IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Eric Rescorla <ekr@rtfm.com> Thu, 04 May 2017 21:38 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AACF12945C for <tls@ietfa.amsl.com>; Thu, 4 May 2017 14:38:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.09
X-Spam-Level:
X-Spam-Status: No, score=0.09 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w09FisWzODXv for <tls@ietfa.amsl.com>; Thu, 4 May 2017 14:38:05 -0700 (PDT)
Received: from mail-yb0-x22d.google.com (mail-yb0-x22d.google.com [IPv6:2607:f8b0:4002:c09::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05AD5129535 for <tls@ietf.org>; Thu, 4 May 2017 14:38:02 -0700 (PDT)
Received: by mail-yb0-x22d.google.com with SMTP id 8so6882934ybw.1 for <tls@ietf.org>; Thu, 04 May 2017 14:38:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=+Q4ZSrJauuFd9kzBMnNSqC8jGbh+rclSoBPQ7jP3x+Q=; b=l2jci7hb865ihEFr1BPWyjqQmSgih3PCm7JGo87c7yWlLUknIFubYD8SoXvJ9sSbWx WgoqDHCBPSjm2Rbu8gx3pMTYT/icG1aurD1JOvujuoALpq8rjUZJPwytWOZvxzGuIWIj o8zgiKhUtWSWXI7O3kEbDtdoQVnHr5xgCCvRyKXrwUrUjItP7mF/l4MNnOa6lEYFvsbA dyI3B71TzDp1gdF8272Lm09ReXb+XbmO4VABhVZSrfXAwbiOqZKYhyAFeRO/AiXtiMxc Q7222Tk8H5b36erytor4HIyfguhcJW5iyiQI+onX/CRyG0bOibyBeELFw7Xn33PJ1Wmw 1izA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=+Q4ZSrJauuFd9kzBMnNSqC8jGbh+rclSoBPQ7jP3x+Q=; b=odeSwu/SEfBe53A4FMQ+iuI/mYkbK9Asis2OcyA6J2ZbgST3pO1kN5DUtR0Ow9FXQy rHkqEsrNDRqOe8DypR8t2raCHA+nC4Q/zlgOdFxhLxQDpy6YfAsy2XbLPu2d4dlc0Ac6 8JBaWJh2AvY3pxjd348qJzibX6rPUu1PQ+PNDcONqiMbPvapJfpAy2n9QfN03FDv4LDy mLl+7EkBqwAb/8Ad2gkU8Fhy++ani+103FWwW7L/pAo8w7A5TNsZEl2+G9y7LatfbDsZ h6ZqF45rZdlNYpdffNcno5qyHk1rrrSOFQl0a5VMVobTIhk4wMerbbOc6OAIRxsxb2xw 5gnA==
X-Gm-Message-State: AN3rC/6ObHeoSfsQKo84JG6kjv8X7d6iexEV3A8Qn6bklaGsnqYXnhNN 90+z1JADUEiNXBhgEHV+QUgsIeYg2g==
X-Received: by 10.37.174.24 with SMTP id a24mr36578484ybj.50.1493933881200; Thu, 04 May 2017 14:38:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Thu, 4 May 2017 14:37:20 -0700 (PDT)
In-Reply-To: <MWHPR15MB11825419AF296AE7EC26F3BDAFEA0@MWHPR15MB1182.namprd15.prod.outlook.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com> <MWHPR15MB11825419AF296AE7EC26F3BDAFEA0@MWHPR15MB1182.namprd15.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 04 May 2017 14:37:20 -0700
Message-ID: <CABcZeBNyQB3FOik3ZBZvgX7FnEjUydHdJwfa5OkACYDO_FQHaA@mail.gmail.com>
To: Kyle Nekritz <knekritz@fb.com>
Cc: Colm MacCárthaigh <colm@allcosts.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045da3584e9e8f054eb996ad"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ePtERgfTwYEo5vRQbUd0_fsd5to>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 21:38:09 -0000

On Thu, May 4, 2017 at 2:27 PM, Kyle Nekritz <knekritz@fb.com> wrote:

> > 1. A SHOULD-level requirement for server-side 0-RTT defense, explaining
> both session-cache and strike register styles and the merits of each.
>
>
>
> First, a point of clarification, I think two issues have been conflated in
> this long thread:
>
> 1) Servers rejecting replayed 0-RTT data (using a single use session
> cache/strike register/replay cache/some other method)
>
>
>
> There are definitely cases (i.e. application profiles) where this should
> be done. I think a general case HTTPS server is one. But I don’t think this
> is strictly necessary across the board (for every application using 0-RTT
> at all). DNS was brought up earlier in this thread as an example of a
> protocol that is likely quite workable without extra measures to prevent
> replay.
>
>
>
> We already state “Protocols MUST NOT use 0-RTT data without a profile that
> defines its use.”. We could also describe methods that may be used to
> provide further replay protection. But I don’t think it’s appropriate to
> make a blanket requirement that *all* application protocols should require
> it.
>
>
>
> I also consider it quite misleading to say TLS 1.3 is insecure without
> such a recommendation. Uses of TLS can be insecure, that does not mean the
> protocol itself is. It’s insecure to use TLS without properly
> authenticating the server. Some users of TLS do not do this correctly. I’d
> actually argue that it is easier to mess this up than it is to mess up a
> 0-RTT deployment (and it can result in worse consequences). That doesn’t
> mean we should require a particular method of authentication, for all uses
> of TLS.
>

I think this is basically right. In the PR I just posted, I spent most of
my time describing the
mechanisms and used a SHOULD-level requirement to do one of the mechanisms.
I think there's a bunch of room to wordsmith the requirement. Perhaps we
say:

- You can't do 0-RTT without an application profile
- Absent the application profile saying otherwise you SHOULD/MUST do one of
these mitigations?


2) Preventing clients from sending 0-RTT data multiple times (on separate
> connections) using the same PSK (for forward secrecy reasons)
>
>
>
> I think this should be allowed. Otherwise, clients will not be able to
> retry 0-RTT requests that fail due to an unknown network error prior to
> receiving a NST (if they are out of cached PSKs). I’d expect the need for
> these retries to be larger with 0-RTT data, particularly when 0-RTT data is
> sent without even a transport roundtrip (in the case of TFO or QUIC).
> Servers are definitely not required to accept multiple 0-RTT connections
> using the same PSK, but I don’t think clients should be banned from
> attempting.
>

I agree, and the PR I provided doesn't attempt to do so.


> 4. I would add to this that we recommend that proxy/CDN implementations
> signal which data is 0-RTT and which is 1-RTT to the back-end (this was in
> Colm's original message).
>
>
>
> I’m not sure that the TLS 1.3 spec is the right place to make
> recommendations for this. I can see several reasonable approaches here, for
> example:
>
> - Adding some kind of application level annotation (for example an HTTP
> header)
>
> - Robustly preventing replay on the 0-RTT hop
>
> - Sending proxied early data with a different TLS ContentType, etc.
>
> I don’t see a need to specifically endorse any particular method here.
>

I think Colm has also agreed we shouldn't do this and it's not in my PR.


>
>
>
> There was also a point brought up about the use of ticket_age without
> 0-RTT. I’m not aware of any use for ticket_age other than 0-RTT replay
> protection. I believe that ticket_age is sent with all PSKs mostly out of
> convenience/consistency. I don’t really have an objection to the current
> method, but I also wouldn’t be opposed to moving the ticket age to the
> early data extension, so that it is only sent along with 0-RTT data.
>

I would be OK with this as well. It does seem slightly more elegant.




> It also seems a little under-specified what implementations unable to
> compute a reasonable ticket age should send (for example in the case of a
> device without a real time clock,
>

Right. I have been basically assuming that you can't really do TLS without
a real-time clock, but maybe that's wrong?



> or with an external PSK).
>

This actually is well-specified (though maybe wrong)
"For identities established externally an obfuscated_ticket_age of 0 SHOULD
be used, and servers MUST ignore the value."
https://tlswg.github.io/tls13-spec/#pre-shared-key-extension

-Ekr


> *From:* TLS [mailto:tls-bounces@ietf.org] *On Behalf Of *Eric Rescorla
> *Sent:* Wednesday, May 3, 2017 11:13 PM
> *To:* Colm MacCárthaigh <colm@allcosts.net>
> *Cc:* tls@ietf.org
> *Subject:* Re: [TLS] Security review of TLS1.3 0-RTT
>
>
>
> [Deliberately responding to the OP rather than to anyone in particular]
>
>
>
> Hi folks,
>
>
>
> I'm seeing a lot of back and forth about general philosophy and the
>
> wisdom of 0-RTT but I think it would be useful if we focused on what
>
> changes, if any, we need to make to the draft.
>
>
>
> I made some proposals yesterday
>
> (https://www.ietf.org/mail-archive/web/tls/current/msg23088.html
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mail-2Darchive_web_tls_current_msg23088.html&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=l2j4BjkO0Lc3u4CH2z7jPw&m=_2BECf9OfW1r1aRWrL_pSbQeKMshyOm2NIVWF4GGBI0&s=XgHbUwT6upAsOin4T6P8ePs8i0ZFsnD-_BNvueeq83E&e=>
> ).
>
>
>
> Specifically:
>
> 1. A SHOULD-level requirement for server-side 0-RTT defense, explaining
>
> both session-cache and strike register styles and the merits of each.
>
>
>
> 2. Document 0-RTT greasing in draft-ietf-tls-grease
>
>
>
> 3. Adopt PR#448 (or some variant) so that session-id style implementations
>
> provide PFS.
>
>
>
> 4. I would add to this that we recommend that proxy/CDN implementations
>
> signal which data is 0-RTT and which is 1-RTT to the back-end (this was in
>
> Colm's original message).
>
>
>
> Based on Colm's response, I think these largely hits the points he made
>
> in his original message.
>
>
>
> There's already a PR for #3 and I'll have PRs for #1 and #4 tomorrow.
>
> What would be most helpful to me as Editor would be if people could review
>
> these PRs and/or suggest other specific changes that we should make
>
> to the document.
>
>
>
> Thanks,
>
> -Ekr
>
>
>
>
>
>
>
>
>
> On Tue, May 2, 2017 at 7:44 AM, Colm MacCárthaigh <colm@allcosts.net>
> wrote:
>
> On Sunday at the TLS:DIV workshop I presented a summary of findings of a
> security review we did on TLS1.3 0-RTT, as part of implementing 1.3 in s2n.
> Thanks to feedback in the room I've now tightened up the findings from the
> review and posted them as an issue on the draft GitHub repo:
>
>
>
> https://github.com/tlswg/tls13-spec/issues/1001
>
>
>
> I'll summarize the summary: Naturally the focus was on forward secrecy and
> replay. On forward secrecy the main finding was that it's not necessary to
> trade off Forward Secrecy and 0-RTT. A single-use session cache can provide
> it, and with the modification that ekr has created in
> https://github.com/tlswg/tls13-spec/pull/998 , such a cache works for
> both pre-auth and post-auth tickets, and it allows clients to build up
> pools of meaningfully distinct tickets.
>
>
>
> There's also an observation there that it should really be that clients
> "MUST" use tickets only once. Any re-use likely discloses the obfuscated
> ticket age, which is intended to be secret. Right now it's a "SHOULD".
>
>
>
> On replay, the main finding is that what's in the draft is not workably
> secure, and the review includes 5 different attacks against 0-RTT data to
> illustrate that. Attacks 1 and 2 show that the kind of replay permitted by
> the draft is very different from the kind of replay permitted by dkg's
> existing downgrade-and-retry attack. I also go over why it very very
> difficult to many applications to achieve that idempotency, and why one
> idempotency pattern actually relies on non-replayable messages.
>
>
>
> Attack 3 shows that idempotency is not sufficient, applications must also
> be free of measurable side-effects, which is not practical.  Attack 4 shows
> that 0-RTT breaks a common security mechanism: spoofing-resistant
> throttles. Attack 5 shows that 0-RTT replay-ability enables an additional
> form of traffic analysis.
>
>
>
> The recommendation in the review is that implementations "MUST" prevent
> replays of 0-RTT section, with some additional discussion about why the
> existing advice is unlikely to be followed, and why consistent
> interoperability matters here.
>
>
>
> Unfortunately, I wasn't aware until Friday that this review would be
> coming so late in the TLD1.3 draft process, and my apologies for that. I am
> now planning to attend the future WG in-person meetings and look forward to
> seeing many of you there.
>
>
>
> --
>
> Colm
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=l2j4BjkO0Lc3u4CH2z7jPw&m=_2BECf9OfW1r1aRWrL_pSbQeKMshyOm2NIVWF4GGBI0&s=6GIocGzW6wPK4EAlqDLIirNvsuQj7gWhYG_OzROR2qY&e=>
>
>
>

v2.23.0 | Report a Bug | By Email