Re: [TLS] TLS client puzzles
Erik Nygren <erik+ietf@nygren.org> Fri, 08 July 2016 18:58 UTC
Return-Path: <nygren@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B15DA12D620 for <tls@ietfa.amsl.com>; Fri, 8 Jul 2016 11:58:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.4
X-Spam-Level:
X-Spam-Status: No, score=-2.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.198, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nasSmLWFVwz9 for <tls@ietfa.amsl.com>; Fri, 8 Jul 2016 11:58:14 -0700 (PDT)
Received: from mail-it0-x22b.google.com (mail-it0-x22b.google.com [IPv6:2607:f8b0:4001:c0b::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B49312D0AF for <tls@ietf.org>; Fri, 8 Jul 2016 11:58:14 -0700 (PDT)
Received: by mail-it0-x22b.google.com with SMTP id u186so16279531ita.0 for <tls@ietf.org>; Fri, 08 Jul 2016 11:58:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=eKzIfiWg+yPwrshneUlRDGotntXnGFfSDv9HvCpVFGM=; b=IgB9ECrUG2/vRmTZVABNXr+80egix5OAPP+ONCjegPUXAnoty7ulU2PqmE+6DNBKiz Q2a3a9nCf0AbI31boC/jbIAmXjlgyFBxdZ8zP12tuAtXUjlegppUD8eSX0BlaFkbNQ4R dWBggz01O7K/V3wiiJ/7tq/siXO98QKy85VyIrbDQJ1Qjm5XOM08vjwP2aALXWGRrtpd eP8Gqak9Jp5AjZEsWfUZUBlElBjOeaCT7U9P4YtVze7w0n6LA6CPIZPDP4XeYlr9qLzD r/ikkZdt/9R88WdKD+frEIM2iEVaIjrB5wjOFhMRG5179JRGOtpG3Qu8WmMBqiEQThZk 4DxQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=eKzIfiWg+yPwrshneUlRDGotntXnGFfSDv9HvCpVFGM=; b=Bf1gjfVMg33r7d0cXeJNBD6BqDqJPskEcIoK/sVvJjimcK4ZZTkiolAeyLVQaC8p+4 DOb+VWiWuZZujHlao9QPI0EolhCe6OLhcvGZIz1ZPsk2N1PhxCRQDmmLa7sKPiLigdhx RRo2qiU+ZAk1yTMMwgKLWBIIVPfC7pZsnUUvBhgurECGsvjp879N4VDIRTO6CWUa52ZK JnyD9IDpTkZ9YH3iy7yu1Z+EyZAR/K2swoqaY0wnDGUBloN3/XP9EkbtYGq8JCAt6HIL h4iK37HuJt6hthLtlHZCvTSIB6ydpwpZTIGnNBER/5/Pn4bzk9c0FMLD1Zzv5gMNRiwr wMQA==
X-Gm-Message-State: ALyK8tJIsEgMd5Ufu69gfmIk9inQHLIYzINYXgBL2Pu4N701v7U27wYARLqAaWms1KbB3AD+e82GPyztRvFqbw==
X-Received: by 10.36.137.215 with SMTP id s206mr4974232itd.82.1468004293666; Fri, 08 Jul 2016 11:58:13 -0700 (PDT)
MIME-Version: 1.0
Sender: nygren@gmail.com
Received: by 10.107.128.65 with HTTP; Fri, 8 Jul 2016 11:58:12 -0700 (PDT)
In-Reply-To: <CAJU8_nXjy_OoyHD8Gn+Sr9LX1ArKQq5+g693NSS+8ovYW2DY+g@mail.gmail.com>
References: <CALW8-7Kv01Dw3YBiW20SBEScWqkup53xpCjy8834PpLDkgb4cg@mail.gmail.com> <CAFewVt4uUA-3X3M-ZmREo81p+MZp+72g9CX1d1Z7bK8G8AL9Vg@mail.gmail.com> <577D655A.40802@gmx.net> <CAJU8_nV=oq+Vcp7rHnuzGt9fY+G-cvEqvA7nYagh19ALd2M1ZQ@mail.gmail.com> <CAH9QtQFPeEUQf0wDx5+tWfgv7YeDRBUKMw1=RZ3Sm3vt7FwHVw@mail.gmail.com> <CAJU8_nXjy_OoyHD8Gn+Sr9LX1ArKQq5+g693NSS+8ovYW2DY+g@mail.gmail.com>
From: Erik Nygren <erik+ietf@nygren.org>
Date: Fri, 08 Jul 2016 14:58:12 -0400
X-Google-Sender-Auth: --gy7yqhgK72t3ICsvaSF5rolJQ
Message-ID: <CAKC-DJhj1m+awYfW2o1eM_BoxbAB7nvQwFuowAfNvc=5p08NXQ@mail.gmail.com>
To: Kyle Rose <krose@krose.org>
Content-Type: multipart/alternative; boundary="94eb2c05e6ec73ed3c05372462ba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/omxCi2cxr_NpVeM-zj_cSFVQ18U>
Cc: Dmitry Khovratovich <khovratovich@gmail.com>, "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] TLS client puzzles
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Jul 2016 18:58:17 -0000
This is also what is still proposed in the -01 version at the top of this
thread:
https://tools.ietf.org/html/draft-nygren-tls-client-puzzles-01
By leveraging the HelloRetryRequest in TLS 1.3, it provides client puzzles
as an extension mechanism to TLS without requiring changes to the state
machine
or protocol itself. (Clients indicate support via an extension, and then
puzzles
are challenged with a HelloRetryRequest extension, and then the ClientHello
retry
contains the updated extension.)
Note that the -01 version still needs some updates to match up to more
recent TLS 1.3 drafts. (Some of the specifics may be a little out-of-date
and will be updated in the next revision.)
Erik
On Thu, Jul 7, 2016 at 5:36 PM, Kyle Rose <krose@krose.org> wrote:
>
> I agree, and I think it is clear that client puzzles can be a useful
>> addition to the DDoS defense toolbox. However, most of this can be handled
>> at the higher levels above TLS, or possibly as a custom extension that does
>> not complicate TLS.
>>
>
> A custom extension is a promising approach: this is what Erik Nygren
> proposed in nygren-tls-client-puzzles-00 following discussions with some
> IETF folks and Akamai colleagues. That draft has expired and doesn't
> reference any of the recent work on memory-hard puzzles, but it might be a
> good starting point.
>
> Except at the pre-TLS stage for applications that use STARTTLS-style
> mechanisms, I'm not sure how this could work at levels above TLS: the
> primary attack targeted by client puzzles would be a client doing almost no
> work in order to force the server to do expensive crypto, which means it
> must be engaged prior to the handshake.
>
> Kyle
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>
- Re: [TLS] TLS client puzzles Erik Nygren
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Bill Cox
- Re: [TLS] TLS client puzzles Peter Gutmann
- Re: [TLS] TLS client puzzles Dave Garrett
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Hannes Tschofenig
- Re: [TLS] TLS client puzzles Hannes Tschofenig
- Re: [TLS] TLS client puzzles Tony Arcieri
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Salz, Rich
- Re: [TLS] TLS client puzzles Hannes Tschofenig
- Re: [TLS] TLS client puzzles David Adrian
- Re: [TLS] TLS client puzzles Yoav Nir
- Re: [TLS] TLS client puzzles Valery Smyslov
- Re: [TLS] TLS client puzzles Christian Huitema
- Re: [TLS] TLS client puzzles Geoffrey Keating
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Christian Huitema
- Re: [TLS] TLS client puzzles Kyle Rose
- Re: [TLS] TLS client puzzles Brian Smith
- [TLS] TLS client puzzles Dmitry Khovratovich
- Re: [TLS] TLS client puzzles Bill Cox