[TLS] Requiring that (EC)DHE public values be fresh

Adam Langley <agl@imperialviolet.org> Thu, 29 December 2016 17:37 UTC

Return-Path: <alangley@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ACCD812961E for <tls@ietfa.amsl.com>; Thu, 29 Dec 2016 09:37:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r_RaYhm7TNPB for <tls@ietfa.amsl.com>; Thu, 29 Dec 2016 09:37:40 -0800 (PST)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 50F57129620 for <tls@ietf.org>; Thu, 29 Dec 2016 09:37:40 -0800 (PST)
Received: by mail-io0-x22e.google.com with SMTP id p42so357358157ioo.1 for <tls@ietf.org>; Thu, 29 Dec 2016 09:37:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to :content-transfer-encoding; bh=JB09M6lyxGPfI68/nMQYlebHScUzL8BcVJx4a0fyMjE=; b=IhZ7Gs5fTTBZv91NkrDCy/moPsKBwvX+CEBxitggVUCZhYiVrwqZ0LoaMh22bfxMgs Wc0LT1aAjanhbyvpjs55xsh4Toxc43JwEvKgxLB2JzpzRRw7yeeeEg+9ZuAwRD8O9kQC 1K6yDbOVjvI9B/rYXKiBEa0WtvpWrXvfkd3PmY7P3tMi/tuRC8JyLoViB38kLWuDPDW1 T/dBExld11QbioqVHvmy8jv+inQnxWbRTByDcqGzfHtWFlfen0H2vhYNDkMmED2xC/At bPdkCx5Z3GKTNDmrLjtkHF+jm4VGCfZYTH7CgFNia89FE8GZPQ6dGjnXWsLURyPEYrpP DVug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to:content-transfer-encoding; bh=JB09M6lyxGPfI68/nMQYlebHScUzL8BcVJx4a0fyMjE=; b=epN/6zkGrRjtbUe36ZuePOvfJFpeFqOIRUkQoUnWAtNvMf98gWVWaUNswKGyTgQr+T 90s5Rhhvd74SINhpTxv7qtSf1Nv8U5qdYtPslS22ihNUEUKRFuXmIvVtkEne6SYRAcH/ Qlvp4aotIRbKNAuFzgGxnBpBlCpTpUzn9hXVXO4wWKKXy+GdeysonfUV/GIDlaOg5Chd T0YbFXWpU8LciszEamN1QOBBWZuH8aydRyg9q+idg+sm7FaWt3H7W5cfDFFzGECiJRow qId9ZemacVJ/Z1U+pqRzx6K6+R89+z6jBFxFkQKL+ce2ar1mbu6Yfrdejx/f/neaCah6 60yA==
X-Gm-Message-State: AIkVDXLwUF+pnl6Ni0J3GL+Tz3T9361g9JFTUfT8L+i9baZmpvBcqvQU30rSlPKvKSI8DraT9oBwhzeppNBKXQ==
X-Received: by 10.107.134.131 with SMTP id q3mr24194186ioi.168.1483033059445; Thu, 29 Dec 2016 09:37:39 -0800 (PST)
MIME-Version: 1.0
Sender: alangley@gmail.com
Received: by 10.36.22.83 with HTTP; Thu, 29 Dec 2016 09:37:39 -0800 (PST)
From: Adam Langley <agl@imperialviolet.org>
Date: Thu, 29 Dec 2016 09:37:39 -0800
X-Google-Sender-Auth: VrdlIEnCqdJX7tXQPaV1IPC55Tw
Message-ID: <CAMfhd9Urd1DWF9yhMdhvx1AcKyB4-E7Qy+tzqz_-1RpXR+Wp1w@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yxiF61zS0YahyUG2pfIUldiivmk>
Subject: [TLS] Requiring that (EC)DHE public values be fresh
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Dec 2016 17:37:50 -0000

https://github.com/tlswg/tls13-spec/pull/840 is a pull request that
specifies that (EC)DH values must be fresh for both parties in TLS
1.3.

For clients, this is standard practice (as far as I'm aware) so should
make no difference. For servers, this is not always the case:

Springall, Durumeric & Halderman note[1] that with TLS 1.2:
  ∙ 4.4% of the Alexa Top 1M reuse DHE values and 1.3% do so for more
    than a day.
  ∙ 14.4% of the Top 1M reuse ECDHE values, 3.4% for more than a day.

Since this defeats forward security, and is clearly something that
implementations of previous versions have done, this change
specifically calls it out as a MUST NOT. Implementations would then be
free to detect and reject violations of this.

This does have a cost because it also excludes the reasonable practice
of amortising public value generation over all connections for a few
seconds. The draft could attempt to specify a precise, maximum
duration for reuse but that is more complex and no value is clearly
optimal.

Also, this cost doesn't seem too high: 85.6% of servers /don't/ reuse
values and manage fine today. The generation of (EC)DH public values
is also a fixed-based operation and thus can be much faster than DH
key-agreement.

Lastly, some have proposed[2] (EC)DH reuse as a mechanism for enabling
TLS connections to be decrypted and monitored by a middlebox. TLS is
not designed to be decrypted by third-parties—that's kind of the
point. Thus anyone doing this should not be surprised to hit a few
MUST NOTs and, potentially, to have to configure implementations to
allow such a deployment.

[1] “Measuring the Security Harm of TLS Crypto Shortcuts”, IMC 2016,
pages 33–47, section 4.4. https://dl.acm.org/citation.cfm?id=2987480
[2] https://datatracker.ietf.org/doc/draft-green-tls-static-dh-in-tls13/


Cheers

AGL

-- 
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org