Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

Ilari Liusvaara <> Mon, 28 December 2015 21:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5C2041ACD2E for <>; Mon, 28 Dec 2015 13:49:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.31
X-Spam-Status: No, score=-1.31 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_12=0.6, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Rcl6_b-wDLmD for <>; Mon, 28 Dec 2015 13:49:18 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id 2F64F1ACD2D for <>; Mon, 28 Dec 2015 13:49:18 -0800 (PST)
Received: from localhost (localhost []) by (Postfix) with ESMTP id CF9E81A4; Mon, 28 Dec 2015 23:49:16 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at
Received: from ([IPv6:::ffff:]) by localhost ( [::ffff:]) (amavisd-new, port 10024) with ESMTP id cHHGm6wSQNy7; Mon, 28 Dec 2015 23:49:16 +0200 (EET)
Received: from LK-Perkele-V2 ( []) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 51FAF230D; Mon, 28 Dec 2015 23:49:16 +0200 (EET)
Date: Mon, 28 Dec 2015 23:49:15 +0200
From: Ilari Liusvaara <>
To: Eric Rescorla <>
Message-ID: <>
References: <> <> <> <> <> <>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 28 Dec 2015 21:49:20 -0000

On Mon, Dec 28, 2015 at 06:46:02AM -0500, Eric Rescorla wrote:
> On Sun, Dec 27, 2015 at 11:55 PM, Christian Huitema <>
> wrote:
> > For DTLS, we have to consider the packet injection threat. It is fairly
> > easy to send some random bytes with a fake source to a UDP destination.
> > Such attacks should not cause the DTLS association to fail! The normal
> > behavior ought to be to just ignore UDP packets that fail to decrypt. This
> > would cause 0-RTT rejects to just result in dropped packets. Can we ensure
> > that the handshake protocol is robust against that?
> >
> We obviously need to distinguish here between handshake and application
> data messages, because DTLS is intended to allow loss of application data
> messages.
> WRT handshake messages, as I indicated before, I believe that there is
> enough information in the handshake messages to prevent removal.
> Namely:
> 1. The ClientHello contains an indication that 0-RTT handshake messages
> are coming.
> 2. The Client's 0-RTT Finished contains a MAC of all the Client's
> 0-RTT messages.
> 3. The Server's Finished contains a MAC of the ClientHello.
> Thus, provided that the client and server in fact share a configuration
> (which, again, is in the ClientHello) then the server knows at the time
> of receiving the first-flight Finished that he has (or has not) received
> all the client's 0-RTT Handshake messages. [0].

Also, maybe a stupid question:

While the 0-RTT handshake parts are obviously reliably transmitted, is
the same true for the 0-RTT data part?

That is, is the server allowed to ACK the flight after having received
ClientHello/Certificate/CertificateVerify/Finished; and deal with any
0-RTT data messages should they arrive (these are not necressarily
retransmitted if lost)?

Or if the context does not support early auth, just ACK immediately
after ClientHello.

It occurs to me that data messages in DTLS 1.2 lack the fields needed
for automatic retransmission.

> The more interesting question, however, is what drives the DTLS state
> machine forward to ensure progress in the face of innocuous loss.
> The basic DTLS design is that the receipt of the first message of the
> peer's next flight indicates receipt of the entire flight. In this case,
> then, the receipt of the ServerHello would indicate receipt of the
> Client's 0-RTT Finished. However, this would place a requirement
> that the server not *send* the ServerHello until that point, which we've
> left open in WIP-11 by not hashing in the 0-RTT plaintext.

I think that would be fairly easy way to deal with it (not saying that
simpler ways don't exist).

Also, on topic of DTLS 1.3... It occurs to me that naively doing it
would leave it open to "fragementation attacks" a'la IPv6.

Basically, it occurs to me that ClientHello messages SHOULD NOT be
fragmented (at TLS level, SCTP(?) or IP level fragmentation is another
kettle of fish) and if it is fragmented, the Cookie extension MUST be
in the first fragment.

The 0-RTT messages aren't so bad as those can just be dropped if
server does not want to accept right now.

Also, there's question of how to handle HelloVerifyReqest (one can't
just downgrade to DTLS 1.2!). One way:

- If it was in reply to ClientHello with EarlyData extension (at least
  with early auth?), treat it as fatal protocol_version Alert. TLS 1.2
  can't handle early data.
- If it was in reply to ClientHello without EarlyData extension, write
  the cookie into the header cookie field (not extension cookie field)
  and resend. This counts as a retry.