Re: [TLS] Security review of TLS1.3 0-RTT

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 07 May 2017 09:27 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
Date: Sun, 07 May 2017 05:27:17 -0400
To: TLS WG <tls@ietf.org>
In-Reply-To: <CABcZeBOF385NYTpvvjW301zb8vE1PGCJV=zb85zRSMoxDSmeaQ@mail.gmail.com>
Message-Id: <835B5EBF-9B1B-4E3D-9B1B-952944AC3C6A@dukhovni.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9pUexTXRSI2je7M-WoNuV3baVyQ>

> On May 6, 2017, at 8:51 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Yes, they can. But doing so leaks a unique identifier, which can be used
> to link sessions. When I look at the privacy implications as well as the
> replay attacks, there is real value in using a resume ticket only once.
> 
> Agreed.  Also, I think that's Ben Kaduk you're quoting :)

Agreed, on the general case, but a reminder that not all applications
benefit from such "privacy".  A sending SMTP MTA has a fixed public
IP address, and even sends a fixed SMTP "HELO" name in the clear
before STARTTLS.  It might of course also send SNI in the clear, ...
and will typically perform cleartext DNS queries that identify the
peer.  There is exceedingly little opportunity or desire to hide client
and server host names.  So some applications will reuse session tickets
(while avoiding 0-RTT).

-- 
	Viktor.