Re: [TLS] 0-RTT security considerations (was OPTLS)

Nico Williams <nico@cryptonector.com> Mon, 24 November 2014 10:43 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D3171A1F01 for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 02:43:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.666
X-Spam-Level:
X-Spam-Status: No, score=-1.666 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0rfB20ODIWYo for <tls@ietfa.amsl.com>; Mon, 24 Nov 2014 02:43:17 -0800 (PST)
Received: from homiemail-a102.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 0DC0D1A1EF8 for <tls@ietf.org>; Mon, 24 Nov 2014 02:43:17 -0800 (PST)
Received: from homiemail-a102.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a102.g.dreamhost.com (Postfix) with ESMTP id E365F2006D30A; Mon, 24 Nov 2014 02:43:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=tFW5fIPvxvzb+A OJsJnzo5b1zjY=; b=mwuaG5LX4a+bML0EU3PfwiR+qELLwyBzvQZEkYQ0mE36iq xsJT/f6IGfJ0ig5JJo9YG2CzTizjK+AZuQBdFiA3JIOQinlg2ODN04nTTV3ahZGE dDp7AxtwsW1qG9rxehQqip9lLKcGptebYs47Dn1gexRBkI5892eEu+u8fksOY=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a102.g.dreamhost.com (Postfix) with ESMTPA id A50102006D309; Mon, 24 Nov 2014 02:43:16 -0800 (PST)
Date: Mon, 24 Nov 2014 04:43:16 -0600
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20141124104314.GF3200@localhost>
References: <20141118234608.GA20721@localhost> <CABcZeBN7ErepGC0Y5_xiYspJG-i3z6kA=STMk0mnnu+oQNCZqA@mail.gmail.com> <20141119004543.GC20758@localhost> <CABcZeBNru1qEcuxLm96HH-R=yU2S4PzSPeUUwjVY4jHkh0Aq-A@mail.gmail.com> <20141119205117.GE20758@localhost> <CABcZeBNQr=mmPAFT0i4WARtZ0FonY4te0ke_ayQn6gHBG+rQQQ@mail.gmail.com> <20141121185136.GF20758@localhost> <CACsn0ck63EGpp7AYPUn7zp-qvLVeAjbyGF+F9c4ANm0Dh=cZtQ@mail.gmail.com> <20141124064707.GB3200@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20141124064707.GB3200@localhost>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/07rn3bRIj8avigI3sz5K5UhTqA0
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT security considerations (was OPTLS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 10:43:17 -0000

On Mon, Nov 24, 2014 at 12:47:09AM -0600, Nico Williams wrote:
> On Fri, Nov 21, 2014 at 04:55:23PM -0800, Watson Ladd wrote:
> > On Fri, Nov 21, 2014 at 10:51 AM, Nico Williams <nico@cryptonector.com> wrote:
> > >> >   It's much easier to have the server hold the
> > >> > early data and have it bound into the client's next handshake msg.
> 
> Actually, there's no need to bind early data into the handshakes.  It's
> enough that the client has to eventually confirm a handshake message
> from the server, and for good measure the client should switch to a key
> to which the server contributed before sending non-early data.  Then the
> server can detect replays.

One more note: the server has to know that it got all of the client's
early data...