Re: [TLS] Thoughts on TLS 1.3 cryptography performance

Trevor Perrin <trevp@trevp.net> Thu, 13 March 2014 08:01 UTC

Return-Path: <trevp@trevp.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5E2711A094E for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 01:01:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d-OJELiiXMMb for <tls@ietfa.amsl.com>; Thu, 13 Mar 2014 01:01:38 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) by ietfa.amsl.com (Postfix) with ESMTP id 6621B1A0963 for <tls@ietf.org>; Thu, 13 Mar 2014 01:01:38 -0700 (PDT)
Received: by mail-wi0-f178.google.com with SMTP id n15so699986wiw.17 for <tls@ietf.org>; Thu, 13 Mar 2014 01:01:31 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=rP8XoUiFrcOGYmhIPsEWlWgez4kfpAZ2VPRRwlXDNhE=; b=EwlUehBRXR6qrGAeA5tHWVJY/luEORyZZJCULn7L1PWgDRjHzid2r6j0OSF+xEuijU TYxyhZcIcugd1XFByqysSc/qzmV6C9zRvmZUjjvpsojVxXFOBfe/KX+IUy1/zB2sUddZ M12gwXTP+NY7vSfL8RUScztxZv3qDue6RdHHeufQkIgJeGLSRi6xVkh6klws5E1LUSzq yzxKnTk6bCawAohkqJQ61P+qTSXT7jhRtj13f+epMEsHlg1aQlbbjoyBkwVi04zE4hKc PceVIzhvxpDKW6X4w8rWAB8Feu6u0E3s8lW7kFZKEOjqgcEK9gvg1kTc4fb1BnT+sRPp +J2w==
X-Gm-Message-State: ALoCoQk38FH6O39Fw8lRj2/sJUYKfGmFHoP+3gRDdMzLwOKkt35cdGSsiOYuk3IB72CPLUtjMvtm
MIME-Version: 1.0
X-Received: by 10.180.19.35 with SMTP id b3mr445231wie.20.1394697691560; Thu, 13 Mar 2014 01:01:31 -0700 (PDT)
Received: by 10.216.45.146 with HTTP; Thu, 13 Mar 2014 01:01:31 -0700 (PDT)
X-Originating-IP: [184.23.29.222]
In-Reply-To: <CAK3OfOhzD+D2Tf=1JwzCfPf_m5uWhBj3sVd=UQw8b4fthGt-Bw@mail.gmail.com>
References: <CACsn0ckbrrt0rBsHM+5A_jNK6UvkaiO9mHx6=Jr+jjqy+bZ6MQ@mail.gmail.com> <CAK3OfOj_+RzqPj0LJa=EyeJ5UqSy42z-_kF2tqYYZb=efFEwrQ@mail.gmail.com> <CACsn0ckVq5wkjsZgV6XrsgA6tU6_6YLKOsJQMivFY59esX1Ywg@mail.gmail.com> <CAK3OfOhzD+D2Tf=1JwzCfPf_m5uWhBj3sVd=UQw8b4fthGt-Bw@mail.gmail.com>
Date: Thu, 13 Mar 2014 01:01:31 -0700
Message-ID: <CAGZ8ZG3JXiJiCRUUBGGuaVTabn11yZ2u+Nv9cWHO8yagoxr+yw@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Nico Williams <nico@cryptonector.com>
Content-Type: multipart/alternative; boundary="bcaec53d5eb57996a404f4785cf2"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/tbyJQTmehcf9tUDwHjBS8VNdBdw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Thoughts on TLS 1.3 cryptography performance
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Mar 2014 08:01:40 -0000

On Wed, Mar 12, 2014 at 11:26 PM, Nico Williams <nico@cryptonector.com>wrote:

> On Thu, Mar 13, 2014 at 1:12 AM, Watson Ladd <watsonbladd@gmail.com>
> wrote:
> > On Wed, Mar 12, 2014 at 9:54 PM, Nico Williams <nico@cryptonector.com>
> wrote:
>
> > By contrast resumption only works if the client maintains some data
> > that has to be kept secret, and if the server still remembers how to
> > read the tickets that it handed out.  [...]
>
> Ah!  Thanks, that's the key.  It's OK to expect servers to remember
> how to read their session tickets.  As for the need to keep session
> resumption tickets private on the client side... certainly the client
> would have to provide integrity protection to any cache of signature
> validations and server public ECDH keys, but ticket compromise is
> rather severe: past non-PFS resumptions are compromised


Not necessarily.  The cached session key doesn't need to be the same as the
session key for previous sessions.  And 0-RTT resumptions could have a DH
exchange overlaid on the 1st RT, so they get PFS after that RT.



> and the
> attacker can impersonate the client in future resumptions regardless
> of past PFS use.


And impersonate the server to the client.



>  Of course, in your scheme if the client can't
> protect its local cache then it's subject to some MITM attacks, but
> that's a much smaller concern.
>

On the other side of the balance - doing 0-RTT resumption based on session
tickets saves at least 1 DH compared to the 0-RTT flow in EKR's draft or
QUIC.  If clients need to re-authenticate with something like ChannelID, it
might save a second asymmetric op.  Seems worth considering.


Trevor