Re: [TLS] Limiting replay time frame of 0-RTT data

Eric Rescorla <> Tue, 15 March 2016 01:44 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id D36BE12D53E for <>; Mon, 14 Mar 2016 18:44:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id bf1clfHWCMdS for <>; Mon, 14 Mar 2016 18:44:33 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 81B2212D857 for <>; Mon, 14 Mar 2016 18:44:26 -0700 (PDT)
Received: by with SMTP id d65so3717253ywb.0 for <>; Mon, 14 Mar 2016 18:44:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=tMoAunR9O7vu92U/Cy6eaAODrk0YPD+CiSiBZ7ulgS0=; b=L/cyZ22d5MCxDmAg3BhafW8FC06tc29wIIv453ZzNHgySC7RnPOOBp866o3PVLIr+s S59RbyB61bimfhbQjJH9g2qEe7+Ej/oMdNwPkK8o1ENbM6b/4XiuMoaFpSaRotPZ2gLU X4Myw39u3U1ikiiHZ4R4PAKHR4COTrCslY4zI3YMuUT+cZ3ZcgTZc6ddBVnC6R7hrDHR S39BNjui3PRrPi0+Uw7Sl+cku56P7GBe2XcLoV13LBZvYnTKIU/8Q8YZmGtAVDhoUlo2 cjzGuZWTxojb2YGhky76+6DEFKpSja+8ujn5vEDI/M+oN7n4ag6HkqHgf0G7eKJ2S53K M11Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=tMoAunR9O7vu92U/Cy6eaAODrk0YPD+CiSiBZ7ulgS0=; b=QblTXmXGNTn3eQRdSAJla8w5OzrwPCpeFCiJ0UATKY/YWG2GNcuJWFkVagT4pmkbBO VCDGp7KDLjwGUa70VLU4jorZrWK/adopHJhukmC1GbcjpE/+Ed+80VM3u420jmpWj1se KRu6p9XO0FfHu3okoyeqU/Y/FDcteomIlI5j+rxzlr8kHwbqZCvC8nBh88Avtt/jbtZ4 XuYrbdHy77rVHnE7fgoWYe23jud10oq3VeGZ1d3mx9LbJB5+KiZLdGk14/IggSSMzHsP v8OMI/EWzWS24ftbHZyH7d7n6EgLhswGQqgZSeFJERJSZyWqDALSDDHFmjauNRwrHrck ldBA==
X-Gm-Message-State: AD7BkJIn2F4KRr8Q59tTPd3rLtfm6a0p5BT6mQuzF0zPyD2m0NibXqlHylx7d8uU+lJ6Siwx5moHPiScD00zYA==
X-Received: by with SMTP id e66mr15826863ywb.231.1458006265804; Mon, 14 Mar 2016 18:44:25 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Mon, 14 Mar 2016 18:43:46 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <>
From: Eric Rescorla <>
Date: Mon, 14 Mar 2016 18:43:46 -0700
Message-ID: <>
To: Ryan Hamilton <>
Content-Type: multipart/alternative; boundary=001a1147f0788debe2052e0c89ce
Archived-At: <>
Cc: Karthikeyan Bhargavan <>, "" <>
Subject: Re: [TLS] Limiting replay time frame of 0-RTT data
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Mar 2016 01:44:37 -0000

On Mon, Mar 14, 2016 at 5:44 PM, Ryan Hamilton <> wrote:

> ​On Mon, Mar 14, 2016 at 2:04 PM, Colm MacCárthaigh <>
> wrote:
>> On Mon, Mar 14, 2016 at 3:15 PM, Ryan Hamilton <> wrote:
>>> On Sun, Mar 13, 2016 at 4:36 PM, Jeffrey Walton <>
>>> wrote:
>>>> 0-RTT seems to be a solution looking for a problem.
>>> ​Google has been using 0-RTT as part of the QUIC transport for quite a
>>> while now. In April of last year, we posted about the performance
>>> benefits we're seeing from QUIC
>>> <>.
>>> Among other things, that post said:
>>> Even on a well-optimized site like Google Search, where connections are
>>> often pre-established, we still see a 3% improvement in mean page load time
>>> with QUIC.
>>> From the browser side of things, 0-RTT is a solution to a very real
>>> problem. We are excited about TLS 1.3 supporting 0-RTT (or 0-RTT
>>> resumption) and converting QUIC to use the TLS 1.3 handshake as a result.
>> Are you sacrificing forward secrecy in this case? For a concrete example:
>> suppose $oppressive_government is collecting all traffic as a routine
>> matter of course, and then later a remote-ex, memory-disclosure, or
>> decrypt-oracle  (like the recent DROWN) came along on the server side:
>> could it be used to decrypt all of $worthy_dissident's requests? how long
>> for, how do you manage that trade-off?
> ​My understanding is that QUIC's current 0-RTT scheme provides effectively
> the same protection as TLS with perfect forward security, at least assuming
> that session resumption is enabled. This is because, as I understand it,
> even with PFS connections, and attacker who is able to compromise the
> server and access the session resumption key can do bad things. In our QUIC
> deployments, we limit the lifetime of the QUIC 0-RTT static secret to
> roughly the lifetime of our session resumption key.

This is, I think, more or less true.

In general, against complete compromise of the server at time X, the
security is limited to whatever
long-term key was used to protect that data. Generally, this means that
tickets and static DHE
are comparable against server key compromise [0], so for this kind of
attack tickets and semi-static
DH are roughly comparable (indeed, you could imagine having the
configuration ID be an
encryption of the semi-static DH key under the ticket key making them
strictly comparable) [1].
The situation is obviously more complicated with attacks where you don't
have control of
the server (e.g., oracle-type stuff) and I suspect depends on the details
of the attack.


[0] As AGL points out, client key compromise is somewhat different.
[1] If you decide to instead store keying material on the server rather
than use tickets,
then TLS 1.3 PSK 0-RTT actually has somewhat better properties because you
can negotiate
a new key with each connection and establish a new "ticket", so the result
is that compromise
of the server is a future secrecy threat but not a threat to past