Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?
Nick Sullivan <nick@cloudflare.com> Sun, 21 February 2016 17:29 UTC
Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 522201A8994 for <tls@ietfa.amsl.com>; Sun, 21 Feb 2016 09:29:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.378
X-Spam-Level:
X-Spam-Status: No, score=-1.378 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bPBQ7p0su8q4 for <tls@ietfa.amsl.com>; Sun, 21 Feb 2016 09:29:50 -0800 (PST)
Received: from mail-yw0-x235.google.com (mail-yw0-x235.google.com [IPv6:2607:f8b0:4002:c05::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA1DD1A898C for <tls@ietf.org>; Sun, 21 Feb 2016 09:29:49 -0800 (PST)
Received: by mail-yw0-x235.google.com with SMTP id g127so103115615ywf.2 for <tls@ietf.org>; Sun, 21 Feb 2016 09:29:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=TH/mg8/vfZkbiDQ09zR9MUJydi87RpEdqN/H8iZA4Iw=; b=m9uUMAjbMAGlyT/j/u6k7ycjMLJl+9X+lMLP7Pfvssbn+3OYpW00GK7grZJk1PaUJi TZiez5bau0qnu5W/pvmBoDpY4wQOP8Mvlr2N8n2dKAiHo53rL9hW44eUyNrdtpiDY5c8 5Y8ycLjXN7wEblwCudc0yJ3zGmo/7+1HQY2cI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=TH/mg8/vfZkbiDQ09zR9MUJydi87RpEdqN/H8iZA4Iw=; b=lyF/0r+tLUJ/zZfwQqxoCEsN73aKeiiQYCZl60GrQ/A7vuvpRZ+Q/uzXJw41m8Ld+C GuZ43IYUI6k3/8wczkMNUih/sSvwGxJ5FalxQ3obMnYFI3VcqXtrasCxnlNtRePV0O4g iw7HHQ8b1kMCEPf4xlQZdxTkL8tC/YmAp7GITe2iXHdVPYeNUCl4/d4Au5jLmRkjHLPY hInhjFlIM3qXQw/HmQnk08IHBX3V9Semefkh7IqD27kT37altncY9PzVo0yqi9c7kXpe Utd5BsMQmd+c+gNLoyYbQbzsPReeNyupSwve0P0rzQDtTOj6WmgkJW0+yFSwIpjVv3Jk dhXg==
X-Gm-Message-State: AG10YOT50TXerKtFF+NqZPUPTMKDDs/tQSYQPZ8a2M2IfI9EqSZa5wmuJWJgFxgYFR1ZuLVoDItdfD8TVHxuTOE5
X-Received: by 10.13.225.5 with SMTP id k5mr13431274ywe.316.1456075789153; Sun, 21 Feb 2016 09:29:49 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.86.67 with HTTP; Sun, 21 Feb 2016 09:29:29 -0800 (PST)
In-Reply-To: <201602191815.10375.davemgarrett@gmail.com>
References: <CABcZeBMFE24o-F7JO8E2=xFmasR3iqabZhn6Qv4fw+ihYfTc6g@mail.gmail.com> <201602191708.20869.davemgarrett@gmail.com> <CABcZeBNwaLUgDoZZuk9ZQR9bOU2t-0DvC-jRoyMuzCuKmJ+yiw@mail.gmail.com> <201602191815.10375.davemgarrett@gmail.com>
From: Nick Sullivan <nick@cloudflare.com>
Date: Sun, 21 Feb 2016 09:29:29 -0800
Message-ID: <CAFDDyk9viU7ECf8GkERk83GK4+-fQPi8dZJYtE5Yfs4ff=2d6Q@mail.gmail.com>
To: Dave Garrett <davemgarrett@gmail.com>
Content-Type: multipart/alternative; boundary="94eb2c0765fa2dc3ee052c4b106b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/x9ctoFtXNNvJY0gGnQ17YktzYBw>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Feb 2016 17:29:52 -0000
On Fri, Feb 19, 2016 at 3:15 PM, Dave Garrett <davemgarrett@gmail.com> wrote: > On Friday, February 19, 2016 05:24:25 pm Eric Rescorla wrote: > > My impression is exactly the opposite. All the infrastructure to > PSK-resumption and > > hence PSK-0RTT is already in place for TLS 1.2. And of course > PSK-resumption > > is also much faster. > > That's good to hear. The perf advantage is why I'm not advocating dropping > it; merely saying that I too would prefer a single method if it didn't > loose capability. Dropping PSK resumption drops less than dropping DHE > 0RTT, but keeping both seems like the best option at the moment. > > > On Fri, Feb 19, 2016 at 3:08 PM, Dave Garrett <davemgarrett@gmail.com> > wrote: > > > It would mean that TLS only has 0RTT resumption and not actually have > any 0RTT sessions. > > > > Why do you think that this makes a material difference? > > One of the fundamental complaints about TLS, performance-wise, is the > added round trip time over plaintext. That's why the WG made a point to > focus on adding 0RTT in the first place. Someone considering upgrading from > HTTP to HTTPS generally has this concern (or any other protocol to a > variant over TLS). With only PSK resumption, we can still always have a > 1RTT hit on first connection, and revert to that after the session is > considered expired. With DHE 0RTT we have a longer term config that could > allow for more generic caching and distribution and thus not have to get > that 1RTT hit in many scenarios. > > The lack of a current ability to easily distribute a new config system > should not be used as evidence against creating a new config system that we > would want to create a way to easily distribute. Even dumping the top few > dozen sites' 0RTT DHE config into a static file in a client update would be > a noticeable improvement over not doing so. Coming up with a better method > can come next. > I don't think distributing the 0RTT semi-static DHE config for a set of top sites using a file is a realistic use case. As Eric said, for each active DH share, the server has a long-term key floating around which is a risk to PFS. Keeping these keys around for longer than the recommended 7 days is not a good practice. If the semi-static secrets are rotated at this rate, this increases the rate at which clients will have to download the configuration file. For everything other than these few dozen sites, the first connection will still be 1RTT. Clients who want 0RTT with these top sites might as well just establish a session out of band and then use 0RTT PSK. > > People should be using TLS or encryption in general as a matter of > responsibility, but they don't. Softening *all* barriers to them upgrading > is very necessary to get more to switch. 0RTT PSK only gets rid of a delay > in continuing a session, which in some use-cases might be minimally > noticeable. 0RTT DHE allows for a first-connect with comparable speed to > plaintext (in scenarios where 0RTT data is safe, namely most HTTP). Within > the context of HTTP, which is singled out as a focus in the TLS WG charter, > 0RTT DHE will provide a more noticeable latency reduction in comparison to > 0RTT PSK only This assumes that there is a reasonable concrete scenario for distributing the semi-static DH share. It is not clear that this use case exists. Any use case we find to distribute semi-static secrets out of band needs to handle authentication, key freshness, and provide a latency improvement over simply priming the connection with a full handshake. At the very least, we should consider removing the ServerConfiguration distribution as part of the TLS handshake. It is only useful for establishing 0-RTT in resumption connections, and there is already a method for 0-RTT resumption using PSK. Having a two ways in TLS to distribute key material to prime 0-RTT for resumed connections is redundant. > > Another issue is that of privacy with session resumption. If the only way > to get 0RTT is to keep sessions alive, then clearing that cache on the > client side costs a future 1RTT. You can, however, cache 0RTT DHE configs > safely for a longer time because they are not specific to the user agent. > (we should probably narrow the spec to state that configs SHOULD NOT be > per-client) In order to reliably get 0RTT without DHE configs, > applications/services would need to cache PSK resumption sessions for as > long as possible, which leaves a distinct per-user marker on both the > client and server. Anyone trying to optimize away the 1RTT hit of > first-connect will be required to maintain a system that keeps more user > identifiable information than we should want. > > > > Dave > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Do we actually need semi-static DHE-based 0… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Bill Cox
- Re: [TLS] Do we actually need semi-static DHE-bas… Salz, Rich
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Scott Fluhrer (sfluhrer)
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- [TLS] Mass 0RTT of subresources with no prior kno… Dave Garrett
- Re: [TLS] Mass 0RTT of subresources with no prior… Martin Thomson
- Re: [TLS] Mass 0RTT of subresources with no prior… Dave Garrett
- Re: [TLS] Mass 0RTT of subresources with no prior… Eric Rescorla
- Re: [TLS] Mass 0RTT of subresources with no prior… Ilari Liusvaara
- Re: [TLS] Do we actually need semi-static DHE-bas… Nick Sullivan