Re: [TLS] 0.5 RTT
Watson Ladd <watsonbladd@gmail.com> Fri, 26 February 2016 03:20 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16AA81A88AF for <tls@ietfa.amsl.com>; Thu, 25 Feb 2016 19:20:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, J_CHICKENPOX_32=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PUluvog-EzOB for <tls@ietfa.amsl.com>; Thu, 25 Feb 2016 19:20:47 -0800 (PST)
Received: from mail-yw0-x22e.google.com (mail-yw0-x22e.google.com [IPv6:2607:f8b0:4002:c05::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60EA31A88A0 for <tls@ietf.org>; Thu, 25 Feb 2016 19:20:47 -0800 (PST)
Received: by mail-yw0-x22e.google.com with SMTP id e63so59629717ywc.3 for <tls@ietf.org>; Thu, 25 Feb 2016 19:20:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=R5uRgdUmWkuDKg5gvawLwgqsnPmAGzwduv4FV5CWoFs=; b=wHWiDW9YhuZwx+RAtL1tc3NrCXdQ1wxNxYxY0ZoJZej4OS2+Vmw4ELeApaA7Q0wodQ Jfn+glQJyCtikDby3BhcPg2bV7xYkRAFiuDz5CqsQ2c3ywaVL2S8NCcIQeCR2L559sod igeVZRWim7ddVqPJAPNAdxyUVFRA7AhLtyXsaiYmhpZkl4i1l/ZyOXuimkAOxsoocYaw YTSIvTmikmhtGlXGb/QOFi0WYi/5spJt/INM1/p9JDBVVUl+acVsPSfIQhxrMnvBo1FA RbIVzWB/Dh3ZH7r7Hg+dW2gybyBCjo1gP0kwum3osP96N6FUKV4z9orloyE3l3Vy/K+a rd6A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=R5uRgdUmWkuDKg5gvawLwgqsnPmAGzwduv4FV5CWoFs=; b=aMFl9cTEBf7Ays9qx14oLRebjK4vjBM47y+nUEhex6zn3J4h78Hrlv+Cjqnn60en8z lTwewbbN4QLZugrH43krF2127iP4+Qj+s1H53BjzDQNsJLcnSo7n5s2I9NQfsEWpGjlI WG6Va2TouaNagso1q/GK/9nBz5GJfpb5PcF94hJHs1jrTmnZNl2qgH8SHAdOKj00tRQS GOSVvMR8P9DUZ78EkEwLw0yYs9VczG9IP3EaXf1jR2rHx1EVcC0vZQaCmC4yvkyp97CJ Y9zPIgSichEtbu+hKiTxhbO+/1EsihywtOzdx6VOPNffLEdHmgJR+NKJz6nJNXYXXG9V +88w==
X-Gm-Message-State: AG10YOT+OHVw+ZnNMAYtDleGg8T3YGaIeJjGei3bIwZLwPyUO5E6HH/V6LMQPoY27gS+8oFkxiiAccoVdChx3w==
MIME-Version: 1.0
X-Received: by 10.129.0.9 with SMTP id 9mr25192172ywa.101.1456456846577; Thu, 25 Feb 2016 19:20:46 -0800 (PST)
Received: by 10.13.216.138 with HTTP; Thu, 25 Feb 2016 19:20:46 -0800 (PST)
In-Reply-To: <CADi0yUPi=_+QxXKdQHOvi+J9JbL6bFv_0wRbnAmSy-k4yhqXsg@mail.gmail.com>
References: <35EE1C1C-132D-47A1-ADF3-5AD3C3D5EE4D@gmail.com> <20160225122954.9F45D1A43F@ld9781.wdf.sap.corp> <CADi0yUPi=_+QxXKdQHOvi+J9JbL6bFv_0wRbnAmSy-k4yhqXsg@mail.gmail.com>
Date: Thu, 25 Feb 2016 19:20:46 -0800
Message-ID: <CACsn0cm4UYAZ4mRNxGt8SbT14AycxPuSvQYUmmdwih7qawJqsQ@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Hugo Krawczyk <hugo@ee.technion.ac.il>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/GMeabeNoBAdfWTT7nNOhMm0jExw>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0.5 RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Feb 2016 03:20:49 -0000
On Thu, Feb 25, 2016 at 11:54 AM, Hugo Krawczyk <hugo@ee.technion.ac.il> wrote: > As I said in another email, without client authentication (which is the > scenario in the Karthik quote), data sent by the server should be considered > secure only against passive adversaries. Any additional assumption on > confidentiality (i.e., restricting the power of an active attacker) must > consider some form of client authentication, either implicit or explicit. > Both cases must be dealt with with care, especially the implicit ones (e.g. > authentication implied by application mechanisms and semantics). I think this is unnecessarily pessimistic/ignores the ways in which higher-level applications may have authentication and what we need from them. The below should be taken as a clever guess, rather than representative of the truth. First, we know that negotiation doesn't work in 0-RTT. But that's ok: we need to limit to only strong ciphers anyway, because negotiation doesn't work/general depreciation. This means that clients can be fooled by attackers into using the weakest notion they support for continued authentication of PSKs: this applies to resumption with tickets as well. We also know that each PSK is only shared between one server and one other client from the unpredictability of the negotiated keys. And so when when a server decrypts a ticket, it knows that whatever data it saved in the ticket negotiated in the original negotiation applies to whoever sent it this 0-RTT data, and it knows its response will go only to someone who *at one point* sent this 0-RTT data. And so if there is a cookie or url parameter authenticating the client that is not tied to the PSK, so long as the PSK is secure there is only one party that could have sent that cookie, and the response will go to it. The same is true for prior client authentication, saved in the ticket. Formalizing the above is likely to be a bit tricky, but I don't see why it wouldn't be possible. > > > On Thu, Feb 25, 2016 at 7:29 AM, Martin Rex <mrex@sap.com> wrote: >> >> Karthikeyan Bhargavan wrote: >> > >> > Yes Hugo, you?re right that when there is no client auth, >> > the situation is less problematic. >> >> I'm not so sure. >> >> There might be the desire of the server to keep some data confidential, >> and your argument is that if the data wasn't confidential to begin with, >> the server is not "breaking" confidentiality--although the server is >> clearly doing this. >> >> But what about the client and the client's desire to keep confidential, >> which particular "public data" it is just requesting and receiving >> from the server. >> >> >> -Martin > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > -- "Man is born free, but everywhere he is in chains". --Rousseau.
- [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Watson Ladd
- Re: [TLS] 0.5 RTT Karthikeyan Bhargavan
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Martin Thomson
- Re: [TLS] 0.5 RTT Stephen Farrell
- Re: [TLS] 0.5 RTT Watson Ladd
- Re: [TLS] 0.5 RTT stephen.farrell
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Martin Rex
- Re: [TLS] 0.5 RTT Martin Rex
- Re: [TLS] 0.5 RTT Antoine Delignat-Lavaud
- Re: [TLS] 0.5 RTT Hugo Krawczyk
- Re: [TLS] 0.5 RTT Eric Rescorla
- Re: [TLS] 0.5 RTT Watson Ladd
- Re: [TLS] 0.5 RTT Hugo Krawczyk