IETF Logo Mail Archive

[TLS] HelloRetryRequest and stateless reject

Eric Rescorla <ekr@rtfm.com> Wed, 21 October 2015 17:33 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 20C8B1A92FB for <tls@ietfa.amsl.com>; Wed, 21 Oct 2015 10:33:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C2ryBtK-6wZp for <tls@ietfa.amsl.com>; Wed, 21 Oct 2015 10:33:39 -0700 (PDT)
Received: from mail-yk0-f172.google.com (mail-yk0-f172.google.com [209.85.160.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEB651A92F1 for <tls@ietf.org>; Wed, 21 Oct 2015 10:33:39 -0700 (PDT)
Received: by ykba4 with SMTP id a4so50781846ykb.3 for <tls@ietf.org>; Wed, 21 Oct 2015 10:33:39 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=AtDB3rdZMnBOBsS0pbi3Qa6mXchcIEngRJxXCUkdR5Y=; b=b//9l57x5OcWFjiqguy5qRjc8JWEdp1Ra9J9SO80S5lXBVVbfrtdocSXWOWJzw/h+v 5qgZ8zwYJoKkOrcP/Nc40CcqnlE35Ax/jkJIEYD3HO8KnJISpCVF2mc8M8vFfQ8lIGSe qhMYjdu0ICuEmvX048Ev70bicLz4lgwwb04Httl1fg28BErt/6cc1ilkLULisgDtPO+b 8QDM87LSu03jJO7MOyW5yQe4A3boGtRCvAUIu7YwLBfXlgNPZnjMP8bcCN3kOCG41oVq jyIlKkFuWwxWrp7c6gZ8s854ATe7l6B93D0RV6G3mcQMlRkp5nVV3UYSyDI3KJfArq8z lX6g==
X-Gm-Message-State: ALoCoQkhis6fDTRK9sp2sOL7T4lB7GDLih6LWZ+EG/WKIGysV2cdTWHnd8UJ5aB1x6fwF86+o4mo
X-Received: by 10.13.216.141 with SMTP id a135mr7600009ywe.12.1445448819028; Wed, 21 Oct 2015 10:33:39 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.221.85 with HTTP; Wed, 21 Oct 2015 10:32:59 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 21 Oct 2015 10:32:59 -0700
Message-ID: <CABcZeBOxiK90WYJiTwH4dN6aqN9sBYCZSg4pv=RTYB859Ybb_g@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114e488a665b340522a0c74b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/7rLQEHrqKaYo7u31iNBNsPI_OVg>
Subject: [TLS] HelloRetryRequest and stateless reject
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Oct 2015 17:33:42 -0000

Folks,

Several of the remaining TLS 1.3 issues have to do with the
ClientHello/HelloRetryRequest interaction. To recap, if the
ClientHello does not contain a KeyShare with an acceptable group, the
server sends a HelloRetryRequest indicating the correct group,
and the client sends a ClientHello with the correct group:

         Client                                               Server

         ClientHello
           + KeyShare              -------->
                                   <--------       HelloRetryRequest

         ClientHello
           + KeyShare              -------->
                                                         ServerHello
                                                          + KeyShare
         ...


DTLS has a very similar mechanism where the server provides a
HelloVerifyRequest containing a cookie in order to force the client to
provide proof of routabilty at its claimed address. The client
re-sends the ClientHello with the cookie and the handshake restarts.

It seems natural to try to merge these mechanisms, but this raises
the question of whether the handshake hashes should continue through
the rejection exchange (https://github.com/tlswg/tls13-spec/issues/104).
The tension here is that you want to be able to have a stateless
rejection (to avoid DoS in the DTLS scenario) but having things
makes it much harder to analyze the handshake's resistance to
downgrade attacks.

Recently, Karthik, Martin Thomson, and I were talking and I think we've
come to a good resolution. The basic observation is that it's possible
to continue the handshake hash through the rejection exchange while
still being stateless. We are aware of two main techniques here:

- The server offloads its handshake hash state into the cookie
  it provides in the HelloRetryRequest (we'll need the cookie here
  in any case to support the DTLS case. The cookie obviously needs
  to be cryptographically protected, but that's what you're supposed
  to do for DTLS anyway
  (see: https://tools.ietf.org/html/rfc6347#section-4.2.1)

- The server reconstructs the original ClientHello and HelloRetryRequest
  based on the re-sent ClientHello. This is possible because there are
  very strict rules about re-sent ClientHello construction
  (namely: send the same ClientHello except just add a KeyShareEntry
  for the indicated group). The cookie should also allow the server
  to double-check this (and will also need to indicate the reason
  for rejection).

Because the handshake hash is continued through the entire handshake,
it's much easier to analyze the downgrade properties. Moreover,
servers which don't need stateless reject (because there is some
other connection construct as with TLS over TCP or DTLS with
ICE) don't need either of these techniques. They can just continue
the handshake hash in the usual way.

This seems like it fulfills both imperatives, at the primary cost of
some additional complexity on servers who really care about
statelesness (the client is indifferent to the server's implementation
strategy).

If this sounds good to people, I'll work up a PR for this, but
really all it is is saying that you don't reset the hash and
then a non-normative appendix describing stateless implementation
techniques.

Thoughts? Does anyone see anything wrong with this?
-Ekr

v2.23.0 | Report a Bug | By Email