Re: [TLS] 0-RTT and Anti-Replay

[Eric Rescorla <ekr@rtfm.com>]

If I can refer you back to the diagrams I provided in my e-mail, I think
you'll
see that this doesn't help. The issue is that the first time that the
client's
data is handled there is *no* feedback from the server to the client, so
nothing
that the server says is going to help.

-Ekr


On Mon, Mar 23, 2015 at 12:47 PM, Nico Williams <nico@cryptonector.com>
wrote:

> On Mon, Mar 23, 2015 at 12:41 PM, Eric Rescorla <ekr@rtfm.com> wrote:
> >> > Maybe I wasn't clear. When I said "reject" I meant "hard-fail" rather
> >> > than
> >> > make it 1-RTT.
> >>
> >> Sorry it wasn't clear to me.  Is there any reason that fallback to 1-RTT
> >> is not feasible?
> >
> >
> > Yes. The issue is that the client has no way of knowing whether the 0-RTT
> > message was duplicated and processed by a separate server instance, so
> > when it falls back to 1-RTT, resending the initial data may be a replay.
>
> The server can certainly indicate what, if any 0-RTT, it received (by
> sending a hash back).  If it did not receive the 0-RTT data then the
> client can fail (TLS over TCP) or retransmit (DTLS over UDP or
> similar).  If the server received the wrong 0-RTT data then the client
> can fail and/or sound the alarms, or even retransmit if the data was
> inconsequential (e.g., a SASL mechanism negotiation, which can then be
> redone).
>
> Nico
> --
>