Re: [TLS] Forward secrecy with resumption, and 0-RTT security

Bill Cox <waywardgeek@google.com> Sun, 06 December 2015 23:07 UTC

Return-Path: <waywardgeek@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 174521B351B for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 15:07:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0mL7j0L5SNgz for <tls@ietfa.amsl.com>; Sun, 6 Dec 2015 15:07:32 -0800 (PST)
Received: from mail-io0-x236.google.com (mail-io0-x236.google.com [IPv6:2607:f8b0:4001:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C5F11B3519 for <TLS@ietf.org>; Sun, 6 Dec 2015 15:07:30 -0800 (PST)
Received: by iouu10 with SMTP id u10so168260570iou.0 for <TLS@ietf.org>; Sun, 06 Dec 2015 15:07:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=O5p6xeu9ROTLcVWDTrFNxpcQQunDsoAUb1W7TencWoQ=; b=mbbie0KtGvtGGdz5/iUqohSR+To2jBdtlu/TrPDsPDpulBuiBmxgzTd4v/5ArHJMkU jUk70FDwoLoi8dlYotMBDy1ZsV1qs/hlP2DBcCqGy00QGDPRMlyad/B/9q+Mx6PEINK2 rAc7fq34lPaBPNNEalnuKvqZTt6iYnXDyJiv7OeoTAeSNixOQgSivJTbzTqOb8w/wTwB dG5pZ4rDumQqu7N9YvJ/0CB6hk/KgkAZej0Q1Q2tG5ZfQl8MwCDs2GgYECg81tya4CHf 44WSriiwZkl6v6LTRLTgS2eiz2l1sgEvCyoxrHiy7xNV9ukTy6A7vs5edkZsrgssLeVH 0ikQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=O5p6xeu9ROTLcVWDTrFNxpcQQunDsoAUb1W7TencWoQ=; b=SCbXxccYiPWwZlJq3MhtDDNeZQkkbE0RrYJn/rHm30rISjdQ1PY6qwAYf/OEQWYgNM cAczJykOJeogVTCbZsLpkDRFVEZ1MlFqRDpl6XbA6aMYdaeLu+J8tbNO/Kqd7PNCFupn WQ0jTeLQkApwJOcEQg53Vbo4PdIZD0ep/dtsWHRpVHd02z1puPVN8wkiEnwM8Xp2M4Mc ov7cqCERQxp4o9IT6zSWUuOKVbrnqfZlQJ4G+8oLpQr03yoNfcMJQ0+RR3BWgcoW4Txc FWxu9gfYeqIzS5/68NNMIa8Hf2x/taelstco8440Yvpu0c43vgUw+UkLT8dqyCTlVSxD I+7g==
X-Gm-Message-State: ALoCoQlbSvc44XXuY2kqsiov3vCLjDXt3rOfXKJjjyJb9lO3zQZ4vpjf7/2LbD85UwUD/s3RNduP
MIME-Version: 1.0
X-Received: by 10.107.25.81 with SMTP id 78mr25753868ioz.127.1449443249658; Sun, 06 Dec 2015 15:07:29 -0800 (PST)
Received: by 10.107.173.15 with HTTP; Sun, 6 Dec 2015 15:07:29 -0800 (PST)
In-Reply-To: <CAHOTMVKUkA0Rjy6-xoS+36+mk-GpJSTYyoerLBhLF_5SZZTPSA@mail.gmail.com>
References: <CAH9QtQEMcVkZAwOS5xCWFCw0uBvQd+Q+Wsj7fXtm3_p6XHk_pA@mail.gmail.com> <CAHOTMVKUkA0Rjy6-xoS+36+mk-GpJSTYyoerLBhLF_5SZZTPSA@mail.gmail.com>
Date: Sun, 6 Dec 2015 15:07:29 -0800
Message-ID: <CAH9QtQGbOtb6_MsudGEUKeq60oSkFKaCR=nxi54VwZ0a5W2=+w@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: Tony Arcieri <bascule@gmail.com>
Content-Type: multipart/alternative; boundary=001a113ff00a04f89b052642ce08
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/mNYYKq690fFxfkHv7y7QbvV4Ry0>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Forward secrecy with resumption, and 0-RTT security
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2015 23:07:33 -0000

On Sun, Dec 6, 2015 at 3:00 PM, Tony Arcieri <bascule@gmail.com> wrote:

> On Sun, Dec 6, 2015 at 6:50 AM, Bill Cox <waywardgeek@google.com> wrote:
>
>> In the past, there were two cases: resumption using session IDs, and
>> resumption with session tickets.  Using session IDs loses forward secrecy,
>> because the server always has session keys in a session cache, which could
>> be used to decrypt the prior sessions.  Using tickets did not work either,
>> because the server always kept a ticket decryption key which could be used
>> to decrypt all resumed sessions since the key was last rotated.
>>
>> My first question is: Do we care?
>>
>
> At least for session tickets, I don't care. There's a simple enough way to
> solve that problem: rotate the session ticket key every few days.
>
> --
> Tony Arcieri
>

I tend to agree.  The difference between 100% forward secrecy and the old
weaker version where sessions become forward secure after a few days is not
a huge deal.

What do you think about client authentication for first flight data?  It is
possible, but painful to implement.

Bill