IETF Logo Mail Archive

Re: [TLS] Separate APIs for 0-RTT

Yoav Nir <ynir.ietf@gmail.com> Fri, 23 June 2017 03:43 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D4491241FC for <tls@ietfa.amsl.com>; Thu, 22 Jun 2017 20:43:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.998
X-Spam-Level:
X-Spam-Status: No, score=-0.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ret_1Wo9i1Dl for <tls@ietfa.amsl.com>; Thu, 22 Jun 2017 20:43:44 -0700 (PDT)
Received: from mail-wr0-x22b.google.com (mail-wr0-x22b.google.com [IPv6:2a00:1450:400c:c0c::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C355129463 for <tls@ietf.org>; Thu, 22 Jun 2017 20:43:44 -0700 (PDT)
Received: by mail-wr0-x22b.google.com with SMTP id k67so47751331wrc.2 for <tls@ietf.org>; Thu, 22 Jun 2017 20:43:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=e/IaQ0+c4A0ZsiKt8biU4HlfrHAZmw3gka6mqxUb3iE=; b=mX2FFRE/rzQ+uAHrysyhoZHdxBzLgXFpv1Ey14BH0vb/GGJc36Gu2FfpUCNhHSPDoJ JtCbvms08dXoVTMXgrjlTdhJPJ8oxVEpjhgeQLG2MEGhXshDICEzigEKaVM0aR8rugiC wPTYVqsi8PJWojLsT3HJlvc5Di4OvvCsL5EYzzgg3au5l+i29ytO+eUILF7ptxMjHD57 yvbFea7EwRwFO0GKwqR2lxgCVTG9s1NiNKr5/ayPjAWPrJHJLoiFGJaz1PwKPLuNCsEl SGeHyXnPhUXghYyNiMjBa5i9PXzcu4ufGJ/otQKXSPfXVIUAkOBXTtosq2k2WhYOICRR GN6Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=e/IaQ0+c4A0ZsiKt8biU4HlfrHAZmw3gka6mqxUb3iE=; b=W0MK9duPo0wUn9qwDTjuaFBgEpiQyS2GuFOA+RvC2kknHQb6Chy+dkjV5/LUZxXcWP 7oSQXb4g7+UW4R5oiX1GTQpXeBc/36QjimUhIF0uBak/KEmU7u9KScKxy9zUz8ETXunT KqFzHaCtOYZxxbMQDOcOTlN1RYPW6BvLYH7SYItXtAVVCB/mon2hLba1+Ot7i+4d6wbY gCTL4uQdwHy7jSWCpN2zpvcYTmy3FduarQbKvHtYrqSK3sh6szhrHKhkyLbmJLF+yKu2 YpINmkzsIzSKY4g6yCkWu2XED/1gqxvMQJABL11Z74Wrt+WsA5y6VuFdssDPhzVbCUYf sh/g==
X-Gm-Message-State: AKS2vOwqZNuYZMBYlmj3Rezpa+UQYB+HDADyzHMFnhk8Kc4+bye8MCa8 aY/rrck2PiW7Rw==
X-Received: by 10.80.147.79 with SMTP id n15mr4584791eda.84.1498189422559; Thu, 22 Jun 2017 20:43:42 -0700 (PDT)
Received: from [192.168.1.18] ([46.120.57.147]) by smtp.gmail.com with ESMTPSA id g28sm2018709eda.58.2017.06.22.20.43.40 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 22 Jun 2017 20:43:41 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Message-Id: <9A520B6A-D8DE-41FC-B732-5E1C6DFCD707@gmail.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_627B4EA3-A8BD-41CA-901D-64988DC838E7"; protocol="application/pgp-signature"; micalg="pgp-sha512"
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
Date: Fri, 23 Jun 2017 06:43:37 +0300
In-Reply-To: <bi1n55pr8mut29311935117k.1498183830709@email.android.com>
Cc: Martin Thomson <martin.thomson@gmail.com>, David Benjamin <davidben@chromium.org>, "tls@ietf.org" <tls@ietf.org>
To: Timothy Jackson <tjackson@mobileiron.com>
References: <CABcZeBMpeBhcKoJYuMwLyER0VBh+RtVr6amWMPos3CJipXYHcA@mail.gmail.com> <DM2PR21MB00916718A71749E5D2CB19C38CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <CABcZeBO+Qprg4DTwNJrFU1PXDPyKbbdakMrF9fhe02jRL50cow@mail.gmail.com> <8e206c83-645f-6389-a7bd-ddd51e747ea2@akamai.com> <CAAF6GDfyqMndibTujY83_Xha2dZn7qvaCpZJw7xZ--b=-EOaYA@mail.gmail.com> <bf4506e7-13ce-ce7f-d20e-67a0d73c642a@akamai.com> <CAAF6GDePg9FL0JgzrWrTcrK7X=J0_fKjHVCj9EScvyQobJWTKA@mail.gmail.com> <20170613183536.GA12760@LK-Perkele-V2.elisa-laajakaista.fi> <63c8ac33-489c-0ace-d4ba-b960cd965281@akamai.com> <DM2PR21MB0091B8DC8780B4FA67464F0A8CC20@DM2PR21MB0091.namprd21.prod.outlook.com> <20170613205530.GB13223@LK-Perkele-V2.elisa-laajakaista.fi> <e5ab9945-054b-67bf-beef-9fce7a4a6f36@nic.cz> <CAF8qwaCuDk3oemXeKyEzzRgg2oCMA22qMBXQaL4YW3yWAeXUvA@mail.gmail.com> <DM2PR21MB009176844759F65141E1D6EA8CC30@DM2PR21MB0091.namprd21.prod.outlook.com> <CAF8qwaCwHYJP3p569CAN-9Fmd_ddDjg9d9wPi8j3uSrno_wHyw@mail.gmail.com> <CABkgnnXr=YaFVuXraOCJjqsfy+D98bEfasW8jLgDw50DhKkyww@mail.gmail.com> <bi1n55pr8mut29311935117k.1498183830709@email.android.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/glpGnbjj4_GSZHKiDCW-MBkGee8>
Subject: Re: [TLS] Separate APIs for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Jun 2017 03:43:46 -0000

> On 23 Jun 2017, at 5:10, Timothy Jackson <tjackson@mobileiron.com> wrote:
> 
> +1 and a preference for MUST, just so people understand the importance.
> 
> Since we're agreed that 0-RTT data and 1-RTT data have (almost) the same security properties once the handshake completes, it seems to me, unless I've missed something, that a lot of protocols will accept 0-RTT but withhold the response until after the handshake completes. I expect this massively simplifies the analysis the for the app developers.
> 
> Clientdata = readData()
> Reply = CreateReply(client data); //time intensive operation (e.g. Database, CDN cache lookup)
> 
> While(!clientFinished())
> Wait(); //do nothing until 1-RTT finished
> 
> Send(reply)

This assumes that CreateReply() has no side effects. It’s valid as long as all actions done by the server in response to the client data is getting stuff from a database.

> 
> This has the benefit of allowing slow lookups/processing to happen against 0-RTT, while delaying the "risky actions" until after 1-RTT. If I'm not mistaken, it would also make timing attacks harder since any cache misses would be at least partly masked by the time required for the 1-RTT handshake.
> 
> Dual streams seems to just add complexity here. What I really care about as a developer is whether I can fully trust the 0-RTT data, which is determined by whether the handshake is finished.
> 
> Cheers,
> 
> Tim
> --
> Tim Jackson
> 
> Senior Product Security Architect, MobileIron Inc.
> 
> 
> From: "Martin Thomson" <martin.thomson@gmail.com <mailto:martin.thomson@gmail.com>>
> Date: Thursday, June 15, 2017 at 5:16:29 PM
> To: "David Benjamin" <davidben@chromium.org <mailto:davidben@chromium.org>>
> Cc: "tls@ietf.org" <tls@ietf.org <mailto:tls@ietf.org>>
> Subject: Re: [TLS] Separate APIs for 0-RTT
> 
> On 15 June 2017 at 08:23, David Benjamin <davidben@chromium.org> wrote:
> > When accepting 0-RTT as a server, a TLS implementation SHOULD/MUST provide a
> > way for the application to determine if the client Finished has been
> > processed.
> 
> 
> I'm going to throw my support behind this distinction.  Though I would
> phrase this more simply as "the handshake is complete".
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>

v2.23.0 | Report a Bug | By Email