IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Nico Williams <nico@cryptonector.com> Tue, 02 May 2017 17:51 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2695E129C30 for <tls@ietfa.amsl.com>; Tue, 2 May 2017 10:51:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qI9-FvxTv4sG for <tls@ietfa.amsl.com>; Tue, 2 May 2017 10:51:06 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B552C129C73 for <tls@ietf.org>; Tue, 2 May 2017 10:47:59 -0700 (PDT)
Received: from homiemail-a35.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTP id 516A8C086D1E; Tue, 2 May 2017 10:47:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:subject:message-id:references:mime-version:content-type :in-reply-to:content-transfer-encoding; s=cryptonector.com; bh=+ o9JjhMmQWRI9BIFDb0+emX3EC0=; b=W8Ir5I95MvGj5qc+IRc5N0Gu1BtCxkMYF A8ijJy8KBUbLIpx8ON4UZ+VgsehdOI/9hitNBZWu8QHJ5iFEIUJEc9KuSB5mJ4M+ LI+iPEDRTN+/+aK0FTF0kApGGMj4//5mDbbQR/nv+n9F1NY65/haDaciEsG901KZ DvoXho6IdI=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a35.g.dreamhost.com (Postfix) with ESMTPSA id 01029C086D1D; Tue, 2 May 2017 10:47:58 -0700 (PDT)
Date: Tue, 02 May 2017 12:47:56 -0500
From: Nico Williams <nico@cryptonector.com>
To: TLS WG <tls@ietf.org>
Message-ID: <20170502174755.GD10188@localhost>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <C29356B3-6D71-4088-9AB3-4954327F1E7B@dukhovni.org> <20170502173905.GC10188@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <20170502173905.GC10188@localhost>
User-Agent: Mutt/1.5.24 (2015-08-30)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qzWlXBbe8Zl5zRV-TGVAKo6oQww>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2017 17:51:09 -0000

On Tue, May 02, 2017 at 12:39:06PM -0500, Nico Williams wrote:
> On Tue, May 02, 2017 at 01:33:37PM -0400, Viktor Dukhovni wrote:
> > > On May 2, 2017, at 10:44 AM, Colm MacCárthaigh <colm@allcosts.net> wrote:
> > > https://github.com/tlswg/tls13-spec/issues/1001
> > > 
> > > I'll summarize the summary: Naturally the focus was on forward
> > > secrecy and replay. On forward secrecy the main finding was that
> > > it's not necessary to trade off Forward Secrecy and 0-RTT. A
> > > single-use session cache can provide it, and with the modification
> > > that ekr has created in https://github.com/tlswg/tls13-spec/pull/998
> > > , such a cache works for both pre-auth and post-auth tickets, and it
> > > allows clients to build up pools of meaningfully distinct tickets.
> 
> With existing APIs, dealing with "pools of meaningfully distinct
> tickets" seems meaningfully non-trivial.
> 
> > > There's also an observation there that it should really be that
> > > clients "MUST" use tickets only once. Any re-use likely discloses
> > > the obfuscated ticket age, which is intended to be secret. Right now
> > > it's a "SHOULD".
> 
> Why should ticket age disclosure be a problem?  How does ticket one-time
> use not do the same?

Also, let's separate ticket re-use and 0-rtt.  The former is generally
desirable and workable.  The two might not be, but if so one should
expect a "SHOULD NOT" or "MUST NOT" to be specifically about the
combination of tickets and 0-rtt.  Also, the "SHOULD NOT" should have
guidance as to when/why one might do it anyways.  For many applications
the leakage in re-using tickets w/ 0-rtt will be a non-issue.

Nico
--

v2.23.0 | Report a Bug | By Email