On 12/06/2015 08:50 AM, Bill Cox wrote: > I think the current spec does not describe well enough how to > implement secure 0-RTT infrastructure. Instead, it seems to recommend > against using 0-RTT, with a pretty dire warning about the insecurity > of 0-RTT. I think that nearly the entire world will switch to 0-RTT, > regardless of security limitations and warnings. Companies won’t be > able to
Perhaps I am living under a rock, but I do not have the sense that "nearly the the entire world will switch to 0-RTT". > resist the improved connection time. IMO, the spec should describe > how to address the security issues with 0-RTT, rather than just > warning about security issues. > > So, here are my dumb thoughts about practical 0-RTT security > infrastructure... > > > One way is to bind resumption to orbits, by having only the orbit that > issues a PSK remember the secret key. Something like this is needed > in any case to provide 0-RTT replay protection. Without at least > orbit-based replay protection, I think it does not make sense to allow > a ClientVerify in a 0-RTT connection. > > > There was a TODO in the last version I read asking what the client > would sign in a 0-RTT ClientVerify. If orbit-based replay protection > is in place using PSKs, then signing anything that identifies what PSK > to use is enough. However, the handshake has to somehow be bound to > the orbit to prevent the signature from being replayed in a MitM > attack. Having a ticket that can only be decrypted using the > orbit-specific ticket decryption key would work. Using a source > address token bound to the orbit would also work. Signing the server > Finish is not required to insure the signature will only be accepted once. > > > There are two parts to a proof-of-possession: uniqueness and > freshness. Uniqueness can be had using orbit-bound PSKs. Insuring > freshness is harder. This could be done by adding timestamps to the > material signed. With this, we would not get a complete proof of > possession, because an attacker can attack the client's clock, unlike > a normal proof of possession. However, if steps are taken to secure > clocks, which is needed for TLS in any case, then we can get what I > think of as "compelling evidence" of possession, which might be good > enough. > > Perhaps I do not fully understand the proposal, but binding to source address and signing timestamps sound an awful lot like things that have been causing headaches for *decades* in the Kerberos community. I would be wary of introducing them into TLS. -Ben
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls