IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Erik Nygren <erik+ietf@nygren.org> Thu, 04 May 2017 19:12 UTC

Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E431E126D73 for <tls@ietfa.amsl.com>; Thu, 4 May 2017 12:12:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level:
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OaQFcjYdrAow for <tls@ietfa.amsl.com>; Thu, 4 May 2017 12:12:50 -0700 (PDT)
Received: from mail-qt0-x22a.google.com (mail-qt0-x22a.google.com [IPv6:2607:f8b0:400d:c0d::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E6A7B12947B for <tls@ietf.org>; Thu, 4 May 2017 12:12:42 -0700 (PDT)
Received: by mail-qt0-x22a.google.com with SMTP id m91so18137145qte.3 for <tls@ietf.org>; Thu, 04 May 2017 12:12:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=eZQxW9/fLz0Bpo5D0LyMqqRPjuFsDcwK58y7mwaNrdk=; b=PCIwNxQoRsepugiXS6UtMbx6zkSKTXVJeSJHb/4ey2VnPZO87lS1F/l7ThuVoGyx03 MsV/eYoZbmeYttys4slcLdx8LolDxve27YDfSPnBROyKzzTBJfEfynmnBtADSmOxa8ts UpfAfgAWVkwGuGiRelKD8jxOBcpmDN0Xf6Y2rQr7fSc+R05L2vjfvSR+M1Hdfkke2uL9 LIflqHZ8r2ubX6hEU02YExDy0Y4klV6Gnt+AUJFB4SxrYXAczUvYKcRRMpiVT954ZAjP VaedX4WEnQ/7c1z3TvmPvKp/skLOk7P56JBHPYbNb09MJOuuraG9zS3xUf40zBBLSuPj 3t4A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=eZQxW9/fLz0Bpo5D0LyMqqRPjuFsDcwK58y7mwaNrdk=; b=fCoyMX07kwHrBdLZF8sWzj9h5Cqph8VWwdwYMRfA8CHFEJUq7S1co5oDC3GZY2cuLX ZFAnuXcGWtrrniypHnU/faDKD6TQTnCiNGoug0+EdxJZ4rluP5IG+xs/uAgXfGFgI4MY r8KzoMetMEevdVBnNnia5njMcfoaNo9aVjYNyOQAArwqx4hRYYr4guNRFiSTYOkTfM55 tvyooxkWug6CCtW70Z+jKwWcr/i3/UqYAn4K0xelFKxGL8231S6+DV5lHtDn+RtTxwh2 0ZrcQuelpYIeaaxqIFSEJPFoFiFGWTQwbFbYYqRGszems2yGeNru7IV4u6XHjBwqL70h kGbQ==
X-Gm-Message-State: AN3rC/4ZBx+CtYPpqL8wWDZJO0H+X9MRojCTpXTOX0uHBemQ4475887v XB2vmFjhldQ8/36IfvrVOj+x+wDsRsZB
X-Received: by 10.237.36.17 with SMTP id r17mr37165225qtc.44.1493925162125; Thu, 04 May 2017 12:12:42 -0700 (PDT)
MIME-Version: 1.0
Sender: nygren@gmail.com
Received: by 10.12.172.151 with HTTP; Thu, 4 May 2017 12:12:41 -0700 (PDT)
In-Reply-To: <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <CABcZeBNcnW9zEPZ4mEje1_ejR3npNFz65rw-6qUPn7cQt1Nz9w@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Thu, 04 May 2017 15:12:41 -0400
X-Google-Sender-Auth: RwRJPC3rUEzKLpA26DtrG6C4TzM
Message-ID: <CAKC-DJhYSCrsXQZS0SMB7ebSTYM49U+dv5iSXx5MSAv4pthabg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Colm MacCárthaigh <colm@allcosts.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11405cbe9c11a1054eb78e55"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/krVdITvAhLbMOPYA8KDjBvyoklI>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 May 2017 19:12:52 -0000

On Wed, May 3, 2017 at 11:13 PM, Eric Rescorla <ekr@rtfm.com> wrote:

>
> 1. A SHOULD-level requirement for server-side 0-RTT defense, explaining
> both session-cache and strike register styles and the merits of each.
>

I don't believe this is technically viable for the large-scale server
operators most interested in 0-RTT.  Having session ticket reuse across
clusters is a requirement for performance, especially in cases such as
moving load between clusters.  In the cross-cluster case, neither session
caches nor strike registers are possible in the time-frames that are
interesting and relevant to 0-RTT (as strong consistency between clusters
has inherent latency that isn't possible in the 0-RTT time-frames).

I fear having a "SHOULD" requirement here is one that will be widely
ignored.

Anything stateful here defeats the purpose of session tickets and is also
far too vulnerable to DDoS attacks to be useful, especially when trying to
scale up
to large clusters.

Many of the discussions I've been in seem to have concluded that we should
always be assuming that 0-RTT data can and will be replayed, and
applications
and application protocols need to design and use it carefully, accordingly.

Some of these mechanisms (timestamps, strike registers, etc)
are useful for servers protecting themselves from DDoS attacks
but aren't useful against an adversary trying to actively exploit replays.


4. I would add to this that we recommend that proxy/CDN implementations
> signal which data is 0-RTT and which is 1-RTT to the back-end (this was in
> Colm's original message).
>

I'm not entirely sure what back-ends are going to do here.  By the time
they gain visibility into this it is too late.

As some of us have been saying for awhile, we need to assume that 0-RTT
data is replayable and require application protocols and clients
implementing those protocols to define when and when it is not safe to
use.  For example, if exporters from 0RTT are not safe to use, we should
make that super-clear that this is not a safe use of 0RTT.

In the HTTP case, Patrick McManus has pointed out that many
application-layer clients will retry/replay non-idempotent POST operations
regardless even over 1RTT (and if the app doesn't, the user will just click
reload).  The best defense against these classes of issues is for
end-to-end application semantics rather than trying to provide properties
at the session  layer.

        Erik




> On Tue, May 2, 2017 at 7:44 AM, Colm MacCárthaigh <colm@allcosts.net>
> wrote:
>
>> On Sunday at the TLS:DIV workshop I presented a summary of findings of a
>> security review we did on TLS1.3 0-RTT, as part of implementing 1.3 in s2n.
>> Thanks to feedback in the room I've now tightened up the findings from the
>> review and posted them as an issue on the draft GitHub repo:
>>
>> https://github.com/tlswg/tls13-spec/issues/1001
>>
>> I'll summarize the summary: Naturally the focus was on forward secrecy
>> and replay. On forward secrecy the main finding was that it's not necessary
>> to trade off Forward Secrecy and 0-RTT. A single-use session cache can
>> provide it, and with the modification that ekr has created in
>> https://github.com/tlswg/tls13-spec/pull/998 , such a cache works for
>> both pre-auth and post-auth tickets, and it allows clients to build up
>> pools of meaningfully distinct tickets.
>>
>> There's also an observation there that it should really be that clients
>> "MUST" use tickets only once. Any re-use likely discloses the obfuscated
>> ticket age, which is intended to be secret. Right now it's a "SHOULD".
>>
>> On replay, the main finding is that what's in the draft is not workably
>> secure, and the review includes 5 different attacks against 0-RTT data to
>> illustrate that. Attacks 1 and 2 show that the kind of replay permitted by
>> the draft is very different from the kind of replay permitted by dkg's
>> existing downgrade-and-retry attack. I also go over why it very very
>> difficult to many applications to achieve that idempotency, and why one
>> idempotency pattern actually relies on non-replayable messages.
>>
>> Attack 3 shows that idempotency is not sufficient, applications must also
>> be free of measurable side-effects, which is not practical.  Attack 4 shows
>> that 0-RTT breaks a common security mechanism: spoofing-resistant
>> throttles. Attack 5 shows that 0-RTT replay-ability enables an additional
>> form of traffic analysis.
>>
>> The recommendation in the review is that implementations "MUST" prevent
>> replays of 0-RTT section, with some additional discussion about why the
>> existing advice is unlikely to be followed, and why consistent
>> interoperability matters here.
>>
>> Unfortunately, I wasn't aware until Friday that this review would be
>> coming so late in the TLD1.3 draft process, and my apologies for that. I am
>> now planning to attend the future WG in-person meetings and look forward to
>> seeing many of you there.
>>
>> --
>> Colm
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email