IETF Logo Mail Archive

Re: [TLS] 0RTT and HelloRetryRequest (Re: Narrowing the replay window)

Ilari Liusvaara <ilariliusvaara@welho.com> Thu, 31 March 2016 05:09 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C02712D9A1 for <tls@ietfa.amsl.com>; Wed, 30 Mar 2016 22:09:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eyoy1oS-hG0c for <tls@ietfa.amsl.com>; Wed, 30 Mar 2016 22:09:30 -0700 (PDT)
Received: from welho-filter2.welho.com (welho-filter2.welho.com [83.102.41.24]) by ietfa.amsl.com (Postfix) with ESMTP id 5671312D0BF for <tls@ietf.org>; Wed, 30 Mar 2016 22:09:30 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter2.welho.com (Postfix) with ESMTP id 462FB2E56; Thu, 31 Mar 2016 08:09:29 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter2.welho.com [::ffff:83.102.41.24]) (amavisd-new, port 10024) with ESMTP id 96-djDbWQpJF; Thu, 31 Mar 2016 08:09:29 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-143-35.bb.dnainternet.fi [87.100.143.35]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 01C032313; Thu, 31 Mar 2016 08:09:29 +0300 (EEST)
Date: Thu, 31 Mar 2016 08:09:28 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Martin Thomson <martin.thomson@gmail.com>
Message-ID: <20160331050928.GA1138@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABkgnnWVvpiUJMvUfMehdPC3T5ovF=ooOzP0=-TwK=L1v5SpOQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABkgnnWVvpiUJMvUfMehdPC3T5ovF=ooOzP0=-TwK=L1v5SpOQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/4j5cSvgNVfvE0QIrRCwVFRHkAOQ>
Cc: tls@ietf.org
Subject: Re: [TLS] 0RTT and HelloRetryRequest (Re: Narrowing the replay window)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2016 05:09:32 -0000

On Thu, Mar 31, 2016 at 09:57:51AM +1100, Martin Thomson wrote:
> On 31 Mar 2016 5:56 AM, "Ilari Liusvaara" <ilariliusvaara@welho.com> wrote:
> > Then on topic of 0-RTT, how does 0-RTT key hashes behave if
> > handshake is restarted (main handshake hash continues, but
> > 0-RTT hash context currently needs to be separate from the
> > main context)?
> 
> Good question. I don't recall that being discussed. I see three options :
> 
> 1. Continue the hash, just like in 1-RTT
> 
> 2. Treat HelloRetryRequest as a denial of the entire first flight.
> 
> 3. Signal the choice.
> 
> Option 2 suits best if we consider HelloRetryRequest to be a DoS feature
> exclusively or at least primarily. But we have other reasons for it and I
> don't think that DoS mitigation is a big factor for TCP.
> 
> I think that option 1 is easy enough, since both sides have to extend the
> hash in any case. 3 is just complexity.

Yeah, I agree 3 is just complexity. Except I disagree that currently
option 1 is easy enough, since the hash going to creating 0-RTT keys
is not tapped from the main hash (if it was, then continuing would be
the simplest).

Relatedly, the proposal for "contexts" dropped the extra messages that
caused the difference between 0-RTT hash and 1-RTT hash.


-Ilari

v2.23.0 | Report a Bug | By Email