Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

Eric Rescorla <ekr@rtfm.com> Tue, 22 December 2015 02:03 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4440D1AD0AA for <tls@ietfa.amsl.com>; Mon, 21 Dec 2015 18:03:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id suvcbIVFxHpN for <tls@ietfa.amsl.com>; Mon, 21 Dec 2015 18:03:27 -0800 (PST)
Received: from mail-yk0-x229.google.com (mail-yk0-x229.google.com [IPv6:2607:f8b0:4002:c07::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D19C91AD0A6 for <tls@ietf.org>; Mon, 21 Dec 2015 18:03:26 -0800 (PST)
Received: by mail-yk0-x229.google.com with SMTP id 140so149856785ykp.0 for <tls@ietf.org>; Mon, 21 Dec 2015 18:03:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=HolATKKcFxmXyBZNcLzMkWC0u26fDmBRLn4M/8C34tk=; b=OqcWMiU5NVROIxnlgqMt54gAjCGWNPo4Rf7Ekdz5XriG9lC3KWgCIExftPlaUQfFEn YHsLKkxKGCZpcHMStUpX9MHcFy6RVrgi9Fwg4462kHP0qR+vMiUioPQ2BVjd4kam8qP5 Xwp3A4i7T1wjYMhLYBvloAXFMVWhKaBW98UnQpvgKxWVoBZYwyn1xVF1E12dmvvAfcY5 Vzmb0zUQ6D4xBxNC1CZRKJ64pCZZATKMg+7fGEayXZAz78IxUz9JeNNgag0DUbIIaRg2 ijZYaDOdT0J4VdSnVFjTT/cLafFrHmWT0jh72A9WFt37KBcueNWY0bk3Q8mrBzz2xOrk i6ug==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=HolATKKcFxmXyBZNcLzMkWC0u26fDmBRLn4M/8C34tk=; b=YFiN1hWw288F+jAm4dqJ9KNuPEJhCMBZZVwYid+aLKuVNnNwPASLaE6siPBJjj6mFz WFN0hfozU14oQKUaDqJCqqIEyVL0/2I4o5RpqlF7ZK27uyrCoqrqgDCHoKgVP8D+7u2l /W+MTvaznkUHTaZTfvabsymf8LPPIR40/a02Wjx0qY1hFreetW9bjd+tq5yLqe+op1Uj VMOF+ru3lL7wzAeKCWMyINLRxHoLrwuRRSyWKFdOwkGKbHYqk7zJWNb226XNeURyxEfR lpr/87KmlsFDH6IyFuHeNLDzrC3sjUYdZCveCosU58A7WN9qRFDu0ksEo/XjCXxpcMdy WnkQ==
X-Gm-Message-State: ALoCoQm7BbdzWfUxPKwZztlkNhzGzyWM+23FQVEasNbFiCCBw08uSCO6DCZhbGtcNHXmnKf427VPuWM0HA+ixN9KrJIQ0Mcb/w==
X-Received: by 10.129.46.208 with SMTP id u199mr17188578ywu.129.1450749806009; Mon, 21 Dec 2015 18:03:26 -0800 (PST)
MIME-Version: 1.0
Received: by 10.13.249.197 with HTTP; Mon, 21 Dec 2015 18:02:46 -0800 (PST)
In-Reply-To: <DM2PR0301MB06555FC15830293E0C4E381AA8E50@DM2PR0301MB0655.namprd03.prod.outlook.com>
References: <DM2PR0301MB06555FC15830293E0C4E381AA8E50@DM2PR0301MB0655.namprd03.prod.outlook.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 21 Dec 2015 18:02:46 -0800
Message-ID: <CABcZeBO3F067nJ=maZDbH4-jg1kFZwck7qXUOYbttr3VO9Ykrg@mail.gmail.com>
To: Christian Huitema <huitema@microsoft.com>
Content-Type: multipart/alternative; boundary=001a11408592d892a60527730235
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ML6OeMf4WDAGmvUhvr3FmB9pgMk>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Dec 2015 02:03:28 -0000

On Mon, Dec 21, 2015 at 5:49 PM, Christian Huitema <huitema@microsoft.com>
wrote:

> The handshake hash specification in section 7.1 says:
>

You're referring the editor's copy (WIP-11), right?



>   Where handshake_hash includes all messages up through the
>   server CertificateVerify message, but not including any
>   0-RTT handshake messages (the server's Finished is not
>   included because the master_secret is need to compute
>   the finished key).
>
> What are the 0-RTT handshake messages that should be excluded? The diagram
> in 6.2.2 shows the client hello and its extensions, the optional client
> cert and client cert verify, and a finished message. Presumably, the
> handshake hash does not exclude the client hello. What is the intent there?
> Is the sentence meant to exclude the 0-RTT cert, cert verify and finished
> messages?
>

I was just going over this text today and realized it's kind of confusing
(and the whole "handshake_hash" abstraction is starting to be less useful
in light of the PR#316 reframing of the authentication block).

Unless I'm confused (which is possible given the time of night),
the intention, as you say, is to separate out the 0-RTT handshake
messages i.e., (cert, cert verify, finished) from the 1-RTT computations.
However,  as indicated in S 6.3.3. and 6.3.4:

- The 0-RTT Certificate Verify covers the ClientHello and Certificate
  (as well as the cached messages from the server shown in the
  table in 6.3.4)
- The 0-RTT Finished includes the above messages plus the
  CertificateVerify.

Trying to figure out the best way to clarify this text. PRs welcome :)

-Ekr