IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Kyle Nekritz <knekritz@fb.com> Mon, 22 May 2017 17:12 UTC

Return-Path: <prvs=6315748958=knekritz@fb.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCB3A12EB30 for <tls@ietfa.amsl.com>; Mon, 22 May 2017 10:12:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.719
X-Spam-Level:
X-Spam-Status: No, score=-2.719 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=pvPyNqpH; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=OnQ7mnj8
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NDT5ZsR0mX1L for <tls@ietfa.amsl.com>; Mon, 22 May 2017 10:12:24 -0700 (PDT)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93B05126C23 for <tls@ietf.org>; Mon, 22 May 2017 10:12:24 -0700 (PDT)
Received: from pps.filterd (m0044012.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.20/8.16.0.20) with SMTP id v4MH9tB8015354; Mon, 22 May 2017 10:12:22 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=uJ36TymipTgbwDtH07ehlRnP2lFZap/P8SFXxamoU0U=; b=pvPyNqpHTR3+Tr0HCSVuj5he38MA0+5lqi3ye+ZidLq/GR3SkbvJ5wCxHzXZj79QyRL2 eg00MnkDpTNKNz5SDcpPaq6fW0UXm3bAfg7AiV920ZkMwdCTVG1lpHfBZGYq4y0cXydI iY3aLFfAG0xp2V46uB/REaPCkQXxkToz6nc=
Received: from maileast.thefacebook.com ([199.201.65.23]) by mx0a-00082601.pphosted.com with ESMTP id 2am22t8j58-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 22 May 2017 10:12:22 -0700
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (192.168.183.28) by o365-in.thefacebook.com (192.168.177.28) with Microsoft SMTP Server (TLS) id 14.3.319.2; Mon, 22 May 2017 13:12:20 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=uJ36TymipTgbwDtH07ehlRnP2lFZap/P8SFXxamoU0U=; b=OnQ7mnj8sGPduohmfm3HiUN8OukIJ7eioJOoUYoglzoVk5OnosBf7HmlOvST5Juw2UdZcRFP1kdktdTdUR9sTwb01SH3EHNacd4iK17PrXJV1k1+SgrQXCsSSGuvwN4UP8glogkFW0jvjv+r2EnHmvnI32YutrIwraTV0EcVYxc=
Received: from MWHPR15MB1182.namprd15.prod.outlook.com (10.175.2.136) by MWHPR15MB1182.namprd15.prod.outlook.com (10.175.2.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1101.14; Mon, 22 May 2017 17:12:19 +0000
Received: from MWHPR15MB1182.namprd15.prod.outlook.com ([10.175.2.136]) by MWHPR15MB1182.namprd15.prod.outlook.com ([10.175.2.136]) with mapi id 15.01.1101.019; Mon, 22 May 2017 17:12:19 +0000
From: Kyle Nekritz <knekritz@fb.com>
To: Colm MacCárthaigh <colm@allcosts.net>, Eric Rescorla <ekr@rtfm.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Security review of TLS1.3 0-RTT
Thread-Index: AQHSw1NWfzhsEfLgEUy3mG3N+R1DLqHjghwAgAAB3wCAAABtgIABK3OAgBMVs4CAA79FgIAAdzaAgAEhiwCAAmQwAIAAPdqAgADlUOA=
Date: Mon, 22 May 2017 17:12:19 +0000
Message-ID: <MWHPR15MB1182F59E2B60534CB20EC9C4AFF80@MWHPR15MB1182.namprd15.prod.outlook.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com> <CAAF6GDe1_ih1aUShrzAHUuTzbLx6+0BdVexpGnq90RZsST8GvA@mail.gmail.com> <CABcZeBOX5NXuhgfap2S0naO9PFXv+K-+fZVPbgck6yciVnrYbQ@mail.gmail.com> <CABcZeBPuOupLTNKOtuCgOjYNdiuw571HM-pq1vNZz_8x-XX5mg@mail.gmail.com> <CABcZeBMqALJ10cU7FMUhv8k5Q=tw3yu1-5pdrKzOBM3=g5PHJw@mail.gmail.com> <20170519095316.GA30080@LK-Perkele-V2.elisa-laajakaista.fi> <CAAF6GDeuRMZx9MRynrxMp1fCvRS2jjr0vcqt0R89cJEkD6u=rQ@mail.gmail.com> <20170520101616.GC32428@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBNj_X4qbXrH4732kQiAHrBpPZhW1nmn4Xnp-pm0gv1Psg@mail.gmail.com> <CAAF6GDcEKaBaJZU0q822KqoJDL5kyZJGbOBKsnU9tnpU=YvoxA@mail.gmail.com>
In-Reply-To: <CAAF6GDcEKaBaJZU0q822KqoJDL5kyZJGbOBKsnU9tnpU=YvoxA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: allcosts.net; dkim=none (message not signed) header.d=none;allcosts.net; dmarc=none action=none header.from=fb.com;
x-originating-ip: [2620:10d:c091:200::4:3a71]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR15MB1182; 7:UKcVxpfvgd2PPN3HwKpYrzm+FLTz6YyYM5prMYZBkQ60UGZ7VV1D/FfNMSV3Bclh4L66UOJfJ0ApCw950YD9aaRKZDqCw/GT5jfxQK2V8RXm6/0EhxJZrSDkEMFERf9kw4emd0bwYOdH/KfbgP5vF5nXfjvvv0k21Clfja/brE5Oyo51VA9bhVDN+hFmIkDhnDiG/Rh9MKLgFs2LLcPyIQLfMmJUk30CAsBLjr5e1Mvr4vGlIxwcaELw0iK/b2vKeSJ5uU9nAxfSyP/d7nkD7cwhLqMmWEXkQiBOLZ7PJbPFTWWYPoQp3/rzSBrt1jzDCdaHJ2m7p5LRlC0d54Ia8A==; 20:Le+DK2kHyQIbcKNzUoMqHhTJ7wVeBz0xjqqyci2KwgYoKJdBduvL6XXU0gYdSXt65UafnVIa/8bXt/GZ9Y8AwKnTTOUqtmgm7bVniEanmouFMxfzPtzRcO/3ArVmorEtSNhWmd7YRNOdRjhDbf5CjwlvdUCZzdijsmbZ9WYOEzQ=
x-ms-traffictypediagnostic: MWHPR15MB1182:
x-ms-office365-filtering-correlation-id: b08abe49-6a0c-468e-e761-08d4a135b426
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(201703131423075)(201703031133081); SRVR:MWHPR15MB1182;
x-microsoft-antispam-prvs: <MWHPR15MB11827C1A46A90CCAB2029DB3AFF80@MWHPR15MB1182.namprd15.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(93006095)(93001095)(6041248)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123564025)(20161123558100)(20161123555025)(20161123562025)(6072148); SRVR:MWHPR15MB1182; BCL:0; PCL:0; RULEID:; SRVR:MWHPR15MB1182;
x-forefront-prvs: 03152A99FF
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39410400002)(39840400002)(39450400003)(39400400002)(39850400002)(377454003)(24454002)(54356999)(46360400001)(5660300001)(74316002)(3660700001)(7736002)(3280700002)(76176999)(50986999)(53546009)(93886004)(38730400002)(4326008)(99286003)(54896002)(53936002)(9686003)(10710500007)(236005)(55016002)(33656002)(6306002)(6246003)(2906002)(122556002)(8936002)(2900100001)(19609705001)(2950100002)(6506006)(77096006)(229853002)(6436002)(478600001)(7696004)(81166006)(25786009)(189998001)(7110500001)(102836003)(15650500001)(6116002)(2420400007)(86362001)(8676002)(790700001); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR15MB1182; H:MWHPR15MB1182.namprd15.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR15MB1182F59E2B60534CB20EC9C4AFF80MWHPR15MB1182namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 May 2017 17:12:19.1427 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1182
X-OriginatorOrg: fb.com
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-05-22_09:, , signatures=0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/iF2oPDlz8zYhAuHZjnEMqlH3734>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2017 17:12:27 -0000

The stateless technique certainly doesn’t solve all issues with replay. Neither do the other techniques, unless a fairly unrealistic (imo, in most use cases) retry strategy is used. But the stateless technique is definitely an improvement over no anti-replay mechanism at all (for instance it reduces the possible number of rounds of a cache probing attack, assuming the cache TTL > replay window). Which mechanisms to use, and whether to enable 0-RTT in the first place (or PSK mode at all), should be decided considering the tradeoff between security/performance/implementation constraints, etc. In the case of DNS, most DNS security protocols (dnssec, etc.) do allow this kind of replay so I think it is a pretty reasonable tradeoff to consider.

Additionally, I think the stateless technique is quite useful as a defense-in-depth mechanism. I highly doubt all deployments will end up correctly implementing a thorough anti-replay mechanism (whether accidentally or willfully). The stateless method is very cheap, and can be implemented entirely within a TLS library even in a distributed setup, only requiring access to an accurate clock. I’d much rather deployments without a robust and correct anti-replay mechanism break down to allowing replay over a number of seconds, rather than days (or longer).

Kyle

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Colm MacCárthaigh
Sent: Sunday, May 21, 2017 10:29 PM
To: Eric Rescorla <ekr@rtfm.com>
Cc: tls@ietf.org
Subject: Re: [TLS] Security review of TLS1.3 0-RTT



On Sun, May 21, 2017 at 3:47 PM, Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>> wrote:
- Clients MUST NOT use the same ticket multiple times for 0-RTT.

I don't understand the purpose of this requirement. As you note below,
servers are ultimately responsible for enforcing it, and it's not clear to
me why clients obeying it makes life easier for the server.

I think clients should duplicate them sometimes, just to keep servers on their toes ;-) this is what we talked about maybe being a grease thing .. if at all.

- Servers MUST NOT accept the same ticket with the same binder multiple
  times for 0-RTT (if any part of ClientHello covered by binder is
  different, one can assume binders are different). This holds even
  across servers (i.e., if server1 accepts 0-RTT with ticket X and
  binder Y, then server2 can not accept 0-RTT with ticket X and binder
  Y).

I assume that what you have in mind here is that the server would know
which tickets it was authoritative for anti-replay and would simply reject
0-RTT if it wasn't authoritative? This seems like it would significantly cut
down on mass replays, though it would of course still make application-level
replay a problem.

I'm happy to write this up as part of the first two techniques. I'd be
interested in hearing from others in the WG what they think about:

1. Requiring it.
2. Whether they still want to retain the stateless technique.

I'm for requiring it, and for removing the stateless technique ... because it prevents the side-channel and DOS attacks and those seem like the most serious ones (and also, the new ones).

So far each case where we've thought "Actually stateless might be ok in this case" ... like the example of DNS ... turns out not to be safe when examined more closely (in DNSes case it would compromise privacy because caches could be probed).

--
Colm

v2.23.0 | Report a Bug | By Email