Re: [TLS] Simple, secure 0-RTT for the masses

Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 16 March 2016 08:17 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CC5112D7D3 for <tls@ietfa.amsl.com>; Wed, 16 Mar 2016 01:17:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pQJbYrSKuCn4 for <tls@ietfa.amsl.com>; Wed, 16 Mar 2016 01:17:31 -0700 (PDT)
Received: from welho-filter4.welho.com (welho-filter4.welho.com [83.102.41.26]) by ietfa.amsl.com (Postfix) with ESMTP id 75AA212D7D4 for <TLS@ietf.org>; Wed, 16 Mar 2016 01:17:22 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id 77D6A3116; Wed, 16 Mar 2016 10:17:19 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp2.welho.com ([IPv6:::ffff:83.102.41.85]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id 2ZI7IFBWhE6K; Wed, 16 Mar 2016 10:17:19 +0200 (EET)
Received: from LK-Perkele-V2 (87-100-143-35.bb.dnainternet.fi [87.100.143.35]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp2.welho.com (Postfix) with ESMTPSA id 3342821C; Wed, 16 Mar 2016 10:17:19 +0200 (EET)
Date: Wed, 16 Mar 2016 10:17:17 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Colm =?utf-8?Q?MacC=C3=A1rthaigh?= <colm@allcosts.net>
Message-ID: <20160316081717.GA21439@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAH9QtQGdZ9=XG-Qc5G6amM1pOnBse5jZndL0kExxArWXoQbhsQ@mail.gmail.com> <CAAF6GDegiWr3cWPpQAiVTZ5RhWFg24C-=SB=b=tKVTpaPn3V5g@mail.gmail.com> <CAH9QtQHvrz0guqGeMxD-C1ifCLOvOuADGdeqtCMHkEnRZ=y+hw@mail.gmail.com> <CAAF6GDc+Lnzpx38YT0gvgetb8E9yVsgMkLMh1SB7tu=fw_SK4A@mail.gmail.com> <CAH9QtQF02zwnB6dOGjFfWX2RLc4_RSODFpHaVLZkK_5KDf93sg@mail.gmail.com> <CAAF6GDd0h=1--pViASw3pT5nMAM4SRy2C2hzA6XF7Ba_g+oL4w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAAF6GDd0h=1--pViASw3pT5nMAM4SRy2C2hzA6XF7Ba_g+oL4w@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/iRP4DCAOItZijjVHugiUv2jmgnk>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Simple, secure 0-RTT for the masses
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2016 08:17:34 -0000

On Wed, Mar 16, 2016 at 12:33:40AM -0400, Colm MacCárthaigh wrote:
> On Tue, Mar 15, 2016 at 9:38 PM, Bill Cox <waywardgeek@google.com>; wrote:
> 
> > I would be happy if we could recommend at least one reasonably secure
> > method for 0-RTT for HTTPS that has a reasonable chance of satisfying the
> > skeptics, and then state that 0-RTT for other protocols, and stateless
> > 0-RTT, needs to be carefully considered for the application.
> >
> 
> After meditating on this a little, how about something like this:
> 
> Benefits Forward secrecy:
> 
> * Clients SHOULD use a resumption ticket only once, and get a new
> resumption ticket when using an existing one.
> 
> Benefits Forward Secrecy and Idempotence:
> 
> * Client and server should erase the existing ticket upon use.
> 
> (a captured early data section is mooted for replay quite quickly in the
> default "good" case)

The best that can be done w.r.t. "forward secrecy" is to erase the
decryption-capable key used for 0-RTT on both sides, and never sending
it on the wire, even encrypted.

> * Make early data and application data separate record layer content types.
> Make it clear that they do not form a continuous stream; you can't simply
> concatenate them at the application level and bolt on to existing protocols
> such as HTTP, SMTP, etc.

You mean inner (encrypted) content type, right (outer content type would
still be 23[TLS PROTECTED DATA]?

> * Advise that clients using 0RTT SHOULD occasionally send duplicate early
> data handshakes. As a normal part of the protocol, a well behaved client
> should intentionally do what an attacker might do and send the whole
> section twice, causing the server to resolve the duplication. Keep the
> anti-bodies strong.

Such duplication does not occur in attack conditions. The duplication
from attack conditions takes two forms:

- Duplication of 0-RTT data into 1-RTT data of _different_ connection.
- Duplication of 0-RTT data into 0-RTT data of _different_ connection.

In both cases, the connections are different, not the same. And this
makes a difference if e.g. protocol banners are sent as 0-RTT (and
such may very well be critical for latency).


-Ilari