Re: [TLS] Comments on EndOfEarlyData

Britta Hale <> Tue, 16 May 2017 23:02 UTC

On 17. mai 2017 00:25, Eric Rescorla wrote:

>> EOED signals the end of data encrypted with early traffic keys, yes, and the next
>> message is the Finished message encrypted with the handshake traffic key. However,
>> the Finished message is not *data*, and use of the application traffic key is signaled
>> by the Finished message, not EOED. The Finished message, like a KeyUpdate message, are
>> handshake messages, and both signal the start of a new key use for application data.
>> In comparison, EOED signals the end of key use for application data - which correlates
>> to alert behavior.
>
> This seems like a point where reasonable people can differ, especially as ultimately
> the motivation for this change was some sense of architectural consistency.
> To go back to my earlier question: does this change actually present some analytic
> difficulty, or do you just find it unaesthetic?

It is a matter of consistency, not aesthetics, and that has actual
implications on analysis.

Classifying message types is meaningful in terms of truncation attacks.
Under an application traffic secret, a receiver is only guaranteed protection
from a truncation if it receives an alert (close_notify). According to the 
current draft, a server is only guaranteed protection from such an attack 
for 0-RTT data if it receives a handshake message. Such a difference is sloppy
in terms of analysis.

Furthermore, there is the inconsistency of placement of the EOED message in 
the Finished hash. The lack of synchronization of EOED, i.e. not being fixed 
with respect to the other handshake messages, could complicate analysis in 
terms of matching server/client transcripts.

-- Britta
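
The contrast drawn in the message above, as an added sketch that is not part of the original message or of the TLS draft: a reduced receiver model in which the authenticated end-of-stream marker is an alert (close_notify) under application traffic keys but a handshake message (EndOfEarlyData) under early traffic keys. The function, class and variable names are this example's own assumptions; the numeric codes are the TLS 1.3 content-type, alert and handshake-type values, and the record streams are constructed.

```python
from enum import Enum

# TLS 1.3 record content types and the two message codes relevant here.
ALERT, HANDSHAKE, APPLICATION_DATA = 21, 22, 23
CLOSE_NOTIFY = 0        # alert description
END_OF_EARLY_DATA = 5   # handshake message type


class Epoch(Enum):
    EARLY = "early traffic keys (0-RTT)"
    APPLICATION = "application traffic keys"


# The authenticated record that ends the data stream in each epoch:
# a handshake message for 0-RTT data, an alert for application data.
END_MARKER = {
    Epoch.EARLY: (HANDSHAKE, END_OF_EARLY_DATA),
    Epoch.APPLICATION: (ALERT, CLOSE_NOTIFY),
}


def receive(epoch, records):
    """Return (data, complete) for the decrypted records of one epoch.

    records is a list of (content_type, payload): payload is bytes for
    application data and an int message/alert code otherwise. complete is
    True only when the epoch's own end marker was received. This model
    handles data records and end markers only (an assumption of the sketch).
    """
    data = bytearray()
    for ctype, payload in records:
        if ctype == APPLICATION_DATA:
            data += payload
        elif (ctype, payload) == END_MARKER[epoch]:
            return bytes(data), True
        else:
            raise ValueError(f"record {ctype}/{payload} not modelled in {epoch.name}")
    # The transport ended without the marker: truncation cannot be ruled out.
    return bytes(data), False


# Constructed sample streams: a complete one and a cut-off one per epoch.
EARLY_FULL = [(APPLICATION_DATA, b"GET /a"), (HANDSHAKE, END_OF_EARLY_DATA)]
EARLY_CUT = EARLY_FULL[:1]
APP_FULL = [(APPLICATION_DATA, b"hello"), (ALERT, CLOSE_NOTIFY)]
APP_CUT = APP_FULL[:1]
```
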