IETF Logo Mail Archive

[TLS] Do we actually need semi-static DHE-based 0-RTT?

Eric Rescorla <ekr@rtfm.com> Fri, 19 February 2016 01:04 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4F7E1A871E for <tls@ietfa.amsl.com>; Thu, 18 Feb 2016 17:04:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, J_CHICKENPOX_12=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xxj0UtaRYRRy for <tls@ietfa.amsl.com>; Thu, 18 Feb 2016 17:04:45 -0800 (PST)
Received: from mail-yw0-x234.google.com (mail-yw0-x234.google.com [IPv6:2607:f8b0:4002:c05::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9950E1A871B for <tls@ietf.org>; Thu, 18 Feb 2016 17:04:45 -0800 (PST)
Received: by mail-yw0-x234.google.com with SMTP id g127so56006942ywf.2 for <tls@ietf.org>; Thu, 18 Feb 2016 17:04:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to:content-type; bh=E7KZCaKsrxIRdYo0NOiqLFhVRMo17zFm+ycC/EiB1TA=; b=FniVcWrhlqpndsOeDyuNT44en3K62iSrAZJUrPDFcx8p5R/M9jtSE6O3NruEpwm7jS bjnf1v83BtY94U+15VAuospCoV2YwfOta1yi6SEKfdioKkjr54cyfYnFliNo9f13zeQ6 1KHcxOsi32AXV8MmTMaLYYqfCUKw3tCegrhrhkAUkrWjdUAeYk8LRfYlzk64nrpqzQ0A v7amKIOI39ClIjHXpItbsFwFHCh7E23TERes4x/CJyUV6LnrbENGXOAS4HEc8nV6HJAd miZqebMkmg/GzjorZ9lm31/MYileQ4iIEfaJOcypU8a4SBgT9+EAxVodazM6QZnkoLdL EiPA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=E7KZCaKsrxIRdYo0NOiqLFhVRMo17zFm+ycC/EiB1TA=; b=jMN15KLL+bCaVOF9+rJ6WjYcWgzJ8hLYQuI1gdcVBZJPWP5ePe9WYUBfldTh5Lq2dg yNEwmgUdGqJpVBas81dUPXbps/frWhkCSxvXdya/gnIV/ZJaJ/HkVu1LJfzHIVaueeZq tA/bhQw7z0do90mlBs6AljmNUn1Yrb7TwiefdoC13sLjSVWS1TJfX0JlP+nNICw6jUeR FryramprZOCVc0E8OmFxfgCmvE/ZBG+ymgT640wy7NmAYf+xHoPfBdVoSB4u7tA5EWTt eYfv1viZgxe965ksM/zZlEhpjMv511zgvSTEL3+Ab0+6BeUfvdLE/vQjatULjBviQvyV Iq4Q==
X-Gm-Message-State: AG10YOREtPRU/PWQLDWltaF8qyUhSSmr6Ezq3Sp/5M0BR3gKrYaJwcERYMUOMIT8tdYgJ3lik8ENPMVi//GlCQ==
X-Received: by 10.129.79.209 with SMTP id d200mr5966787ywb.115.1455843884916; Thu, 18 Feb 2016 17:04:44 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Thu, 18 Feb 2016 17:04:05 -0800 (PST)
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 18 Feb 2016 18:04:05 -0700
Message-ID: <CABcZeBMFE24o-F7JO8E2=xFmasR3iqabZhn6Qv4fw+ihYfTc6g@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114bbc969c10b4052c1511b8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/c43zNQH9vGeHVnXhAb_D3cpIAIw>
Subject: [TLS] Do we actually need semi-static DHE-based 0-RTT?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 01:04:47 -0000

TL;DR.
Should we remove the semi-static DHE 0-RTT mode and just leave
the PSK and PSK-DHE 0-RTT modes?


DETAIL
This is the last in the series of messages about changes to consider.

TLS 1.3 currently supports two 0-RTT modes:

- A semi-static Diffie-Hellman mode in which the server provides
  a long-term DH share and the data is protected under the client's
  ephemeral DH share and the server's long-term DH share.

- A PSK mode in which the client and server establish a shared
  key in handshake #1 and then they use that to encrypt 0-RTT
  data in handshake #2. And of course you can use tickets.
  [Note that this isn't as completely specified as one might
  like, but as there is agreement that this should work, we
  need to fully specify it. I'm working on implementing it now
  and this should help flush out issues.]

A number of people have independently observed that semi-static DHE
for 0-RTT is not clearly better than DHE-PSK for 0-RTT and suggested
that we limit 0-RTT to PSK and DHE-PSK [0], so I figured it was
something we should disuss. Obviously this is a significant
simplification, while still a big improvement over TLS 1.2-style
resumption because it allows PFS and 0-RTT.


Aside from simplicity, there are two major other considerations
here: PFS and public "priming".

PFS
In the semi-static mode, the 0-RTT client data is encrypted under g^xs
and the server's application data and any 1-RTT client app data is
encrypted under both g^xy and g^xs, so you get PFS for any 1-RTT data
but not for 0-RTT data, because as long as the server has s floating
around, there is a risk that the attacker can attack the server,
recover s, and decrypt any of the 0-RTT data.

In PSK-DHE mode, the 0-RTT data is encrypted under the shared
resumption master secret (r) and then the 1-RTT data is encrypted
under both r and g^xy, so you get PFS for any 1-RTT data
but not for 0-RTT data, because as long as the server has s floating
around, there is a risk that the attacker can attack the server,
recover s, and decrypt any of the 0-RTT data. If we assume that
the server uses tickets, then r isn't stored but encrypted under
some master key m.

They key point is that in both cases the server has a long-term key
floating around which is a risk to PFS. But the concerns are basically
the same for m and s, so you can pretty much keep them around with the
same kind of lifetime.

As Adam Langley points out, the *client* has to store a long-term
secret (r) in the DHE-PSK mode and if that is compromised, then an
attacker can decrypt the 0-RTT data and potentially mount an active
attack on future connections. This is a pretty qualitatively lower
risk from compromise of the server's long-term DHE key.


PUBLISHED CONFIGURATIONS
The semi-static mode in principle allows the server to publish its
configuration (i.e., it's semi-static key), e.g., via DNS, which the
client can then use for 0-RTT handshakes on first contact. However,
recent conversations (especially with the guys from Cloudflare) have
convinced me that this probably isn't useful: DNS TXT record
penetration rates are really bad and all the other proposed mechanisms
are also pretty problematic. For the few protocols where I was
thinking that this sort of priming was attractive, it turns out not to
work well or to have other easier workarounds.


WHAT ARE THE OPTIONS
1. Simply leave things as-is.
2. Just remove 0-RTT semi-static DHE
3. Remove 0-RTT semi-static DHE *and* 0-RTT client auth
   (on the theory that tickets let you carry it across connections).

Obviously #3 is the biggest change, but also the biggest simplification.
Both #2 and #3 are basically subsets of the existing protocol.

In addition, if we decide to make this change, we should probably
consider having some way for the client to indicate 0-RTT PSK-DHE but
force the server to do a signature (thus proving possession of the
signature key). I can think of a number of ways to design this easily,
however.

In terms of the way forward, if we can agree on a general strategy,
I'll work up proposed text.

Thanks,
-Ekr


[0] I've heard this suggested at one time or another by
Watson Ladd, Cloudflare, and the INRIA/MSR Cambridge group.

v2.23.0 | Report a Bug | By Email