Re: [TLS] 0-RTT and Anti-Replay

Colm MacCárthaigh <colm@allcosts.net> Mon, 23 March 2015 14:26 UTC

Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74C6F1A8AD0 for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 07:26:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.678
X-Spam-Level:
X-Spam-Status: No, score=-1.678 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 20atyr6QfgpX for <tls@ietfa.amsl.com>; Mon, 23 Mar 2015 07:26:20 -0700 (PDT)
Received: from mail-oi0-f45.google.com (mail-oi0-f45.google.com [209.85.218.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 477A61A8AC6 for <tls@ietf.org>; Mon, 23 Mar 2015 07:26:20 -0700 (PDT)
Received: by oifl3 with SMTP id l3so111723893oif.0 for <tls@ietf.org>; Mon, 23 Mar 2015 07:26:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=X+pHfGB+w6Bxxnnfkwsf1fHbCsP7xsA+4uyqIK82sT0=; b=EqD/sQqyl/m3CwOnQ+/VUMclsLsNVMD/HZrqp5ExEWziNk0x6LfXLuHUSZIzBZD/Cf uOEfCOkZ4s7YbJ2ZIWDOLpLlhmj71+v4GFkG2CHJjOxpCwp66F4dXKmMBEvyhFPSpGgj eAxh4o+OduzUHrgqLoDWPryB/gH2otIUCHxJ0AxhybwsqSw//z2TSrGZ9Fol1s8f75hG i0XkzcNzISgA4kQ+gA4QVEJ2cFVerkN7GRgayWFP+PxnCPT/Q7suvC7cW2jV0LqSOke1 7zqOHmVP12QgDt9Ir+vDWSWwwNHEW9fcSdYxfrdnn8ug9S3VV8rVWxeNiCiZCzj5dUgA 8bfw==
X-Gm-Message-State: ALoCoQmidInFtsU6YHngAXKW/IfCFWiI9maiy8+n/rNUB3PR0ovjwnf2DupXWrGzrrHonyYG6t7L
MIME-Version: 1.0
X-Received: by 10.60.112.65 with SMTP id io1mr17581970oeb.66.1427120779610; Mon, 23 Mar 2015 07:26:19 -0700 (PDT)
Received: by 10.76.129.235 with HTTP; Mon, 23 Mar 2015 07:26:19 -0700 (PDT)
In-Reply-To: <CABkgnnV8UekO9KMTu_BezbYD6NeayrwrnuyuSWjmYNEzvU56qQ@mail.gmail.com>
References: <CABcZeBP9LaGhDVETsJeecnAtSPUj=Kv37rb_2esDi3YaGk9b4w@mail.gmail.com> <CAAF6GDfuuWBaF1OZXn7hWVzJe_rqzsMqSy8N5ds_07qJk=yVEA@mail.gmail.com> <CABkgnnV8UekO9KMTu_BezbYD6NeayrwrnuyuSWjmYNEzvU56qQ@mail.gmail.com>
Date: Mon, 23 Mar 2015 07:26:19 -0700
Message-ID: <CAAF6GDcwxoVu1CyAQijOw6kbXU=hBxNAnwF9z+fQ02N29rf5bw@mail.gmail.com>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <colm@allcosts.net>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: text/plain; charset=UTF-8
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QaedHoXLPIuMENmZi9MKrqXAQ1c>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT and Anti-Replay
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Mar 2015 14:26:21 -0000

On Mon, Mar 23, 2015 at 6:12 AM, Martin Thomson
<martin.thomson@gmail.com>; wrote:
> Well, Adam described at the interim why this isn't a concern: as the
> "strike register" takes a higher density of entries, the window of
> time over which it applies can be narrowed to limit the potential for
> state exhaustion.  That simply increases the likelihood of a
> rejection, not the attack.

I haven't been able to get my head around this. Doesn't that mean that
an attacker can disable 0RTT for third parties at will? it also means
that the session itself must be invalidated on a shorter duration, or
else we could just collect 0RTT data from before the time window and
replay those.

-- 
Colm