Re: [TLS] Simple, secure 0-RTT for the masses
Ilari Liusvaara <ilariliusvaara@welho.com> Wed, 16 March 2016 08:17 UTC
Date: Wed, 16 Mar 2016 10:17:17 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/iRP4DCAOItZijjVHugiUv2jmgnk>
Cc: "tls@ietf.org" <TLS@ietf.org>

On Wed, Mar 16, 2016 at 12:33:40AM -0400, Colm MacCárthaigh wrote:
> On Tue, Mar 15, 2016 at 9:38 PM, Bill Cox <waywardgeek@google.com> wrote:
>
> > I would be happy if we could recommend at least one reasonably secure
> > method for 0-RTT for HTTPS that has a reasonable chance of satisfying the
> > skeptics, and then state that 0-RTT for other protocols, and stateless
> > 0-RTT, needs to be carefully considered for the application.
> >
>
> After meditating on this a little, how about something like this:
>
> Benefits Forward secrecy:
>
> * Clients SHOULD use a resumption ticket only once, and get a new
> resumption ticket when using an existing one.
>
> Benefits Forward Secrecy and Idempotence:
>
> * Client and server should erase the existing ticket upon use.
>
> (a captured early data section is mooted for replay quite quickly in the
> default "good" case)

The best that can be done w.r.t. "forward secrecy" is to erase the
decryption-capable key used for 0-RTT on both sides, and never sending
it on the wire, even encrypted.

> * Make early data and application data separate record layer content types.
> Make it clear that they do not form a continuous stream; you can't simply
> concatenate them at the application level and bolt on to existing protocols
> such as HTTP, SMTP, etc.

You mean inner (encrypted) content type, right (outer content type
would still be 23[TLS PROTECTED DATA]?

> * Advise that clients using 0RTT SHOULD occasionally send duplicate early
> data handshakes. As a normal part of the protocol, a well behaved client
> should intentionally do what an attacker might do and send the whole
> section twice, causing the server to resolve the duplication. Keep the
> anti-bodies strong.

Such duplication does not occur in attack conditions. The duplication
from attack conditions takes two forms:

- Duplication of 0-RTT data into 1-RTT data of _different_ connection.
- Duplication of 0-RTT data into 0-RTT data of _different_ connection.

In both cases, the connections are different, not the same. And this
makes a difference if e.g. protocol banners are sent as 0-RTT (and
such may very well be critical for latency).

-Ilari
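
The erase-on-use rule quoted in the message above, sketched as a server-side single-use ticket store. This is an added example, not part of the e-mail or of any TLS implementation. The names (SingleUseTicketStore, handle_client_hello, the ticket and request bytes) are hypothetical, and it assumes every server that can accept a given ticket consults the same store.

```python
import threading
import time


class SingleUseTicketStore:
    """Hypothetical record of tickets that may still carry 0-RTT data."""

    def __init__(self, lifetime_s=60.0, clock=time.monotonic):
        self._lock = threading.Lock()
        self._expiry = {}            # ticket id -> expiry time
        self._lifetime = lifetime_s
        self._clock = clock

    def issue(self, ticket_id):
        with self._lock:
            self._expiry[ticket_id] = self._clock() + self._lifetime

    def consume(self, ticket_id):
        """Erase the ticket on any presentation; True only for a first, unexpired use."""
        with self._lock:             # lookup and erase are one atomic step
            expiry = self._expiry.pop(ticket_id, None)
        return expiry is not None and self._clock() <= expiry


def handle_client_hello(store, conn_id, ticket_id, early_data):
    """Decide, per connection, whether the early data is processed."""
    if store.consume(ticket_id):
        return (conn_id, "0-RTT accepted", early_data)
    # Unknown, expired or already erased ticket: discard the early data and
    # fall back to a full handshake, so a copied flight is never processed.
    return (conn_id, "0-RTT rejected, full handshake", None)


def demo():
    store = SingleUseTicketStore()
    store.issue(b"ticket-A")                      # constructed sample values
    flight = (b"ticket-A", b"GET /banner")
    first = handle_client_hello(store, 1, *flight)
    # The same flight arriving as a different connection (the 0-RTT into
    # 0-RTT duplication case) finds the ticket already erased.
    second = handle_client_hello(store, 2, *flight)
    return first, second


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The store only covers duplication into another 0-RTT connection; data that the client re-sends as 1-RTT after a rejection is outside what a ticket store can see.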