Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
Karthik Bhargavan <karthikeyan.bhargavan@inria.fr> Fri, 25 March 2016 11:59 UTC
Return-Path: <karthikeyan.bhargavan@inria.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 351BA12D599 for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 04:59:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W0MbYd6jClQB for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 04:59:20 -0700 (PDT)
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 732BF12D6BE for <tls@ietf.org>; Fri, 25 Mar 2016 04:59:19 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.24,390,1454972400"; d="scan'208,217";a="170804868"
Received: from unknown (HELO [128.93.82.51]) ([128.93.82.51]) by mail3-relais-sop.national.inria.fr with ESMTP/TLS/DHE-RSA-AES256-SHA; 25 Mar 2016 12:59:17 +0100
Content-Type: multipart/alternative; boundary="Apple-Mail=_F40E1CA0-7EFA-42CE-A643-8BC4A725EA24"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: Karthik Bhargavan <karthikeyan.bhargavan@inria.fr>
In-Reply-To: <20160325115343.GA13213@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Fri, 25 Mar 2016 12:59:16 +0100
Message-Id: <68AC2856-70B5-4B4C-80E8-B8AD1512199A@inria.fr>
References: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr> <20160325115343.GA13213@LK-Perkele-V2.elisa-laajakaista.fi>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/hH3eedAATH7C-Wc45XpQbztHHRM>
Cc: tls@ietf.org
Subject: Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 11:59:23 -0000
> You mean combining the 0-RTT aspects of pre_shared_key extension with > early_data? Because I don't think this type of structure can present what > PSK extension presents (e.g. multiple candidate PSK identities). Good question. For 0-RTT, multiple PSK identities make no sense, because we can only use one of these for the 0-RTT key derivation. Are there cases where the client wants to advertise multiple PSK identities for 1-RTT? If so, we could retain the pre_shared_key extension specifically for the 1-RTT PSK case, and disregard it for 0-RTT. Best, Karthik > >> In the semi-static DH case: >> - id is the configuration id >> - context is the hash of the ServerConfiguration + Server Certificate + CertificateRequest > > This would close the loop between static key and the handshake (this > loop being open in previous versions creates some "excitement" (not a > good thing)). > > Also, is this hash also used to bind the configuration, identity and > possible certificate request to 0-RTT keys? ServerConfiguration and > CertificateRequest are not problematic to reconstruct from small space, > but Certificate message can be good bit larger... > > Ah, later it looks like these could then be dropped form 0-RTT key > derivation then... > >> In the PSK resumption case: >> - id is the session ticket >> - context is a *public* value unique to the derived session. For example, it could be defined as the session hash of the original handshake, >> or it could be derived by the client as HKDF(RMS, “early data context”) > > The first would break symmetry between resumption and PSK. The second > would be symmetric with HKDF(PSK, “early data context”). > >> In the pure PSK case >> - id is the PSK identifier >> - context is unique to the PSK and its allowed use. >> For example, it can be generated (out-of-band) as HKDF(PSK, “early data context”) > > Seems reasonable way to generate the context. > >> 2) New Session Ticket >> >> The NewSessionTicket message needs to indicate whether the server will accept 0-RTT, >> and what ciphersuites it is willing to accept (e.g. pure PSK resumption vs only PSK-ECDHE). >> >> I suggest the following modification to this message: >> struct { >> uint32 ticket_lifetime; >> opaque ticket<0..2^16-1>; >> CipherSuite cipher_suites<2..2^16-2>; >> EarlyDataType early_data_type >> } NewSessionTicket; >> >> enum { >> no_early_data_allowed(0), >> replayable_early_data_allowed (1), >> all_early_data_allowed(2), >> (65535) >> } EarlyDataType; >> >> The interpretation of the early_data_type field is that the server is either: >> (a) unwilling to accept 0-RTT (no_early_data_allowed), >> (b) willing to accept 0-RTT, but it has no replay cache (replayable_early_data_allowed), >> (c) willing to accept 0-RTT and has a replay cache that it uses to prevent replay (all_early_data_allowed) > > (b) vs (c) don't affect the next handshake except if 0-RTT data is sent > or not? > > (I ask, because early_data_type with 0rtt auth does affect next handshake > in a way that is not signaled there, making it look horrifying to implement, > at least if one wants to enforce strict state machine behaviour). > >> >> A note on authenticating the 0-RTT “context” >> ---------------------------------------------------------- >> >> When trying to figure out how to authenticate 0-RTT DH mode in an >> earlier draft, we came upon the design of signing the Handshake >> Context that consists of the ClientHello + additional information >> from the previous handshake. This construction prevents 0-RTT >> authentication from unknown key share attacks. > > It also looks to protect the _main_ TLS handshake from unknown key share > attacks when using 0-RTT DH mode. > >> Even if we eliminate client certificate authentication from 0-RTT, >> this notion of “context" is still useful for two reasons: > > Also, lacking 0-RTT certificate auth would be useful to deflect the > headlines if flaw in scheme is discovered (the flaw would then be > blamed on $PROTOCOL, not TLS). :-) > > More seriously, if I was pick one aspect of current TLS 1.3 > implmentability that terrifies me the most, it would be 0-RTT cert. > auth, by far. > > When writing code doing state-machine handshake sequencing on TLS 1.2 > and 1.3, by far the source of most expletives is either: > > 1) Some crazyness TLS 1.2 does with resumption (when session tickets > are involved). > 2) TLS 1.3 0-RTT cert auth (would really love to rip that code out). > >> (a) the application may use TokenBinding or some such protocol to >> authenticate 0-RTT data, and we need to understand what “channel >> binding” to provide for this case, >> (b) in PSK resumption mode, since the handshake log does not contain >> much information that is specific to the previous connection, it >> would be more robust to add an explicit context. > > >> If we accept the definition of “context” in the EarlyDataIndication >> extension, then we can use the hash of the ClientHello uniformly in >> all 0-RTT modes for deriving keys, and for deriving a channel binding >> for the application. Furthermore, we can safely introduce a PSK_ECDHE >> mode where the server sends its Certificate and CertificateVerify and >> its signature is correctly bound to the PSK (via the “context” field). > > Yeah. Would solve a lot of problems with the current design. > > > -Ilari
- [TLS] Cleaning up 0-RTT Signaling (ciphersuites, … Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Bill Cox
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Benjamin Kaduk
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh