IETF Logo Mail Archive

Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Nick Harper <nharper@google.com> Tue, 28 February 2017 21:53 UTC

Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C823812950D for <unbearable@ietfa.amsl.com>; Tue, 28 Feb 2017 13:53:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l4_YUcrHflWL for <unbearable@ietfa.amsl.com>; Tue, 28 Feb 2017 13:53:11 -0800 (PST)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F5C412950C for <unbearable@ietf.org>; Tue, 28 Feb 2017 13:53:11 -0800 (PST)
Received: by mail-yw0-x233.google.com with SMTP id p77so18686731ywg.1 for <unbearable@ietf.org>; Tue, 28 Feb 2017 13:53:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=9LuOL6hQ7AbNw9JpFXc3Gs7ceL+sLxKFAO7opBArwWI=; b=gRKP9gDCPmAz7XlgpMtItwtJurgyDk6m7RDJIfJfvDDhyv2rJXsrAA1dp842DMP7+6 fguIXR/hsMwt/cDLH0Sg1XJPXGtcc+/ybNVKCRuRab8fLZLq2ZSHI0/PWjPkImEQHI+W kbWDFb8JqUDk6opoUXbmi9UPFPK6tbAEzfkTZFU+8f0DrwrZZuNLdZ5fwsh2F7c6vBkk qtKtOeGVoz8/pKMEuB21SODiHiB+JCen/c2bN1YJcKZ7DSz9WrXwvyhHguun8R5WxUTm VUqZSSdqR11HUrniOXNouW8lYlCJ3dRW0VkjWBje55q3B+B6/+rrMTySI7y0g6xYqx1M rMdg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=9LuOL6hQ7AbNw9JpFXc3Gs7ceL+sLxKFAO7opBArwWI=; b=LfXCHv6OfSG8uJxWGNaXGmH0f37Xx/vbILLpZXFQl4qRQ8dueBsQAwfur7KMWHIcQB sivTxUy0ZO5khipbBGQchN4LUWK+BBoNDyovS4h4yEgVcGWrywiFgG+3WbQy5LrXROJ3 JgsfnhMLyamcSo9n+IBa0hWoxarjaIViuGMSVjJS+/srfwGVpLrQq1d/8a2TvSUb76jW iHBHb06GJd5Ncoy0DDxUB0z8flG+48MEBRt5LlST1Yh6Vpzt492pgwpvLK9CJcrfrp7m 9nzYK1q5szV21NUA42sLsUfW+TGP5vt+k92I0NdJH4WRUNweubQGgpEojaunSAU1FxOP jFEg==
X-Gm-Message-State: AMke39kvecr/JQ7gBS2i7ngSjRVQ890uxjBu0fyWV6Qu9FV9rfWAsLTh+pXCCwx/DMaq2q92dVCm1zFroRiAui0J
X-Received: by 10.129.145.66 with SMTP id i63mr1552487ywg.137.1488318790548; Tue, 28 Feb 2017 13:53:10 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.65.5 with HTTP; Tue, 28 Feb 2017 13:52:50 -0800 (PST)
In-Reply-To: <DM2PR21MB00910C83983BEE885B0E04288C560@DM2PR21MB0091.namprd21.prod.outlook.com>
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com> <DM2PR0301MB084793F58146F8574BF36EE18C780@DM2PR0301MB0847.namprd03.prod.outlook.com> <CACdeXiJGcsTxrSWmd5BZrfoWTHhFF3+RisQFD628iYNMzZakhQ@mail.gmail.com> <CACdeXiJFe7-jM9qEnNB+Wp3joGxF_X1z+-dPywb9SRZuSNmAzQ@mail.gmail.com> <DM2PR21MB0091E3F087E1AECA3A63A3788C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXi+YjLaXtoX47LtVK4Ay2y-mCOOraV46gbbbuQPL40ngXg@mail.gmail.com> <DM2PR21MB00910C83983BEE885B0E04288C560@DM2PR21MB0091.namprd21.prod.outlook.com>
From: Nick Harper <nharper@google.com>
Date: Tue, 28 Feb 2017 13:52:50 -0800
Message-ID: <CACdeXiLON5OAjfFCNsenCeaGV3a_LDoi17VAk=fSzF0YA5=f7Q@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/lbYFBk7YR4Q6Ph9u_I8XjzULRcg>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2017 21:53:13 -0000

On Tue, Feb 28, 2017 at 12:55 PM, Andrei Popov
<Andrei.Popov@microsoft.com> wrote:
> Correct, the ClientHello is also needed. Not sure this makes things
> significantly better, but it is an additional piece the attacker needs. I
> guess we’re referring to the same attack, but disagreeing on whether “this
> still has decent security properties”J.

Yes, it sounds like we're talking about the same attack, and the
additional piece of the ClientHello (in addition to the resumption
PSK) doesn't change its feasibility that much. If we do any form of
0-RTT Token Binding, this attack will exist in some form. It is the
major difference between 0-RTT Token Binding and regular Token
Binding. My comment about "decent security properties" was that always
using the 0-RTT exporter (if there is a token binding sent and
accepted in early data) has decent security properties compared to
using the 0-RTT exporter only for token bindings sent in early data.
>
>
> It seems that the right thing to do is not allow Token Binding messages
> until exporter_secret is available.

That restriction would effectively mean that Token Binding can't be
used with 0-RTT.

v2.23.0 | Report a Bug | By Email