IETF Logo Mail Archive

Re: [TLS] Simpler backward compatibility rules for 0-RTT

David Benjamin <davidben@chromium.org> Tue, 28 June 2016 17:40 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 574C512D10D for <tls@ietfa.amsl.com>; Tue, 28 Jun 2016 10:40:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.125
X-Spam-Level:
X-Spam-Status: No, score=-4.125 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.426, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1IJ9mtd9dHHQ for <tls@ietfa.amsl.com>; Tue, 28 Jun 2016 10:40:55 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7EABC12B012 for <tls@ietf.org>; Tue, 28 Jun 2016 10:40:55 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id a5so98540870ita.1 for <tls@ietf.org>; Tue, 28 Jun 2016 10:40:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=vUzGAej4V3jzF8SXSmlsh0M79scyDS6TTXuC7p4IRrs=; b=Nsmk8ivQvVYB5VSAY0qarTh+MYm9xvtUI5YBTVoOoXMGnLK7H7rSc+4GuJL6eaSyyJ VpIG7rBtX3jA1cYcmcokUv0j/O/c1dRenrTsotGuSVKovO55rZoleWJjUHvI0Zk9UINF hCFKe/tC+ednkVvZqhQe7RKFgA4a3QBTkUqJg=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=vUzGAej4V3jzF8SXSmlsh0M79scyDS6TTXuC7p4IRrs=; b=C13JRotlcvNsGMzGX2C3axJIsZw2XL0KGV7pLcLMhm8dLJPXmeEZTkGpnj25d+Tqet IDUsxhVpqh9iQbUMbsXHcvq5ny89ZK9Zwt57Ntp56p4ISj4C7zrLBWEDIcJViMZFnEFi Rnm8MW7JXgrl0trf4pTiDZRhBvFYkZ4rlgiWAryBMU9MlJLOM9MXL4ezipMoTDNIFsuc W+KzxhmJc+IwX7Wsejssh2oyPZUqcGUlw9oDT1trl1/8olDTV1rqM9+Ze5966a5vwyGC sX9FFNbA4Y3bm20w2KisS+8wJUV88zFyf26h6JnDb2UMrcKfxmYcOvZGEijkiETE4I/e 6YsQ==
X-Gm-Message-State: ALyK8tIV0TPqFcDCXeSvj4gcaHE1PTKD3aeZjU7S+oc4BPt5XeAHp4W5AmMTHHlYZcyZmjFfPPWnk3CjmLbE7UvG
X-Received: by 10.36.227.67 with SMTP id d64mr5150231ith.18.1467135654746; Tue, 28 Jun 2016 10:40:54 -0700 (PDT)
MIME-Version: 1.0
References: <CABkgnnVgD2rTgdWkTEhd1b6CUpj_i7wD4-_E2Dd2=nJf1eW5RQ@mail.gmail.com> <CACsn0cmaEcKJsPg418oEoq_QX=+AS-JXzTgp5E=QF7yk_Nqq5w@mail.gmail.com> <20160623155339.GA5659@LK-Perkele-V2.elisa-laajakaista.fi> <2279135.STQlCAVDxp@pintsize.usersys.redhat.com>
In-Reply-To: <2279135.STQlCAVDxp@pintsize.usersys.redhat.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 28 Jun 2016 17:40:45 +0000
Message-ID: <CAF8qwaDy-rBRXRmFBYMPTGew1Q4g6Dwdgj8fong--jJvphZ78Q@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>, tls@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c111ada8a3aaa05365a23a9"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ludVGv7nsYr9yblivDi6zRnoD1A>
Subject: Re: [TLS] Simpler backward compatibility rules for 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Jun 2016 17:40:58 -0000

On Tue, Jun 28, 2016 at 1:02 PM Hubert Kario <hkario@redhat.com> wrote:

> On Thursday 23 June 2016 18:53:39 Ilari Liusvaara wrote:
> > On Thu, Jun 23, 2016 at 07:26:37AM -0700, Watson Ladd wrote:
> > > On Tue, Jun 21, 2016 at 8:58 PM, Martin Thomson
> > > <martin.thomson@gmail.com> wrote:
> > > > On 22 June 2016 at 12:01, Watson Ladd <watsonbladd@gmail.com> wrote:
> > > >> Why isn't 0-RTT an extension in the Client Hello to deal with this?
> > > >
> > > > You can't stream extensions, which unfortunately is required given
> how
> > > > most software interacts with their TLS stack.
> > >
> > > A few months ago we had a lengthy discussion on the list and at TRON
> > > about how risky 0-RTT is. This culminated in the idea that 0RTT data
> > > should be provided through a distinct channel to the application,
> > > along with feedback about whether it was not accepted. If we're
> > > willing to change the interaction pattern to support that, we can
> > > accommodate using 0RTT as an extension by gathering it all and sending
> > > when the handshake happens. But it sounds like you are discussing a
> > > design where the handshake fakes completion if 0-RTT is on, and at
> > > some point later "well, i didn't actually send the data you wanted
> > > to". Or am I missing something about the API design that is motivating
> > > this streaming approach?
> >
> > Sticking 0-RTT data into ClientHello also has the following problems:
> > - One needs to mangle ClientHello (strip an extension on receiver side)
> >   to obtain hash suitable for key derivation for 0-RTT. To do it any
> >   other way either doesn't work, or are cryptographically quite risky.
> > - It bloats ClientHello, something you rather not bloat, especially
> >   with DTLS.
>
> here's a crazy idea:
>
>  - introduce a new extension which has meaning of "more data follows"
>  - if the server finds it, it expects another Handshake Protocol message
>    from the client
>  - the client sends a new "ClientHelloExtension" message that includes
>    additional data, in practice it's continuation of the extension list
>    (just let's use 3 byte length fields in the structure)
>
> the obvious downside is, that TLSv1.2 servers do not support it now
>
> the upsides are:
>  * TLSv1.2 servers can be fairly easily updated to support
>    it but ignore it (just feed the next message to handshake hash, but not
>    interpret it) - that fixes the upgrade scenario and allows the process
> to
>    be performed in two steps, either of which can then be safely reversed
>

We could just as easily update TLS 1.2 servers to know how to skip early
data. Or, better yet, update those servers to TLS 1.3.

The problem is requiring those servers to update to begin with. At least
for browsers and the web, any solution that assumes we will get the entire
install-base updated in bounded time won't work. It took us 15 years to get
rid of SSL 3.0 and even then, with a widely publicized protocol bug and a
cutesy name, it was *still* a hassle and took a lot out of metaphorical
breakage budget.

David


>  * makes it possible in the future, if we are forced to, support post
> quantum
>    crypto that requires key shares that won't fit in current extensions
> field
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech
> Republic_______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email