Re: [TLS] Additional warnings on 0-RTT data

Colm MacCárthaigh <colm@allcosts.net> Thu, 24 November 2016 14:37 UTC

To: Christian Huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/e4lRvwXAVSHujR3z04HdtyJ_DfE>
Cc: "tls@ietf.org" <tls@ietf.org>

On Wed, Nov 23, 2016 at 10:44 PM, Christian Huitema <huitema@huitema.net> wrote:

> On Wednesday, November 23, 2016 7:20 PM, Colm MacCárthaigh wrote:
> >
> > Prior to TLS1.3, replay is not possible, so the risks are new, but the
> > end-to-end designers may not realize to update their threat model and
> > just what is required. I'd like to spell that out more than what's
> > there at present.
>
> Uh? Replay was always possible, at the application level. Someone might
> for example click twice on the same URL, opening two tabs, closing one at
> random. And that's without counting on deliberate mischief.
>

Much more than browsers use TLS, and also more than HTTP. There are many
web service APIs that rely on TLS for anti-replay, and do not simply retry
requests. Transaction and commit protocols for example will usually have
unique IDs for each attempt.

But even if this were not the case, there are other material differences
that are still relevant even to browsers. Firstly, an attacker can replay
0-RTT data at a vastly higher rate than they could ever cause a browser to
do anything. Second, they can replay 0-RTT data to arbitrary nodes beyond
what the browser may select. Together these open new attacks, like the
third example I provided.

-- 
Colm
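
An added illustration, not part of the original message: a minimal model of why duplicate detection kept per node stops helping once the same 0-RTT request can be delivered to arbitrary nodes, compared with a store shared by the whole fleet. `Node`, `build_fleet`, `deliver` and the transaction IDs are hypothetical names constructed for this sketch.

```python
from dataclasses import dataclass


@dataclass
class Node:
    """One server in a fleet (hypothetical model, not a real TLS stack)."""
    name: str
    seen: set          # transaction IDs this node's store has already applied
    applied: int = 0   # how many transactions this node actually executed

    def handle(self, txn_id: str) -> bool:
        """Apply a request once per transaction ID known to `seen`."""
        if txn_id in self.seen:
            return False           # duplicate: rejected, nothing executed
        # In a real deployment this check-and-insert must be one atomic
        # operation on the store; here it is single-threaded by construction.
        self.seen.add(txn_id)
        self.applied += 1
        return True


def build_fleet(size: int, shared_store: bool) -> list:
    """Build `size` nodes that share one ID store, or each keep their own."""
    store = set()
    return [Node(f"node-{i}", store if shared_store else set())
            for i in range(size)]


def deliver(fleet: list, txn_id: str, copies: int) -> int:
    """Deliver `copies` identical requests round-robin across the fleet.

    Returns how many times the transaction was applied in total.
    """
    return sum(fleet[i % len(fleet)].handle(txn_id) for i in range(copies))


if __name__ == "__main__":
    txn = "txn-0001"   # constructed sample ID
    per_node = deliver(build_fleet(4, shared_store=False), txn, copies=10)
    shared = deliver(build_fleet(4, shared_store=True), txn, copies=10)
    print(f"per-node stores: applied {per_node} times")
    print(f"shared store:    applied {shared} time(s)")
```

With per-node stores the transaction is applied once on every node that receives a copy; only the fleet-wide store holds it to a single execution.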