[TLS] Requiring that (EC)DHE public values be fresh
Adam Langley <agl@imperialviolet.org> Thu, 29 December 2016 17:37 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yxiF61zS0YahyUG2pfIUldiivmk>
https://github.com/tlswg/tls13-spec/pull/840 is a pull request that specifies that (EC)DH values must be fresh for both parties in TLS 1.3.

For clients, this is standard practice (as far as I'm aware) so should make no difference. For servers, this is not always the case: Springall, Durumeric & Halderman note[1] that with TLS 1.2:

∙ 4.4% of the Alexa Top 1M reuse DHE values and 1.3% do so for more than a day.
∙ 14.4% of the Top 1M reuse ECDHE values, 3.4% for more than a day.

Since this defeats forward security, and is clearly something that implementations of previous versions have done, this change specifically calls it out as a MUST NOT. Implementations would then be free to detect and reject violations of this.

This does have a cost because it also excludes the reasonable practice of amortising public value generation over all connections for a few seconds. The draft could attempt to specify a precise, maximum duration for reuse but that is more complex and no value is clearly optimal.

Also, this cost doesn't seem too high: 85.6% of servers /don't/ reuse values and manage fine today. The generation of (EC)DH public values is also a fixed-base operation and thus can be much faster than DH key-agreement.

Lastly, some have proposed[2] (EC)DH reuse as a mechanism for enabling TLS connections to be decrypted and monitored by a middlebox. TLS is not designed to be decrypted by third-parties—that's kind of the point. Thus anyone doing this should not be surprised to hit a few MUST NOTs and, potentially, to have to configure implementations to allow such a deployment.

[1] “Measuring the Security Harm of TLS Crypto Shortcuts”, IMC 2016, pages 33–47, section 4.4. https://dl.acm.org/citation.cfm?id=2987480
[2] https://datatracker.ietf.org/doc/draft-green-tls-static-dh-in-tls13/

Cheers

AGL

--
Adam Langley agl@imperialviolet.org https://www.imperialviolet.org
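
Added example, not part of the original message or of any TLS implementation: a sketch of how a client or passive monitor could detect the server-side (EC)DHE reuse the message describes, and measure how long a value stayed in use. The class and function names are hypothetical, the sample byte strings are constructed placeholders rather than valid curve points, and extracting the public value from the handshake is assumed to happen elsewhere.

```python
import hashlib
from collections import defaultdict

DAY = 86400  # seconds; the cited study counts reuse "for more than a day"

class KeyShareReuseDetector:
    """Tracks (EC)DHE public values per server as
    server -> {sha256(value) -> [first_seen, last_seen, count]}."""

    def __init__(self):
        self._seen = defaultdict(dict)

    def observe(self, server, timestamp, public_value):
        """Record one handshake; return True if the value is fresh for this server."""
        digest = hashlib.sha256(public_value).digest()
        entry = self._seen[server].get(digest)
        if entry is None:
            self._seen[server][digest] = [timestamp, timestamp, 1]
            return True
        entry[0] = min(entry[0], timestamp)  # tolerate out-of-order observations
        entry[1] = max(entry[1], timestamp)
        entry[2] += 1
        return False

    def report(self):
        """Return {server: (max_uses, longest_reuse_seconds)} for servers that reused."""
        out = {}
        for server, values in self._seen.items():
            reused = [e for e in values.values() if e[2] > 1]
            if reused:
                out[server] = (max(e[2] for e in reused),
                               max(e[1] - e[0] for e in reused))
        return out

# Constructed sample observations: (server, unix time, server public value bytes).
SAMPLE = [
    ("fresh.example", 0, bytes.fromhex("04" + "11" * 64)),
    ("fresh.example", 60, bytes.fromhex("04" + "22" * 64)),
    ("reuse.example", 0, bytes.fromhex("04" + "aa" * 64)),
    ("reuse.example", 30, bytes.fromhex("04" + "aa" * 64)),
    ("reuse.example", 2 * DAY, bytes.fromhex("04" + "aa" * 64)),
]

def run_sample():
    det = KeyShareReuseDetector()
    verdicts = [det.observe(*obs) for obs in SAMPLE]
    return verdicts, det.report()

if __name__ == "__main__":
    print(run_sample()[1])
```

A client enforcing the MUST NOT would abort the handshake when observe() returns False; a monitor would only log it and use report() to separate short amortisation windows from reuse lasting longer than DAY.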