IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Jeffrey Walton <noloader@gmail.com> Wed, 03 May 2017 02:40 UTC

Return-Path: <noloader@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18784129B42 for <tls@ietfa.amsl.com>; Tue, 2 May 2017 19:40:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id si43p-2lY7WO for <tls@ietfa.amsl.com>; Tue, 2 May 2017 19:40:11 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5A3AB129B83 for <tls@ietf.org>; Tue, 2 May 2017 19:38:11 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id l18so18750258oig.2 for <tls@ietf.org>; Tue, 02 May 2017 19:38:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:reply-to:in-reply-to:references:from:date:message-id :subject:to:cc:content-transfer-encoding; bh=Wbc3j+0jzE3BW0KWuYWyuiIV+bYbwfOAG8kshCoOs9U=; b=Foi/XbngGaD3aMsnrmInIbcOYPFW3JYSOPpWxCNxoO4Qkjv3ivQtlXec8s2aGDgGAV qq2YWo5Zx9eZqRXsi0TpyF29DnFw2EMTs9mzqRQwkERK9QLJFLmmP1wiYevLsnJ+PXO3 kiAKNld22CxRvFwTK9U+dTQF6u/BjCPXROhygxd6Lx1S0evI9rmwoJIMpwFpFvfr2ePG Hn/sL3s/AhnnkFntvTLlmtoldTZibbTWvABaGP49h6uJF4UL7wpsmulEWJ/lyXpICN37 HMN1l7dz8YjDf6a5f92xGUMwP98fCYaQgc42Yvo16+4e/Pol68Nn4TtAoC/hVjcKKZj1 fzTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:reply-to:in-reply-to:references :from:date:message-id:subject:to:cc:content-transfer-encoding; bh=Wbc3j+0jzE3BW0KWuYWyuiIV+bYbwfOAG8kshCoOs9U=; b=aPyR33qeMqMffGXbFIBQlvLV/m3j/InnOd3uJxSpKtIHDk6NlTcFwNyVZUVCofljwU LGGsytbHuAoXEI4UZbppTBsUrcZCtPl22HFTCEgXVtFaDFINXPm8GlPaEjxZjvOwmixu Ne5gJk6Ev84nvEytsL1lCzMf3DhSpnP/f51LbMrPP51+ybYZ94j5929BnSbnssgMYtoT IevwxG/l+iUyE5zT+VNGbyeLJCyFz5Dnh4W0v/K+wjDhXFplNtdD1vh9IBqSheRbiXwV Y0icLqLKTtLfYRxiMq2hThPO26bcdx49rjbFER7Hvl3UhtyLTbPIqcKIkfrlMF2pf3we TiEQ==
X-Gm-Message-State: AN3rC/629dwFXQfApBdWMkO+oxuR0DU2K8dbd0qiXwNzeUDTVTvySMr9 RkTh0WwfV+N8t/WCG/vz95Vu01mKSrcOkGg=
X-Received: by 10.202.77.195 with SMTP id a186mr11172146oib.117.1493779090714; Tue, 02 May 2017 19:38:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.139.199 with HTTP; Tue, 2 May 2017 19:38:09 -0700 (PDT)
Reply-To: noloader@gmail.com
In-Reply-To: <CAAF6GDcriRk1VvBWK6a3YL0-g9xcLOTChVL94n=ax32s25PUwQ@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <C29356B3-6D71-4088-9AB3-4954327F1E7B@dukhovni.org> <20170502173905.GC10188@localhost> <CAAF6GDeYc5o=eeeyV6HhK9vrLngB-Y=Ed5BdedrE8h2-py4oAw@mail.gmail.com> <20170502180049.GE10188@localhost> <CAAF6GDecd=x-Ob_eO1vSWr6cb6jAeyHBx7zf6cpX=GfxBosfLQ@mail.gmail.com> <20170502182529.GG10188@localhost> <d325ae84-ad24-859d-50a7-825dbabe3b24@akamai.com> <1493768953994.69753@cs.auckland.ac.nz> <CAAF6GDfq0Rs86Zik7M-fCRv51981DO19rFaxRC8Of322RCg8eA@mail.gmail.com> <803FB95F-3271-407A-B483-5C0C996D3F04@dukhovni.org> <CAAF6GDcriRk1VvBWK6a3YL0-g9xcLOTChVL94n=ax32s25PUwQ@mail.gmail.com>
From: Jeffrey Walton <noloader@gmail.com>
Date: Tue, 02 May 2017 22:38:09 -0400
Message-ID: <CAH8yC8mdWX3HsneuVh1_AOeEZahMC2WUYqoeHN4aKW6c0aG9tw@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: TLS WG <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/h9uV9hqtnwMT8V5cQGdrq-g4YLk>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 02:40:13 -0000

On Tue, May 2, 2017 at 9:45 PM, Colm MacCárthaigh <colm@allcosts.net> wrote:
>
> On Tue, May 2, 2017 at 5:51 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
>>
>> .Some choices are driven by practical engineering considerations.
>>
>> The ticket lifetime is likely to be considerably longer than the
>> replay clock window.  The server should indeed reject replays,
>> but if it is able to flush the replay cache faster, it may be able
>> to handle that job a lot more efficiently under load.
>
> Good point! It's also common for caches to implement LRU, where a shorter
> lifetime is better.
>
>> What is a likely ticket lifetime for a server that supports 0-RTT
>> (let's assume an HTTP server)?
>
> I'm going to guess that providers will set it as high as they can ... every
> little helps. So 7 days.

It seems like this would follow the same policies for session
management and/or authentication and authorizations. If its low value
data (like a GMail account), then let it live longer, like weeks. If
its high value data (like executive compensation, mergers and
acquisitions or pending litigation), then its probably shorter, like
hours to days.

What's the polyfill that allows data sensitivity levels to trickle
down into the transport layer?

Jeff

v2.23.0 | Report a Bug | By Email