IETF Logo Mail Archive

Re: [TLS] Security review of TLS1.3 0-RTT

Colm MacCárthaigh <colm@allcosts.net> Wed, 03 May 2017 22:30 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C071E129441 for <tls@ietfa.amsl.com>; Wed, 3 May 2017 15:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vhI5q_xgaTQW for <tls@ietfa.amsl.com>; Wed, 3 May 2017 15:30:52 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A195012025C for <tls@ietf.org>; Wed, 3 May 2017 15:29:18 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id k11so1746444ywb.1 for <tls@ietf.org>; Wed, 03 May 2017 15:29:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=G8/PPbhprRJ+83lBsBi2E9N6zUN8kGjRxXQQA+zpryk=; b=X/ldinedzpvlJ83IrHuphwlPj2Ns04+87jjjtyqoddhpYDE+RuOj6Vkcz4u9cm6z1T MVJS0r4pAlizmfjxJzv1XuLo2G0AcKVdssTvB/UMcIQU6AkV6oeHa+OhgLZD/e+TK6Xc WkTNcMuqqRjkXdj6BM48B/c8fyMQAUMMRJjPJaBtb6yq3tiSnyWycy2iEAm0zCsCmGU5 jyqxBMheSFT9TqoaHe09XhPNSVCXIloh+hFXw6FrTFD4hzDqq6Sy8bgWZ7j+C/W+AkVq rHpluYHNF9qhHCbE4X2VKUok2a1AV8vb/5XF4ifXXbvmM8utV3mXoBaNBXPrGDAQwSC9 Bipw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=G8/PPbhprRJ+83lBsBi2E9N6zUN8kGjRxXQQA+zpryk=; b=V4JBpI/AEGJX9xtDMU8+L09J+PnfGCg6JiVB+maohW8r7aP6q/cekcamqG1G5XvEdC 7Vw6FB+iWS1vLKdAWV8xQXpG9l00EG5tbkfwwzO2NyV6G2JN3kFM5ub9RiYOdO8EZe22 f4CdzQ2nqBp3mBFTnwLsiq639swXjQ+ome83IG4voVIrztcwJGDhyA2VcSOZQcYKpekY dapXZ0yYEjOuwOHC15RoPWPlrYywyjdCEkZaNEK6UWAGRRhOW7FNSRcYN+n0M/wMIh9r BeIWUcSGXvA/WogOcd3PBBV0iJl3JwwupQaAbYz03qjWt9+55ge080/lQw4c28hKeiw1 kOHw==
X-Gm-Message-State: AN3rC/6aAqqeKFM/9Uvz+B6LBXCFULei2nBo1apttMoZBUwyIMQ/La78 0WtawqwCQ/OQPmFRUJftZuCgq49xf/vVqXs=
X-Received: by 10.13.238.65 with SMTP id x62mr30765220ywe.122.1493850557553; Wed, 03 May 2017 15:29:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.57.67 with HTTP; Wed, 3 May 2017 15:29:16 -0700 (PDT)
In-Reply-To: <658E74AE-39BC-4518-B11D-92D7AC7F1BD4@dukhovni.org>
References: <CAAF6GDcKZj9F-eKAeVj0Uw4aX_EgQ4DuJczL4=fsaFyG9Yjcgw@mail.gmail.com> <cb518e35-c214-d11d-a068-c454b2e7ea6a@gmx.net> <CAAF6GDfQ+YXV4gvhBOOZKC=wtYhxQUy1_2_M+dgfbdL25pppiQ@mail.gmail.com> <BCD73E79-0675-4B71-92B4-3226F0BAB597@dukhovni.org> <CAAF6GDdpq8DgLx5Fo6apoTHgwQsbdn6hb=ozi1+JP9VMxPw6sA@mail.gmail.com> <539D071B-7DDD-4820-A9E4-EC178400B7B2@dukhovni.org> <420471d6016a41ecbcdf9562be303f62@ustx2ex-dag1mb1.msg.corp.akamai.com> <17414FC2-15BB-4A03-8673-7F8299E5428E@dukhovni.org> <20170503182955.GR10188@localhost> <CAAF6GDf_5tuU=L8vCv5f1wgwy8NxvDcJb9TjJ+iHcNOqETASoQ@mail.gmail.com> <7573B494-A1C1-4897-B064-14237B5FB525@dukhovni.org> <CAAF6GDfiLtLT5-NZwFaSHmz35MRiNSqSjQt=MmNoQ04vBDPPTg@mail.gmail.com> <658E74AE-39BC-4518-B11D-92D7AC7F1BD4@dukhovni.org>
From: Colm MacCárthaigh <colm@allcosts.net>
Date: Wed, 03 May 2017 15:29:16 -0700
Message-ID: <CAAF6GDf-aJEu8Usss7r9m94YXSVgHq8OB9+=i8-uk=Cv_QtrwA@mail.gmail.com>
To: TLS WG <tls@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c034d8cd51a7a054ea62f17"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rF4p8kYVblc1_dixyy-Apg6F2oc>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 22:30:55 -0000

On Wed, May 3, 2017 at 3:04 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

>
> On May 3, 2017, at 4:27 PM, Colm MacCárthaigh <colm@allcosts.net> wrote:
>
> > On Wed, May 3, 2017 at 1:20 PM, Viktor Dukhovni <ietf-dane@dukhovni.org>
> wrote:
> >
> >> The kind of application whose security requirements preclude use of RFC
> 5077
> >> session tickets can and should likely also avoid both 0-RTT and session
> >> resumption entirely.
> >
> > I don't agree with this. Why should users of mobile devices, to pick one
> example,
> > have to choose between speed and the extra risk of data disclosure for
> their requests
> > and passwords?
>
> Their security requirements don't preclude use of RFC 5077 session tickets,
> they've been using them all along, and will continue to do so for the
> majority
> of destinations that will take quite some time to upgrade to TLS 1.3.
>
> As you might recall, I don't agree that STEKs are fundamentally less secure
> than remote session caches, I rather suspect that sensibly implemented
> STEKs
> are safer.
>

I'm not sure how any of that is relevant. Mobile users, like everyone else,
appreciate speed; they'll want to use 0-RTT. I'm sure they also appreciate
their data being less at risk, so forward secrecy is good for them too. I'm
saying they should be able to get both. Again, you can combine the security
properties of a STEK with a cache if you want, by encrypting the cache
entries the same way you would use a STEK.


>
> [ I do concede that the current OpenSSL implementation leaves too much of
> the
> responsibility of doing STEKs right to applications, and I will endeavour
> to
> fix that.  It is not especially difficult to implement a default-on key
> rotation
> mechanism. ]
>

Just an aside related to that; it can be useful to fuzz ticket lifetimes a
bit so all of the tickets from a STEK don't expire at exactly the same
time. That can lead to a lot of painful renegotiations happening at once.

>> Second-guessing the server's design by looking at ticket sizes seems
> rather
> >> contrived.
> >
> > It's not a second guess. If the ticket size is smaller than the RPSK,
> then it
> > provably can not have been self-encrypted. But I agree that it says
> nothing
> > about the server-side security. They might be posting the keys to
> twitter.
>
> As you yourself concede it is not the size that matters. It is a very
> marginal indication of the security of the remote session. The server may
> wish to decorate

the session id with additional data (say which data-centre issued the
> session)
> and fail your test, and yet be doing the type of session caching you're
> asking
> for.  The client should either trust the server to cache sessions
> correctly (this
> would be the default client behaviour in most cases), or it can choose to
> forgo
> session re-use.
>

True.


> Feel free to malign bad implementations of STEKs, but the basic mechanism
> is
> sound.
>

"sound" goes too far. Pervasive forward secrecy is one of the central
security goals of modern cryptography, some schemes go so far as to bake in
very frequent key agreement and ratcheting. STEKs aren't compatible with
this goal. They may be acceptable operationally today, but I think they
must be borrowed time if the central goal is meaningful.

-- 
Colm

v2.23.0 | Report a Bug | By Email