IETF Logo Mail Archive

Re: [TLS] Remove DH-based 0-RTT

Subodh Iyengar <subodh@fb.com> Wed, 24 February 2016 15:44 UTC

Return-Path: <prvs=1862dc9ddd=subodh@fb.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53E751B368C for <tls@ietfa.amsl.com>; Wed, 24 Feb 2016 07:44:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.377
X-Spam-Level:
X-Spam-Status: No, score=-0.377 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dx4u8tfitvKB for <tls@ietfa.amsl.com>; Wed, 24 Feb 2016 07:44:26 -0800 (PST)
Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F7F41B372B for <tls@ietf.org>; Wed, 24 Feb 2016 07:44:26 -0800 (PST)
Received: from pps.filterd (m0001303.ppops.net [127.0.0.1]) by m0001303.ppops.net (8.15.0.59/8.15.0.59) with SMTP id u1OFg08k002616; Wed, 24 Feb 2016 07:44:20 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=bpFYki6V1TlJW5he7dHeH8ynl/G5PNR/SckBU9EXPbE=; b=dd6xoz11ugrudPU0cp8egR1t+MFkK110dH5TYU8jJp4mX5aezLyeLOsseooh4se73CUq c4niTDXtxTbhLgHmB1Lz7wrhpQ1hj0XojEevEqIMUzna8zZ/FAyNcLwwcF8WcSFc5/SY WGk40mgnQ/Ki3WLUJ4b+FzcVgoe7vFW61Ys=
Received: from mail.thefacebook.com ([199.201.64.23]) by m0001303.ppops.net with ESMTP id 218wt8bxrw-1 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Wed, 24 Feb 2016 07:44:20 -0800
Received: from PRN-MBX01-4.TheFacebook.com ([169.254.3.151]) by PRN-CHUB15.TheFacebook.com ([fe80::3479:9544:c2df:1fc0%12]) with mapi id 14.03.0248.002; Wed, 24 Feb 2016 07:44:18 -0800
From: Subodh Iyengar <subodh@fb.com>
To: Eric Rescorla <ekr@rtfm.com>, Watson Ladd <watsonbladd@gmail.com>
Thread-Topic: [TLS] Remove DH-based 0-RTT
Thread-Index: AQHRbmz3h1PWJrQdf02SDKus8BJPkJ869qMAgAAcl4CAADsiAIAACK4A///+s+8=
Date: Wed, 24 Feb 2016 15:44:17 +0000
Message-ID: <974CF78E8475CD4CA398B1FCA21C8E99564E7F92@PRN-MBX01-4.TheFacebook.com>
References: <CABkgnnUUXQh=aStz4DuPtw5mWaF7aDFozuUwQp_QbJ2EGL0eHg@mail.gmail.com> <201602232057.18505.davemgarrett@gmail.com> <CADi0yUP-TAFPWgzG4voFTfUcbrPXcffC5rTTsbsOs+=TQ7jYmw@mail.gmail.com> <CACsn0cnoCNLPY3ic9Z72ZgUuvCwTyxzzGXU5W8LeZ4zBEwpHVw@mail.gmail.com>, <CABcZeBNCgfdsBioP8_9E2Jrh0WDLHjW0QS+x=99LqdYnYwsbuw@mail.gmail.com>
In-Reply-To: <CABcZeBNCgfdsBioP8_9E2Jrh0WDLHjW0QS+x=99LqdYnYwsbuw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [192.168.52.123]
Content-Type: multipart/alternative; boundary="_000_974CF78E8475CD4CA398B1FCA21C8E99564E7F92PRNMBX014TheFac_"
MIME-Version: 1.0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2016-02-24_09:, , signatures=0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/qqUD3IXauH-QDLLzV6HQ-gxif-o>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Remove DH-based 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Feb 2016 15:44:29 -0000

Removing DH based 0-RTT would make it more important to make the lifetime of the ticket enforced.

One interesting difference is that DH based 0-RTT requires proof of possession of the private key for the client to accept the connection, however PSK based 0-RTT might not be associated with a certificate at all. Thus the only way to prove that the key is still fresh is to limit the time that the PSK is valid and strictly bound that time. Unless we add a way for the client to require a server authentication during PSK resumption.

This is relevant in situations where compromise of the ephemeral key does not mean that the long term private key has been compromised like in ssl offloading type scenarios.

Subodh Iyengar
________________________________
From: TLS [tls-bounces@ietf.org] on behalf of Eric Rescorla [ekr@rtfm.com]
Sent: Tuesday, February 23, 2016 11:42 PM
To: Watson Ladd
Cc: tls@ietf.org
Subject: Re: [TLS] Remove DH-based 0-RTT



On Wed, Feb 24, 2016 at 3:11 PM, Watson Ladd <watsonbladd@gmail.com<mailto:watsonbladd@gmail.com>> wrote:
On Tue, Feb 23, 2016 at 7:39 PM, Hugo Krawczyk <hugo@ee.technion.ac.il<mailto:hugo@ee.technion.ac.il>> wrote:
>
>
> On Tue, Feb 23, 2016 at 8:57 PM, Dave Garrett <davemgarrett@gmail.com<mailto:davemgarrett@gmail.com>>
> wrote:
>>
>> On Tuesday, February 23, 2016 02:03:53 pm Martin Thomson wrote:
>> > I propose that we remove DH-based 0-RTT from TLS 1.3.
>> >
>> > As ekr's previous mail noted, the security properties of PSK-based
>> > 0-RTT and DH-based 0-RTT are almost identical.  And DH-based 0-RTT is
>> > much more complex.
>> >
>> > For those who love DH-based 0-RTT, and I know that some people are
>> > fans, here's something that might make you less sad about removing it
>> > from the core spec.  You can use DH out of band to negotiate a PSK.
>> > You might even do this as an extension to TLS, but that's of less
>> > value.
>>
>> I think there is a good argument for moving DH 0RTT into a TLS extension.
>> Implementations that are explicitly not going to use it should not be
>> expected to implement it and risk screwing it up. If we accept that premise
>> that online DH 0RTT will be unlikely in practice, then we would be
>> specifying it at least primarily for out-of-band use, and doing it via an
>> extension will probably be cleaner and safer.
>
>
> Combining this comment (which I agree with) with the following comment from
> Watson in another thread:
>
>>
>  If they rely on extensions then either those
>>
> extensions need to be included in the security proofs, or we need to
>>
> make clear that they are not as secure as TLS 1.3, and that
>>
> implementations which enable both of them can get completely wrecked
>>in new and exciting ways.
>
> We get that even if it is decided not to include the DH-based 0-RTT as part
> of mandatory-to-implement TLS 1.3, it should be defined as an extension and
> as part of the TLS 1.3 document. Leaving the reduction from this case to PSK
> (as Martin suggested) to popular imagination is too dangerous. By including
> it as part of TLS 1.3 official text we also encourage the groups that are
> currently analyzing the protocol to include this specific mechanism in their
> analysis. If they find something wrong with it then even more reason to do
> the analysis.
>
>
>>
>> I would still prefer it be defined in the TLS 1.3 specification document,
>> though optional.
>
>
> I suggest to also define TLS 1.3-EZ.
> A subset of core safe functionality that should address the majority of the
> usage cases.

I strongly encourage this proposal, and will even massacre the
markdown to attempt it.

Great. Let's sync up as we get a little closer to done.


I also commit to implementing TLS 1.3-EZ in
Go, and possibly in C based on Amazon's s2n. (A trustable X509 library
in C is still beyond my reach, so that C might be server-only).

I believe Richard Barnes has already started something along these lines,
so maybe you guys could join forces (not sure how confident he is in
it).

https://github.com/bifurcation/mint

This library currently interoperates with my experimental implementation
in NSS.

-Ekr


>
> Hugo
>
>
>>
>>
>>
>> Dave
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org<mailto:TLS@ietf.org>
>> https://www.ietf.org/mailman/listinfo/tls<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=CwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=EoheRUAdZH7W_a384ARn0T_WL5c3mFNpiUQPcze2j_g&s=zk_uHWMVkpGkuJ8OSCl7M6Xq8kisJzYYWzB8mlPo_ms&e=>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org<mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=CwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=EoheRUAdZH7W_a384ARn0T_WL5c3mFNpiUQPcze2j_g&s=zk_uHWMVkpGkuJ8OSCl7M6Xq8kisJzYYWzB8mlPo_ms&e=>
>



--
"Man is born free, but everywhere he is in chains".
--Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=CwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=EoheRUAdZH7W_a384ARn0T_WL5c3mFNpiUQPcze2j_g&s=zk_uHWMVkpGkuJ8OSCl7M6Xq8kisJzYYWzB8mlPo_ms&e=>

v2.23.0 | Report a Bug | By Email