[TLS] 0-RTT & resumption

[Dave Garrett <davemgarrett@gmail.com>]

I'm pretty sure some/all of this was likely mentioned elsewhere, but I don't see any discussion on-list. (it was mentioned in part of the IETF 93 recording I watched as this whole topic needing to go to the list, as well) There's also related TODOs in the draft on this topic. Here's a start to this discussion.

Basically, there's two modes with similar use-cases in TLS 1.3 now: 0-RTT connections using the known configuration extension & PSK-based session resumption. I don't think their roles are well defined yet.

1) There is no 0-RTT resumption. The point of resumption is to get back into the session quick, but it's arguably slower than not doing it, currently.

0-RTT can do first flight (repeatable) requests:
https://tools.ietf.org/html/draft-ietf-tls-tls13-07#section-6.2.3
but PSK-based resumption needs 1-RTT:
https://tools.ietf.org/html/draft-ietf-tls-tls13-07#section-6.2.4

2) There's not yet specifics on what cipher suite to use for PSK-based resumption. I don't see a point in doing PSK-based resumption with anything other than plain PSK, with no PFS (no (EC)DHE). If you're willing to do the extra work for DH, just go straight to normal 0-RTT to get more benefit/flexibility with a similar amount of work. The goal is really to get forward secrecy on the session, not necessarily every single connection within it. (not that it wouldn't be nice) As long as the resumption is within a reasonably short window (e.g. few minutes), not doing another DH is fine. After this window, normal 0-RTT should be the preferred route.

3) Just to state the obvious: If a client is going to do PSK resumption with a non-PFS suite, it needs to offer a non-PFS suite. Even if it's not really going to be negotiated for anything else, I don't really like the feel of this. I think it'd also be cleaner if the offered suites didn't have to change for resumption. One idea would be to rename the groups extension, again, to "supported_key_shares" and mark point 0 (or some other if we want to leave 0) as PSK-resumption, specifically. (_not_ general PSK) A resumption PSK offer could then be listed in the ClientKeyShare like any other, and negotiation of it could side-step the need to pick a new cipher. Mixing it in with regular PSK complicates things a bit and has an expectation of needing to offer a PSK suite with the PSK extension. In this case, it'd just be the previously used suite. 0-RTT becomes a little more straightforward: give both short-term resumption via PSK and mid-term semi-static secret 0-RTT clear expiration dates, then the first flight data is just encrypted using whatever is still valid. Worst case scenario is the server ditched the session early and it falls back to 1-RTT. (double-encrypting early data might work, but would be ugly) This sort of re-separates PSK & resumption a little bit, though the handling is still similar.

4) Related issue: maybe define a generic KeyShare struct (group+key_exchange), simplify the few spots to use these, then allow ServerConfiguration to offer a vector of KeyShares? Alternatively, just have one KeyShare in there and offer a vector of ServerConfiguration in the message so each has an expiration date. If we want the possibility of ServerConfiguration being obtainable through alternate means, then it might help for a server to be able to offer two keys with different curves to make support easier to offer. (e.g. P-256 & Curve25519, as we may be transitioning this way for a bit; could be ECC & PQ of some kind, in the future) This might make constructing a 0-RTT first-connect system a little easier.

Not a solid proposal, really; just some discussion on the topic.


Dave