IETF Logo Mail Archive

Re: [TLS] #445: Enhanced New Session Ticket

Eric Rescorla <ekr@rtfm.com> Fri, 29 April 2016 16:16 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E72BB12D186 for <tls@ietfa.amsl.com>; Fri, 29 Apr 2016 09:16:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2gqRe5NxW9kD for <tls@ietfa.amsl.com>; Fri, 29 Apr 2016 09:16:47 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A20ED12D0B8 for <tls@ietf.org>; Fri, 29 Apr 2016 09:16:47 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id g133so174489076ywb.2 for <tls@ietf.org>; Fri, 29 Apr 2016 09:16:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=m/UmRWIxYpSiieneeVF0K6kBmAi/PKSpc7Dfi6zZz/k=; b=jWeYP1If3c+0FHolW+C+oYqbfwsCIBZYvyNqX2FUJmbnZxQhutCd0iREbdZZ1tLqjU VzLLNISzLu36aEvRnVPolBobNKrrmARXfup3eQAxmyKg96QIps7vfQwGdeIjnU60Dte1 /QpyrdVyU+Y5wW1z3f0PbV9AzKxdEhboG8PJvdr2sx7a6PnH0MedA39bs8MqrcJtJqP2 yw5m5tFIrp+FQ6vban9GskBMdbVfx3ibuFEWILiE/hM9jmuUIWjiBaAF34K+84rz4i22 7hPjjgFzZjJBjNHxagHxtiBGbpkOk73jta5zqlJ5ZqnntPOMS1LXI9GevhAj2VbBI30g ++UA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=m/UmRWIxYpSiieneeVF0K6kBmAi/PKSpc7Dfi6zZz/k=; b=X0j4pA1tHokaJaoiB+UhjBEQoqVtHVn2an9ELPQDrphIx1OKSkk346c43bKCJKWYcP Exb1lCsXrmhQSUf8d6D8Vs8X/VYF0xFHthYVueiQrA0bzxyI0TcGNgqYMC01D7E4FbM2 OMjfq50l7v7+utN8Q1Pv+jZARMi5U1WW+Z0qnqm0eecVHcDRGwAUwxSwJeYYmJ8wb1KE nXM4nLC4rzsdoG6GBjg6MzFthJG/bXIeqtuinxnpHi6hbk0G0ix2/NjxEKx7nS51vddQ J3s9GYhVihlwohOOP3Nc/XdoXmlA+lqpqz/zePinfRoHSuOICTklTkvGSvJoCwdonuHQ 6v2w==
X-Gm-Message-State: AOPr4FXgjUw3+PkIo5EJ1cgnr+INwWb9pIokU+bqPL7G+b81f9HsG+r4qmRj5FeTBUfSk0yRyT6H/euTDCaWPw==
X-Received: by 10.129.163.146 with SMTP id a140mr5109142ywh.254.1461946606853; Fri, 29 Apr 2016 09:16:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Fri, 29 Apr 2016 09:16:07 -0700 (PDT)
In-Reply-To: <20160429153831.GA16797@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com> <20160428214046.GB16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBMFg4iC-EN9DocqTpmjp46EYrTBdfi-G5nNMKN_xiHxVA@mail.gmail.com> <20160429055831.GA16405@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnUFn_UrUFro-yLmn9wf7YkTpRf8anm7LK-bKgYBBkUVNg@mail.gmail.com> <20160429153831.GA16797@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 29 Apr 2016 09:16:07 -0700
Message-ID: <CABcZeBO-C5+93b5qax0wCaUhrKgjVeziphHbQse7NuBCwhdSgA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="94eb2c1287ee2ed19e0531a1f821"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/eL60BrjkwxZFbwgyfWtsIPmyvBE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2016 16:16:50 -0000

On Fri, Apr 29, 2016 at 8:38 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Fri, Apr 29, 2016 at 04:52:08PM +1000, Martin Thomson wrote:
> > On 29 April 2016 at 15:58, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> > >> [HRR state]
> > >
> > > That enlarges the state that needs to be kept. If one keeps extensions,
> > > one only needs ~40 bytes. Whereas saving full hash state needs IIRC 114
> > > bytes (SHA-256) or 228 bytes (SHA-384). And cookies are max. 255 bytes.
> >
> > Cookies are as yet undefined, but I would imagine that these would be
> > just the same size as the pre-shared-key identity for all the same
> > reasons.
>
> Well, this is about the size one needs for the required state.
>
> > > And not many hash implementations support dumping and reloading state.
> >
> > What would you prefer?  We could specify some very strict rules about
> > what changes a client can make to their ClientHello so that the server
> > can simply store things that might change (like the early_data
> > extension, which will disappear on the second attempt, and whether a
> > key share was needed, and so forth).
>
> That ~40 bytes (IIRC, it was actually 37) was done by exploiting every-
> thing I could out of the rules in WIP #344 and relied on EDI being
> preserved.
>
> EDI looks like rather sizable structure currently (even after compressing
> the configuration_id by obvious means).
>

Are you looking at a different document than I am: EDI currently is:

       struct {
           select (Role) {
               case client:
                   opaque context<0..255>;

               case server:
                  struct {};
           }
       } EarlyDataIndication;

And the context is basically a placeholder.



> >> [extension checking on resumption]
> > >
> > > So the 'etc' stands for "whatever will be defined by future
> extensions"?
> > > One might want to make that clearer.
> > >
> > > Also, things get screwy with SNI, and I think it is better not to try
> to
> > > use SNI with PSK.
> >
> > The primary function of SNI is routing.  Remove it and stuff breaks.
> > Thus, I would say include it, but make sure it doesn't result in a
> > change in configuration.  The simplest thing to do is reject PSK if
> > the old SNI != the new SNI.
>
> That kind of non-obvious stuff really needs to be included.
>
> They way it is right now written, I think very few TLS stacks are going
> to get it right.
>

Proposed text would be welcome here.


> > I mean for the subsequent handshake. Since 0-RTT ALPN and connection
> > > ALPN needs to match, either:
> > >
> > > 1) Take the 0-RTT ALPN implicitly as connection ALPN.
> > > 2) Signal the same ALPN again, and have that client MUST check it
> matches
> > >    and abort otherwise.
> >
> > I believe that we have to do the latter.  Since we can't be sure that
> > the server knows the ALPN from before if it has to reject 0-RTT.  My
> > plan for this is:
> >
> > 1. store ALPN in the ticket/session
> > 2. if doing 0-RTT, before accepting 0-RTT data, perform the normal
> > ALPN negotiation
> > 3. check the negotiated ALPN with the stored value, and if they don't
> > match reject the 0-RTT data
>
> 4. If 0-RTT is accepted, client checks the ALPN server sent and
> compares it with value it impiled. If those don't match, the client
> MUST abort.
>
>
> 1) would be:
>
> 1. store ALPN in the ticket/session
> 2. if doing 0-RTT, before accepting 0-RTT data, check if the 0-RTT
>    ALPN is acceptable. If it isn't, reject 0-RTT.
> 3. If 0-RTT was rejected, select new ALPN, signal it in Encrypted
>    Extensions.
>
> That would make ALPN and EDI mutually exclusive in EncryptedExtensions.
>

This doesn't seem awesome from the client's perspective. I'm trying to make
the ordinary PSK-resumption design less of a special case.

-Ekr




> > Note that this means that clients will have to deal with having to
> > change protocols when 0-RTT data is rejected.  But I don't see any
> > other way to do this.
>
> Well, the applications obviously have to be able to deal with the
> protocol possibly changing.
>



>
> > This also assumes that TLS session resumption is not carrying over
> > application state in addition to TLS state.  I believe that is
> > reasonable, though it's worth stating.
>
> Well, any state they can't recover.
>
>
> -Ilari
>

v2.23.0 | Report a Bug | By Email