IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 02 May 2017 17:37 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7D1112EC4E for <tls@ietfa.amsl.com>; Tue, 2 May 2017 10:37:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KqLmIVNtJZGs for <tls@ietfa.amsl.com>; Tue, 2 May 2017 10:37:01 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6772F131495 for <tls@ietf.org>; Tue, 2 May 2017 10:33:39 -0700 (PDT)
Received: from vpro.lan (cpe-74-71-8-253.nyc.res.rr.com [74.71.8.253]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 2DA4E7A32F1; Tue, 2 May 2017 17:33:38 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com>
Date: Tue, 02 May 2017 13:33:37 -0400
Reply-To: TLS WG <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <C29356B3-6D71-4088-9AB3-4954327F1E7B@dukhovni.org>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dF2ev_D9iyJNqhHV2Wqm4NyDAZc>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2017 17:37:04 -0000

> On May 2, 2017, at 10:44 AM, Colm MacCárthaigh <colm@allcosts.net> wrote:
> 
> https://github.com/tlswg/tls13-spec/issues/1001
> 
> I'll summarize the summary: Naturally the focus was on forward secrecy and replay. On forward secrecy the main finding was that it's not necessary to trade off Forward Secrecy and 0-RTT. A single-use session cache can provide it, and with the modification that ekr has created in https://github.com/tlswg/tls13-spec/pull/998 , such a cache works for both pre-auth and post-auth tickets, and it allows clients to build up pools of meaningfully distinct tickets.
> 
> There's also an observation there that it should really be that clients "MUST" use tickets only once. Any re-use likely discloses the obfuscated ticket age, which is intended to be secret. Right now it's a "SHOULD".

Well, just a few days ago there was a discussion of ticket re-use, and
I was re-assured that ticket re-use was likely to going to work just fine...

   https://www.ietf.org/mail-archive/web/tls/current/threads.html#23035

TLS is a general-purpose protocol, used broadly beyond just the browser space.
With TLS in SMTP there's no demand or need for 0-RTT and server resources are
often more constrained than you'd find on a CDN server farm.  Repeat connections
are spaced further apart, and session lifetimes are longer (Postfix defaults to
an hour).

For Postfix, going back to a server-side session *increases* risk of loss of
forward secrecy, because bulky server-side session objections are written out
an on disk database, and e.g. with LMDB (a COW database) may take a long time
to be deleted.  By contrast session ticket encryption keys (STEKs) are small,
kept in memory, and are overrwritten and freed after ~2 hours.

Going back to server-side sessions would reduce resumption security for Postfix,
and would make servers more susceptible to DoS through cache exhaustion.

On the client side, non-reusable tickets would require substantially more complex
cache designs, and probably significant changes in the session APIs and internals
of TLS toolkits rather late in the evolution of the TLS 1.3 support code.

I am far from convinced that the effort would not be better spent improving STEK
key management in TLS server farms, which will need to support TLS 1.2 in parallel
with TLS 1.3 for quite a long time (likely a decade or more).

I believe that the proposed change is well intentioned but counter-productive.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email