IETF Logo Mail Archive

Re: [TLS] 0.5 RTT

Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 23 February 2016 21:25 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B96E01B334D for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 13:25:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T5kjPwv1Lg1k for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 13:25:05 -0800 (PST)
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com [IPv6:2a00:1450:4010:c07::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FF7B1B3349 for <tls@ietf.org>; Tue, 23 Feb 2016 13:25:04 -0800 (PST)
Received: by mail-lf0-x233.google.com with SMTP id l143so124271263lfe.2 for <tls@ietf.org>; Tue, 23 Feb 2016 13:25:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=COjdTfzaET0sBC2v5bOKzwog45KYLUswpm36IaeSAyw=; b=ae8eotztN3tvdjP0KoGY86YnrL2ec10hG9/tMoF4FcFoJO2UEkD66USRDJ/tuwGeTv jvqUVP8V99iSOPE85ZXGmkDs3Y0GlBjCImu78DV7KGyu9kt9N+W5e90NLrHLB8EpX0ZK J58ziEfHKy0kB+DcH7+m2DubAvTH6hZSoXh4n3YJHwRLISnOwjGpgb0kwVBUvP5/NNDR rf01sIZ7tn0Tp43SJgWtKtphoBsPsHWSJrUIErVrVoSf64D3+d4M2CJP2c95O6KmYexL M0yu0IGgN5IhMx0kZVftiagfe1IJD8KGT3D/fOr2RfLrkWibEkqQ1a7K8/RLSbi6+1K2 tfyQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=COjdTfzaET0sBC2v5bOKzwog45KYLUswpm36IaeSAyw=; b=D4AWUpgoVs5isUw6hLlBWLkPzi9iyzJOkoiamLWZ7wqwLjUlniZF4CAx50bCpoMIaY YtbYTASRklkYtled+34GN8LjnsEhYD1WKlI1TWVvz2eVhNd3zlSPO8EsKtX9QAzR8Qo1 Vta+pf1GPnXveAp+KzsQ/dE+9yn48eyrhN7WiRYlMEwfFZkj5504oxZZ/Ai8pjeEpV87 Fj3rpwg1GKh+mu99UQUiuH+S2jlNIiaMJ6WWg7zfrILP2uPtUlGgozRz1Yi7dTZOpInd kbWhLbCpGRwX6VelYJAititRV9Hkna8O3VDxEsFOY6/HJlS7CTxXQRNHW6RUEMX0mpCd r/6Q==
X-Gm-Message-State: AG10YOR3J9R1kn4+uSo5AnTTOvkk1GZi90q1k8Kx36pN3bOf1B65Zc7IeqIFdSRaHxMFy2TECK6VZKkKywQfqw==
X-Received: by 10.25.21.90 with SMTP id l87mr12984477lfi.64.1456262702766; Tue, 23 Feb 2016 13:25:02 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.31.18 with HTTP; Tue, 23 Feb 2016 13:24:33 -0800 (PST)
In-Reply-To: <8FA1A0FD-B911-474F-AC08-6208A80EB980@gmail.com>
References: <CABkgnnW1LRhSA_i0nL=rDYnUwBZWg5dSys7yk6aDefYWptnpZQ@mail.gmail.com> <8FA1A0FD-B911-474F-AC08-6208A80EB980@gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 23 Feb 2016 16:24:33 -0500
X-Google-Sender-Auth: pTR4lhOQztK7Bkyf4mKiOKK8J68
Message-ID: <CADi0yUPOEL++R+_Nhy4NTfhzsA6UjbVbMAEiPx1Qg9+vPPHt7g@mail.gmail.com>
To: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Content-Type: multipart/alternative; boundary="001a113d9b54191f82052c76959b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/d3Ao60q3Ht4w98gM4xfztSfkrJc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0.5 RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 21:25:07 -0000

On Tue, Feb 23, 2016 at 3:49 PM, Karthikeyan Bhargavan <
karthik.bhargavan@gmail.com> wrote:

> There are some fears about 0.5-RTT data that do not necessarily apply to
> post-client authentication, at which point at least both parties have sent
> their Finished messages.
>
> When the server is sending 0.5-RTT data, this is effectively false-start;
> the client hasn’t confirmed its choice of ciphersuites yet, and downgrade
> attacks may become possible.
> To be principled, we should look at the current browser best practices for
> false start and  make sure that 0.5-RTT data abides by them.
> For example, one may argue that 0.5-RTT is actually a bit worse than
> false-start in TLS 1.2  where at least the peer’s presence and DH key has
> been authenticated before false start data is sent.
> There is no such guarantee in 0.5-RTT.
>
> The question is whether this is just a server-side concern, or does the
> client need to be aware of 0.5-RTT.
> I don’t know the answer to that, but if we wanted to setup a 0.5-RTT rule,
> I would say that it should *only*
> be sent during PSK-resumption handshakes, because the PSK authenticates
> the peer, and because
> the server is likely responding to some 0-RTT data sent by the client/
>
> Again maybe this breaks some server push scenarios that I am not aware of.
>
> Best,
> Karthik
>
> PS: The OPTLS proof does not require ClientFinished, but they do not
> consider downgrades or client auth.
>

​That's right, we do not consider downgrades or client authentication but
Martin's suggestion explicitly only applies to the case​ where the server
does not require client authentication so the analysis holds in that case.
As for downgrades, this will be discovered by the server when receiving the
client's Finished message. So the only problem I see is that the server
might have been "tricked" to send the 0.5-RTT data with less protection
than intended by the (honest) client. But for that there is no need for
downgrade. The attacker could have generated the exchange with the weaker
ciphersuite by himself (acting as a client). If the server accepts that
ciphersuite it means he is willing to send that particular data with that
level of security to *anyone*. That is the meaning of not requiring client
authentication.

​One useful feature of client's finished is to catch 0-RTT replays. But
even then I am not sure what damage can be done to the 0.5 data. Either the
attacker knows the client's keying material (say PSK) and can generate the
client finished by himself or he doesn't know that keying material but then
it cannot decrypt 0.5 data.

Am I missing something on these particular points?



       On the whole, cryptographers including the authors of OPTLS would be
> happier with 0.5-RTT keys
>        not being the same as 1-RTT keys. Again, so far, this is a matter
> of taste and proof modularity.
>


​Agreed.

Hugo

​


> > On 23 Feb 2016, at 11:27, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> >
> > Karthik raised some concerns here, and I think that we have some
> > thinking to do.  But I don't think that it is intractable, nor even
> > hard, to reason about this problem.
> >
> > The only thing that the client's second flight provides is
> > authentication.  The Finished isn't needed if there is no client auth
> > [P].  Hugo's presentation at TRON did not include a client Finished in
> > the earlier, simpler examples.
> >
> > Thus, based on Watson's observation that the client authentication is
> > removable, we might conclude that the handshake is complete from the
> > perspective of a server that does not require client authentication.
> > There are still reasons we might like to keep the client
> > authentication in the handshake, but those are decisions we can make
> > on engineering grounds.
> >
> > If post-handshake client authentication is OK, then 0.5 RTT is equally
> > OK [X].  I would assert that any decision about changing keys after
> > the client Finished applies to post-handshake client auth (or vice
> > versa).
> >
> > If that logic is sound, then I see no reason we can't have some very
> > simple advice:
> >
> >  1. if the server does not request client authentication, it can send
> > application data immediately following its Finished
> >
> >  2. if the server requests client authentication, it MUST NOT send
> > application data until it receives and validates the client's first
> > flight.  UNLESS the server is certain that the data it sends does not
> > depend on the client's identity (that is, it would send this
> > application data to anyone).
> >
> >> From an API perspective, I believe that we should recommend that there
> > be a separate function for sending in condition 2, just as we are
> > going to recommend that there is a separate function for sending 0-RTT
> > data (as well as there being one to receive on the server end).
> >
> > Based on this, we should recommend different points in time for the
> > server API to report that the handshake is "complete" at a server.  In
> > condition 1, the handshake is complete after the server Finished is
> > sent; in condition 2, the handshake is complete after the client
> > Finished is received.
> >
> >
> > [P] Note that a client Finished does confirm a PSK.  Though you might
> > reasonably argue that successfully generating valid application data
> > works equally well in that regard.
> > [X] Post-handshake client authentication has only been analyzed very
> > lightly, so we have to caveat that statement too.
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email