Re: [TLS] AD review of draft-ietf-tls-falsestart-01
Eric Rescorla <ekr@rtfm.com> Fri, 01 April 2016 16:01 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9538512D709 for <tls@ietfa.amsl.com>; Fri, 1 Apr 2016 09:01:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nph4HPkThTnL for <tls@ietfa.amsl.com>; Fri, 1 Apr 2016 09:01:05 -0700 (PDT)
Received: from mail-yw0-x232.google.com (mail-yw0-x232.google.com [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD72C12D70D for <tls@ietf.org>; Fri, 1 Apr 2016 09:00:54 -0700 (PDT)
Received: by mail-yw0-x232.google.com with SMTP id d68so31892930ywe.1 for <tls@ietf.org>; Fri, 01 Apr 2016 09:00:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=66WK1DjzygRU/fJ78lBEPijchEovcmxy73k4SJEJloU=; b=USsDpQUDRaF3P6HVBM6R1EuPSkrPZRwaIqlB6ggE/U6YW+8YWS1tiPGn6fyEhan7rP epVHBUhvqsWvfaxnyghXTuDTuMqtKiYqcathfDM0n0E8zUjI8BSI54DQtIwPYrRbNNB1 CxNPO+M+1B9d76j+4vP62tPqRaoQREPc8xbIM69jjjXIin2RAPbTJoSEdgfbSls2WznN rYLyX+bu+1OMmwUbatMCkJj07QQGTPuV7dRRVdjgPkd+Ruc3dvd/e5qfkC0n65BAtRxT UEI/KSGmh8SJQ8YH7ChEV5ox1bN3gBrMyJn6TueNAYEiY8QAWpanyazXux+dK4+dTSQz QkzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=66WK1DjzygRU/fJ78lBEPijchEovcmxy73k4SJEJloU=; b=e2XwwK9Hdc+bXccAA6flTDQeXbh7xOI+IOJLObndRr9w8VQmINODag6afE56+ZjG+D o8/cvaFVh1VwMReUdoAZ2VzXffSAslAiDC0ewvwpTooR2KBh2IuH230wRxdWyA1Omza/ 9RVJ2XF1Hupqwqxk3AqUeJ2wdlA5QAHOkXvFULKpXlN98Bd0sUl/IFvUe4bzknuoukdp /SUwzJZ43hFbq3FibmvxxQKOYNu67Sj2hy4xY8yGCSOlkU8yA2FUVMzBU9IhOork6OLl 7zwGzXPEDoAYebWTcOPYUOQD8RX/LRB+QWIC18Wf2IecThsGVmmK6tAtWDSbTuKRcSLa ZSkg==
X-Gm-Message-State: AD7BkJJ1tEm9zGmGoU7OGoLQhj8ChP2L8DwX8A8dH3BEIqricqoWt+1Yer83d8BGH4WjqP5X0V1MgiiXowUpvA==
X-Received: by 10.37.230.67 with SMTP id d64mr3701361ybh.159.1459526452840; Fri, 01 Apr 2016 09:00:52 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Fri, 1 Apr 2016 09:00:13 -0700 (PDT)
In-Reply-To: <56FE6751.7040100@cs.tcd.ie>
References: <56F2B2E7.1060809@cs.tcd.ie> <CADMpkcLg4c2Q1Rq8n+HKzOM2Q7-S+VRmWy+W9kDOX5dZ9Z67Hg@mail.gmail.com> <56F3B9CC.8050305@cs.tcd.ie> <F1A09055-2D99-4697-9018-C5778C4E198F@sn3rd.com> <56FE6751.7040100@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 01 Apr 2016 13:00:13 -0300
Message-ID: <CABcZeBNQht5G7C80V6P3tH8J26FgoZK8Zy6yfU3_PxSTg1u8UQ@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: multipart/alternative; boundary="94eb2c0afa10c39ff4052f6e7bf4"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/fc8Q4Sst_QMEfJ-JKo42CMMMN4c>
Cc: draft-ietf-tls-falsestart@ietf.org, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] AD review of draft-ietf-tls-falsestart-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2016 16:01:08 -0000
On Fri, Apr 1, 2016 at 7:19 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > Forward secrecy can be achieved using ephemeral Diffie-Hellman or > > ephemeral Elliptic-Curve Diffie-Hellman ... > > > > If we summarize these in the Introduction we’re good? > > No, I'm on about missing text not placement of text. Again if > we added something like "False start is not safe for a ciphersuite > that has properties <A,B,C> such as <example> because of <problem>. > See [refs] for full details" then we'd be done because a reader > could use that to analyse whether or not it is ok to use a future > ciphersuite (or a current one, being re-evaluated in the future) with > false-start. > The issue isn't primarily the ciphers themselves, it's the security properties of False Start. Specifically, TLS is intended to allow a client and server to negotiate the most preferred joint cipher suite, even if they also support weaker cipher suites, even in the face of active attack [0]. In TLS 1.2, this guarantee is enforced by the Finished messages and therefore the client isn't able to verify it at the time it sends its second flight [1]. Thus, when you are doing False Start, the client has no guarantee that an attacker hasn't forced him into a much weaker cipher suite (potentially the weakest cipher suite that the client supports). Of course, the handshake won't complete, but the client will have already sent data under the weaker cipher suite. The restrictions here are targeted at minimizing the exposure due to potentially negotiating weaker ciphers with the general idea being that the weakest cipher acceptable for false start is not too far away from the best cipher. So, it's not really practical to pair it to specific cipher properties. -Ekr [0] Note, this protection starts to break down if the weakest joint cipher suite is really weak. [1] This is why TLS 1.3 signs the entire server's second flight and why False Start is redundant in TLS 1.3. > > Cheers, > S. > > PS: If I'm just not managing to explain myself well here, we can > chat about it in B-A. > > > > > spt > > > >> Cheers, S. > >> > >> > >>> > >>> Bodo > >>> > >>>> That could be done with some explanatory text and using some of > >>>> the references below maybe. Or, if we don't really want new > >>>> folks to implement this (do we?) then just saying that might > >>>> mean it's ok to not explain the "why." (And then you could also > >>>> address #1 above then by issuing this as an historic RFC too if > >>>> you wanted.) > >>> > >> > >> _______________________________________________ TLS mailing list > >> TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls > > > > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] AD review of draft-ietf-tls-falsestart-01 Stephen Farrell
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Bodo Moeller
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Martin Thomson
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Stephen Farrell
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Sean Turner
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Dave Garrett
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Stephen Farrell
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Sean Turner
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Peter Bowen
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Eric Rescorla
- Re: [TLS] AD review of draft-ietf-tls-falsestart-… Stephen Farrell