Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 28 February 2017 20:55 UTC

From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Nick Harper <nharper@google.com>
Date: Tue, 28 Feb 2017 20:55:34 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/eTZ1UCbN1fB3zGxGJ1c-MHRuV_g>
Cc: IETF Tokbind WG <unbearable@ietf.org>

> The attacker needs more than just the TLS "Early Secret". The attacker needs the resumption PSK (effectively the Early Secret), but also the ClientHello used for a 0-RTT connection and the Sec-Token-Binding header sent on that 0-RTT connection.
Correct, the ClientHello is also needed. Not sure this makes things significantly better, but it is an additional piece the attacker needs. I guess we’re referring to the same attack, but disagreeing on whether “this still has decent security properties”☺.


> TLS 1.3 doesn't provide any mechanism for a server to say "I don't like that that request was sent in early data, please send it again now that the handshake is complete", and I'm not aware of any application layer specs (e.g. HTTP) that have such a mechanism. That's how I reached the conclusion that the server won't reject some requests sent in early data.
HTTP allows the server to reject individual requests, therefore I disagree with the above logic. E.g. an HTTP server could reject a security-sensitive request authenticated by a replayable token, but accept other requests.

It seems that the right thing to do is not allow Token Binding messages until exporter_secret is available.

Cheers,

Andrei
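
An added example, not part of the original message or of any Token Binding implementation: the two exporters discussed in this thread, derived with the key schedule of RFC 8446 as later published, to show why the early exporter value repeats whenever the same PSK and ClientHello are presented while the post-handshake exporter does not. Assumptions: SHA-256 as the hash, the `EXPORTER-Token-Binding` label with an empty context and 32-byte output, and constructed byte strings standing in for the PSK, (EC)DHE secret and handshake transcripts.

```python
import hashlib
import hmac

H = hashlib.sha256
HLEN = H().digest_size
ZEROS = b"\x00" * HLEN
TB_LABEL = b"EXPORTER-Token-Binding"  # exporter label used by Token Binding

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, H).digest()

def hkdf_expand(prk, info, length):
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), H).digest()
        out += block
        counter += 1
    return out[:length]

def expand_label(secret, label, context, length):
    # HkdfLabel: uint16 length, "tls13 " + label, context (each length-prefixed)
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hkdf_expand(secret, info, length)

def derive_secret(secret, label, transcript):
    return expand_label(secret, label, H(transcript).digest(), HLEN)

def exporter(exp_master, label, context=b"", length=32):
    per_label = derive_secret(exp_master, label, b"")
    return expand_label(per_label, b"exporter", H(context).digest(), length)

def early_ekm(psk, client_hello):
    # Inputs: resumption PSK and ClientHello only; no fresh server contribution.
    early = hkdf_extract(ZEROS, psk)
    return exporter(derive_secret(early, b"e exp master", client_hello), TB_LABEL)

def full_ekm(psk, ecdhe, transcript):
    # Inputs also include the (EC)DHE secret and the transcript through server Finished.
    early = hkdf_extract(ZEROS, psk)
    handshake = hkdf_extract(derive_secret(early, b"derived", b""), ecdhe)
    master = hkdf_extract(derive_secret(handshake, b"derived", b""), ZEROS)
    return exporter(derive_secret(master, b"exp master", transcript), TB_LABEL)

# Constructed sample values, not real handshake bytes.
PSK = bytes(range(32))
CLIENT_HELLO = b"constructed ClientHello carrying early_data and pre_shared_key"

if __name__ == "__main__":
    print("early EKM:", early_ekm(PSK, CLIENT_HELLO).hex())
```

A Token Binding signature computed over the `early_ekm` value verifies on any connection that presents the same PSK and ClientHello, whereas one computed over `full_ekm` is tied to a single completed handshake.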