IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 04 May 2017 00:51 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A5431250B8 for <tls@ietfa.amsl.com>; Wed, 3 May 2017 17:51:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wsnODS5Gmn3E for <tls@ietfa.amsl.com>; Wed, 3 May 2017 17:51:39 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [108.5.242.66]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 519DB129477 for <tls@ietf.org>; Wed, 3 May 2017 17:51:39 -0700 (PDT)
Received: from [172.31.31.193] (gzac12-mdf2-1.aoa.twosigma.com [208.77.215.155]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mournblade.imrryr.org (Postfix) with ESMTPSA id 9C2177A32F1 for <tls@ietf.org>; Thu, 4 May 2017 00:51:38 +0000 (UTC) (envelope-from ietf-dane@dukhovni.org)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CAAF6GDf-aJEu8Usss7r9m94YXSVgHq8OB9+=i8-uk=Cv_QtrwA@mail.gmail.com>
Date: Wed, 03 May 2017 20:51:37 -0400
Content-Transfer-Encoding: quoted-printable
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <BF1DC9D8-7E39-4415-A9F9-C1C1995B20C5@dukhovni.org>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <cb518e35-c214-d11d-a068-c454b2e7ea6a@gmx.net> <CAAF6GDfQ+YXV4gvhBOOZKC=wtYhxQUy1_2_M+dgfbdL25pppiQ@mail.gmail.com> <BCD73E79-0675-4B71-92B4-3226F0BAB597@dukhovni.org> <CAAF6GDdpq8DgLx5Fo6apoTHgwQsbdn6hb=ozi1+JP9VMxPw6sA@mail.gmail.com> <539D071B-7DDD-4820-A9E4-EC178400B7B2@dukhovni.org> <420471d6016a41ecbcdf9562be303f62@ustx2ex-dag1mb1.msg.corp.akamai.com> <17414FC2-15BB-4A03-8673-7F8299E5428E@dukhovni.org> <20170503182955.GR10188@localhost> <CAAF6GDf_5tuU=L8vCv5f1wgwy8NxvDcJb9TjJ+iHcNOqETASoQ@mail.gmail.com> <7573B494-A1C1-4897-B064-14237B5FB525@dukhovni.org> <CAAF6GDfiLtLT5-NZwFaSHmz35MRiNSqSjQt=MmNoQ04vBDPPTg@mail.gmail.com> <658E74AE-39BC-4518-B11D-92D7AC7F1BD4@dukhovni.org> <CAAF6GDf-aJEu8Usss7r9m94YXSVgHq8OB9+=i8-uk=Cv_QtrwA@mail.gmail.com>
To: TLS WG <tls@ietf.org>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gNCMGwVa1t0ckiHZ3CCFJML6yLw>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 00:51:41 -0000

> On May 3, 2017, at 6:29 PM, Colm MacCárthaigh <colm@allcosts.net> wrote:
> 
> Pervasive forward secrecy is one of the central security goals of modern
> cryptography,

Sure, given a sensible definition of forward-secrecy.  And near instanenous
deletion of session keys is not part of such a definition.

> STEKs aren't compatible with this goal. They may be acceptable operationally
> today, but I think they must be borrowed time if the central goal is meaningful.

We need to recall what thread-model is behind the desire for forward-secrecy.
It is I think not controversial to say that forward is concerned with limiting
the damage from end-point (especially server end-point) compromise, in which
confidentiality of long-term keys (still held on the endpoint) is lost.

Consider the fact that such compromise is unlikely to be detected and remediated
instantaneously.  Indeed not only will the adversary have access for some time
to sessions initiated post-compromise, he will also be able to impersonate the
real server after the server is "secured" because certificate revocation will
take days (or until the certificate expires) to take effect and more sessions
can be compromised via MiTM attacks after the keys stolen.

The incremental exposure of some fraction of a hour of sessions shortly before
compromise pales in comparison with the much longer post-compromise exposure
before the service is again secure.

STEKs are simpler to design and secure than a complex session cache. This
simplicity has security benefits.  Properly implemented STEKS have a lifetime
that is much shorter than any plausible compromise exposure time window.  Given
this, it makes sense to not consider potential STEK compromise as loss of forward
secrecy.

Forward secrecy guards against disclosure of truly long-term key material, with
a lifetime of weeks to years.  Once we get down to hours or minutes, it is quite
sensible to take a coarser view of time, with similar exposure for sessions
"just before" and "just after" compromise.

Maximally sensitive traffic can take the penalty of avoiding session caching
of any kind.

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email