IETF Logo Mail Archive

Re: [TLS] #445: Enhanced New Session Ticket

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 28 April 2016 21:40 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AA1C12D522 for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 14:40:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.896
X-Spam-Level:
X-Spam-Status: No, score=-2.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.996] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fY3TkerXqb4J for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 14:40:51 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 51D2512D19F for <tls@ietf.org>; Thu, 28 Apr 2016 14:40:51 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id D45E76B91; Fri, 29 Apr 2016 00:40:49 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id Xw4LSsl0lGeX; Fri, 29 Apr 2016 00:40:49 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-143-35.bb.dnainternet.fi [87.100.143.35]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id 690D327F; Fri, 29 Apr 2016 00:40:49 +0300 (EEST)
Date: Fri, 29 Apr 2016 00:40:46 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20160428214046.GB16096@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/gEiObexSqE9YmxQxHOCMXYPXN00>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2016 21:40:54 -0000

On Thu, Apr 28, 2016 at 01:43:41PM -0700, Eric Rescorla wrote:
> On Thu, Apr 28, 2016 at 12:32 PM, Ilari Liusvaara <ilariliusvaara@welho.com>
> wrote:
> 
> 
> > - I presume 0-RTT used in retried ClientHello uses (and for the verify
> >   mechanism to work, that needs to be allowed!) uses ClientHello1...
> >   ClientHello2 as its base hash?
> >
> 
> I don't think I understand what you are asking. Can you rephrase.

Client sends ClientHello with 0RTT data, gets HelloRetryRequest back and
resends ClientHello. For hash continuation to work, the new ClientHello
needs to contain the EarlyData extension, which would imply there is
0RTT data following that too.
 
> > - Server can send CertificateRequest in GDHE-PSK or PSK mode???
> >
> 
> Is there a reason that's undesirable? Note that it can always do
> post-handshake
> authentication, so we need to ensure that this is secure. My understanding
> is
> that because it covers the server's Finished, it therefore builds in the PSK
> value (per the analyis from Scott et al.). Do you have a concern with this.

Note that carelessly doing post-handshake auth can lead to nasty issues
(fortunately it is not allowed for HTTP/2!).
 
And wonder what it would do to the handshake state machine to have the
possibility of the CertificateRequest message (you need state machine to
avoid all sorts of attacks).

> - What are 'etc' for parameters for 0-RTT data? Use the present
> >   extension list here and have any future extensions that matter here
> >   explicitly define their interaction.
> >
> 
> The list is an example. The operative word is "all".

And what is "all" with current extensions (defined as whatever is in
registry currently + whatever TLS 1.3 base defines)? I think ciphersuite
(apporiately transformed) and ALPN. Are there others?

I'm ignoring future extensions, as those can define whatever is needed.

> - The requirement for server to validate its extensions... Hopefully
> >   there is no security reason for that... I really don't see it being
> >   implemented correctly (and the description looks completely screwy[1]).
> >
> 
> This is an important requirement. For instance, you need the same ALPN
> value.

ALPN yes. However, with all the extensions the chances this requirement
is implemented correctly are slim.

Which means that relying upon it for safety is a Bad Idea.

I think one should explicitly call out extensions that need special
handling here (which I think is presently only ALPN).

> > - 1 RTT server context presumably ends in CertificateRequest, not
> >   CertificateVerify (the Certificate and CertificateVerify are
> >   impiled).
> >
> 
> I'm not sure which section of the draft you're referring too here.

The table of authentication block (Certificate+CertificateVerify+Finished
sequences) base keys and hashes (section 6.3.4 in current Editor's Copy).
 
> - You might want flag for if server promises replay protection or
> >   not in NST.
> >
> 
> We discussed this in BE and the consensus was that it was not clear how
> the server implemented this and so it was unwise to promise it.

You can replay-cache on ClientHello hash.
 
> > - You might want to specify that allow_dhe_resumption doesn't
> >   change key exchange, only authentication (so DHE_CERT becomes
> >   DHE_PSK and ECDHE_CERT becomes ECDHE_PSK).
> 
> I'm not sure I follow. It changes key exchange. If we want to have
> a resumption mode that has the server sign, we'll need a different
> indicator here.

Can ciphersuite C02B (ECDHE_ECDSA/...) become 00AA (DHE_PSK/...)
upon use of the created PSK?

> [1] There are many extensions that are not relevant because those
> > control server authentication (e.g. status_request, status_request_v2,
> > signed_certificate_timestamp, server_certificate_type). And some that
> > are low-level connection control (e.g. max_fragment_length)
> 
> Yes, I am being conservative here because false positives don't seem like
> they will happen a lot.

False positives? Try implementation errors.
 
> ALPN is special here tho: It needs to match the impiled 0-RTT ALPN
> > (does one want that extension in 0-RTT case anyway?).
> >
> 
> Yes, you absolutely need ALPN for early data.

I mean do you need explicit indication, as opposed to taking the
protocol the accepted 0-RTT data was for and not signaling it.

Otherwise you need MUST abort requirement for the client.


-Ilari

v2.23.0 | Report a Bug | By Email