Re: [TLS] 0-RTT in DTLS 1.3

Martin Thomson <mt@lowentropy.net> Mon, 24 May 2021 04:32 UTC

Date: Mon, 24 May 2021 14:32:04 +1000
From: Martin Thomson <mt@lowentropy.net>
To: Hanno Becker <Hanno.Becker@arm.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MWVzQqB9M5oLQOm0yJo3UO65vT8>

On Mon, May 24, 2021, at 14:19, Hanno Becker wrote:
> Yep, that's clear - my question was whether the DTLS 1.3 Spec should contain an explicit
> reminder of that, e.g. when it claims that cryptographic material is uniquely identified
> by epochs. This wouldn't be true if you could send 0-RTT after an HRR, in which case
> you'd end up with an overloading of epoch 1.

It's not necessarily the case that you would end up with an insecure protocol in this case.  It depends on how the keys for epoch 1 are derived.  As TLS equates HRR with early data rejection, there is no answer to the question of what keys would be used after HRR.

If you mean to refer to "Note this epoch is skipped if the client does not offer early data" it seems like you could adjust this to say "Note this epoch is skipped if the client does not offer **or the server rejects** early data".