IETF Logo Mail Archive

Re: [TLS] DTLS 1.3 replay protection of post-handshake messages?

John Mattsson <john.mattsson@ericsson.com> Thu, 28 December 2023 12:47 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF80CC1654F3 for <tls@ietfa.amsl.com>; Thu, 28 Dec 2023 04:47:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id c5HE9P8bzBZB for <tls@ietfa.amsl.com>; Thu, 28 Dec 2023 04:47:32 -0800 (PST)
Received: from EUR02-VI1-obe.outbound.protection.outlook.com (mail-vi1eur02on2057.outbound.protection.outlook.com [40.107.241.57]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DED11C14F617 for <tls@ietf.org>; Thu, 28 Dec 2023 04:47:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Fh7tHO3lnspLpAkfJKp5gMLfJG3qUABoIjQyOVwrNK0Edwaj4vXUGK/GeDDWMMPrTYkFqB+RhOOcMt2270l+JV7oBdV3lL3P7Dh7qteVXhxGHmOOZh1c+m50erI0kxmORoeDMSyzL/+k/kqsjvdfzuQp3UAEN5rBFS8HFlYE6XDClDxs/5EAaQscR+ZSHoYvVpVkbGmWUsWPWQLjptYwkMxru8SawjK0dvtQJRGs7nK6b+E6+T6Dyl80TFIuJx6E2751AfAvUaSXU1A2tWAHcgLqutiz1diAptM6o6Iir6H+en3i/xFEsnmGXi4dJ9KNmYFZgoCDSETcqey04yGArA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=8Cz6WH8HwSzBvpOU//2CS+zph3MWRN6EeH8alRdsNe0=; b=DFkAuokXI0cKvMTbexegUVxWC+TXg8REMQeZErniaxywUemZHs45ybEbg5fQy/M8pTsS9ymCIAU9RWgk/1cRg8O1ZdmDPLtA6pAp8NR2o6nTPj9tl1HP4ggTkSFegtwvKnUPiObsWfunxW9gdGjuX7l7m3e0By07g/3NUL5waJ/geEF1epecmlz0K36+tcukdd5tMjhfUO/bGCXh6Ya3deXeRRfWBR7FUStE6MtMvdx9sqiSZM+JUfdU3jV/qn5VdKynfmQ2ePBcN81roRpOtIDkLXfx6MO5QC1Zd0L0I07VEt4x1adDvuKzNbqPSFIHI3hnpNrYivHGHdoPeN2mrg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8Cz6WH8HwSzBvpOU//2CS+zph3MWRN6EeH8alRdsNe0=; b=q1pWcKAD59a4hTYGCzhzFTfPK400YJ5RPbgmetw6rl29bCqYU/rZcahVsTKVDaMnFqWbPxhDday8VxDtQ61dVisynHUX2ugdA8KrOLQANNawHlypteIp713gHNc0tWmJavQzEqNqTAs8bWsLb8laRIY/OhQJ7wNGRV5QhGZhm8EYgnBAalV8VqZQzbuPkKtGeCvAgAbk7biD81ZfAMPWBopdJAtwTjqbNgIFrnT4j/SJV4bz3R5Y9zL9nepC0L18+VaucfjL0InnYIfZWqcSc0bIeZM5gfJMfFpos4boMrHqbqAxo9+sbXg7WLLeHy/XTYFZihp0+NSynD2/5zlrPg==
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com (2603:10a6:150:114::10) by DU2PR07MB8272.eurprd07.prod.outlook.com (2603:10a6:10:279::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7135.20; Thu, 28 Dec 2023 12:47:28 +0000
Received: from GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::5052:f515:10db:3c95]) by GVXPR07MB9678.eurprd07.prod.outlook.com ([fe80::5052:f515:10db:3c95%3]) with mapi id 15.20.7135.019; Thu, 28 Dec 2023 12:47:28 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Martin Thomson <mt@lowentropy.net>, Eric Rescorla <ekr@rtfm.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] DTLS 1.3 replay protection of post-handshake messages?
Thread-Index: AQHaHts2RyxVby9FMEiFv+FV6Gtq27CPa1L1gADz3mOAABb2gIAATmwAgC4T7+M=
Date: Thu, 28 Dec 2023 12:47:28 +0000
Message-ID: <GVXPR07MB9678B9DFEE6DDF993E4DC54C899EA@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <GVXPR07MB967839231BEA47291C4C9D8189B8A@GVXPR07MB9678.eurprd07.prod.outlook.com> <GVXPR07MB9678C7EBDFB4D194D49047C989BCA@GVXPR07MB9678.eurprd07.prod.outlook.com> <GVXPR07MB967813D3D89B1A4CB2B4FA7E89BCA@GVXPR07MB9678.eurprd07.prod.outlook.com> <CABcZeBORGgBg20KjAG4m2BQqQPzP6iMusudY+WNWdxAUW9kJBA@mail.gmail.com> <4665f0f9-5403-43db-8601-b7abc5d5c480@betaapp.fastmail.com>
In-Reply-To: <4665f0f9-5403-43db-8601-b7abc5d5c480@betaapp.fastmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: GVXPR07MB9678:EE_|DU2PR07MB8272:EE_
x-ms-office365-filtering-correlation-id: 53e393c1-a210-4124-14f5-08dc07a32629
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: XXo1NAANLNWGrS4bhBNhtPHy4VLJ39Qlo9rn4uIEVbLDMJ2q71Tkv9C11oPzzaGKP5qPxVNH7X20B2Z/1Ts0LFfSKdiJgfjU4TWDeZo2giB/WHJvhxVQ1y2POGASalvqNkpof5uoKnljFyMhw7ZeiHVCswTLb8TBqAyTfS1iD48DgJs9hGZcHjHu/quBq6VXMghm/mzKll7/mAo5kl6RNEByd8+njEBOWKSlmc+vzLUd0QqzTwR3cIFi5u/tQjsT/7CA9oVzde6Qrln9qvbZZM9Ljgth5Avd4AlA2r+BCF0Sqmh5nYq2JXByCGYl8lFwQfB8f/aMGkfs7uq55ohUqeXGWm0tSmCq5tUWv3euBZGz3nDMgvtjU+YFsmPUh33x1MBt1LUS+5dilSx8lGYqnQTaaCOV2s5vFWdDKKxGlI5NLTgUScJmEQFnQvUus3RaL/A09HRWZuXCkqixvq4FqvLNVr6KboRuLP+YUPSDt+iPOcp4wn468q9VJ9K34Q9ClOYSbFy0pFkNaPkJ3oDQQUpI/KtJbqhb3T3HXwuh+onUql/KasDG6Wm872FAv65EwZQWhjyeNd1afuv6WqDRBTh0dGYGgJJp75hwPL74b47Glpif2+rGwbC8obFoWuIIZq8j6lt/68he7mg97vfGB3VuYVJV143pUvKVDZ9ti+WNhm9UEuZWAVNU6mPxIZrcJ9ZSkav+d1tFSoZgVgbn62+jetr9ndUb+3dl+U7hyOs=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:GVXPR07MB9678.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(396003)(366004)(346002)(39860400002)(136003)(376002)(230922051799003)(230473577357003)(230373577357003)(186009)(64100799003)(451199024)(1800799012)(55016003)(33656002)(64756008)(6506007)(7696005)(9686003)(66446008)(76116006)(66946007)(66556008)(66476007)(86362001)(38070700009)(53546011)(966005)(166002)(82960400001)(38100700002)(122000001)(83380400001)(41300700001)(2906002)(15650500001)(5660300002)(4326008)(478600001)(71200400001)(44832011)(52536014)(110136005)(316002)(8936002)(8676002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: o2PqXz2Ehucz3MNdvM2mQIOhK8nV/WtQS7J8wTMjiLJvQML/1cJxgI24ETnIaQLbqxKrFLqbF6GdMmsN/yt7DM2aXyu+Tuq1NJUM+9ccpxjJT2EJwQJmzXxD0pbOy/Hqx0/tF99PcWxWgGWM2BcvQXOhf6tiYDdWlk79+5Q5k9dk799jR1HAo8+ZsmpY/lw3upzQxatIzOesZZPpGieUtFSTHKqZdzmwK590Nk+5SD3CDQB1lkp8m5X98UoOedkG/NLfHxgi28czAewJcP+k2dViNkuQ19gQIc32POP9RHa5TIimPaG1LpKtGaUxqKyF7MqSXQnIrPLRVlyTAmTfyLxEuI14JVphVVlo1ecgcI2yAHDpNnkSVvYTU9XpyOrqqlB6DvX424NXXfE0ept4TEd2TeBRjj7lJYBXoxp9wqCZHbeWgvcEaCqhd73p+E/YQwEl9aHc2ajbsIs1V+lOgHRe0TNyzk9yudmgC26o7651O8hjolg/BUaDXoRydtOECza4EBX6fKCX9yyuQuzZACQRXnmJn71DzT6SAOlwwKLM84Ly13lri1xegfFCxDogXLDV0NIce2/VniFSJlxgj9EsMHT93xnUb4cGHxoxAlb5L5KEM16jrYUeMc7zXBfrhXiCeGnWhB6A1UtbUp7kO/6aufSWrEiLJrGK5U4CIBI76pU8L8m4/N41dEM088/C9283LDBZ8eq4EankgjR+VsfCE6dUXNN60p1y72s5fRjaTFFlh/+Uc/Jg0iSkTy4rezkiA7Bkmb0b+UHid8Cy8swOm58veAUz98tO3ljUTTszWq5xsQJTX8Wy/+unmufWXpIQya6C1vPwo3lMSE2cHKwE0B9mwJNmKdxWLESAqEsxOuviLJlGDF1g0IFA1BodD0du3dnz0bM2ar8Ut0GKCFnQYTNqS8dX1MhsG+Dwe7sey8kOo+7ZBdUC/J8v69YtjjcOFt6Kk+tC9tou6S+ABd4SAIsoaFJAV3WvgT8WqofMjCPUxalqP/c7W+H0Xout2IaZib5yb6xcl5sTPu5I2oNU/QTzpEOBrU+tYfrWxjUcwkkBdUzNZdMmevxr79aoWXIQ7DjvIGyzc1Ykgybxo6k7biGHP/0j7WMdioPO/r88Uie3Z+yaMiIgFEO5To8wR7k2Ub4Mh/xS4/gHeuYLO6aUgDTVq6mZm+tNocHwP64puG9j0daxP4h49ymS6Ron7+rwimECuIE+r6INqUYLsUKYAu5JZRQ/nQHbpw/6+1e83u1GVhGE12jnjT5GcF8DwR9jjFroBKDwfkkRHPgMcsmtBWUKflvMSEGVtOERhM8a0W684qmuZwu7lSkSt6RyybCuCoC7hcRyfQH1o0kL9U/gQwMB9luHx1Zp2QHKI7vB4r6Su8x2Tq1diwPMRgkd0rg1Swd4HBY2/7cjj8SS4F++QJgPfmpNvw4tgzdXQQwzkRlrZ4xyMlqs0Jr6GnWUOpvu/DndQmP2oMnUNptlT2Bd3QqEUmHJpdSazdZckds2uZf+OQ1FbF4/DL74XVxeXsjER8vEdCCqJd7IwuPZIissBkpeuZ2ju3Av/FrL+eKC/1xgJ9QpgAzq53Ir0vnSO3tCdztUl/bMyKekuuewhBpWWoO9u9A3Y1tuBO7p+FidJcmY5jLFgZvyiojQ152MQt+T3FPAIyPXlcg9wzip4XYHNRA+VhVsNVn1Rn+gaGI=
Content-Type: multipart/alternative; boundary="_000_GVXPR07MB9678B9DFEE6DDF993E4DC54C899EAGVXPR07MB9678eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: GVXPR07MB9678.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 53e393c1-a210-4124-14f5-08dc07a32629
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Dec 2023 12:47:28.0611 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QPrh1Q2+QQ4aESje+NXandQZXuQexA3au1DJAdg80iBGWLknvBvcM8gXltmO1nhow27mFCM3wKo23Z9pc93mXhwMcbVyDzUTsN8Eku3IV30=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU2PR07MB8272
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/doyN4Umhbd0dXAReQ3qZ_8l3D44>
Subject: Re: [TLS] DTLS 1.3 replay protection of post-handshake messages?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Dec 2023 12:47:36 -0000

On Wed, Nov 29, 2023, at 11:21, Eric Rescorla wrote:
> I agree that it would be good to require replay protection at this
> time. Perhaps we should just publish a short RFC requiring it.

I think that is a good idea and I would be happy to help with such an RFC. Either one mandating DTLS replay protection or one mandating replay protection at some layer.

I think it would maybe make most sense to mandate DTLS replay protection. Applications wanting to turn off DTLS replay protection should be required to register an extension.

I made a PR to RFC8446bis that shortly describes that 0-RTT replay can be used for server tracking.
https://github.com/tlswg/tls13-spec/pull/1334/files

Cheers,
John Preuß Mattsson

From: Martin Thomson <mt@lowentropy.net>
Date: Wednesday, 29 November 2023 at 06:02
To: Eric Rescorla <ekr@rtfm.com>, John Mattsson <john.mattsson@ericsson.com>
Cc: tls@ietf.org <tls@ietf.org>
Subject: Re: [TLS] DTLS 1.3 replay protection of post-handshake messages?
One thing that I observed when we were doing QUIC was that the canonical reference for how to do this sort of anti-replay is a section that is buried deep in an IPsec RFC.  Perhaps that short RFC is an opportunity to also document the process in a way that can be a reference to other documents.  (That's a slightly longer RFC, but still fairly short; Section 3.4.3 of RFC 4303 is just two pages in the old measure.)

On Wed, Nov 29, 2023, at 11:21, Eric Rescorla wrote:
> I agree that it would be good to require replay protection at this
> time. Perhaps we should just publish a short RFC requiring it.
>
> -Ekr
>
>
> On Tue, Nov 28, 2023 at 3:00 PM John Mattsson
> <john.mattsson=40ericsson.com@dmarc.ietf.org> wrote:
>> Hi,____
>> __ __
>> Lack of replay also enables tracking of client and server. If the client or server is a device moving together with a person this enables tracking of the person.____
>> __ __
>> An attacker can store a message from one location and then replay it to the client or server in another location. If the client or server accept the replayed message, the attacker knows that the device in the two locations are one and the same. It is best practice to assume that an attacker can always detect if a message was accepted. If the client or server send a response to the replayed message (like a replayed client authentication request) this is trivial.____
>> __ __
>> This is different from the attack described in Section C.4 “Client and Server Tracking Prevention” of RFC8446bis, which describes the client reusing a ticket. A network attacker mounting a replay attack are described in Section 8 of RFC8446bis. I think a sentence or two should be added to Section C.4 to describe that a network attacker mounting a replay attack can be used for server tracking and that the mitigations in Section 8 help.____
>> https://datatracker.ietf.org/doc/draft-ietf-tls-rfc8446bis/____
>> __ __
>> Cheers,____
>> John Preuß Mattsson____
>> __ __
>> *From: *TLS <tls-bounces@ietf.org> on behalf of John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
>> *Date: *Tuesday, 28 November 2023 at 09:30
>> *To: *TLS@ietf.org <tls@ietf.org>
>> *Subject: *Re: [TLS] DTLS 1.3 replay protection of post-handshake messages?____
>> Hi,____
>>  ____
>> Reading RFC 9147 (DTLS 1.3) I cannot find any other interpretation than that replay protection may be disabled for all records. This is not a problem for the initial lock-step handshake, alerts, KeyUpdate, and ACKs. It seems to be a major problem for NewSessionTicket, NewConnectionId, RequestConnectionId, and Post-handshake client authentication as the lack of replay protection might significantly affect availability. It seems to me that DTLS 1.3 forgot to update replay protection based on the new post-handshake messages. Let me know if I miss something.____
>>  ____
>> It is a bit surprising that DTLS 1.3 published in 2022 allows the application to turn off replay protection at all. This very far from current best practice for security protocols. There are very good reasons why Datagram QUIC mandates replay protection and why TLS 1.3 has several pages discussing security considerations for 0-RTT data, which lacks replay protection. In general, turning off replay protection (even just for application data) might lead to loss of confidentiality, integrity, and availability, i.e., the whole CIA triad.____
>>  ____
>> Applications cannot be expected to understand the severe consequences of not having replay protection or understand how to fix it on the application layer. I also don't see any need for turning off replay protection except RFC 6083 which is a bit of a special case, and which turned out to have replay issues.____
>> https://datatracker.ietf.org/meeting/115/materials/slides-115-tsvwg-sctp-auth-security-issues-00____
>>  ____
>> I would strongly recommend all DTLS 1.3 libraries to completely remove the option to disable replay protection.____
>>  ____
>> An easy fix for the post-handshake messages is to "clarify" that replay protection must not be turned off for anything else than application data. I you agree I can submit an “erratum” for RFC 9147. But this does not solve the general issue that turning off replay protection would be a major security problem in almost all applications. ____
>>  ____
>> Cheers,____
>> John Preuß Mattsson____
>>  ____
>> *From: *TLS <tls-bounces@ietf.org> on behalf of John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
>> *Date: *Friday, 24 November 2023 at 14:50
>> *To: *TLS@ietf.org <tls@ietf.org>
>> *Subject: *[TLS] DTLS 1.3 replay protection of post-handshake messages?____
>> Hi,____
>>  ____
>> How does replay protection of Post-handshake messages work in DTLS 1.3 if the per-record replay-protection mechanism is turned off?____
>>  ____
>> 1. Is the post-handshake messages replay protected in some other way, which I miss?____
>>  ____
>> 2. Should RFC 9147 state that the per-record replay-protection mechanism can only be turned off for application data? (I could not find anything in RFC 9147 stating something like this).____
>>  ____
>> (things like post-handshake authentication need replay protection in some way)____
>>  ____
>> Cheers,____
>> John Preuß Mattsson____
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email