Re: [TLS] RFC 8446 Early data, server response: deprotect vs. type checking
Ben Smyth <research@bensmyth.com> Thu, 30 April 2020 09:47 UTC
Return-Path: <research@bensmyth.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD35D3A02BC for <tls@ietfa.amsl.com>; Thu, 30 Apr 2020 02:47:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=bensmyth.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZJRzzghpuCNH for <tls@ietfa.amsl.com>; Thu, 30 Apr 2020 02:47:15 -0700 (PDT)
Received: from 1.smtp.34sp.com (1.smtp.34sp.com [46.183.9.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 287D63A0101 for <tls@ietf.org>; Thu, 30 Apr 2020 02:47:14 -0700 (PDT)
Received: from smtpauth3.mailarray.34sp.com (lvs5.34sp.com [46.183.13.73]) by 1.smtp.34sp.com (Postfix) with ESMTPS id E0BBF148009D for <tls@ietf.org>; Thu, 30 Apr 2020 10:46:20 +0100 (BST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bensmyth.com; s=dkim; t=1588239980; bh=HHVdpEcr8mbJG/Ge8MwFx7PVa9Z94Nmalq7k0D/Kzsc=; h=References:In-Reply-To:Reply-To:From:Date:Subject:To:Cc; b=Ham4GSnapR0lMDglZ28/23qk9PKqxD9GOKyUvgXFTdiset8Nv/hRpP8ziRKzgOHqC 0Bw8GLpCc5nZc5zJxmXCBbRkQG/hc9EY5/w89oxKI3L2xsd56zyKmugQYtZzEpenEp HLsZNyfL31R0Hbti/5OLwRWoCNr4gR7QnBQlyGFw=
Received: from mail-ed1-f51.google.com ([209.85.208.51]:42846) by smtpauth3.mailarray.34sp.com with esmtpsa (TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.92) (envelope-from <research@bensmyth.com>) id 1jU5ls-00035B-Tc for tls@ietf.org; Thu, 30 Apr 2020 10:46:20 +0100
Received: by mail-ed1-f51.google.com with SMTP id l3so3948200edq.13 for <tls@ietf.org>; Thu, 30 Apr 2020 02:46:20 -0700 (PDT)
X-Gm-Message-State: AGi0PuYowofm2XTebI6WIaUS9lqhrRqMpPkq4OpIPeQrEy5LU+4O/9c0 ydBB8dfra7S6xOjJXi85fgwYzRvyLWUDUM7Z5/Q=
X-Google-Smtp-Source: APiQypKsB/gEpkZRAgWDcyEp0DJA3mfvvCTzFPxuHEEf7anMzTe/8/fXmjFuNfJPAfODV7TCvknyLYJF6OhgM2xe150=
X-Received: by 2002:aa7:c306:: with SMTP id l6mr1808404edq.356.1588239980516; Thu, 30 Apr 2020 02:46:20 -0700 (PDT)
MIME-Version: 1.0
References: <CA+_8xu1uyyCeV_-YgrRfEOqkc3aapzKfGJMZJWqm+iMofbBzeA@mail.gmail.com> <CABcZeBNg21wcrx4N_tqPe5ta2id56kEt50=rsG2WTUucqxycYA@mail.gmail.com>
In-Reply-To: <CABcZeBNg21wcrx4N_tqPe5ta2id56kEt50=rsG2WTUucqxycYA@mail.gmail.com>
Reply-To: research@bensmyth.com
From: Ben Smyth <research@bensmyth.com>
Date: Thu, 30 Apr 2020 11:45:54 +0200
X-Gmail-Original-Message-ID: <CA+_8xu33UcnvYV40-vSx=CAiDZNO2A0rLPBcoa6cy1tufYZJCw@mail.gmail.com>
Message-ID: <CA+_8xu33UcnvYV40-vSx=CAiDZNO2A0rLPBcoa6cy1tufYZJCw@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000db5ae405a47eef32"
X-Authenticated-As: research@bensmyth.com
X-OriginalSMTPIP: 209.85.208.51
X-34spcom-MailScanner-Information: Please contact the ISP for more information
X-34spcom-MailScanner-ID: E0BBF148009D.A6C93
X-34spcom-MailScanner: Found to be clean
X-34spcom-MailScanner-SpamCheck: not spam, SpamAssassin (score=-20.1, required 6.5, autolearn=disabled, DKIM_SIGNED 0.10, DKIM_VALID -0.10, DKIM_VALID_AU -0.10, HTML_MESSAGE 0.00, SPF_PASS -0.00, X34SP_ALLOW_GMAIL_EVEN_IF_BLACKLISTED -10.00, X34SP_OVERRIDE -10.00)
X-34spcom-MailScanner-From: research@bensmyth.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5oZyHPL3j3mGwB2ufMYD5flmkGs>
Subject: Re: [TLS] RFC 8446 Early data, server response: deprotect vs. type checking
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Apr 2020 09:47:19 -0000
> > Section 4.2.10 requires a server receiving early data to behave in ways >> including (p53): >> >> * Ignore the extension and return a regular 1-RTT response. The server >> then skips past early data by attempting to deprotect received records >> using the handshake traffic key, discarding records which fail >> deprotection... >> >> * Request that the client send another ClientHello by responding with a >> HelloRetryRequest... The server then ignores early data by skipping all >> records with an external content type of "application_data"... >> >> What are the use cases for each behaviour? >> > I expect that the first response will be the ordinary one. However, in some > cases you will be forced to employ the second one because it is not > possible to send a SH. For instance, consider the case where the server has > been reconfigured and no longer accepts the DH group that the client > employs in the CH. In that case, it will have to send HRR. > SH and HRR are simply used in their usual ways: Thanks for the clarification. > And why does the former rely on deprotecting, when checking record content >> types is surely more efficient? >> > > Unfortunately, the record types are encrypted, and this will not work. > (I meant the external content type. But, that doesn't work anyhow.) I have now understood: When not consuming early data, respond with SH or HRR. For the former, given that all messages will be encrypted, the server must decrypt messages with the handshake traffic key, discard messages when decryption fails, and treat the first successfully decrypted message as the client's next handshake message, thereafter proceeding as if no early data were sent. For the latter, the second CH message will be unencrypted and the server can discard all encrypted messages (identified by record type 0x23, rather than 0x22), before proceeding as if no early data were sent when the second CH is identified. Thanks for your support, Ben
- [TLS] RFC 8446 Early data, server response: depro… Ben Smyth
- Re: [TLS] RFC 8446 Early data, server response: d… Eric Rescorla
- Re: [TLS] RFC 8446 Early data, server response: d… Ben Smyth
- Re: [TLS] RFC 8446 Early data, server response: d… Eric Rescorla