[TLS] Is stateless HelloRetryRequest worthwhile? (was Re: TLS 1.3 Problem?)

Michael D'Errico <mike-list@pobox.com> Wed, 30 September 2020 05:11 UTC

Return-Path: <mike-list@pobox.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B67A53A1208 for <tls@ietfa.amsl.com>; Tue, 29 Sep 2020 22:11:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pobox.com header.b=BFoHAlvy; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=d7auK6aP
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uvSBjyfa1pMH for <tls@ietfa.amsl.com>; Tue, 29 Sep 2020 22:11:47 -0700 (PDT)
Received: from wout1-smtp.messagingengine.com (wout1-smtp.messagingengine.com [64.147.123.24]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 533513A1209 for <tls@ietf.org>; Tue, 29 Sep 2020 22:11:46 -0700 (PDT)
Received: from compute7.internal (compute7.nyi.internal [10.202.2.47]) by mailout.west.internal (Postfix) with ESMTP id 25A0F54C for <tls@ietf.org>; Wed, 30 Sep 2020 01:11:46 -0400 (EDT)
Received: from imap21 ([10.202.2.71]) by compute7.internal (MEProxy); Wed, 30 Sep 2020 01:11:46 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pobox.com; h= mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm1; bh=TfxfS STBk2YZgsC4ejNW5PVG0dJLpRw58qgklzJ6cbE=; b=BFoHAlvyPNi9F4B5MShql 9fBk06wZR75G+TemRPfHTY8H2GRR8u9Gg5xCtM2dr0pPyeFRKC1d19Spe7cXodzV BBIcdmSzq682cgDoBWJBuua3D0f2MjQLfXXNmeFTva8wZNsIpFIoi9Xcwnvfeq1j aGp+T4Uu1N7cvA4rnYKnmi5luYuuUeJE0ljaSDU+X/oG4sjimHCVUMPRt/3WsY+1 GI6z6TeRUzIHJ40QoAeaQtBzPhv5BMEBCw4xSaOlEaxE/fTBTwuVb98ZWspPGniN 64BwrNfClMcoinbM/mWfRcvv0Z8pjXqGK8l4O1lvMSY+gDpDjpSLGdE8kozSIQpO w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=TfxfSSTBk2YZgsC4ejNW5PVG0dJLpRw58qgklzJ6c bE=; b=d7auK6aPsm+JcgDVhKUL4J/lZVmrcFZAhTBuCS9eFgbMgEdlpdkYXn7Mg a55/Ay361F1q7L4THv568B4o0lnE4QL7oh38jjMRXkaNxCx/UDJ7+5V2Y90Y+G1/ HKQz+PuNJS9sMCsFHG4hoWi0HbjW+ISgoFulz6+gdQehKIQ4uSG9ugJr5KhOlIyM HT4vgmwzSg75iXkwYC68c1q/hLSRmUv6mhEjF5PF7a437MkaXcvmSLqcLCzF4mkJ h86oSg3LdllMsnkwoSrnVn+7sc4YG55cm7IC5+j/t77Gs5NmOr/eY8YaPG3ob3VD LHdybkDdX1RgCZ720hVAcuUwPdxiw==
X-ME-Sender: <xms:kRN0X1x3oarkv_yMBDVvCM5-1IvEpZc9MUCHCK2gI6bP7w1Sz2eXjg> <xme:kRN0X1SWwtCQCyLWjyrU9Y2vvJtPi2ZfJJZB7Zyri2lZqi9Ln20MZCZu7jqsew6_3 va4kqfXh-K5GuUKcg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrfedtgdeludcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgsehtqh ertderreejnecuhfhrohhmpedfofhitghhrggvlhcuffdkgfhrrhhitghofdcuoehmihhk vgdqlhhishhtsehpohgsohigrdgtohhmqeenucggtffrrghtthgvrhhnpedutedtkeegle etveeufeeuheejleduvdehheduudethefffeehkeeuueeugfffueenucevlhhushhtvghr ufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehmihhkvgdqlhhishhtsehpoh gsohigrdgtohhm
X-ME-Proxy: <xmx:kRN0X_XRuRpfi9QWrVJkLsBXti_-ao414zTpG846RLt1ymJxG_6Y5Q> <xmx:kRN0X3jvf5wKBB-RjMHjYTe8lWmm2Hv9EyWEqF-FC2yY1CkXppObgw> <xmx:kRN0X3CKgqJlJFXKvNHMfqZwFCLAnzVwl2LYto90Wz4nUQ5fH-ROYQ> <xmx:kRN0X6Pxjjiq6jFXq2jVqwN-o6wHnvMkn2LjLj4WS_DqHbM7tyIZ8A>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 30A4F660069; Wed, 30 Sep 2020 01:11:37 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-382-ge235179-fm-20200928.002-ge2351794
Mime-Version: 1.0
Message-Id: <3b48fa2d-f923-40ee-a93f-e0896a96fc1b@www.fastmail.com>
In-Reply-To: <24f5cd7e-4fff-ce47-f9d9-840dff3f23aa@pobox.com>
References: <0c31f2d6-5f8e-2fd6-9a1a-08b7902dd135@pobox.com> <AM0PR08MB37164F2D0E0CE5FB6D62D461FA350@AM0PR08MB3716.eurprd08.prod.outlook.com> <1c7e2f31-8a9e-4bd8-9e80-ab18ebeb609f@www.fastmail.com> <CACsn0cmbDz3ML8o5moAacqfXqYQo-Hqi53XQL6UoGYcZBwy-Mg@mail.gmail.com> <96777977-7707-4311-9876-ca3d53f57f3e@www.fastmail.com> <9b2bb784-5895-bc8a-fae5-1c2056972f97@pobox.com> <eaace566-4fe2-4e86-8382-e0583ce43435@www.fastmail.com> <24f5cd7e-4fff-ce47-f9d9-840dff3f23aa@pobox.com>
Date: Wed, 30 Sep 2020 01:11:20 -0400
From: "Michael D'Errico" <mike-list@pobox.com>
To: tls@ietf.org
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dNxkb39UU71vLaVm42vp5Xxd268>
Subject: [TLS] Is stateless HelloRetryRequest worthwhile? (was Re: TLS 1.3 Problem?)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Sep 2020 05:11:49 -0000

[I'm resending this with a more appropriate Subject line. --Mike]

On 9/29/20 19:51, Martin Thomson wrote:
> It's symmetric crypto[1]. Hardly worth noting.
> [1] Mostly.  NSS wraps the symmetric key with an asymmetric key so that server clusters can share session ticket encryption keys without needing interconnects.  But encryption or decryption only happens once per instance.

Well, you also need a MAC, right? (encrypt-then-mac)
This requires another key and a bunch of computation.

Then you have to decode the cookie back into the server
state, and then check whether the new ClientHello (CH)
matches the original from the cookie, with possible
changes, making sure that the key_share supplied in
the new CH was in the original CH, checking that the
list of PSK's was not tampered with in invalid ways, etc.
Much of this is required of any handshake involving HRR
even if not stateless.

Seems worth noting.  Have you measured?

And how do you prevent someone from sending an old
cookie back?  If the server is truly stateless....

Did you (or a client) actually have a data center full of
memory-bound servers which are now handling many
more connections using the stateless HRR feature?

I'm not trying to be unkind, I genuinely don't understand
how stateless HRR can be beneficial.

Mike