TLS 1.3. Eric Rescorla Mozilla IETF 92 TLS 1

Size: px

Start display at page:

Download "TLS 1.3. Eric Rescorla Mozilla IETF 92 TLS 1"

Gwendoline Greene
6 years ago
Views:

1 TLS 1.3 Eric Rescorla Mozilla IETF 92 TLS 1

2 Changes since -03 draft-05 Prohibit SSL negotiation for backwards compatibility. Fix which MS is used for exporters. draft-04 Modify key computations to include session hash. Remove ChangeCipherSpec Renumber the new handshake messages to be somewhat more consistent with existing convention and to remove a duplicate registration. Remove renegotiation. Update format of signatures with context. Remove point format negotiation. IETF 92 TLS 2

3 0-RTT IETF 92 TLS 3

4 Overview of 0-RTT Flow Client Server ClientHello ClientKeyShare {Certificate*} {CertificateVerify*} {Finished} [Application Data] > ServerHello ServerKeyShare < {Finished} [Application Data] < > [Application Data] IETF 92 TLS 4

5 Key Agreement (well-understood) Client caches server s long-term (EC)DH share First flight data encrypted under client ephemeral/server static Server supplies ephemeral in first flight Rest of data encrypted under both ephemeral/static and ephemeral/ephemeral IETF 92 TLS 5

6 Anti-Replay TLS anti-replay is based on each side providing random value Mixed into the keying material Not compatible with 0-RTT Client has anti-replay (since they speak first) Server s random isn t incorporated into client s first flight IETF 92 TLS 6

7 Anti-Replay (borrowed from Snap Start) Server needs to keep a list of client nonces Indexed by a server-provided context token Client provides a timestamp so server can maintain an anti-replay window IETF 92 TLS 7

8 This doesn t work Client Attacker Server ClientHello [+0-RTT] > "POST /buy-something" > ClientHello [+0-RTT] > "POST /buy-something" > [Processes purchase] < ServerHello [accept 0-RTT] (+ rest of handshake) [Force server reboot] ClientHello [+0-RTT] > "POST /buy-something" > < ServerHello [reject 0-RTT] (+ rest of handshake) Finished > "Post /buy-something" > [Processes purchase] IETF 92 TLS 8

9 Less Contrived Client Attacker Server1 Server 2 ClientHello [+0-RTT] --> "POST /buy-something" -> ClientHello [+0-RTT] --> "POST /buy-something" -> [Processes purchase] ClientHello [+0-RTT] > "POST /buy-something" > < ServerHello [reject 0-RTT] (+ rest of handshake) Finished > "Post /buy-something" > [Processes purchase] IETF 92 TLS 9

10 Options Abandon 0-RTT (boo hiss) Keep server state globally and temporally consistent Remove TLS anti-replay guarantee for the first flight Remove TLS reliable delivery guarantee for the first flight This is an inherent problem (as far as we know) IETF 92 TLS 10

11 Example API (option 3) c = new TLSConnection(...) c.setreplayable0rttdata("get /...") c.connect(); IETF 92 TLS 11

12 Example API (option 4) c = new TLSConnection(...) c.setunreliable0rttdata("get /...") c.connect() if (c.delivered0rttdata()) { // Things are cool } else { // Try to figure out whether to replay or not } IETF 92 TLS 12

13 DH-Based Handshake IETF 92 TLS 13

14 Background Reading Git branch: Text file: ietf92_materials/draft-ietf-tls-tls13-dh-based.txt HTML diff: materials/draft-ietf-tls-tls13-dh-based-diff.html IETF 92 TLS 14

15 Existing Draft ClientHello ClientKeyShare > ServerHello ServerKeyShare {EncryptedExtensions*} {Certificate*} {CertificateRequest*} {CertificateVerify*} < {Finished} {Certificate*} {CertificateVerify*} {Finished} > [Application Data] < > [Application Data] {} Indicates messages protected using keys derived from the handshake master secret. [] Indicates messages protected using keys derived from the master secret. IETF 92 TLS 15

16 Right now we have two modes Signature-based (naive 1-RTT) Static DH-based (cached server 1-RTT, 0-RTT) Krawczyk/Wee propose just doing static DH IETF 92 TLS 16

17 Basic idea Server has a semi-static DH key (just like 1-RTT) Probably really has long-term signing key Used to sign the semi-static key.. offline versus online signing Key exchange computations the same for 0-RTT and 1-RTT (and similar with PSK) IETF 92 TLS 17

18 DH-Based Draft ClientHello ClientKeyShare > ServerHello ServerKeyShare {EncryptedExtensions*} {Certificate*} {CertificateRequest*} {ServerParameters*} < {Finished} {Certificate*} {CertificateVerify*} {Finished} > [Application Data] < > [Application Data] {} Indicates messages protected using keys derived from the handshake master secret. [] Indicates messages protected using keys derived from the master secret. IETF 92 TLS 18

19 Server Parameters (prototype) struct { uint64 not_before; uint64 not_after; opaque key_identifier<0..2^8-1>; NamedGroup group; opaque server_key<1..2^16-1>; } UnsignedParameters; enum { online(0), (255)} ParametersType; struct { UnsignedParameters parameters; ParametersType params_type; digitally-signed struct { UnsignedParameters parameters; opaque session_hash[hash.length]; }; opaque zero_rt_id<0..2^16-1>; } ServerParameters; IETF 92 TLS 19

20 What s being signed by the server? Online signature Rough consensus not to do offline now Signature over session_hash + UnsignedParameters IETF 92 TLS 20

21 0 HKDF <- Static Secret< Extract Early Application v Traffic Keys <-HKDFH-- Auth. Master Secret 0 Via Session HKDF <-- Ephemeral --> HKDF Extract Secret Extract v Handshake Master Secret HKDF-Expand v v Handshake Master Traffic Keys Secret Application <--HKDF HKDF---> Resumption Traffic Keys Expand Expand Master Secret Exporter HKDF Master Secret <--Expand----+ IETF 92 TLS 21

22 Performance Comparison (ignoring amortized computations and fixed base) Mode Client Server Current TLS 1.3 (1-RTT) Verify + 1 VB Sign + 1 VB OPTLS (online signing) Verify + 2 VB Sign + 2 VB OPTLS (offline signing) Verify + 2 VB 2 VB OPTLS (online signing, g s == g y ) Verify + 1 VB Sign + 1 VB OPTLS (HMQV) Verify + 1.x VB Sign + 1.x VB 0-RTT 2 VB 2 VB IETF 92 TLS 22

23 How do we provide keys for 0-RTT Reuse/cache the keys from 1-RTT This means you can t use g s == g y Annoying tradeoff for the server Have the server supply a separate key Two keys in ServerParameters? Some other encoding Neither of these is that awesome IETF 92 TLS 23

24 HKDF Some sense that we should convert to HKDF Clearer cryptographic properties Is there anything wrong with the TLS PRF? This is an orthogonal question But I d like to make the change at the same time IETF 92 TLS 24

25 AEAD IV (I) PR??? TLS 1.2 (well, GCM) uses a partially explicit IV 32 bits generated from MS 64 bits explicit 32 bits block counter This chews up bandwidth ChaCha draft reuses sequence number OK (?) if the module checks IETF 92 TLS 25

26 AEAD IV (II) Interim consensus: use record sequence number and pad with 0s Brian Smith: should we have a random offset? Options Do nothing Per-session prefix Per-session offset Per-session XOR mask Let s decide IETF 92 TLS 26

27 Other issues? IETF 92 TLS 27

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila

Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates The main modes, 0-RTT, and replays Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin,