Re: [TLS] Security review of TLS1.3 0-RTT

Nico Williams <nico@cryptonector.com> Wed, 03 May 2017 04:30 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4F1E1200F1 for <tls@ietfa.amsl.com>; Tue, 2 May 2017 21:30:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.5
X-Spam-Level:
X-Spam-Status: No, score=-1.5 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E0Q8jantLKBV for <tls@ietfa.amsl.com>; Tue, 2 May 2017 21:30:29 -0700 (PDT)
Received: from homiemail-a26.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0E5B12EAAD for <tls@ietf.org>; Tue, 2 May 2017 21:28:07 -0700 (PDT)
Received: from homiemail-a26.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTP id 7C1F1A00762E; Tue, 2 May 2017 21:28:07 -0700 (PDT)
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTPSA id 3DECBA00762D; Tue, 2 May 2017 21:28:07 -0700 (PDT)
Date: Tue, 02 May 2017 23:28:05 -0500
From: Nico Williams <nico@cryptonector.com>
To: TLS WG <tls@ietf.org>
Message-ID: <20170503042804.GP10188@localhost>
References: <CAAF6GDeYc5o=eeeyV6HhK9vrLngB-Y=Ed5BdedrE8h2-py4oAw@mail.gmail.com> <20170502180049.GE10188@localhost> <CAAF6GDecd=x-Ob_eO1vSWr6cb6jAeyHBx7zf6cpX=GfxBosfLQ@mail.gmail.com> <20170502182529.GG10188@localhost> <d325ae84-ad24-859d-50a7-825dbabe3b24@akamai.com> <1493768953994.69753@cs.auckland.ac.nz> <CAAF6GDfq0Rs86Zik7M-fCRv51981DO19rFaxRC8Of322RCg8eA@mail.gmail.com> <803FB95F-3271-407A-B483-5C0C996D3F04@dukhovni.org> <CAAF6GDcriRk1VvBWK6a3YL0-g9xcLOTChVL94n=ax32s25PUwQ@mail.gmail.com> <48763856-04CB-4DC3-9A71-126F6EDB4279@dukhovni.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <48763856-04CB-4DC3-9A71-126F6EDB4279@dukhovni.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jUdqOV9nB-nki6Mj-lpdmKob4AM>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 04:30:31 -0000

On Tue, May 02, 2017 at 11:27:04PM -0400, Viktor Dukhovni wrote:
> > On May 2, 2017, at 9:45 PM, Colm MacCárthaigh <colm@allcosts.net> wrote:
> > I think we have to assume that a replay attempt could come at any time.
> > A time based mitigation doesn't work.
> 
> A time-based mitigation does not remove the need for an anti-replay
> cache (where a service protocol, supports 0-RTT, but is not idempotent).

Bingo.  There's no need for a replay cache for the 0 payload if it
represents an idempotent operation.

As long as the server can fall back on a full handshake, all is good.

> What I am saying, is that a time-based counter-measure can substantially
> reduce the size of the required cache, because out-of-window replays
> are rejected.  That replay window can be a narrow window around the time
> the ticket is first (and never again legitimately) used, rather than the
> much larger ticket validity interval.

I don't believe replay cache size is that big a deal (though it's not
nothing).  The hard thing is concurrency.

> I agree with Nico that additive obfuscation feels like a hack, but am
> willing to accept this as somewhat "natural" within the design tradition
> of TLS.

That is... a ringing endorsement of he obfuscation thing!  :)

Nico
--