IETF Logo Mail Archive

Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?

Dave Garrett <davemgarrett@gmail.com> Fri, 19 February 2016 23:15 UTC

Return-Path: <davemgarrett@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FEA41B3625 for <tls@ietfa.amsl.com>; Fri, 19 Feb 2016 15:15:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KL69raRpJFOu for <tls@ietfa.amsl.com>; Fri, 19 Feb 2016 15:15:12 -0800 (PST)
Received: from mail-yw0-x22a.google.com (mail-yw0-x22a.google.com [IPv6:2607:f8b0:4002:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A48431B3623 for <tls@ietf.org>; Fri, 19 Feb 2016 15:15:12 -0800 (PST)
Received: by mail-yw0-x22a.google.com with SMTP id e63so79206416ywc.3 for <tls@ietf.org>; Fri, 19 Feb 2016 15:15:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:to:subject:date:user-agent:cc:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=HLpWK/6E6EilM5odBmPn2n2l3S4UPWL2WxXp/toy6ko=; b=VuJbyqxqIPKnEtz1mbUegME9cVHP33E8Cl+39bMhevOfa+G8Dlm/aQTSD3dVkxLti6 kQA8k9FBHG292D+kef+k+zlt0SrUXPXSQtyic2wC1C+ivP4mBPjH0dxxDO2+V55Ka2ly ILUbnJ9ro4cd/aWE7c0MWFW1ViuIuVDVfas45DvDRF/Z3Ystb+wGw1M0NNoyBkPY1Jvk mWzRIHVhGdpb2hVolurebasqi5NcpvqGR+NUQv/tJQXR+p2ZXhr/Uzvqu8ns4dWtgfec 9Grz8+6w7U+7P0Xh/xJkz1qTwRMbHNtblfLuqe8uliZnyliAc5D8DZvGygfEcmXrrI+0 +KFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:date:user-agent:cc:references :in-reply-to:mime-version:content-type:content-transfer-encoding :message-id; bh=HLpWK/6E6EilM5odBmPn2n2l3S4UPWL2WxXp/toy6ko=; b=iS6RodbUwExf8y2xA3tm3j1SpPKosMLeMUZlOGI5UxLNGMi854F8rnW3jnjhssnm+i yuMh00JeyeNPHkePBPNGscJEcpzB7fAeMvDYvAHOk+xnO1xK0WepSnR0uLHQ38g6blbF KmRDEzrsIjwmbd0EZws8tZM+t/i+ZOtjMi81gP0pMUJ6owDURQapl7VKHtT2zz3fafIL m+4IDY3t2BzxGn7I0/amEu4r/3uwEqc++RlgwcW3oFFsGFfa0Usb5ojuDTfCDW6pvuyK 0EDkTGJL4mqhvwJXPuU/AGIJBiByu2krxHNn+OG5lVdqNku5jT/58yAFMRlR+1CaKZr2 E5HA==
X-Gm-Message-State: AG10YORv9F55v/Gpzy0G1PVCK0yt7raudO2xcTOrOhoEYblxsd0bxVWlS2FN0MOkvH13Aw==
X-Received: by 10.129.44.194 with SMTP id s185mr8713347yws.34.1455923711850; Fri, 19 Feb 2016 15:15:11 -0800 (PST)
Received: from dave-laptop.localnet (pool-71-175-20-227.phlapa.fios.verizon.net. [71.175.20.227]) by smtp.gmail.com with ESMTPSA id g128sm10350491ywg.33.2016.02.19.15.15.11 (version=TLS1 cipher=AES128-SHA bits=128/128); Fri, 19 Feb 2016 15:15:11 -0800 (PST)
From: Dave Garrett <davemgarrett@gmail.com>
To: Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Date: Fri, 19 Feb 2016 18:15:09 -0500
User-Agent: KMail/1.13.5 (Linux/2.6.32-74-generic-pae; KDE/4.4.5; i686; ; )
References: <CABcZeBMFE24o-F7JO8E2=xFmasR3iqabZhn6Qv4fw+ihYfTc6g@mail.gmail.com> <201602191708.20869.davemgarrett@gmail.com> <CABcZeBNwaLUgDoZZuk9ZQR9bOU2t-0DvC-jRoyMuzCuKmJ+yiw@mail.gmail.com>
In-Reply-To: <CABcZeBNwaLUgDoZZuk9ZQR9bOU2t-0DvC-jRoyMuzCuKmJ+yiw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Message-Id: <201602191815.10375.davemgarrett@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/bxQB3WtnLNuyLccsK_lgRu9HFLk>
Subject: Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 23:15:14 -0000

On Friday, February 19, 2016 05:24:25 pm Eric Rescorla wrote:
> My impression is exactly the opposite. All the infrastructure to PSK-resumption and
> hence PSK-0RTT is already in place for TLS 1.2. And of course PSK-resumption
> is also much faster.

That's good to hear. The perf advantage is why I'm not advocating dropping it; merely saying that I too would prefer a single method if it didn't loose capability. Dropping PSK resumption drops less than dropping DHE 0RTT, but keeping both seems like the best option at the moment.

> On Fri, Feb 19, 2016 at 3:08 PM, Dave Garrett <davemgarrett@gmail.com> wrote:
> > It would mean that TLS only has 0RTT resumption and not actually have any 0RTT sessions.
> 
> Why do you think that this makes a material difference?

One of the fundamental complaints about TLS, performance-wise, is the added round trip time over plaintext. That's why the WG made a point to focus on adding 0RTT in the first place. Someone considering upgrading from HTTP to HTTPS generally has this concern (or any other protocol to a variant over TLS). With only PSK resumption, we can still always have a 1RTT hit on first connection, and revert to that after the session is considered expired. With DHE 0RTT we have a longer term config that could allow for more generic caching and distribution and thus not have to get that 1RTT hit in many scenarios.

The lack of a current ability to easily distribute a new config system should not be used as evidence against creating a new config system that we would want to create a way to easily distribute. Even dumping the top few dozen sites' 0RTT DHE config into a static file in a client update would be a noticeable improvement over not doing so. Coming up with a better method can come next.

People should be using TLS or encryption in general as a matter of responsibility, but they don't. Softening *all* barriers to them upgrading is very necessary to get more to switch. 0RTT PSK only gets rid of a delay in continuing a session, which in some use-cases might be minimally noticeable. 0RTT DHE allows for a first-connect with comparable speed to plaintext (in scenarios where 0RTT data is safe, namely most HTTP). Within the context of HTTP, which is singled out as a focus in the TLS WG charter, 0RTT DHE will provide a more noticeable latency reduction in comparison to 0RTT PSK only.

Another issue is that of privacy with session resumption. If the only way to get 0RTT is to keep sessions alive, then clearing that cache on the client side costs a future 1RTT. You can, however, cache 0RTT DHE configs safely for a longer time because they are not specific to the user agent. (we should probably narrow the spec to state that configs SHOULD NOT be per-client) In order to reliably get 0RTT without DHE configs, applications/services would need to cache PSK resumption sessions for as long as possible, which leaves a distinct per-user marker on both the client and server. Anyone trying to optimize away the 1RTT hit of first-connect will be required to maintain a system that keeps more user identifiable information than we should want.


Dave

v2.23.0 | Report a Bug | By Email