IETF Logo Mail Archive

Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 28 February 2017 18:46 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3C8B129682 for <unbearable@ietfa.amsl.com>; Tue, 28 Feb 2017 10:46:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uEcfsIfWcuzY for <unbearable@ietfa.amsl.com>; Tue, 28 Feb 2017 10:46:38 -0800 (PST)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0117.outbound.protection.outlook.com [104.47.38.117]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1A11B129683 for <unbearable@ietf.org>; Tue, 28 Feb 2017 10:46:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=rlK3wISzcP7Lwnf80ZYciXCe8ygAwl9iNuab7tQjSOw=; b=iyeQ3dxi7+AqwfssN9x/pg8YUAfTCxsWgMLWGJ6KfuGVT6gkq75QSQciHjnXPpfTHItakf5Z3a2T50+pMf8cyBBEyG91+iMfdSvB+N09oRXf0+r/8MI8TaTrcB3Y3fukL4RTCz6XNV3cnZ++0bO81LtTvLVM14WN4z83VmCgJR0=
Received: from DM2PR21MB0091.namprd21.prod.outlook.com (10.161.141.14) by DM2PR21MB0089.namprd21.prod.outlook.com (10.161.141.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.961.3; Tue, 28 Feb 2017 18:46:35 +0000
Received: from DM2PR21MB0091.namprd21.prod.outlook.com ([10.161.141.14]) by DM2PR21MB0091.namprd21.prod.outlook.com ([10.161.141.14]) with mapi id 15.01.0961.002; Tue, 28 Feb 2017 18:46:35 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Nick Harper <nharper@google.com>
Thread-Topic: [Unbearable] 0-RTT Token Binding: When to switch exporters?
Thread-Index: AQHSbdvurWwJUrGAZkyxVvys5avGZKE28kcggCd4oACAH07+gIABRECQ
Date: Tue, 28 Feb 2017 18:46:35 +0000
Message-ID: <DM2PR21MB0091E3F087E1AECA3A63A3788C560@DM2PR21MB0091.namprd21.prod.outlook.com>
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com> <DM2PR0301MB084793F58146F8574BF36EE18C780@DM2PR0301MB0847.namprd03.prod.outlook.com> <CACdeXiJGcsTxrSWmd5BZrfoWTHhFF3+RisQFD628iYNMzZakhQ@mail.gmail.com> <CACdeXiJFe7-jM9qEnNB+Wp3joGxF_X1z+-dPywb9SRZuSNmAzQ@mail.gmail.com>
In-Reply-To: <CACdeXiJFe7-jM9qEnNB+Wp3joGxF_X1z+-dPywb9SRZuSNmAzQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:8::1d2]
x-microsoft-exchange-diagnostics: 1; DM2PR21MB0089; 7:QJkKLqlUvCp4P84VChTfrVREZERwme4FmnMUOBm4TYfD5sFxaIxIVf0y0u6Me/Zm8qMUEgqxRLb6F4AQ5hS4QWXAtNgRhQD/BcTEEBLh1I9RBLoVfcv4piNLbPy2eNCCQojvHu4CpOIuGisHQOiVNM295vBuQUgJplE4GVOFmfRNFEpa3TO7hFGyZRhJTmoyu/ll7goJ3JWx8NqUAmifgzf9qZlp8W5XZEvjF1Hka6oF6V3nRpmh1l0yybC3a+7dTQyMxfjWZtqMn/zhRQw8+BeEDJCcpUTY5VeLReb1DGXphRiVp68R7bVfo33VPvtDcdOYnGQF3oqu3BSGmL27gGwM+0d/6miu3b+avnQOOjA=
x-ms-office365-filtering-correlation-id: a0e91e03-8188-40a1-9651-08d4600a1f73
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:DM2PR21MB0089;
x-microsoft-antispam-prvs: <DM2PR21MB0089E4AACA2D2BBE75DF694E8C560@DM2PR21MB0089.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123558025)(20161123560025)(20161123555025)(20161123564025)(20161123562025)(6072148); SRVR:DM2PR21MB0089; BCL:0; PCL:0; RULEID:; SRVR:DM2PR21MB0089;
x-forefront-prvs: 0232B30BBC
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39410400002)(39850400002)(39450400003)(39840400002)(39860400002)(199003)(189002)(99286003)(68736007)(8936002)(229853002)(2900100001)(9686003)(9326002)(102836003)(10090500001)(97736004)(106356001)(106116001)(105586002)(6246003)(6916009)(2906002)(76176999)(101416001)(81156014)(54356999)(7696004)(4326008)(6116002)(7736002)(50986999)(38730400002)(110136004)(8676002)(5660300001)(10290500002)(2950100002)(19609705001)(5005710100001)(790700001)(81166006)(8990500004)(6436002)(33656002)(3660700001)(3280700002)(77096006)(93886004)(74316002)(54896002)(6306002)(25786008)(55016002)(122556002)(86612001)(86362001)(6506006)(92566002)(189998001)(53936002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR21MB0089; H:DM2PR21MB0091.namprd21.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM2PR21MB0091E3F087E1AECA3A63A3788C560DM2PR21MB0091namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Feb 2017 18:46:35.7659 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR21MB0089
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/ucWO_vthjlT_AF01np0IR570tmY>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2017 18:46:40 -0000

Hi Nick,


Ø  Instead, I propose that if a server accepts the client's 0-RTT data, then the client uses the 0-RTT exporter for the entirety of the connection, and otherwise the client uses the exporter as already specified in TBPROTO. This still has decent security properties.
My understanding is that an attacker who has a stolen bound token and TLS “Early Secret” (but not the corresponding TB private key), can successfully replay this token, alongside the attacker’s HTTP request, to a server that allows TLS 1.3 0-RTT. This type of replay is possible from multiple machines, for as long as the server is willing to accept 0-RTT connections based on the same TLS “Early Secret”. Is this correct?

And this is of course in addition to a network attacker being able to replay a legitimate client’s request without change (no stealing of tokens or secrets required), unless the server takes extraordinary steps to prevent 0-RTT replay.


Ø  A server accepting early data should accept any request sent in early data. The server can't sniff the early data to reject it if it contains a request it doesn't like (e.g. a POST request), because the early data could contain multiple requests (e.g. in the case of HTTP/2), and the server MUST process the ClientHello and immediately send the ServerHello - it cannot wait to process all of the client's early data.
From the fact that the server sends the ServerHello after processing ClientHello, it does not follow that the server will accept every request sent as early data. The server can very well reject certain requests and/or terminate the handshake at any stage.

Cheers,

Andrei

v2.23.0 | Report a Bug | By Email