IETF Logo Mail Archive

Re: [TLS] Call for consensus: Removing DHE-based 0-RTT

Hugo Krawczyk <hugo@ee.technion.ac.il> Fri, 01 April 2016 03:40 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCFC412D533 for <tls@ietfa.amsl.com>; Thu, 31 Mar 2016 20:40:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.399
X-Spam-Level:
X-Spam-Status: No, score=-2.399 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.199, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QyvPHfJu1jYh for <tls@ietfa.amsl.com>; Thu, 31 Mar 2016 20:40:14 -0700 (PDT)
Received: from mail-lb0-x22a.google.com (mail-lb0-x22a.google.com [IPv6:2a00:1450:4010:c04::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75B1C12D520 for <tls@ietf.org>; Thu, 31 Mar 2016 20:40:13 -0700 (PDT)
Received: by mail-lb0-x22a.google.com with SMTP id bc4so64131527lbc.2 for <tls@ietf.org>; Thu, 31 Mar 2016 20:40:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=c1SKFWdjwan3oI++IiM7irBpgNKdl42EXW+N6Nj2osk=; b=FsPzBaFPPTm+KPkcxHgCQKQu22LsWQRERapQMMKcAxMK7pL9R8JhgQhegxmCW/za24 s6Uq1L+K4uNGMgo8jlI5t4V7y0rRQeSpntmqePccuXuGtY3PKZrfBruFKHKi5hK/6Dbv aSqmOgvl0hCmqZNuB0YI1NfJ5VWsbxrBjQJnjpyLSAAm6U6PczOkr/6bP8EQCIqLYSmn hg+SzyuYUCQ8knngPB7zToheDieUS95yg6e9Jg3mNApcXCTY17OaeC35EbCft8JCgikf 8X7BNLC/Ee6mfqJL4uY0GW9aJxLNI3QwUzbMaJdg3DOmVS0S0A65OIAP2U/gqfP1Gemh IyIQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=c1SKFWdjwan3oI++IiM7irBpgNKdl42EXW+N6Nj2osk=; b=EqdhQ4gG8LprBIBK75MvlhJmq8vvNw6oU/P2TF+7UH/VOQZ8GUgmqyjvYvNezttXcK dkL0dYEJA00WR/B/+KOFC0qK+k7yKnDzKlO2F53ugZKihlsc5wmrXkUGYpVXovcc8EZV OegHsWK7tAHkGE7FamEtdJFl5WdydcjmKLTH0lMM1F8OfsIHsLbH31kKWG4vAIrvh6w3 MZVoXSV3wxU9hDxqd9nkxW7tEBTCCBRWYJzSfw0dCOmChvzYQrzgWWMer5po65d1krWu hPJ2l8ERtlc4D7ZZVoq05qLYjKUxqu+0PtmCSZ23pdMZbeFLKuIISoiV2PMue9xkkDfL 8dAQ==
X-Gm-Message-State: AD7BkJKfxC2nGQBK4OctkgCgCA1khhMmdMisGeMNhaYGFZAX5z7J7Oc/3GegHx4oCHz7tBz8RiwAMvBNuROaAA==
X-Received: by 10.112.181.38 with SMTP id dt6mr863428lbc.114.1459482011524; Thu, 31 Mar 2016 20:40:11 -0700 (PDT)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.31.6 with HTTP; Thu, 31 Mar 2016 20:39:42 -0700 (PDT)
In-Reply-To: <063B3B0B-B141-459C-890F-9E001655936F@sn3rd.com>
References: <063B3B0B-B141-459C-890F-9E001655936F@sn3rd.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Thu, 31 Mar 2016 23:39:42 -0400
X-Google-Sender-Auth: d5hnWszyyQ_7CrSi4b29-yD1Scs
Message-ID: <CADi0yUNTXynz-8FfN_U+h3MhvWvaKAfZspkWVNR+YxRCAm9w1w@mail.gmail.com>
To: Sean Turner <sean@sn3rd.com>
Content-Type: multipart/alternative; boundary="001a11361298da6568052f6422ba"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/xmnvrKEQkEbD-u8HTeQkyitmclY>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Call for consensus: Removing DHE-based 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2016 03:40:17 -0000

On Tue, Mar 29, 2016 at 9:11 AM, Sean Turner <sean@sn3rd.com> wrote:

> All,
>
> To make sure we’ve got a clear way forward coming out of our BA sessions,
> we need to make sure there’s consensus on a couple of outstanding issues.
> So...
>
> There also seems to be (rougher) consensus not to support 0-RTT via DHE
> (i.e., semi-static DHE) in TLS 1.3 at this time leaving the only 0-RTT mode
> as PSK. The security properties of PSK-based 0-RTT and DHE-based 0-RTT are
> almost identical,


​I am not offering an opinion about what the WG should decide regarding
keeping
DHE-based 0-RTT in the base TLS 1.3 document, but just wanted to note that
the
above claim "The security properties of PSK-based 0-RTT and DHE-based 0-RTT
are
almost identical" is not quite right (nothing I say here is new, I just felt
that I had to "object" to this statement as written).

There are some significant differences - in some cases even "fundamental
differences" - between keeping secret state (in the PSK case) and keeping
non-secret state (in the DHE case) or even not keeping state at all (in the
DHE case) and retrieving the server key g^s from some external source (with
integrity but not secrecy).  In addition, using DHE 0-RTT would require the
client to send a key share g^x leading to a PFS 1-RTT exchange while with
PSK
it may be "tempting" to omit PFS.  Moreover,  if the server's configuration
key g^s is refreshed often (say each 5 minutes) then the g^xs key used by
the
client to protect its 0-RTT data already has some good level of forward
secrecy (the attacker has a 5 minute window to find s and after that forward
security is guaranteed).  The latter point touches on an important aspect
which is the key management complexity of ticket encryption/decryption keys
(as needed in the PSK case) vs managing secret DH key s (in the DHE case).
I am not sure what would be done better (more secure) in practice.

But really it seems that the discussion boils down to identifying cases of
enough interest where avoiding the original 1-RTT trip for establishing a
session ticket is important. I am puzzled by the fact that the Google team
seems ok with something that essentially voids the main feature and design
basis of of QUIC.

Hugo​

​​

> but 0-RTT PSK has better performance properties and is simpler to specify
> and implement. Note that this does not permanently preclude supporting
> DHE-based 0-RTT in a future extension, but it would not be in the initial
> TLS 1.3 RFC.
>
> If you think that we should keep DHE-based 0-RTT please indicate so now
> and provide your rationale.
>
> J&S
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email