Re: [TLS] 0-RTT in DTLS 1.3

Hanno Becker <Hanno.Becker@arm.com> Mon, 24 May 2021 05:02 UTC

Return-Path: <Hanno.Becker@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 437B13A17A7 for <tls@ietfa.amsl.com>; Sun, 23 May 2021 22:02:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=kF0a1FBb; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=kF0a1FBb
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TpHHEU4Y00G8 for <tls@ietfa.amsl.com>; Sun, 23 May 2021 22:02:01 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130088.outbound.protection.outlook.com [40.107.13.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7CC073A17A6 for <tls@ietf.org>; Sun, 23 May 2021 22:02:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/16VTT22TPi1Iged58QR8/u6a2X4NGO8if3IsXurqZY=; b=kF0a1FBbQubh8FgDQL2vwkbqhUrJ4wTt284OZO/Le3nsg8lghCTbTueWSz5IIRmfBH4Vq3qahx8n9PdIgSUkGGwxykNr7fDtJDETnjgsAWIuWJYndp9/jNtIZD12MKIvxnqSjoG3bSzaPTPQh1WTZ4L5xENodBTgtTPyt/4+ylc=
Received: from AS8PR04CA0052.eurprd04.prod.outlook.com (2603:10a6:20b:312::27) by VE1PR08MB4797.eurprd08.prod.outlook.com (2603:10a6:802:a1::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.23; Mon, 24 May 2021 05:01:58 +0000
Received: from AM5EUR03FT058.eop-EUR03.prod.protection.outlook.com (2603:10a6:20b:312:cafe::59) by AS8PR04CA0052.outlook.office365.com (2603:10a6:20b:312::27) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.23 via Frontend Transport; Mon, 24 May 2021 05:01:58 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=pass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by AM5EUR03FT058.mail.protection.outlook.com (10.152.17.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4129.25 via Frontend Transport; Mon, 24 May 2021 05:01:57 +0000
Received: ("Tessian outbound 0f1e4509c199:v92"); Mon, 24 May 2021 05:01:57 +0000
X-CheckRecipientChecked: true
X-CR-MTA-CID: 5f61d603c9173a65
X-CR-MTA-TID: 64aa7808
Received: from 7db10b45bfba.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id 14BEDEE5-6819-418B-854E-39F7A21F440D.1; Mon, 24 May 2021 05:01:50 +0000
Received: from EUR04-DB3-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id 7db10b45bfba.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Mon, 24 May 2021 05:01:50 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FZwa3TQ4f2zU+f/egmbUWk3D9EnP8w+9n8T/0+uoPSNu1aFHs7GkS/SaWrp+AKEQxXyWcYTbqGs45E4sfvnvT/RM+hLFoCzZacic4e5566womlGWhrkYzIGYCWGgSJNLuKREqAnCiNJLv6lciDNiWcXEEDQmXDTbhM6qUF/p4PhFF6BHQuXOjEHuip5Rq3Crs0OMNxf2VOZoJwJHTpqTahTnNOYcPd6Gs/pWgja0gHFi1Q0j5GEJMKHf9cmFoh4UTOaXVhh8dSqB1MH0F+HJztn3iy0EGkmEueWzVXFhEvpORU61dmzpVhTLqZmw8s+YHm0doB6DOTmJo5fc4BTXJQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/16VTT22TPi1Iged58QR8/u6a2X4NGO8if3IsXurqZY=; b=b2UNzHxoihWbT+G8vF/j7ojKFjsdkZylIMmmJwQXi9FnVaAg6YAogQ2eztjvwAUVzJGPxNH2Kr/Adbqwm4w6ivl2UEH0ZJGAKlNY/iO8/eoz4G3DpxD28gM2tq9mukkBoT9T21fo0y4LgrmlSQcE+NUF0bq1ErOU6aEUm0dhsDMwiz/ZohQ7eT25cJgYhP8Z+bmn5Q7k0NH8DUt6lnBhogpXj7jWtnR0DaJROBRt/GLZRZXSSBoDpmM5iKZeAA5rqRepFUAQP3mQLJSk9A1daRMTkQ+zM1ZUyA8vwD/WYhkXeYT68Hg0f2abM+Lyxo0keW1xcQjJjfyyenJ2PrQDcQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=/16VTT22TPi1Iged58QR8/u6a2X4NGO8if3IsXurqZY=; b=kF0a1FBbQubh8FgDQL2vwkbqhUrJ4wTt284OZO/Le3nsg8lghCTbTueWSz5IIRmfBH4Vq3qahx8n9PdIgSUkGGwxykNr7fDtJDETnjgsAWIuWJYndp9/jNtIZD12MKIvxnqSjoG3bSzaPTPQh1WTZ4L5xENodBTgtTPyt/4+ylc=
Received: from PAXPR08MB7169.eurprd08.prod.outlook.com (2603:10a6:102:207::5) by PAXPR08MB7262.eurprd08.prod.outlook.com (2603:10a6:102:211::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.23; Mon, 24 May 2021 05:01:49 +0000
Received: from PAXPR08MB7169.eurprd08.prod.outlook.com ([fe80::2ce6:1720:d8d7:cc6d]) by PAXPR08MB7169.eurprd08.prod.outlook.com ([fe80::2ce6:1720:d8d7:cc6d%6]) with mapi id 15.20.4150.027; Mon, 24 May 2021 05:01:49 +0000
From: Hanno Becker <Hanno.Becker@arm.com>
To: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] 0-RTT in DTLS 1.3
Thread-Index: AQHXT5aLwV27l0Usl06DlAK6J9Pij6rxv5EAgABHeReAAAVHAIAAAwMX
Date: Mon, 24 May 2021 05:01:49 +0000
Message-ID: <PAXPR08MB7169032DC071A9576BEA11BF9B269@PAXPR08MB7169.eurprd08.prod.outlook.com>
References: <PAXPR08MB7169693DFFA1D93B35B8D9039B279@PAXPR08MB7169.eurprd08.prod.outlook.com> <a2bae4a5-66b8-49db-8fb5-3993f593e64a@www.fastmail.com> <PAXPR08MB716920F1FE015A77EA09FF679B269@PAXPR08MB7169.eurprd08.prod.outlook.com>, <e15c1c96-09bd-46e4-bcc7-4fd94ab7dc45@www.fastmail.com>
In-Reply-To: <e15c1c96-09bd-46e4-bcc7-4fd94ab7dc45@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Authentication-Results-Original: lowentropy.net; dkim=none (message not signed) header.d=none;lowentropy.net; dmarc=none action=none header.from=arm.com;
x-originating-ip: [81.153.223.88]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-Correlation-Id: a7e3ae1a-7be3-4ad1-201c-08d91e710edd
x-ms-traffictypediagnostic: PAXPR08MB7262:|VE1PR08MB4797:
X-Microsoft-Antispam-PRVS: <VE1PR08MB4797A69905D1EF29F18615609B269@VE1PR08MB4797.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: C2Y9NeQmfG/5jlL9TdE6IDqOxa28yH669ZwUDPe0YS9MZMjNDzQaIh5zJEFjo1ywVTcn2w0xyaPwTDf0qtQuqkhXVzWJ/7PVsCCEpyqBER4TcwC1zvp21NwoB0CKggSJaOfb5ukOrNJZTJx124Ywl00uHnN2NRonzBRyGkEH8utCVRKlVIiwGm8uotP6scnlHN3noB11ugEDb9lN1KlEE8HEooivgYC/3UMZdVGFKXsvjstwwMo26nm+3y2MckQ4tFCcNfesguRDgnSbrc1WQSKPzWUgzNLNyx4MtwtLPI4nXu/O8bqTY/hMwqcs8PnI/5DT6ehUo9dfYDFAFymbxk+KfhkwfDZ3mWQJlL/4S9e/wFsH0h6O14EHb8NSiQVhpNU7zZ9tIFyqN/ppMsqlI8venZnSbYYZpArHKf88wkawFyzMP7fCH6tkyTAmX1KEU9rkUoISrKT6ZaP2HStD37DnRbawiWOrlUSOzGWZbJ0UvQX9o5grqHy7fEkd3xYqnp0vWUx+P9yR8Z8YvHFvPcNfbKJNF+t+5m0qTZVPwq3akz5pU18ZKhtolEI/cW/h+qFTE4/tKXm8PmGuAotcuuvbV3CQCykR3iprm4lFh64=
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:PAXPR08MB7169.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(396003)(136003)(366004)(39850400004)(376002)(122000001)(71200400001)(83380400001)(8676002)(38100700002)(7696005)(33656002)(26005)(186003)(52536014)(19627405001)(6506007)(66446008)(76116006)(64756008)(66556008)(66946007)(110136005)(86362001)(478600001)(5660300002)(8936002)(9686003)(316002)(2906002)(66476007)(55016002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: iDK9EmABGMvK7uKzrXWrv7VKCKpCeE+ZT1O5vvFF0De0v2dhMDvY9oKtZSbBDcxqfSVHIMmHLiNwh3O8wILjtA3M1EQwVub8tx1AIWcjhOl6yqVh9ny1LYQ5I/tSrqXUp5CXW6U/35KU3o5luSrcsUNboGVNQ1uyjFG6gjj+tKVh76Ho6CMpVJBec6diY4rSfggfIyvGIESvA7XhasGj45ydlExI8emQHaSyAUsklCRMvL91IClphwdbkyYc/CEUqFaiar4Vqpwac/xdMeNeoDVU8IX2aiqj9TVRokgE8E4x0mmE2aFZ5msou9lLgM5FbBNLSJN6+0IvAC53GwZGsoDwjCmfcRCX9hR4AeC0HOfn5+tsK6uvrIR1uxaLHPG0Uz+y7omvrm509O9TeTeC1EE//aT846tJXm7wNj2Os5QW4xd4bA9uQ4vwxxaoyBDUqoyWfCgB1Jkmhn6RZ/MoZXZY4EpVYc3p4Re5pdfGASmZ0OcbmPdLyJEQNIQHp5jyKb9EKEkYJvLLGo2la/6/5u2EIHf25rNjBIzqRHqvA5sytEq7YeLryl4h95+FffafNetZH5TNezlciliTUo4ltig6hvrY+uunrZtfLuYBdWggkP0HvtokiMDofKUztQ8k4kxh+l0HISMQq6LTpYVRTnochLs3myK2vfBKu6c4oBW1DBEL2wWxBX+X5o6Ky1xympsYnlVG9xcMZHBaYfL2gC80n5P+Ysfrl0J7Yq+gNHDrlEhFpzPgeZ5NQSRvbjVPxiHPCZeFbJ/vgz8EWuicZpPODGQJOqcn8AJZCscYRQCYl2IHt+sUpn7UL50ogeMkAM+lV/qlUuclIDnSDPoVrVN76d4rrU4zq4eHNUMpMkZZJ4FQYsQRG8taqEBjuPf8SP2yxUrwIapoNxA/LD6mjRkdGzC/oB5ooSO7zKupbZeAafXcnSwjOoQHlVHJT6Ce55Z4o7XkBtuZT9nBOmgoPNfQ5WGU3M/0UeOUqQn3wCXrlRpitjWu7O4Z3ZOS8b3EQOvfGAitTWfBojXd3hq5nAKIstJwGOZFC9UI6EJ4pmdhUvv4hj2i/dfwbkDIYFz59afJDssuldXsigubQ+twGkRFDsuOOeIX8IyavJelDpclL/eOJGjKWWUUXq3LYnLwV/Hg1XQfO0TeDE+MmL1CHh5QjZ+YjKqcEk9ZUX5c/LYh42N9iYsES7YZMsnkz1GnmLcW+gYRYwn3LBUeM97+pOKKXGnhYExrZmIWwJ+jwqZchMc0i4rE0N/9YiY80+4YdM9nspNDAUTngi1Ps6FV4POCfUD93DOknX6QCAFAqkI=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_PAXPR08MB7169032DC071A9576BEA11BF9B269PAXPR08MB7169eurp_"
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR08MB7262
Original-Authentication-Results: lowentropy.net; dkim=none (message not signed) header.d=none; lowentropy.net; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: AM5EUR03FT058.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: 9d98744f-9a0f-49d1-7e61-08d91e7109f5
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 1vOxfblaejEg1vkPZQ5rK4SYcwPDa7jdM8QdFO/2i0qXMaQhZtxQ+S09TjjZSR04RZbhHOE1bLOCDC2rbytIsNghs+m9U+o+bZGsKR10rcY4cGSRm2ZQ/CcpHTu0w4mbJiiaQsfpQwGt20Uz/7/rcQ8Byy5SaUHgiMB/t0Cw790B1bCQF5bMi8+Al/XMggTmWCpUS0ULnlhgsFuXSGvk7MXt4P0CdRJEWORTLUYRLaSMHL+pbFPT7r7OYuhDFhpXtyRHnbq+MxtOHywYDXABYLH0SP/nvCX4uqEKTK1z6WMLSRdoAVitDyx91JJsw082AuL1RH29hpR+UhGSmHx08PwRarc5JAsS7nup9SxcBMrYDDWceRYv6Ld7OBluzNfZO+/xfsiHVNhiujI/UDIJy6Qfjk+ob5NCi5zyWDWa7e78+SQstdf2f3pRMXNiaD1iInUgwgJIJC8XLJKqmeN1qZHCcnzQe9F1Y+gkCmWk0hvl9rOh8Wodz91lYAwmp4gs7Pnb9i43Att6slq7Gk6Od6IvHPxVDr8X9zaYz/n5uopGbAwqBJHBW7R70iqPAiNCVdmQsF1VYlmEfmhXIo1ovgT1SXCWw1MOOIJMfvS6SQh4mk7yzOandk5C27Dxhlm6H7vehzvltunmk4mWvmH9WQ==
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(376002)(346002)(136003)(396003)(39850400004)(46966006)(36840700001)(33656002)(55016002)(81166007)(70206006)(70586007)(9686003)(82740400003)(186003)(82310400003)(336012)(83380400001)(356005)(52536014)(8676002)(8936002)(2906002)(110136005)(36860700001)(19627405001)(478600001)(5660300002)(7696005)(6506007)(316002)(86362001)(47076005)(26005); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 May 2021 05:01:57.8337 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: a7e3ae1a-7be3-4ad1-201c-08d91e710edd
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: AM5EUR03FT058.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR08MB4797
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VGRWSSlBUkGKMw6OMyKFbiRT3q4>
Subject: Re: [TLS] 0-RTT in DTLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 May 2021 05:02:06 -0000

Hi,

> It's not necessarily the case that you would end up with an insecure protocol in this case.

One should rather ask: Is it necessarily the case that you would still end up with a secure protocol, and if so, why.

I don't see an attack either, but I think the binding of epochs to keys is fundamental
to DTLS, and if there's danger of violating it, this may well be worth pointing out.

For example, is it obvious enough that there cannot be any risk to early data confidentiality if a non-conforming
client sends two batches of 0-RTT after its first and second ClientHello, both with epoch 1 but with different keys?
Unless this can be ruled out easily, I think it would be worth adding an explicit reminder and/or entry in the
"Implementation pitfalls" section.

Cheers,
Hanno
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.