IETF Logo Mail Archive

Re: [TLS] 0.5 RTT

Watson Ladd <watsonbladd@gmail.com> Tue, 23 February 2016 22:32 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A0A421A03A0 for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 14:32:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1c2mmUtkFW9G for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 14:32:18 -0800 (PST)
Received: from mail-yk0-x236.google.com (mail-yk0-x236.google.com [IPv6:2607:f8b0:4002:c07::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7E061A0193 for <tls@ietf.org>; Tue, 23 Feb 2016 14:32:18 -0800 (PST)
Received: by mail-yk0-x236.google.com with SMTP id u9so226075ykd.1 for <tls@ietf.org>; Tue, 23 Feb 2016 14:32:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=kHtzFc6SSPniGiKa56iJv0YSqUoxwZ4DYuPtjC7TXUI=; b=AeoeqxogZo/Zz8eqSPcLu4uvpz0j3yhUPdel39dz37rmMZiLsxpW6aCLPLNINfk4nI 3Q9/NTSgs+nX44w+0QjkLqNIpEgHGdGQPUaMUspVYowYHP7nabSOUl1IDXc3OdFrPUy4 OZt0FQ4VnzQvzXo+lCr1ddMJMDRJaUy/WyxDlAl1Zxz+HYSS1I5Z70ViZv6mfuw02w0B x5vcEgp29fZcR1FHxyvMdEsFkDfX51g1XQDURm1zr/XaKvHvNZR5FXrCJ8tfBAoEz305 5Lp1v2mPrzDKEVbemFRpto5MOrZZqP2FfZnQoGvqnQY11w9ZFPkXkSkqR9HRZx2wvzQg cgFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=kHtzFc6SSPniGiKa56iJv0YSqUoxwZ4DYuPtjC7TXUI=; b=cp/ZFkRKA1NB7x159rwVxFpA7GV9TaCRIYj8XdW/M04VyAsJY9jcyKEZCtWIEIr0YA bU3iIJvrx45YLkXW6laxat72PwZPuxarL4ClohXQUCIAfGUYxVE9YoNQeIu6bGvP31jH pcJQvxjn7v3AMThpiKkfnbCep7Q5OuhO/i1WDlqnEhWGcvevV/xLMcyPzrNKzn3ZcwFY i2aRTK73C/yNRZxuohZy0UHzIHOkuS1Ag/KRK9nelwA3XtF/Q09etWUiabHZKscXlf4C ya/L2lBRQh2aX0YigDrrvNgQA1BWndcu86KpL/JzSqB7cg5U6rRmv1cSxtyameEXZydk 1++g==
X-Gm-Message-State: AG10YOT1g0+VaejjCPhhjhyad/y5zZ8NxQ2zktOrHS0HUdK9rbnHvYGMRv8nkTwPw80rotH0jIa8rwDSW/tyIw==
MIME-Version: 1.0
X-Received: by 10.37.78.5 with SMTP id c5mr18492246ybb.53.1456266737832; Tue, 23 Feb 2016 14:32:17 -0800 (PST)
Received: by 10.13.216.138 with HTTP; Tue, 23 Feb 2016 14:32:17 -0800 (PST)
Received: by 10.13.216.138 with HTTP; Tue, 23 Feb 2016 14:32:17 -0800 (PST)
In-Reply-To: <CADi0yUNKiFuAXK-qFjdOc0SBHfd1Gkp=UoEK5OxAw5Cps70Ryw@mail.gmail.com>
References: <CABkgnnW1LRhSA_i0nL=rDYnUwBZWg5dSys7yk6aDefYWptnpZQ@mail.gmail.com> <8FA1A0FD-B911-474F-AC08-6208A80EB980@gmail.com> <CADi0yUPOEL++R+_Nhy4NTfhzsA6UjbVbMAEiPx1Qg9+vPPHt7g@mail.gmail.com> <35EE1C1C-132D-47A1-ADF3-5AD3C3D5EE4D@gmail.com> <CADi0yUNKiFuAXK-qFjdOc0SBHfd1Gkp=UoEK5OxAw5Cps70Ryw@mail.gmail.com>
Date: Tue, 23 Feb 2016 14:32:17 -0800
Message-ID: <CACsn0c=pdqrtr0yK60odK31GRR8Zarkq1pOocne5bQCxEGYcBw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: multipart/alternative; boundary="001a113fd6fe9b59e5052c77852f"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/s--Mhq-ZAyo6Cxzk0au9z-3c6vc>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, tls@ietf.org
Subject: Re: [TLS] 0.5 RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 22:32:22 -0000

On Feb 23, 2016 2:27 PM, "Hugo Krawczyk" <hugo@ee.technion.ac.il> wrote:
>
> Karthik, I think that what you are pointing to are cases where the client
*is* authenticated via its PSK.
>
> There is an important distinction between PSKs that have been
authenticated by the client (in a previous exchange) and those that are not.
> Any PSK-based handshake that uses a (previously) client-authenticated PSK
needs to be treated as client-authenticated and replay needs to be dealt
with utmost care, including the need to validate via the client finished
that the current exchange is not a replay. In the case where the PSK is
client-unauthenticated (e.g. a resumption from a server-only authenticated
handshake) and the server does not request client authentication then the
need for client finished is less crucial.

Authentication is also handled at a higher layer through HTTP cookies or
token binding. We need to ensure our analysis covers these interactions.

>
> Let me be clear, I prefer a conservative design to a more liberal one so
if we can do without 0.5 data then much better.

I think we should seperate a conservative TLS 1.3 core consisting only of
those features we are absolutely certain function together well, with RSA
endpoint cert signatures banned, and no 0-RTT, and encourage implementors
to make it easy to restrict to this subset.

>From TRON my impressesion is that this includes 1-RTT exchanges and so is
already a latency gain over existing TLS.

>
> Hugo
>
>
>
>
> On Tue, Feb 23, 2016 at 4:58 PM, Karthikeyan Bhargavan <
karthik.bhargavan@gmail.com> wrote:
>>>
>>> ​That's right, we do not consider downgrades or client authentication
but Martin's suggestion explicitly only applies to the case​ where the
server does not require client authentication so the analysis holds in that
case. As for downgrades, this will be discovered by the server when
receiving the client's Finished message. So the only problem I see is that
the server might have been "tricked" to send the 0.5-RTT data with less
protection than intended by the (honest) client. But for that there is no
need for downgrade. The attacker could have generated the exchange with the
weaker ciphersuite by himself (acting as a client). If the server accepts
that ciphersuite it means he is willing to send that particular data with
that level of security to *anyone*. That is the meaning of not requiring
client authentication.
>>
>>
>> Yes Hugo, you’re right that when there is no client auth, the situation
is less problematic.
>>
>> However, let’s note there may still be implicit kind of authentication,
for example, what if the client hello requests PSK-based 1-RTT with a
old-broken cipher that the real client would never use.
>> The server should not, in this case, send user-specific data under the
old-broken cipher until it receives the client finished.
>> Of course, this could be worked around by having a nice whitelist of
ciphers, or possibly other designs.
>> I am mainly pointing out that we need to be careful that the guarantees
for 0.5-RTT seem to be strictly weaker than that for 1-RTT.
>>
>>
>>> ​One useful feature of client's finished is to catch 0-RTT replays. But
even then I am not sure what damage can be done to the 0.5 data. Either the
attacker knows the client's keying material (say PSK) and can generate the
client finished by himself or he doesn't know that keying material but then
it cannot decrypt 0.5 data.
>>
>>
>> Right, this is the other concern. Suppose a passive adversary records a
clients 0-RTT data (under a PSK that is bound to an authenticated client).
>> He can then go home and replay this 0-RTT request as many times as he
wants and record the server’s 0.5-RTT responses.
>> They will be encrypted, sure, but maybe even the length of those
responses may give the attacker useful dynamic information (e.g. he can
tell whether the user’s bank balance went up or down by a digit).
>>
>> Yes, this attack is always possible for a persistent passive adversary,
and we can mitigate it with length-hiding techniques, but it gives us an
example of how 0.5-RTT may provide new avenues for attacking encrypted
connections.
>>
>> Best,
>> Karthik
>>
>>
>>>
>>> Am I missing something on these particular points?
>>>
>>>
>>>
>>>>        On the whole, cryptographers including the authors of OPTLS
would be happier with 0.5-RTT keys
>>>>        not being the same as 1-RTT keys. Again, so far, this is a
matter of taste and proof modularity.
>>>
>>>
>>>
>>> ​Agreed.
>>>
>>> Hugo
>>>
>>> ​
>>>
>>>>
>>>> > On 23 Feb 2016, at 11:27, Martin Thomson <martin.thomson@gmail.com>
wrote:
>>>> >
>>>> > Karthik raised some concerns here, and I think that we have some
>>>> > thinking to do.  But I don't think that it is intractable, nor even
>>>> > hard, to reason about this problem.
>>>> >
>>>> > The only thing that the client's second flight provides is
>>>> > authentication.  The Finished isn't needed if there is no client auth
>>>> > [P].  Hugo's presentation at TRON did not include a client Finished
in
>>>> > the earlier, simpler examples.
>>>> >
>>>> > Thus, based on Watson's observation that the client authentication is
>>>> > removable, we might conclude that the handshake is complete from the
>>>> > perspective of a server that does not require client authentication.
>>>> > There are still reasons we might like to keep the client
>>>> > authentication in the handshake, but those are decisions we can make
>>>> > on engineering grounds.
>>>> >
>>>> > If post-handshake client authentication is OK, then 0.5 RTT is
equally
>>>> > OK [X].  I would assert that any decision about changing keys after
>>>> > the client Finished applies to post-handshake client auth (or vice
>>>> > versa).
>>>> >
>>>> > If that logic is sound, then I see no reason we can't have some very
>>>> > simple advice:
>>>> >
>>>> >  1. if the server does not request client authentication, it can send
>>>> > application data immediately following its Finished
>>>> >
>>>> >  2. if the server requests client authentication, it MUST NOT send
>>>> > application data until it receives and validates the client's first
>>>> > flight.  UNLESS the server is certain that the data it sends does not
>>>> > depend on the client's identity (that is, it would send this
>>>> > application data to anyone).
>>>> >
>>>> >> From an API perspective, I believe that we should recommend that
there
>>>> > be a separate function for sending in condition 2, just as we are
>>>> > going to recommend that there is a separate function for sending
0-RTT
>>>> > data (as well as there being one to receive on the server end).
>>>> >
>>>> > Based on this, we should recommend different points in time for the
>>>> > server API to report that the handshake is "complete" at a server.
In
>>>> > condition 1, the handshake is complete after the server Finished is
>>>> > sent; in condition 2, the handshake is complete after the client
>>>> > Finished is received.
>>>> >
>>>> >
>>>> > [P] Note that a client Finished does confirm a PSK.  Though you might
>>>> > reasonably argue that successfully generating valid application data
>>>> > works equally well in that regard.
>>>> > [X] Post-handshake client authentication has only been analyzed very
>>>> > lightly, so we have to caveat that statement too.
>>>> >
>>>> > _______________________________________________
>>>> > TLS mailing list
>>>> > TLS@ietf.org
>>>> > https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>
>>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email