[TLS] Do we actually need semi-static DHE-based 0-RTT?
Eric Rescorla <ekr@rtfm.com> Fri, 19 February 2016 01:04 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4F7E1A871E for <tls@ietfa.amsl.com>; Thu, 18 Feb 2016 17:04:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xxj0UtaRYRRy for <tls@ietfa.amsl.com>; Thu, 18 Feb 2016 17:04:45 -0800 (PST)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9950E1A871B for <tls@ietf.org>; Thu, 18 Feb 2016 17:04:45 -0800 (PST)
Received: by mail-yw0-x234.google.com with SMTP id g127so56006942ywf.2 for <tls@ietf.org>; Thu, 18 Feb 2016 17:04:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to:content-type; bh=E7KZCaKsrxIRdYo0NOiqLFhVRMo17zFm+ycC/EiB1TA=; b=FniVcWrhlqpndsOeDyuNT44en3K62iSrAZJUrPDFcx8p5R/M9jtSE6O3NruEpwm7jS bjnf1v83BtY94U+15VAuospCoV2YwfOta1yi6SEKfdioKkjr54cyfYnFliNo9f13zeQ6 1KHcxOsi32AXV8MmTMaLYYqfCUKw3tCegrhrhkAUkrWjdUAeYk8LRfYlzk64nrpqzQ0A v7amKIOI39ClIjHXpItbsFwFHCh7E23TERes4x/CJyUV6LnrbENGXOAS4HEc8nV6HJAd miZqebMkmg/GzjorZ9lm31/MYileQ4iIEfaJOcypU8a4SBgT9+EAxVodazM6QZnkoLdL EiPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=E7KZCaKsrxIRdYo0NOiqLFhVRMo17zFm+ycC/EiB1TA=; b=jMN15KLL+bCaVOF9+rJ6WjYcWgzJ8hLYQuI1gdcVBZJPWP5ePe9WYUBfldTh5Lq2dg yNEwmgUdGqJpVBas81dUPXbps/frWhkCSxvXdya/gnIV/ZJaJ/HkVu1LJfzHIVaueeZq tA/bhQw7z0do90mlBs6AljmNUn1Yrb7TwiefdoC13sLjSVWS1TJfX0JlP+nNICw6jUeR FryramprZOCVc0E8OmFxfgCmvE/ZBG+ymgT640wy7NmAYf+xHoPfBdVoSB4u7tA5EWTt eYfv1viZgxe965ksM/zZlEhpjMv511zgvSTEL3+Ab0+6BeUfvdLE/vQjatULjBviQvyV Iq4Q==
X-Gm-Message-State: AG10YOREtPRU/PWQLDWltaF8qyUhSSmr6Ezq3Sp/5M0BR3gKrYaJwcERYMUOMIT8tdYgJ3lik8ENPMVi//GlCQ==
X-Received: by 10.129.79.209 with SMTP id d200mr5966787ywb.115.1455843884916; Thu, 18 Feb 2016 17:04:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Thu, 18 Feb 2016 17:04:05 -0800 (PST)
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 18 Feb 2016 18:04:05 -0700
Message-ID: <CABcZeBMFE24o-F7JO8E2=xFmasR3iqabZhn6Qv4fw+ihYfTc6g@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114bbc969c10b4052c1511b8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/c43zNQH9vGeHVnXhAb_D3cpIAIw>
Subject: [TLS] Do we actually need semi-static DHE-based 0-RTT?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 01:04:47 -0000
TL;DR. Should we remove the semi-static DHE 0-RTT mode and just leave the PSK and PSK-DHE 0-RTT modes? DETAIL This is the last in the series of messages about changes to consider. TLS 1.3 currently supports two 0-RTT modes: - A semi-static Diffie-Hellman mode in which the server provides a long-term DH share and the data is protected under the client's ephemeral DH share and the server's long-term DH share. - A PSK mode in which the client and server establish a shared key in handshake #1 and then they use that to encrypt 0-RTT data in handshake #2. And of course you can use tickets. [Note that this isn't as completely specified as one might like, but as there is agreement that this should work, we need to fully specify it. I'm working on implementing it now and this should help flush out issues.] A number of people have independently observed that semi-static DHE for 0-RTT is not clearly better than DHE-PSK for 0-RTT and suggested that we limit 0-RTT to PSK and DHE-PSK [0], so I figured it was something we should disuss. Obviously this is a significant simplification, while still a big improvement over TLS 1.2-style resumption because it allows PFS and 0-RTT. Aside from simplicity, there are two major other considerations here: PFS and public "priming". PFS In the semi-static mode, the 0-RTT client data is encrypted under g^xs and the server's application data and any 1-RTT client app data is encrypted under both g^xy and g^xs, so you get PFS for any 1-RTT data but not for 0-RTT data, because as long as the server has s floating around, there is a risk that the attacker can attack the server, recover s, and decrypt any of the 0-RTT data. In PSK-DHE mode, the 0-RTT data is encrypted under the shared resumption master secret (r) and then the 1-RTT data is encrypted under both r and g^xy, so you get PFS for any 1-RTT data but not for 0-RTT data, because as long as the server has s floating around, there is a risk that the attacker can attack the server, recover s, and decrypt any of the 0-RTT data. If we assume that the server uses tickets, then r isn't stored but encrypted under some master key m. They key point is that in both cases the server has a long-term key floating around which is a risk to PFS. But the concerns are basically the same for m and s, so you can pretty much keep them around with the same kind of lifetime. As Adam Langley points out, the *client* has to store a long-term secret (r) in the DHE-PSK mode and if that is compromised, then an attacker can decrypt the 0-RTT data and potentially mount an active attack on future connections. This is a pretty qualitatively lower risk from compromise of the server's long-term DHE key. PUBLISHED CONFIGURATIONS The semi-static mode in principle allows the server to publish its configuration (i.e., it's semi-static key), e.g., via DNS, which the client can then use for 0-RTT handshakes on first contact. However, recent conversations (especially with the guys from Cloudflare) have convinced me that this probably isn't useful: DNS TXT record penetration rates are really bad and all the other proposed mechanisms are also pretty problematic. For the few protocols where I was thinking that this sort of priming was attractive, it turns out not to work well or to have other easier workarounds. WHAT ARE THE OPTIONS 1. Simply leave things as-is. 2. Just remove 0-RTT semi-static DHE 3. Remove 0-RTT semi-static DHE *and* 0-RTT client auth (on the theory that tickets let you carry it across connections). Obviously #3 is the biggest change, but also the biggest simplification. Both #2 and #3 are basically subsets of the existing protocol. In addition, if we decide to make this change, we should probably consider having some way for the client to indicate 0-RTT PSK-DHE but force the server to do a signature (thus proving possession of the signature key). I can think of a number of ways to design this easily, however. In terms of the way forward, if we can agree on a general strategy, I'll work up proposed text. Thanks, -Ekr [0] I've heard this suggested at one time or another by Watson Ladd, Cloudflare, and the INRIA/MSR Cambridge group.
- [TLS] Do we actually need semi-static DHE-based 0… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Bill Cox
- Re: [TLS] Do we actually need semi-static DHE-bas… Salz, Rich
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Scott Fluhrer (sfluhrer)
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- [TLS] Mass 0RTT of subresources with no prior kno… Dave Garrett
- Re: [TLS] Mass 0RTT of subresources with no prior… Martin Thomson
- Re: [TLS] Mass 0RTT of subresources with no prior… Dave Garrett
- Re: [TLS] Mass 0RTT of subresources with no prior… Eric Rescorla
- Re: [TLS] Mass 0RTT of subresources with no prior… Ilari Liusvaara
- Re: [TLS] Do we actually need semi-static DHE-bas… Nick Sullivan