IETF Logo Mail Archive

Re: [TLS] Closing on 0-RTT

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 13 June 2017 11:32 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E06D21316A9 for <tls@ietfa.amsl.com>; Tue, 13 Jun 2017 04:32:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eyEAUB1QBnE3 for <tls@ietfa.amsl.com>; Tue, 13 Jun 2017 04:32:39 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id 276DB131688 for <tls@ietf.org>; Tue, 13 Jun 2017 04:32:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id A1BFA39390; Tue, 13 Jun 2017 14:32:37 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id rlDsTOyvCprC; Tue, 13 Jun 2017 14:32:37 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 56A3F2313; Tue, 13 Jun 2017 14:32:37 +0300 (EEST)
Date: Tue, 13 Jun 2017 14:32:32 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170613113232.GC8983@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABcZeBNLo51y4-MYS6NTQn9OWg5jTYYpwxn1fiKKNL5bWA37TA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBNLo51y4-MYS6NTQn9OWg5jTYYpwxn1fiKKNL5bWA37TA@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/g9aQ8s7Z7GY-t76lST83CL_IY70>
Subject: Re: [TLS] Closing on 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Jun 2017 11:32:42 -0000

On Sun, Jun 11, 2017 at 04:18:03PM +0100, Eric Rescorla wrote:
> Hi folks,
> 
> We've had a phenomenal amount of discussion around 0-RTT anti-replay,
> and based on my recent summary e-mails I think we generally agree
> about the technical facts, so it's time to finalize the PR and land it
> in the specification.
> 
> 
> Here's what I propose to do:
> 
> - Describe the attacks that Colm described.

That was mainly five attacks, right?

- 0-RTT without stateful anti-replay allows for very high number of
  replays, breaking rate limiting systems, even high-performance
  ones, resulting in an opening for DDoS attacks.
- 0-RTT without stateful anti-replay allows for very high number of
  replays, allowing exploiting timing side channels for information
  leakage. Very few if any applications are engineered to mitigate
  or eliminate such side channels.
- 0-RTT without global anti-replay allows leaking informtation
  from the 0-RTT data via cache timing attacks. HTTP GET URLs
  sent to CDNs are especially vulernable.
- 0-RTT without global anti-replay allows non-idempotent actions
  contained in 0-RTT data to be repeated potentially lots of times.
  Abuse of HTTP GET for non-idempotent actions is fairly common.
- 0-RTT allows easily reordering request with retransmission from
  the client. This can lead to various unexpected application
  behavior if possibilty of such reordering is not taken into account.
  "Eventially consistent" datastores are especially vulernable.

> - Distinguish between replay and retransmission
> 
> - Mandate (SHOULD-level) that servers do some sort of bounded
>   (at-most-N times) anti-replay mechanism and emphasize that
>   implementations that forbid replays entirely (only allowing
>   retransmission) are superior.

I don't remember seeing any scheme that looks feasible to implement,
and that could limit amount replays but not to one per "server".

(Of course, definition of "server" might sometimes be tricky, e.g.
8 "servers" all running in the same virtual machine.

Also, I think SHOULD is bit questionable when not following it
is almost certain to lead to severe problems.

> - Describe the stateless mechanism as a recommended behavior but not
>   as a substitute for the other mechanisms. As Martin Thomson has
>   pointed out, it's a nice pre-filter for either of these other
>   mechanisms.

Basically, the strike register is unimplementatble without bounding
the replay window first in time.

But I don't think that should be represented as a stateless
mechanism, merely as a way of limiting the resources used by
the strike register.

> - Clarify the behavior you need to get PFS.
> 
> - Require (MUST) that clients only send and servers only accept "safe"
>   requests in 0-RTT, but allow implementations to determine what is
>   safe.
 
Also:

- Note that 0-RTT exporters are not safe for authentication unless
  the server does global anti-replay on 0-RTT.




-Ilari

v2.23.0 | Report a Bug | By Email