IETF Logo Mail Archive

Re: [TLS] The case for a single stream of data

Kyle Rose <krose@krose.org> Sat, 06 May 2017 23:54 UTC

Return-Path: <krose@krose.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53DD61272E1 for <tls@ietfa.amsl.com>; Sat, 6 May 2017 16:54:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=krose.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id v0VzX47UG5MX for <tls@ietfa.amsl.com>; Sat, 6 May 2017 16:54:43 -0700 (PDT)
Received: from mail-qt0-x22d.google.com (mail-qt0-x22d.google.com [IPv6:2607:f8b0:400d:c0d::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0E4EA120227 for <tls@ietf.org>; Sat, 6 May 2017 16:54:42 -0700 (PDT)
Received: by mail-qt0-x22d.google.com with SMTP id n4so28354567qte.2 for <tls@ietf.org>; Sat, 06 May 2017 16:54:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=krose.org; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=g5ymnvBtfvz3dYVkf0cGFlL3NuEwel3XAlc4Zyr4cGg=; b=edrK2v9jVWnNrepynLX1QUKDLgaFijHvtKB5qh1sl6QoTKbLIpvYuDPaGadkobVmHy Xrp1cnI7AXjoUNdzRA+Pw5fLThLx3aIRLJpblmkT4jygzu8s70VMmGBePwE8M3r+unQw UyPVattplXXhII+O6w7Nj3gcc718JWobHk7e0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=g5ymnvBtfvz3dYVkf0cGFlL3NuEwel3XAlc4Zyr4cGg=; b=sKxg3XEO2MFql/V9JmXQaJS2syV1I1kKWi5r1SrD9wJoUxD1XUPYz5GEReKIP1xush Gc9gvrkJJ568NdreJAdv6BMIurqDCUrfCsLUg4V0NUBmGcDXOxEErYyzitblnWIWx/DB a0jpEOA+JUfXws06MIjyyVAwosFxbj1r0P6QtOjXQZjr4+AmxphizexXxbOtEIkOlSTz ijq4WDWTkE9Nb70ceQeQp1naL4/IQ8yyJEwfG87rODVbEoKX3pbiOdokcrGYR+AdJ7Ld yVmMA0HgBpmxdlnohwfu/R1jVgC9KEnYI7aejYzo3CMFtjmI9e4uJrADF1C8eWecLT3u LJjg==
X-Gm-Message-State: AN3rC/5SGoBD+pzAMNF3J/RSE692mGQBzBRgPm/3JLq2PUAr61L/eTC4 iOwo89LmALXD8xMYKHRPPoJI03R7xw==
X-Received: by 10.200.38.41 with SMTP id u38mr27421235qtu.165.1494114882156; Sat, 06 May 2017 16:54:42 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.55.80.65 with HTTP; Sat, 6 May 2017 16:54:41 -0700 (PDT)
X-Originating-IP: [2001:470:1f07:121:802e:2aff:fea9:7bd]
In-Reply-To: <20170506151208.GA4491@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CAAF6GDfm=voTt_=JrdGtiaYby1JG8ySU2s6myjjpHKeGvi0bMg@mail.gmail.com> <879211b6670148a19b816018664324f2@usma1ex-dag1mb1.msg.corp.akamai.com> <CAJU8_nXxNrSj4L+Ab+ENOgWaVhmn6Lt5eRUQOtPFfBCYqTOJeA@mail.gmail.com> <20170506151208.GA4491@LK-Perkele-V2.elisa-laajakaista.fi>
From: Kyle Rose <krose@krose.org>
Date: Sat, 06 May 2017 19:54:41 -0400
Message-ID: <CAJU8_nWPtNM=OJ911VbbkbpqHt=yBDRsh7QW6veZ=FWKMZDYdQ@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: "Salz, Rich" <rsalz@akamai.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11413122ce11ba054ee3ba98"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oQTJR1trbhBo2YszUKb-hr49X1o>
Subject: Re: [TLS] The case for a single stream of data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 May 2017 23:54:45 -0000

On Sat, May 6, 2017 at 11:12 AM, Ilari Liusvaara <ilariliusvaara@welho.com>
wrote:

> On Sat, May 06, 2017 at 09:43:55AM -0400, Kyle Rose wrote:
> > I asked this question a while back, and didn't get a satisfying answer:
> if
> > an on-path attacker replaces the early data with a replay from an earlier
> > connection, does the server eventually figure this out once the handshake
> > is complete, or is this mix-and-match impossible for the server to
> detect?
> > It would be nice if a security property of early data is that a replay
> > attack is eventually detected, because at least then you'll know you're
> > under attack.
>
> Trying to replace the early data leads to fatal handshake error if the
> server accepts 0-RTT (since actual deprotection failure from 0-RTT data
> is fatal). If server rejects, then the substitution is silently ignored.
>

I'm not sure this completely answers my question, so let me propose where I
think protection lies.

If the on-path attacker replaces only the early data bytes, deprotection of
early data will fail since the early traffic secret incorporates the
ClientHello in its derivation, which includes a (presumably) fresh client
random.

If the on-path attacker replaces the entire first flight (or at least
ClientHello and the early data), the early data may be accepted but the
subsequent handshake will fail because the client and server will derive
different handshake traffic keys.

If this is accurate, then replays of partial requests don't really pose a
problem (at least for HTTP) because the remainder of the request will fail
deprotection and so the request won't actually be delivered to the
application.

Kyle

v2.23.0 | Report a Bug | By Email