[TLS] xLS 1.3: cookie
Mark Dunn <mark.dunn@objectiveintegration.uk> Wed, 29 March 2017 13:10 UTC
Return-Path: <mark.dunn@objectiveintegration.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD7E8126C26 for <tls@ietfa.amsl.com>; Wed, 29 Mar 2017 06:10:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lz9vF5Z2Mt95 for <tls@ietfa.amsl.com>; Wed, 29 Mar 2017 06:10:55 -0700 (PDT)
Received: from mail.objectiveintegration.uk (objectiveintegration.uk [134.213.135.47]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 97C10126DD9 for <tls@ietf.org>; Wed, 29 Mar 2017 06:10:54 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.objectiveintegration.uk (Postfix) with ESMTP id 302691A02E40 for <tls@ietf.org>; Wed, 29 Mar 2017 13:10:53 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at objectiveintegration.uk
Received: from mail.objectiveintegration.uk ([127.0.0.1]) by localhost (mail.objectiveintegration.uk [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQtrgPTs-foQ for <tls@ietf.org>; Wed, 29 Mar 2017 13:10:29 +0000 (UTC)
Received: from [192.168.110.205] (host86-136-78-129.range86-136.btcentralplus.com [86.136.78.129]) (Authenticated sender: mark.dunn@objectiveintegration.uk) by mail.objectiveintegration.uk (Postfix) with ESMTPSA id 13C341A01A96 for <tls@ietf.org>; Wed, 29 Mar 2017 13:10:29 +0000 (UTC)
To: tls@ietf.org
From: Mark Dunn <mark.dunn@objectiveintegration.uk>
Message-ID: <16998c3d-4de6-7c88-d8a3-6d6193326500@objectiveintegration.uk>
Date: Wed, 29 Mar 2017 14:10:28 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tKJbmAkywxvEggb71MBdA1Pkda8>
Subject: [TLS] xLS 1.3: cookie
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 13:10:58 -0000
I am trying to implement cookie and finding it a little underspecified.
I am using the TLS 1.3 specified in github and
draft-rescorla-tls-dtls13-01
1a) Should a client expect to respond to a cookie during session
resumption?
It seems unlikelyas it would kill 0-RTT, and I am not sure whetherit
would reduce the workload of the server.
ClientHello
+pre_shared_key
+early_data
+... ----->
HelloRetryRequest
<----- +cookie
ClientHello
+cookie
+pre_shared_key
+... ----->
ServerHello
+pre_shared_key
<----- +...
ClientResponse
finished
application Data ----->
1b) If (1a) is false then do you agree that the "cookie" extension
MUST be accompanied by the "key_share" extension? Otherwisewe might be
faced with
ClientHello
+key_share
+... ----->
HelloRetryRequest
<-----+cookie
ClientHello
+cookie
+key_share
+... ----->
HelloRetryRequest
<----- +key_share
ClientHello
+key_share
+... ----->
ServerHello
+key_share
+...
2) I understand this is too late for TLS(only DTLS SHOULD use
cookies) but is there a better solution than a cookie?
While the use of the "cookie extension" helps mitigate DOS and DOS
amplification(ref draft-rescorla-tls-dtls13-01 section 5.1), it
penalises the legitimate client which requires an extra round
trip.Alsocookie does not help with a botnet attack where the bots may
send legitimate unauthenticated requests.
For authenticatedclients a botnet DOS attack could be mitigated by
authenticating the clientfirst.
In the worst case where the client provided an unacceptable key_share
the Server would have to provide
ClientHello // flight 1
+key_share
+signature_algorithms
+supported_groups
+... ----->
HelloRetryRequest // flight 2
+cookie // from DTLS 1.2: HMAC(secret,
Client-IP, Client-Parameters)
+key_share(server_share)
+signature_algorithms // not required
as supplied by client
+supported_groups // not required as
supplied by client
<----- {CertificateRequest} // implied
when key_share(server_share) is used
ClientHello // flight 3
+key_share
+cookie // this may provide state information to the server
+...
{Cetrificate}
{CertificateVerify}
{finished} // provides reachability for the client first and is
protected by server_handshake_traffic_secret
[application data] -----> // protected using keys derived from
traffic_secret_N
ServerHello // flight 4
{EncryptedExtensions}
{Certificate}
{CertificateVerify}
{Finished} // provides reachability for
the server
<----- [application data]
For authenticating clients, this would provide better defense against
DOS, DOS amplification and require fewer round trips.
- Re: [TLS] [xLS 1.3: cookie] - DTLS queries Mark Dunn
- Re: [TLS] [xLS 1.3: cookie] - DTLS queries Hannes Tschofenig
- Re: [TLS] [xLS 1.3: cookie] - DTLS queries Benjamin Kaduk
- Re: [TLS] [xLS 1.3: cookie] - DTLS queries Hannes Tschofenig
- Re: [TLS] xLS 1.3: cookie Eric Rescorla
- [TLS] xLS 1.3: cookie Mark Dunn