Re: [TLS] Closing on 0-RTT

Eric Rescorla <ekr@rtfm.com> Sat, 24 June 2017 14:05 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/egX_Bd2rnn2PFaFxMDyE3D5lWUw>

I mentioned it here, but perhaps it's not clear enough.

"If data can be replayed a large number of times, additional attacks
become possible. Specifically, attackers can use multiple replays to
exploit information leakage via side channels such as timing network
caches or measuring the speed of cryptographic operations."

I've got some other comments to resolve Monday; I'll try to get to this then,
but I'd also welcome suggested text on the PR.

-Ekr


On Fri, Jun 23, 2017 at 10:27 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Fri, Jun 23, 2017 at 10:44:00AM -0700, Eric Rescorla wrote:
> >
> > On Fri, Jun 23, 2017 at 9:21 AM, Joseph Salowey <joe@salowey.net> wrote:
> >
> > > Discussion on this topic is dying down, can you post a PR so we can see
> > > the proposed text.  There is still some discussion on the API thread so
> > > there may be some additional modifications coming in that area.
> > >
> > PR up:
> > https://github.com/tlswg/tls13-spec/pull/1034
>
> I didn't see any mention of the cache probing attack.
>
> I.e., Leak data from 0-RTT requests (especially URLs) by first priming
> caches using 0-RTT replay and then probe the caches using normal
> requests.
>
> This attack can be viable even at a low replay count; it isn't like the
> others that require a very high number of replays. And in fact, it
> benefits from having numerous zones.
>
>
> E.g., CDNs that have multiple datacenters that accept 0-RTT tickets of
> each other seem vulnerable to abusing this for discovering HTTP GET
> URLs in 0-RTT requests.
>
>
> -Ilari
>
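
The point about zones in the quoted message can be checked with a small model. This is an added example, not code from the thread or from the PR: it counts how many times one 0-RTT flight is accepted when every datacenter accepts the others' tickets. It assumes each zone keeps a single-use record of tickets it has seen; `Zone`, `build`, `count_accepts` and the ticket id are hypothetical.

```python
# Added illustration, not code from the thread or the PR. Zone, build and
# count_accepts are hypothetical names; the ticket id is constructed.

class Zone:
    """One datacenter that records which 0-RTT tickets it has already used."""

    def __init__(self, name, seen):
        self.name = name
        self.seen = seen  # set of ticket ids; may be shared between zones

    def accept_early_data(self, ticket_id, issuer, pin_to_issuer):
        # Optional policy: only the zone that issued a ticket takes 0-RTT on
        # it; elsewhere the handshake falls back to 1-RTT.
        if pin_to_issuer and issuer != self.name:
            return False
        if ticket_id in self.seen:  # already used here: reject early data
            return False
        self.seen.add(ticket_id)
        return True


def build(n_zones, shared_store):
    """Create n_zones zones with one global store or one store per zone."""
    store = set()
    return [Zone(f"dc{i}", store if shared_store else set())
            for i in range(n_zones)]


def count_accepts(zones, ticket_id, issuer, pin_to_issuer=False, tries=3):
    """Present the same early-data flight `tries` times to every zone."""
    return sum(z.accept_early_data(ticket_id, issuer, pin_to_issuer)
               for z in zones for _ in range(tries))


if __name__ == "__main__":
    ticket = "ticket-0001"  # constructed sample value
    print("per-zone state :", count_accepts(build(5, False), ticket, "dc0"))
    print("shared state   :", count_accepts(build(5, True), ticket, "dc0"))
    print("pinned to dc0  :", count_accepts(build(5, False), ticket, "dc0", True))
```

With independent per-zone state the number of accepted copies equals the number of zones, so the bound on replays grows with the deployment; a shared store or pinning the ticket to its issuing zone brings it back to one.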