IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Eric Rescorla <ekr@rtfm.com> Thu, 04 May 2017 22:04 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01F34127286 for <tls@ietfa.amsl.com>; Thu, 4 May 2017 15:04:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id McM0k-nvr8ED for <tls@ietfa.amsl.com>; Thu, 4 May 2017 15:04:01 -0700 (PDT)
Received: from mail-yb0-x22b.google.com (mail-yb0-x22b.google.com [IPv6:2607:f8b0:4002:c09::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A94F129469 for <tls@ietf.org>; Thu, 4 May 2017 15:04:00 -0700 (PDT)
Received: by mail-yb0-x22b.google.com with SMTP id s22so7020248ybe.3 for <tls@ietf.org>; Thu, 04 May 2017 15:04:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=nkixfKtJqTf0zCCoJG25HMrUfBVtTng61f9CyfoolF8=; b=p6M8GDun6pCFuHbbhG+0ASrg6KCoCXd8EFLrr2SKxzx2qli7+GKk148EFE9cc1keqH 3ynzKqivdr3156AxH+ZRFOznD+0MoY/bP2uI8x0goBCOWp/pHTWgE37h3hD0SlOmLgCU N0iJPY75DXPNpWjcuGYI/NQuAeXPMwzMgA2ZJwN6krpT/CY+WMQB7+RqEftFwvmfOX9D bQ2OU2i5Pzgsy2N8jXE2PyUzWnJYrlDf/oi/HtCpyPadXNebZKIvqjgm0XX9h4qtwQuC T7HZoG5SXl8y3X2rQ5+BdnuaqVUXf8j51vqFOrECHgLlia2DwLQRU5mLI2mjlzfoJSm4 bwUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=nkixfKtJqTf0zCCoJG25HMrUfBVtTng61f9CyfoolF8=; b=Q2Xno6Fu4a90c/Ot13OoSVuWoGCsOi41qH9JVlESkgTdRPevEWsbmpEirY5Q+ZhGII uCkeoAKi85gjEWWFcU64PObfqpsz/HlLj1Oz9aufEZZGGJGYAgkyDLhDZlfgXsZaAPaj bJvnWexqptX3NZkaPihr2n215tF3k7u234IaNtL0Hb9zjkFGeIPwee3rmaTsJeXa9NF6 qBq76vWLG0V3o5oSIu4RhF3FLWYfGwtS24JoKtGpFfsgOV9y43K+KL1vlwYc6SBqUICX xTL5A3zlBg4swCMwbr3XHbSACwaSzJdfx+4lqDzcX0fSL8YZrS44qHCl0agH5agsOB/9 RUMQ==
X-Gm-Message-State: AN3rC/797JD+UQvlXxPCddI+DOGEOPvU7dZxpQFwwoBXTerMYXD2OeIi Wew3yAJ5SqfjsT6K2o43D6h6mKDXZQO0
X-Received: by 10.37.161.196 with SMTP id a62mr37467093ybi.9.1493935439832; Thu, 04 May 2017 15:03:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.131.150 with HTTP; Thu, 4 May 2017 15:03:19 -0700 (PDT)
In-Reply-To: <CAKC-DJj2JzjP8+6ygsWOxTG3u8Ps3NmiyV5zyq7UyrNqaXNFZA@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com> <MWHPR15MB11825419AF296AE7EC26F3BDAFEA0@MWHPR15MB1182.namprd15.prod.outlook.com> <CABcZeBNyQB3FOik3ZBZvgX7FnEjUydHdJwfa5OkACYDO_FQHaA@mail.gmail.com> <CAKC-DJj2JzjP8+6ygsWOxTG3u8Ps3NmiyV5zyq7UyrNqaXNFZA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 04 May 2017 15:03:19 -0700
Message-ID: <CABcZeBNEbOqK21G+-HUzfX3ivpiOc=Bq2+EOLiA1suS5BkgShA@mail.gmail.com>
To: Erik Nygren <erik+ietf@nygren.org>
Cc: Kyle Nekritz <knekritz@fb.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045c5632358deb054eb9f3be"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hFX54ieCwKPIfCLihncqz-FjVL8>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 22:04:03 -0000

On Thu, May 4, 2017 at 3:00 PM, Erik Nygren <erik+ietf@nygren.org> wrote:

> On Thu, May 4, 2017 at 5:37 PM, Eric Rescorla <ekr@rtfm.com> wrote:
>
>>
>>
>>
>> On Thu, May 4, 2017 at 2:27 PM, Kyle Nekritz <knekritz@fb.com> wrote:
>>
>>> > 1. A SHOULD-level requirement for server-side 0-RTT defense,
>>> explaining both session-cache and strike register styles and the merits of
>>> each.
>>>
>>>
>>>
>>> First, a point of clarification, I think two issues have been conflated
>>> in this long thread:
>>>
>>> 1) Servers rejecting replayed 0-RTT data (using a single use session
>>> cache/strike register/replay cache/some other method)
>>>
>>>
>>>
>>> There are definitely cases (i.e. application profiles) where this should
>>> be done. I think a general case HTTPS server is one. But I don’t think this
>>> is strictly necessary across the board (for every application using 0-RTT
>>> at all). DNS was brought up earlier in this thread as an example of a
>>> protocol that is likely quite workable without extra measures to prevent
>>> replay.
>>>
>>>
>>>
>>> We already state “Protocols MUST NOT use 0-RTT data without a profile
>>> that defines its use.”. We could also describe methods that may be used to
>>> provide further replay protection. But I don’t think it’s appropriate to
>>> make a blanket requirement that *all* application protocols should require
>>> it.
>>>
>>>
>>>
>>> I also consider it quite misleading to say TLS 1.3 is insecure without
>>> such a recommendation. Uses of TLS can be insecure, that does not mean the
>>> protocol itself is. It’s insecure to use TLS without properly
>>> authenticating the server. Some users of TLS do not do this correctly. I’d
>>> actually argue that it is easier to mess this up than it is to mess up a
>>> 0-RTT deployment (and it can result in worse consequences). That doesn’t
>>> mean we should require a particular method of authentication, for all uses
>>> of TLS.
>>>
>>
>> I think this is basically right. In the PR I just posted, I spent most of
>> my time describing the
>> mechanisms and used a SHOULD-level requirement to do one of the
>> mechanisms.
>> I think there's a bunch of room to wordsmith the requirement. Perhaps we
>> say:
>>
>> - You can't do 0-RTT without an application profile
>> - Absent the application profile saying otherwise you SHOULD/MUST do one
>> of these mitigations?
>>
>
> I generally agree with Kyle here (and also added a few minor comments to
> the PR).
> I think we should be clear where the responsibilities generally lie as
> well, for example:
>
> "The onus is on clients not to send messages in 0-RTT data which are not
> safe to have replayed and which they would not be willing to retry across
> multiple 1-RTT connections. The onus is on servers to protect themselves
> against attacks employing 0-RTT data replication."
>
> The server responsibility is a general property TLS can maintain while the
> client responsibility requires an application profile to define.
>

These seem like good changes. I will work to incorporate them.

-Ekr


>
>         Erik
>
>

v2.23.0 | Report a Bug | By Email