Re: [TLS] 0-RTT security considerations (was OPTLS)
Nico Williams <nico@cryptonector.com> Mon, 24 November 2014 06:47 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F34F21A1BEA for <tls@ietfa.amsl.com>; Sun, 23 Nov 2014 22:47:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.233
X-Spam-Level:
X-Spam-Status: No, score=0.233 tagged_above=-999 required=5 tests=[BAYES_40=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gEOk7BENOvwr for <tls@ietfa.amsl.com>; Sun, 23 Nov 2014 22:47:10 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 224811A1B62 for <tls@ietf.org>; Sun, 23 Nov 2014 22:47:10 -0800 (PST)
Received: from homiemail-a104.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTP id 06E8520047B84; Sun, 23 Nov 2014 22:47:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=YwuWhz6Yj9dcWc ajcKRdyc8qHRc=; b=rAcg/sE8didfDWFyDpxCjfIfCSI1D/pybezuzU1poJBfT2 Oo3zb6evMpo5ierukC2DBAlaL8tGnLSjCsq7iZAvldnctCK0yRLFDym9MmKXM9pK 3lnDoyraDl8/uQ37dUEYJPf0p22yggpzvN0j3lHjkaLSHqji/NNNBPwlgIPpc=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a104.g.dreamhost.com (Postfix) with ESMTPA id A959220047B82; Sun, 23 Nov 2014 22:47:09 -0800 (PST)
Date: Mon, 24 Nov 2014 00:47:09 -0600
From: Nico Williams <nico@cryptonector.com>
To: Watson Ladd <watsonbladd@gmail.com>
Message-ID: <20141124064707.GB3200@localhost>
References: <20141118234608.GA20721@localhost> <CABcZeBN7ErepGC0Y5_xiYspJG-i3z6kA=STMk0mnnu+oQNCZqA@mail.gmail.com> <20141119004543.GC20758@localhost> <CABcZeBNru1qEcuxLm96HH-R=yU2S4PzSPeUUwjVY4jHkh0Aq-A@mail.gmail.com> <20141119205117.GE20758@localhost> <CABcZeBNQr=mmPAFT0i4WARtZ0FonY4te0ke_ayQn6gHBG+rQQQ@mail.gmail.com> <20141121185136.GF20758@localhost> <CACsn0ck63EGpp7AYPUn7zp-qvLVeAjbyGF+F9c4ANm0Dh=cZtQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <CACsn0ck63EGpp7AYPUn7zp-qvLVeAjbyGF+F9c4ANm0Dh=cZtQ@mail.gmail.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/65LhtvqF6g8_EPzaQ_0KkOc5_HA
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT security considerations (was OPTLS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Nov 2014 06:47:11 -0000
On Fri, Nov 21, 2014 at 04:55:23PM -0800, Watson Ladd wrote: > On Fri, Nov 21, 2014 at 10:51 AM, Nico Williams <nico@cryptonector.com> wrote: > >> > It's much easier to have the server hold the > >> > early data and have it bound into the client's next handshake msg. Actually, there's no need to bind early data into the handshakes. It's enough that the client has to eventually confirm a handshake message from the server, and for good measure the client should switch to a key to which the server contributed before sending non-early data. Then the server can detect replays. However, the security consideration remains that replay detection for early data is not available until the handshake completes. Thus early data bearing messages like "launch missiles" must not be acted upon until the handshake completes. This is a fairly severe security consideration... > Why wouldn't the implementation of TLS automatically resend 0-RTT data > if the server didn't accept it? This seems like the right solution. Agreed. In the case of the server not having the key with which to decrypt the early data the only available choices are: a) abort, b) notify the client app and let it abort or retransmit, c) hold on to the early data for retransmission. (a) is not a good idea, and (b) is probably too complicated (as are all of these security considerations) for many apps, which leaves (c) (your suggestion) as the best approach to the problem of the client using a stale key (e.g., a session resumption ticket for which the server forgot the key) for 0-RTT early data. Nico --
- [TLS] 0-RTT security considerations (was OPTLS) Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Eric Rescorla
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Eric Rescorla
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Eric Rescorla
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Watson Ladd
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams
- Re: [TLS] 0-RTT security considerations (was OPTL… Nico Williams