Re: [TLS] Security review of TLS1.3 0-RTT
Nico Williams <nico@cryptonector.com> Wed, 03 May 2017 21:22 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F1012129B4C for <tls@ietfa.amsl.com>; Wed, 3 May 2017 14:22:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, RCVD_IN_SORBS_SPAM=0.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CqBGyA7IGugA for <tls@ietfa.amsl.com>; Wed, 3 May 2017 14:22:35 -0700 (PDT)
Received: from homiemail-a64.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DB101200C1 for <tls@ietf.org>; Wed, 3 May 2017 14:20:51 -0700 (PDT)
Received: from homiemail-a64.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a64.g.dreamhost.com (Postfix) with ESMTP id 06BADA004936; Wed, 3 May 2017 14:20:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to:content-transfer-encoding; s= cryptonector.com; bh=uexOx8p+1nScdqi7U5I+Hqi4GfE=; b=X8DmTEkpnkh aG5uDeAF+u8+nzLHrrT6VjZ1ZZpxmx3zOx7IinESbW4b5haStL3UQDK4t3BPOlxT NSUcpi78aQcFOvWV0IX4hLnbheBVoUi+c9RGseWIcLlnIPlrZ9ovB5LFG4DWS6A5 9nxx7bveMz1KBz77oKB8lAF2VEMu+Yow=
Received: from localhost (cpe-70-123-158-140.austin.res.rr.com [70.123.158.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a64.g.dreamhost.com (Postfix) with ESMTPSA id 971C5A004935; Wed, 3 May 2017 14:20:50 -0700 (PDT)
Date: Wed, 03 May 2017 16:20:48 -0500
From: Nico Williams <nico@cryptonector.com>
To: Colm MacCárthaigh <colm@allcosts.net>
Cc: TLS WG <tls@ietf.org>
Message-ID: <20170503212046.GT10188@localhost>
References: <CAAF6GDfQ+YXV4gvhBOOZKC=wtYhxQUy1_2_M+dgfbdL25pppiQ@mail.gmail.com> <BCD73E79-0675-4B71-92B4-3226F0BAB597@dukhovni.org> <CAAF6GDdpq8DgLx5Fo6apoTHgwQsbdn6hb=ozi1+JP9VMxPw6sA@mail.gmail.com> <539D071B-7DDD-4820-A9E4-EC178400B7B2@dukhovni.org> <420471d6016a41ecbcdf9562be303f62@ustx2ex-dag1mb1.msg.corp.akamai.com> <17414FC2-15BB-4A03-8673-7F8299E5428E@dukhovni.org> <20170503182955.GR10188@localhost> <CAAF6GDf_5tuU=L8vCv5f1wgwy8NxvDcJb9TjJ+iHcNOqETASoQ@mail.gmail.com> <20170503193517.GS10188@localhost> <CAAF6GDeJRPB+1JJ39VrrASHZ6-OT5EL-KVmd6Snw1n1h5DKyng@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
In-Reply-To: <CAAF6GDeJRPB+1JJ39VrrASHZ6-OT5EL-KVmd6Snw1n1h5DKyng@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/1E4lpyJs7kdjYT24cIzulX_1Ykg>
Subject: Re: [TLS] Security review of TLS1.3 0-RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 May 2017 21:22:37 -0000
On Wed, May 03, 2017 at 01:19:35PM -0700, Colm MacCárthaigh wrote: > On Wed, May 3, 2017 at 12:35 PM, Nico Williams <nico@cryptonector.com> > wrote: > > No, please don't remove the obfuscated ticket age. Either make it > > encrypted or leave it as-is. > > If it is to be encrypted, say AEAD'd, it needs to be encrypted under a key > that the client and server share; because the client needs to modify the > age before sending. Moving the age to its own message, post Client-Hello, > could solve that - so it comes out of the ticket. Naturally. That's why we have ticket session keys. > That scheme is a bit weird and circular: the server would have to "use" the > ticket to derive a key that decrypts the age, to then decide if it should > "really use" the ticket for 0-RTT data. That seems pretty convoluted to me > - could be a fairly complicated security proof. It's what Kerberos has been doing for decades. RFC4120 (before that RFC1510). > > Type 2.1 - Ticket intended for 0-RTT, does include the ticket age (maybe > > > not in the ticket itself, but somewhere in the handshake), can only be > > used > > > once. > > > > No. Give advice. Do not remove these features. > > I think the can only be used once for 0-RTT needs to be firm. Otherwise > 0-RTT mode is insecure. I don't agree: the application may not care. > > > Type 2.2 - Same as 2.1, but required to be smaller than RPSK in size, to > > > prevent self-encryption. > > > > I don't grok this. > > > > Self-encrypting tickets require STEKs and all of their problems. [...] Can you elaborate? (I don't follow TLS WG that closely. I'm from KITTEN WG.) Nico --
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Daniel Kahn Gillmor
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Jeffrey Walton
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Hannes Tschofenig
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Timothy Jackson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Watson Ladd
- Re: [TLS] Security review of TLS1.3 0-RTT Martin Thomson
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Peter Gutmann
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Andrei Popov
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Erik Nygren
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Derrell Piper
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Nico Williams
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT David Benjamin
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Kyle Nekritz
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Christian Huitema
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Viktor Dukhovni
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Salz, Rich
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Dave Garrett
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Eric Rescorla
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Victor Vasiliev
- Re: [TLS] Security review of TLS1.3 0-RTT Ilari Liusvaara
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Colm MacCárthaigh
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Benjamin Kaduk
- Re: [TLS] Security review of TLS1.3 0-RTT Bill Cox
- Re: [TLS] Security review of TLS1.3 0-RTT Yoav Nir