. protocol banners are sent as 0-RTT (and
> such may very well be critical for latency).
>

The client would do what an attacker would; occasionally duplicate the
handshake including early data, so it would use a different connection for
it. The purpose here is to force a kind of "continuous testing in
production" that means the protocol really really does have to have
idempodence solved.

As an aside: an application protocol where latency is so sensitive that
0RTT is attractive would hardly have its own back-and-forth with banners in
the first place.

-- 
Colm