IETF Logo Mail Archive

Re: [TLS] TLSv1.3 Cookies

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 13 September 2017 15:09 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B6DA9133055 for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 08:09:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id glPDn20qs17s for <tls@ietfa.amsl.com>; Wed, 13 Sep 2017 08:09:35 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 652861321C7 for <tls@ietf.org>; Wed, 13 Sep 2017 08:09:35 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id C68945DE77; Wed, 13 Sep 2017 18:09:32 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id JLjRB3QCDJzI; Wed, 13 Sep 2017 18:09:32 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 3831E21C; Wed, 13 Sep 2017 18:09:30 +0300 (EEST)
Date: Wed, 13 Sep 2017 18:09:29 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Matt Caswell <frodo@baggins.org>
Cc: "tls@ietf.org" <tls@ietf.org>
Message-ID: <20170913150929.nupe6fq5rqtroflp@LK-Perkele-VII>
References: <CAMoSCWYXWJMkFAdrcy033_bjMZjRUiU-V5f8MkoTXyvDfw+z6A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAMoSCWYXWJMkFAdrcy033_bjMZjRUiU-V5f8MkoTXyvDfw+z6A@mail.gmail.com>
User-Agent: NeoMutt/20170609 (1.8.3)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hqq20VhK0SnXsB6CPjTcIKbvLeA>
Subject: Re: [TLS] TLSv1.3 Cookies
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2017 15:09:38 -0000

On Wed, Sep 13, 2017 at 03:53:46PM +0100, Matt Caswell wrote:
> I am looking at trying to implement the TLSv1.3 stateless cookie
> mechanism (in order to be able to support QUIC stateless retries).
> 
> I am not clear how cookies are supposed to interact with early_data.
> Consider the scenario where a server is operating statelessly. Because
> there is no state each ClientHello looks like the first one it ever
> saw. The server only knows that a particular ClientHello is actually a
> ClientHello2 following an HRR because of the state held in the cookie.

Looking at the definitions of Cookie and EarlyData extensions, those
two are mutually exclusive. That is, there can be three kinds of
ClientHello messages:

1) Contains neither Cookie nor EarlyData.
2) Contains an EarlyData, but not Cookie.
3) Contains a Cookie, but not EarlyData.

(This exclusivity arises because Cookie can only be present in a retry,
but EarlyData is stripped out for retry).
 
> What happens when a client attempts to send early data to such a
> server? The server will process the ClientHello and determine that
> there is no cookie, sends back an HRR and then forgets all of its
> state and waits for the next ClientHello. However what it actually
> gets next is early_data. It does not know that that early data
> followed an earlier ClientHello (because it is stateless) so it does
> not know to skip the records. It just looks like illegal records so,
> presumably, it will respond with an alert.

Yes, if one receives a ClientHello with both Cookie and EarlyData, one
can reply with a fatal alert, because that is not supposed to happen.

There is worse edge case with client key share tho: If a ClientHello
that contains a Cookie does not contain suitable key share, that is an
irrecoverable error, and the only thing server can do is to send a
fatal alert (and hope the client somehow retries the connection setup).

> Should a stateless server silently drop any records that it doesn't understand?

No, records should not be dropped for non-transistent problems, as
doing this causes difficult-to-debug timeouts (the client will retry,
and the retry will be dropped again, repeat until client gives up).

In stateless operation, errors are sent back only once, not
retransmitted if lost.

> I am also unclear what protects against cookies being replayed. If an
> attacker wishes to perform an amplification attack on a particular IP
> it awaits a legitimate ClientHello with a cookie coming from that IP
> and records it. It then replays that ClientHello with cookie to the
> server many times. The cookie looks valid to the server and it
> responds with its ServerHello, full Certificate chain etc back to the
> original IP. What have I missed here?

The attacker is likely able to inject packets, but not capture packets
(the usual "no BCP38 compliance" case).


-Ilari

v2.23.0 | Report a Bug | By Email