[TLS] 0-RTT (Was: Re: 0-RTT and Anti-Replay)

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sun, 12 April 2015 16:55 UTC

Date: Sun, 12 Apr 2015 19:55:42 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20150412165542.GA19481@LK-Perkele-VII>
References: <CABcZeBP9LaGhDVETsJeecnAtSPUj=Kv37rb_2esDi3YaGk9b4w@mail.gmail.com>
In-Reply-To: <CABcZeBP9LaGhDVETsJeecnAtSPUj=Kv37rb_2esDi3YaGk9b4w@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/LWuD57Fm_cUwt7E-wsOqEfnGzZU>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: [TLS] 0-RTT (Was: Re: 0-RTT and Anti-Replay)

On Sun, Mar 22, 2015 at 02:49:28PM -0700, Eric Rescorla wrote:
> In the interim in Seattle, we had an extensive discussion of 0-RTT
> anti-replay in which DKG observed that all the proposed anti-replay
> mechanisms provide limited protection. The underlying problem is the
> desire to present a uniform interface in which the calling application
> can count on reliable delivery of the data it provides in the first
> flight, thus requiring the TLS stack to retransmit it automatically.

I thought about 0-RTT some more; here are some questions. A few
might be protocol-relevant, most are only about guidance.

1) What is the recommended 0-RTT API model on the server side
   (also consider server apps or app implementations that don't
   support 0-RTT)?
2) What are the semantics of successfully received 0-RTT transfer
   (especially considering the client-side autoretransmit on
3) How does 0-RTT interact with ALPN (especially considering
   potential for multiple protocol candidates)?
4) Can a handshake with attempted 0-RTT be securely downgraded to
   v1.2 (obviously causes the 0-RTT to fail)?
5) There is a potential footgun if 0-RTT is used with (DH-)PSK: The
   PSK authenticates the connection immediately, but 0-RTT is
   as replayable as ever. What to do with that?
6) The same as above, but when attempting to resume a session
   with a client certificate (since cc is a property of the session)?
7) What guidance to give regarding what data can be put to 0-RTT,
   considering its replayability?
8) If a resumption attempt has 0-RTT data, what keying material is
   used for the 0-RTT?
9) Can server roll over its 0-RTT keys without waiting for the
   previous ones to expire?
10) How is an attacker establishing a session (or at least decoding
    the server's first application flight) and replaying captured
    0-RTT data prevented (since that could leak quite a bit of
    info about what's in the 0-RTT blob)? Or not?