IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Colm MacCárthaigh <colm@allcosts.net> Wed, 03 May 2017 15:24 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 57BA31200E5 for <tls@ietfa.amsl.com>; Wed, 3 May 2017 08:24:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9EW-We6QanWI for <tls@ietfa.amsl.com>; Wed, 3 May 2017 08:24:34 -0700 (PDT)
Received: from mail-yw0-x22b.google.com (mail-yw0-x22b.google.com [IPv6:2607:f8b0:4002:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94BB6124D68 for <tls@ietf.org>; Wed, 3 May 2017 08:22:02 -0700 (PDT)
Received: by mail-yw0-x22b.google.com with SMTP id u70so86704777ywe.2 for <tls@ietf.org>; Wed, 03 May 2017 08:22:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=+SPOXmR90jCRv8j89EOPn3Iu1StI94OTEC14ofzEWEA=; b=rH+lHN3l3EdGRG0lKRmDLxHciOV2ZzoUfoZ9aSdWuqBCFLQv9HHTERVCSENm0P/7QB 6IpGQvj22tu6f5Bbh45JGI1X+ESOiiCovzWKx2CymwHHNeh41gHLr5wC9rX3gy76uTRI IJp7XRSaRRYIVsdO2kpfPrD085p2Z8PLVx1qYehmUiVls1dmERoPRoP9C8voLd9awQth JmNLMjdC92zSTA744l/dPvSoFmra4ABk67ccCpPEb0gbq61vwPeb1qsQG0fbSgRfanfs Lt7f6pirARnvoXfkxH7eitXM5EIs8NXsFH4drobP8bnVbanyk2wn0piVQtZOIthFoMs1 BFFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=+SPOXmR90jCRv8j89EOPn3Iu1StI94OTEC14ofzEWEA=; b=bAI629+yxBnixrhApqrzpbiAm8kkloP2neNQ8C4oUYksX2paHFk4N3BF+FgcxMM7Eg O05SV4mxts0SA8DUapPocl4FdBgQ7DC+ODxIzlwSug0LH6U3M9EbY8eJbOjqCrKhMZLt R6gyypMFpY6fJVPCkwvc1E2aTB2WLIAourcQDFFHxfUfOLJOQEKqG0yEsH+JIeylnXgN RIK7w/hk/IQCKFjNzepyb8w3HICZgW83KBAVk8FogQsspuPdqRZKcGyP9ZEsm/KzAo8a 3LWfDU7OdFHAqYKBc406DVcAiWqIT/y+MKvWPZL+z6Iq9WllCl9tRbyQXzh8pd4JYhuX Fwig==
X-Gm-Message-State: AN3rC/6i2ezesbWCWub8FIjkafR5ga+AYrezjb0zZgDcAKjEElaAhzrg 3IO27Ld3RZ4MHS6/1BWf9woeFG5QZwht
X-Received: by 10.129.105.198 with SMTP id e189mr29592051ywc.296.1493824921379; Wed, 03 May 2017 08:22:01 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.57.67 with HTTP; Wed, 3 May 2017 08:22:00 -0700 (PDT)
In-Reply-To: <BCD73E79-0675-4B71-92B4-3226F0BAB597@dukhovni.org>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <cb518e35-c214-d11d-a068-c454b2e7ea6a@gmx.net> <CAAF6GDfQ+YXV4gvhBOOZKC=wtYhxQUy1_2_M+dgfbdL25pppiQ@mail.gmail.com> <BCD73E79-0675-4B71-92B4-3226F0BAB597@dukhovni.org>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Wed, 03 May 2017 08:22:00 -0700
Message-ID: <CAAF6GDdpq8DgLx5Fo6apoTHgwQsbdn6hb=ozi1+JP9VMxPw6sA@mail.gmail.com>
To: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11471256cbc517054ea03773"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kF6S4Ad3QmXkkbxyR5rDceyQhV8>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 15:24:36 -0000

On Wed, May 3, 2017 at 6:07 AM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:
>
> > On May 3, 2017, at 8:45 AM, Colm MacCárthaigh <colm@allcosts.net> wrote:
> >
> > The fundamental problem with STEKs is that there is no forward secrecy
>
> Sorry, STEKs are not long-term keys.


There's nothing enforcing that, and research has shown STEKs being used for
long periods of time.

I think if we ask the question "What is probably the weakest security point
in all of TLS?" I would give STEKs a strong nomination. Some problems;

* STEKs can be used for years at a time
* STEKs can be used across many domains and certificates
* STEKs are often stored unencrypted on disk, hardcoded in configs
* No mechanism to enforce how tickets are encrypted. Could be RC4. Most
likely is AES, which mode?
* Tickets are replay-able, weakening the protections against side channels.
Most common algorithm is not side-channel resistant.

They just seem to undo a lot of the good work we do in moving TLS endpoints
to better algorithms and security modes.


> So it makes little sense to claim that use of STEKs breaks forward
> secrecy.


I don't think this is even a controversial claim; the draft itself
describes it. STEKs do break forward secrecy.


> Indeed STEKs may be more safe
> than server-side storage of complete sessions, since the latter are much
> more likely to end up on disk.
>

STEKs often go in config .. which is usually on dist. Caches are most often
in-memory only.


> It is a shared meme that session tickets break forward secrecy, but it is
> not correct.  Poorly implemented session ticket keys can be a problem, but
> so can poorly implemented session caches.
>

That's true about caches, but one of the points in the review is that the
economics work a little different and may favor security.

>
> The distributed single-use caches you are imagining are very complex beasts
>

My bias here is that I work on distributed systems, but a single-key
distributed hash table is one of the simplest things we build. Though I
acknowledge that it takes good attention to detail to properly secure
access, and the data.


> and I am much less inclined to trust those than a comparatively simple key
> rollover system (just three keys need to be known at any time, the past key
> for as yet unexpired sessions, the current key used to mint and decrypt
> new sessions and the future key created shortly before the current key
> becomes
> the past key, giving enough time for all the cluster nodes to get a copy).
>

You can take a hybrid approach where you use such keys to encrypt the data
in the cache itself. I think that gives you the "good" combined security
properties of both.

The time window for session compromise is never zero, after all, the keys
> are in memory while the connection is active.  It is unwise to insist that
> forward-secrecy is broken if session keys are not destroyed instantaneously
> at session closure.


Others argue for something even stronger than this: that the keys should be
ratcheted/rekeyed even while the session is still in use, to provide some
forward secrecy for prior data on a connection that is still active. This
is the general direction of best practice.


>   A reasonably short non-zero window of exposure may yield
> greater security benefit than a design which appears to be more secure by
> attempting synchronous destruction of keys at much greater overall design
> complexity.
>

Yep, that is true.

-- 
Colm

v2.23.0 | Report a Bug | By Email