IETF Logo Mail Archive

Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?

"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 19 February 2016 23:31 UTC

Return-Path: <sfluhrer@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C82AC1A8F46 for <tls@ietfa.amsl.com>; Fri, 19 Feb 2016 15:31:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.507
X-Spam-Level:
X-Spam-Status: No, score=-14.507 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VtdXHQf08dWJ for <tls@ietfa.amsl.com>; Fri, 19 Feb 2016 15:31:34 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 858E21A8876 for <tls@ietf.org>; Fri, 19 Feb 2016 15:31:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5096; q=dns/txt; s=iport; t=1455924694; x=1457134294; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=IZuvOjxdxL+VwJ6Ekrz6cR3EfV/jXh7AinyCxnLw+hM=; b=e2WWLhgKe/tk6SusX4S4ZkYf6jb2+JuiJOYkrBzrdrtWYqoLnsH32I50 Uhup+cRE7StjsfzEzXipspMiuXCp+iLOC3gTiq0X7WieuuV7ZpsQ4UU6s BgO3kIFp/odX3LjRYLs+rSOT+cbYhQ2JipYqEDr6HPTntvTO0fqcB5I36 k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ABAgBKpcdW/4kNJK1egzpSbQa6PwENgWgXCoVsAoFBOBQBAQEBAQEBZCeEQQEBAQQBAQE3NBcEAgEIEQQBAQEeCQchBgsUCQgCBAESCId9AxIOtwQNhGABAQEBAQEBAQEBAQEBAQEBAQEBAQERBIYSgz59gjqBYwmESQWHUocJiCwBiESDJoFsgWONF4VygROHQgEeAQFCggMZgUhqh0I7fQEBAQ
X-IronPort-AV: E=Sophos;i="5.22,473,1449532800"; d="scan'208";a="240429409"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 19 Feb 2016 23:31:33 +0000
Received: from XCH-ALN-010.cisco.com (xch-aln-010.cisco.com [173.36.7.20]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id u1JNVXv0021271 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 19 Feb 2016 23:31:33 GMT
Received: from xch-rcd-006.cisco.com (173.37.102.16) by XCH-ALN-010.cisco.com (173.36.7.20) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Fri, 19 Feb 2016 17:31:32 -0600
Received: from xch-rcd-006.cisco.com ([173.37.102.16]) by XCH-RCD-006.cisco.com ([173.37.102.16]) with mapi id 15.00.1104.009; Fri, 19 Feb 2016 17:31:32 -0600
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Dave Garrett <davemgarrett@gmail.com>, Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Do we actually need semi-static DHE-based 0-RTT?
Thread-Index: AQHRarGUzd/3c2l16U6aGMx/+/I1IZ8zQFwAgAADjACAAQ9fAIAABH6AgAAOLYD//5z38A==
Date: Fri, 19 Feb 2016 23:31:32 +0000
Message-ID: <184c96f0ac1a423f8a96fbc645ff7f66@XCH-RCD-006.cisco.com>
References: <CABcZeBMFE24o-F7JO8E2=xFmasR3iqabZhn6Qv4fw+ihYfTc6g@mail.gmail.com> <201602191708.20869.davemgarrett@gmail.com> <CABcZeBNwaLUgDoZZuk9ZQR9bOU2t-0DvC-jRoyMuzCuKmJ+yiw@mail.gmail.com> <201602191815.10375.davemgarrett@gmail.com>
In-Reply-To: <201602191815.10375.davemgarrett@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.59]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/z-FEemYoYXvTOT-mb0QU2Mxrd4U>
Subject: Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 23:31:40 -0000

I would also suggest keeping PSK 0RTT.

On of the things I'm looking at is postquatum cryptography (that is, cryptography that would still be secure even if someone manages to build a large quantum computer).  While this is not the most important issue that TLS 1.3 needs to deal with; it's probably not in the top 100; however at some point, TLS will need to deal with it, and it would be preferable if we could say "here's a minor tweak/new ciphersuite/named group we apply to TLS 1.3, and we're good to go", rather than "we need to start doing a TLS 1.4".

Here's one of the issues that I foresee; we have key exchange protocols that look postquantum, however they can't do everything that (EC)DH can; either either must be run ephemerally (that is, no static keyshares, you have to generate a fresh one for each key exchange), or the response keyshare is a function of the initiator's one (and can't be used be used in a second exchange).

While such a key exchange protocol would work fine in an initial contact situation, it doesn't work out nearly as well in a DHE-0RTT protocol (which does make both assumptions).  Leaving in a doorway where we don't require our cryptoprimitives to have such capabilities may, in the long run, make things easier on us.

> -----Original Message-----
> From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Dave Garrett
> Sent: Friday, February 19, 2016 6:15 PM
> To: Eric Rescorla; tls@ietf.org
> Subject: Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?
> 
> On Friday, February 19, 2016 05:24:25 pm Eric Rescorla wrote:
> > My impression is exactly the opposite. All the infrastructure to
> > PSK-resumption and hence PSK-0RTT is already in place for TLS 1.2. And
> > of course PSK-resumption is also much faster.
> 
> That's good to hear. The perf advantage is why I'm not advocating dropping
> it; merely saying that I too would prefer a single method if it didn't loose
> capability. Dropping PSK resumption drops less than dropping DHE 0RTT, but
> keeping both seems like the best option at the moment.
> 
> > On Fri, Feb 19, 2016 at 3:08 PM, Dave Garrett <davemgarrett@gmail.com>
> wrote:
> > > It would mean that TLS only has 0RTT resumption and not actually have
> any 0RTT sessions.
> >
> > Why do you think that this makes a material difference?
> 
> One of the fundamental complaints about TLS, performance-wise, is the
> added round trip time over plaintext. That's why the WG made a point to
> focus on adding 0RTT in the first place. Someone considering upgrading from
> HTTP to HTTPS generally has this concern (or any other protocol to a variant
> over TLS). With only PSK resumption, we can still always have a 1RTT hit on
> first connection, and revert to that after the session is considered expired.
> With DHE 0RTT we have a longer term config that could allow for more
> generic caching and distribution and thus not have to get that 1RTT hit in
> many scenarios.
> 
> The lack of a current ability to easily distribute a new config system should
> not be used as evidence against creating a new config system that we would
> want to create a way to easily distribute. Even dumping the top few dozen
> sites' 0RTT DHE config into a static file in a client update would be a noticeable
> improvement over not doing so. Coming up with a better method can come
> next.
> 
> People should be using TLS or encryption in general as a matter of
> responsibility, but they don't. Softening *all* barriers to them upgrading is
> very necessary to get more to switch. 0RTT PSK only gets rid of a delay in
> continuing a session, which in some use-cases might be minimally noticeable.
> 0RTT DHE allows for a first-connect with comparable speed to plaintext (in
> scenarios where 0RTT data is safe, namely most HTTP). Within the context of
> HTTP, which is singled out as a focus in the TLS WG charter, 0RTT DHE will
> provide a more noticeable latency reduction in comparison to 0RTT PSK only.
> 
> Another issue is that of privacy with session resumption. If the only way to
> get 0RTT is to keep sessions alive, then clearing that cache on the client side
> costs a future 1RTT. You can, however, cache 0RTT DHE configs safely for a
> longer time because they are not specific to the user agent. (we should
> probably narrow the spec to state that configs SHOULD NOT be per-client) In
> order to reliably get 0RTT without DHE configs, applications/services would
> need to cache PSK resumption sessions for as long as possible, which leaves a
> distinct per-user marker on both the client and server. Anyone trying to
> optimize away the 1RTT hit of first-connect will be required to maintain a
> system that keeps more user identifiable information than we should want.
> 
> 
> Dave
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email