Re: [TLS] Single round trip abbreviated handshake

Adam Langley <> Wed, 03 February 2010 11:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A0C0E3A6C28 for <>; Wed, 3 Feb 2010 03:40:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -104.477
X-Spam-Status: No, score=-104.477 tagged_above=-999 required=5 tests=[AWL=1.500, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id DV8gGavhOr8s for <>; Wed, 3 Feb 2010 03:40:01 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id B9C413A6C2B for <>; Wed, 3 Feb 2010 03:40:00 -0800 (PST)
Received: from ( []) by with ESMTP id o13Beewi007173 for <>; Wed, 3 Feb 2010 11:40:41 GMT
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed;; s=beta; t=1265197241; bh=tjCtNgrCrre5y5xuH/gVEDEfOh0=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=dln4dqjpZvSPVskXovuD4qMyCvaYldhSH0+wHQbW1B8GltaHAVMwFBvemCIpQ6ZZU zbLxoOVz3q+exa4pq0T9g==
DomainKey-Signature: a=rsa-sha1; s=beta;; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=qGihKrOe+q2vuWR1tjjKnMninFRj7l+BjZhV907ipLraVGehlq0chmnBE3FmxtiOT wursR0RT80cHJmX9drZqQ==
Received: from pxi8 ( []) by with ESMTP id o13BeJTc031478 for <>; Wed, 3 Feb 2010 03:40:39 -0800
Received: by pxi8 with SMTP id 8so1175284pxi.19 for <>; Wed, 03 Feb 2010 03:40:39 -0800 (PST)
MIME-Version: 1.0
Received: by with SMTP id r9mr1419492wfc.201.1265197238321; Wed, 03 Feb 2010 03:40:38 -0800 (PST)
In-Reply-To: <>
References: <>
Date: Wed, 3 Feb 2010 06:40:38 -0500
Message-ID: <>
From: Adam Langley <>
To: Ravi Ganesan <>
Content-Type: text/plain; charset=UTF-8
X-System-Of-Record: true
Subject: Re: [TLS] Single round trip abbreviated handshake
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Feb 2010 11:40:02 -0000

On Tue, Feb 2, 2010 at 11:12 PM, Ravi Ganesan <> wrote:
> Adam/Google was going down this road independently. Adam has suggested
> server-random = function(client-random, unix-gmt, epoch) where last
> value is derived from Server cert.

At the moment, OCSP disk caches and OCSP stapling are the low hanging
latency fruit, but this idea has been knocked around at Google.

However, I didn't explain the 'epoch' bit very well in my emails to
Ravi so I'll try again.

The goal is to give the server an nonce. If the server chooses a long
random string then the job is obviously done. However, if the server
promises to only accept each nonce once, for all time, then we have an
nonce via another route. In order for the server to do this it needs
to bound its storage. Loose clock synchronisation gets us that. The
server can make a trade off between how loose and how much storage.

The epoch value was intended to be learnt by the client (since the
clients need to know the server's certificate before hand anyway) and
used to segment the nonce space. Consider two different clusters on
different sides of the world, both using the same certificate. Without
an epoch value (which would be specific to each cluster) they would
have to synchronise with each other for every new nonce.

Also, it's very expensive to provide durable transactions for
frequently changing data. If we kept the "used nonce" store in memory
then we would need a way to invalidate all previous nonces in the
event of a power failure or other data loss. Changing the epoch value
would suffice here.

However, having the server's nonce be non-fresh leads to this attack:

Client (A) performs a 0-RTT setup to a server (B). This means that it
sends (somehow) enough information for a valid server to extract
application data with no additional round trips. An attacker (M)
intercepts A's traffic and stops it. A sees a timeout as B never
replies. However, the nonce was never used, so M can replay A's
message at a later time.

This suggests that 0-RTT techniques could only be used when the
request is side-effect free (as GETs are supposed to be in HTTP).

That rather scary and we shant be rushing into anything here.