Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
Eric Rescorla <ekr@rtfm.com> Fri, 25 March 2016 19:31 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 868B212D0EF for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 12:31:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4VOAy2OdDST for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 12:31:03 -0700 (PDT)
Received: from mail-qk0-x230.google.com (mail-qk0-x230.google.com [IPv6:2607:f8b0:400d:c09::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 06CF512D0C1 for <tls@ietf.org>; Fri, 25 Mar 2016 12:25:13 -0700 (PDT)
Received: by mail-qk0-x230.google.com with SMTP id s68so38047830qkh.3 for <tls@ietf.org>; Fri, 25 Mar 2016 12:25:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tYXT5GCLRs6XLoH+mZcsKpqnlqB5aeWDlxWHR4USHA8=; b=MWRFAyHc14q9d0hUlYEpCs485vlso6QaK8Le9wXC8RbSjOuVq3I//YnL9vb0m7+/T5 QcsquGlHsiLye+ASfMb7xTP9OIllLnr8u87/dO9DVK5Nj3Uo72a7HjpQ0ITxOd3zA2Rk efaSGZJhnEgn8jEGM5o31EHKi40kuDLvE1NZ+oe88FSX5rJ6ycVrtJJG7MgoV9KTkEGH G2ECeYmAvpeM6UQK+UsxmDyi/vubuuFkyWeRT5n3CAX3pa8xF0axAl32msOe6+q6hCAY 5vcixM0sJ8ZI/QjiyCXTjmOKLSxyrYAE1/jpTDQ79H3Rh6jWotC2yBCECEegywmIMB6B d7Eg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tYXT5GCLRs6XLoH+mZcsKpqnlqB5aeWDlxWHR4USHA8=; b=YWX5Fz34AGSryC4SSpZub8bul/kdoME6EMR93mITxBhcOqY4Pj9qFZxgLG/02g2da6 ggT6Lire/v4k0vsqLRidNkmJQon4TqrgHMLiI7VeXI4wb1B7LAWKE9jexroRlJ/UTlG+ gA6/5Bhjx7eL7cu0UvT9/hpy3amt8EAatE0JBF+el8leF6QHfckLY6AJARzXAOP0GLzp 3jl/WgUq8Rma+sj7rXuujWF8hCJQwCjiiCv/Fvt4ZTY3iCNU0THi2Rfv/2eIYNcZkOUc ub6VtMhKvG0RdGAg+7sQ6PCwcAggHrX7mli/u3ESImUfK+FyGQGmr2Qq1OkTYH+iGBas FWCg==
X-Gm-Message-State: AD7BkJIZ9WIHO6b5J0A2DnudHb/l4BN/HVVb5ynvv2USQShTE+8G+GltrRLVjEZRtl7ly6odtMeCVkHwW3i61g==
X-Received: by 10.129.152.208 with SMTP id p199mr1759978ywg.129.1458933912047; Fri, 25 Mar 2016 12:25:12 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Fri, 25 Mar 2016 12:24:32 -0700 (PDT)
In-Reply-To: <CAAF6GDdRzFZ_9YO4KguwTuR2Mi+pvUY6e=yS1MjD0hH9ymC=Ng@mail.gmail.com>
References: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr> <CAAF6GDefiSCnggjgQJT3NG0DJMC2SDJ=r__npg5L6ycicuzpJQ@mail.gmail.com> <CABcZeBOigwqtBsuKTNTVAztFKuv75m+GmdVdYWX+nWGAkRJM5g@mail.gmail.com> <CAAF6GDdRzFZ_9YO4KguwTuR2Mi+pvUY6e=yS1MjD0hH9ymC=Ng@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 25 Mar 2016 12:24:32 -0700
Message-ID: <CABcZeBOThQ05O9WQsA5VfsZXv=DqZ83pV1EXH+ePcTugnr+8fA@mail.gmail.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Content-Type: multipart/alternative; boundary="94eb2c0bbb0e944611052ee48504"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ylJot4dk0ErO5coX-MI4fIpsGMM>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 19:31:04 -0000
On Fri, Mar 25, 2016 at 12:23 PM, Colm MacCárthaigh <colm@allcosts.net> wrote: > On Fri, Mar 25, 2016 at 11:36 AM, Eric Rescorla <ekr@rtfm.com> wrote: > >> On Fri, Mar 25, 2016 at 11:27 AM, Colm MacCárthaigh <colm@allcosts.net> >> wrote: >>> >>> +1 but I think we can go further here and specify 0RTT in such a way >>> that it only works when the server maintains state, and so that any given >>> 0RTT ticket may only be used once (to preserve forward secrecy as much as >>> possible within the constrains of 0RTT). >>> >> >> I'm not enthusiastic about this. This seems like it would rule out a >> bunch of implementations >> which don't need that guarantee. >> > > With 0RTT, it doesn't seem to be possible to have anti-replay of the > message itself without some kind of server state. > Yes. > It's also beneficial for cryptographic safety to prevent at-will re-use of > the ticket - other-wise the data is subject to the kind of "try and > iterate" attacks we've seen be very successful against DTLS because of its > tolerance for duplicate and out of order messages. If server state is > required, some more good can come of it by improving the forward secrecy of > the 0RTT data to match that of regular data; which I think is most > important of all. > > An implementation would have to be willing to sacrifice replay protection, > some cryptographic safety and forward secrecy for the 0RTT data. I'm sure > there are implementations that would sacrifice these things to get lower > latency more cheaply, but should they be encouraged? > The issue isn't encouraged. It's whether we should design the protocol so that it cannot be implemented any other way. -Ekr > I'll admit that this is an unfair simplification in this case since it's > a more grey area, but "fast, secure, cheap: pick two" is at play here, and > many would pick "fast, cheap". > > > -- > Colm >
- [TLS] Cleaning up 0-RTT Signaling (ciphersuites, … Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Bill Cox
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Karthik Bhargavan
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Eric Rescorla
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Ilari Liusvaara
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Benjamin Kaduk
- Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuit… Colm MacCárthaigh