Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

Eric Rescorla <> Tue, 22 December 2015 02:03 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 4440D1AD0AA for <>; Mon, 21 Dec 2015 18:03:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id suvcbIVFxHpN for <>; Mon, 21 Dec 2015 18:03:27 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4002:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D19C91AD0A6 for <>; Mon, 21 Dec 2015 18:03:26 -0800 (PST)
Received: by with SMTP id 140so149856785ykp.0 for <>; Mon, 21 Dec 2015 18:03:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=HolATKKcFxmXyBZNcLzMkWC0u26fDmBRLn4M/8C34tk=; b=OqcWMiU5NVROIxnlgqMt54gAjCGWNPo4Rf7Ekdz5XriG9lC3KWgCIExftPlaUQfFEn YHsLKkxKGCZpcHMStUpX9MHcFy6RVrgi9Fwg4462kHP0qR+vMiUioPQ2BVjd4kam8qP5 Xwp3A4i7T1wjYMhLYBvloAXFMVWhKaBW98UnQpvgKxWVoBZYwyn1xVF1E12dmvvAfcY5 Vzmb0zUQ6D4xBxNC1CZRKJ64pCZZATKMg+7fGEayXZAz78IxUz9JeNNgag0DUbIIaRg2 ijZYaDOdT0J4VdSnVFjTT/cLafFrHmWT0jh72A9WFt37KBcueNWY0bk3Q8mrBzz2xOrk i6ug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=HolATKKcFxmXyBZNcLzMkWC0u26fDmBRLn4M/8C34tk=; b=YFiN1hWw288F+jAm4dqJ9KNuPEJhCMBZZVwYid+aLKuVNnNwPASLaE6siPBJjj6mFz WFN0hfozU14oQKUaDqJCqqIEyVL0/2I4o5RpqlF7ZK27uyrCoqrqgDCHoKgVP8D+7u2l /W+MTvaznkUHTaZTfvabsymf8LPPIR40/a02Wjx0qY1hFreetW9bjd+tq5yLqe+op1Uj VMOF+ru3lL7wzAeKCWMyINLRxHoLrwuRRSyWKFdOwkGKbHYqk7zJWNb226XNeURyxEfR lpr/87KmlsFDH6IyFuHeNLDzrC3sjUYdZCveCosU58A7WN9qRFDu0ksEo/XjCXxpcMdy WnkQ==
X-Gm-Message-State: ALoCoQm7BbdzWfUxPKwZztlkNhzGzyWM+23FQVEasNbFiCCBw08uSCO6DCZhbGtcNHXmnKf427VPuWM0HA+ixN9KrJIQ0Mcb/w==
X-Received: by with SMTP id u199mr17188578ywu.129.1450749806009; Mon, 21 Dec 2015 18:03:26 -0800 (PST)
MIME-Version: 1.0
Received: by with HTTP; Mon, 21 Dec 2015 18:02:46 -0800 (PST)
In-Reply-To: <>
References: <>
From: Eric Rescorla <>
Date: Mon, 21 Dec 2015 18:02:46 -0800
Message-ID: <>
To: Christian Huitema <>
Content-Type: multipart/alternative; boundary=001a11408592d892a60527730235
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 22 Dec 2015 02:03:28 -0000

On Mon, Dec 21, 2015 at 5:49 PM, Christian Huitema <>

> The handshake hash specification in section 7.1 says:

You're referring the editor's copy (WIP-11), right?

>   Where handshake_hash includes all messages up through the
>   server CertificateVerify message, but not including any
>   0-RTT handshake messages (the server's Finished is not
>   included because the master_secret is need to compute
>   the finished key).
> What are the 0-RTT handshake messages that should be excluded? The diagram
> in 6.2.2 shows the client hello and its extensions, the optional client
> cert and client cert verify, and a finished message. Presumably, the
> handshake hash does not exclude the client hello. What is the intent there?
> Is the sentence meant to exclude the 0-RTT cert, cert verify and finished
> messages?

I was just going over this text today and realized it's kind of confusing
(and the whole "handshake_hash" abstraction is starting to be less useful
in light of the PR#316 reframing of the authentication block).

Unless I'm confused (which is possible given the time of night),
the intention, as you say, is to separate out the 0-RTT handshake
messages i.e., (cert, cert verify, finished) from the 1-RTT computations.
However,  as indicated in S 6.3.3. and 6.3.4:

- The 0-RTT Certificate Verify covers the ClientHello and Certificate
  (as well as the cached messages from the server shown in the
  table in 6.3.4)
- The 0-RTT Finished includes the above messages plus the

Trying to figure out the best way to clarify this text. PRs welcome :)