Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?
"Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com> Fri, 19 February 2016 23:31 UTC
Return-Path: <sfluhrer@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C82AC1A8F46 for <tls@ietfa.amsl.com>; Fri, 19 Feb 2016 15:31:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.507
X-Spam-Level:
X-Spam-Status: No, score=-14.507 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.006, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VtdXHQf08dWJ for <tls@ietfa.amsl.com>; Fri, 19 Feb 2016 15:31:34 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 858E21A8876 for <tls@ietf.org>; Fri, 19 Feb 2016 15:31:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5096; q=dns/txt; s=iport; t=1455924694; x=1457134294; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=IZuvOjxdxL+VwJ6Ekrz6cR3EfV/jXh7AinyCxnLw+hM=; b=e2WWLhgKe/tk6SusX4S4ZkYf6jb2+JuiJOYkrBzrdrtWYqoLnsH32I50 Uhup+cRE7StjsfzEzXipspMiuXCp+iLOC3gTiq0X7WieuuV7ZpsQ4UU6s BgO3kIFp/odX3LjRYLs+rSOT+cbYhQ2JipYqEDr6HPTntvTO0fqcB5I36 k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ABAgBKpcdW/4kNJK1egzpSbQa6PwENgWgXCoVsAoFBOBQBAQEBAQEBZCeEQQEBAQQBAQE3NBcEAgEIEQQBAQEeCQchBgsUCQgCBAESCId9AxIOtwQNhGABAQEBAQEBAQEBAQEBAQEBAQEBAQERBIYSgz59gjqBYwmESQWHUocJiCwBiESDJoFsgWONF4VygROHQgEeAQFCggMZgUhqh0I7fQEBAQ
X-IronPort-AV: E=Sophos;i="5.22,473,1449532800"; d="scan'208";a="240429409"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 19 Feb 2016 23:31:33 +0000
Received: from XCH-ALN-010.cisco.com (xch-aln-010.cisco.com [173.36.7.20]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id u1JNVXv0021271 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 19 Feb 2016 23:31:33 GMT
Received: from xch-rcd-006.cisco.com (173.37.102.16) by XCH-ALN-010.cisco.com (173.36.7.20) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Fri, 19 Feb 2016 17:31:32 -0600
Received: from xch-rcd-006.cisco.com ([173.37.102.16]) by XCH-RCD-006.cisco.com ([173.37.102.16]) with mapi id 15.00.1104.009; Fri, 19 Feb 2016 17:31:32 -0600
From: "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>
To: Dave Garrett <davemgarrett@gmail.com>, Eric Rescorla <ekr@rtfm.com>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Do we actually need semi-static DHE-based 0-RTT?
Thread-Index: AQHRarGUzd/3c2l16U6aGMx/+/I1IZ8zQFwAgAADjACAAQ9fAIAABH6AgAAOLYD//5z38A==
Date: Fri, 19 Feb 2016 23:31:32 +0000
Message-ID: <184c96f0ac1a423f8a96fbc645ff7f66@XCH-RCD-006.cisco.com>
References: <CABcZeBMFE24o-F7JO8E2=xFmasR3iqabZhn6Qv4fw+ihYfTc6g@mail.gmail.com> <201602191708.20869.davemgarrett@gmail.com> <CABcZeBNwaLUgDoZZuk9ZQR9bOU2t-0DvC-jRoyMuzCuKmJ+yiw@mail.gmail.com> <201602191815.10375.davemgarrett@gmail.com>
In-Reply-To: <201602191815.10375.davemgarrett@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.98.2.59]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/z-FEemYoYXvTOT-mb0QU2Mxrd4U>
Subject: Re: [TLS] Do we actually need semi-static DHE-based 0-RTT?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Feb 2016 23:31:40 -0000
I would also suggest keeping PSK 0RTT. On of the things I'm looking at is postquatum cryptography (that is, cryptography that would still be secure even if someone manages to build a large quantum computer). While this is not the most important issue that TLS 1.3 needs to deal with; it's probably not in the top 100; however at some point, TLS will need to deal with it, and it would be preferable if we could say "here's a minor tweak/new ciphersuite/named group we apply to TLS 1.3, and we're good to go", rather than "we need to start doing a TLS 1.4". Here's one of the issues that I foresee; we have key exchange protocols that look postquantum, however they can't do everything that (EC)DH can; either either must be run ephemerally (that is, no static keyshares, you have to generate a fresh one for each key exchange), or the response keyshare is a function of the initiator's one (and can't be used be used in a second exchange). While such a key exchange protocol would work fine in an initial contact situation, it doesn't work out nearly as well in a DHE-0RTT protocol (which does make both assumptions). Leaving in a doorway where we don't require our cryptoprimitives to have such capabilities may, in the long run, make things easier on us. > -----Original Message----- > From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Dave Garrett > Sent: Friday, February 19, 2016 6:15 PM > To: Eric Rescorla; tls@ietf.org > Subject: Re: [TLS] Do we actually need semi-static DHE-based 0-RTT? > > On Friday, February 19, 2016 05:24:25 pm Eric Rescorla wrote: > > My impression is exactly the opposite. All the infrastructure to > > PSK-resumption and hence PSK-0RTT is already in place for TLS 1.2. And > > of course PSK-resumption is also much faster. > > That's good to hear. The perf advantage is why I'm not advocating dropping > it; merely saying that I too would prefer a single method if it didn't loose > capability. Dropping PSK resumption drops less than dropping DHE 0RTT, but > keeping both seems like the best option at the moment. > > > On Fri, Feb 19, 2016 at 3:08 PM, Dave Garrett <davemgarrett@gmail.com> > wrote: > > > It would mean that TLS only has 0RTT resumption and not actually have > any 0RTT sessions. > > > > Why do you think that this makes a material difference? > > One of the fundamental complaints about TLS, performance-wise, is the > added round trip time over plaintext. That's why the WG made a point to > focus on adding 0RTT in the first place. Someone considering upgrading from > HTTP to HTTPS generally has this concern (or any other protocol to a variant > over TLS). With only PSK resumption, we can still always have a 1RTT hit on > first connection, and revert to that after the session is considered expired. > With DHE 0RTT we have a longer term config that could allow for more > generic caching and distribution and thus not have to get that 1RTT hit in > many scenarios. > > The lack of a current ability to easily distribute a new config system should > not be used as evidence against creating a new config system that we would > want to create a way to easily distribute. Even dumping the top few dozen > sites' 0RTT DHE config into a static file in a client update would be a noticeable > improvement over not doing so. Coming up with a better method can come > next. > > People should be using TLS or encryption in general as a matter of > responsibility, but they don't. Softening *all* barriers to them upgrading is > very necessary to get more to switch. 0RTT PSK only gets rid of a delay in > continuing a session, which in some use-cases might be minimally noticeable. > 0RTT DHE allows for a first-connect with comparable speed to plaintext (in > scenarios where 0RTT data is safe, namely most HTTP). Within the context of > HTTP, which is singled out as a focus in the TLS WG charter, 0RTT DHE will > provide a more noticeable latency reduction in comparison to 0RTT PSK only. > > Another issue is that of privacy with session resumption. If the only way to > get 0RTT is to keep sessions alive, then clearing that cache on the client side > costs a future 1RTT. You can, however, cache 0RTT DHE configs safely for a > longer time because they are not specific to the user agent. (we should > probably narrow the spec to state that configs SHOULD NOT be per-client) In > order to reliably get 0RTT without DHE configs, applications/services would > need to cache PSK resumption sessions for as long as possible, which leaves a > distinct per-user marker on both the client and server. Anyone trying to > optimize away the 1RTT hit of first-connect will be required to maintain a > system that keeps more user identifiable information than we should want. > > > Dave > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Do we actually need semi-static DHE-based 0… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Bill Cox
- Re: [TLS] Do we actually need semi-static DHE-bas… Salz, Rich
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- Re: [TLS] Do we actually need semi-static DHE-bas… Dave Garrett
- Re: [TLS] Do we actually need semi-static DHE-bas… Scott Fluhrer (sfluhrer)
- Re: [TLS] Do we actually need semi-static DHE-bas… Eric Rescorla
- [TLS] Mass 0RTT of subresources with no prior kno… Dave Garrett
- Re: [TLS] Mass 0RTT of subresources with no prior… Martin Thomson
- Re: [TLS] Mass 0RTT of subresources with no prior… Dave Garrett
- Re: [TLS] Mass 0RTT of subresources with no prior… Eric Rescorla
- Re: [TLS] Mass 0RTT of subresources with no prior… Ilari Liusvaara
- Re: [TLS] Do we actually need semi-static DHE-bas… Nick Sullivan