Re: [TLS] 2nd WGLC: draft-ietf-tls-tls13

Kyle Nekritz <> Tue, 18 July 2017 19:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1872613179D for <>; Tue, 18 Jul 2017 12:05:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key) header.b=W+CouqAW; dkim=pass (1024-bit key) header.b=jnAimVpl
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id N6vURTnrjpC7 for <>; Tue, 18 Jul 2017 12:05:33 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 4D441131BCD for <>; Tue, 18 Jul 2017 12:05:33 -0700 (PDT)
Received: from pps.filterd ( []) by ( with SMTP id v6IJ2Vm7006140; Tue, 18 Jul 2017 12:05:29 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=gV9pHQLneho99fLg5bvr1OIRUhct9qnvsO9D+PIi8uE=; b=W+CouqAWMACI0QwCm51JJg1oLQxHVmc7jgfIN8RAALdYg2+I0DSGvc+tFY2YsTICGp3w qgMeKlyzCDKHRKVNGrqHHtAJCMCKHp13/Nhpl1VxVYXdyI6uJj1WV658wt+I0pzDAqzy ChYgnrbxPqJH7wpZTfERshvaer9//F5dR44=
Received: from ([]) by with ESMTP id 2bspew0h90-1 (version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 18 Jul 2017 12:05:29 -0700
Received: from ( by ( with Microsoft SMTP Server (TLS) id 14.3.319.2; Tue, 18 Jul 2017 15:05:27 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=gV9pHQLneho99fLg5bvr1OIRUhct9qnvsO9D+PIi8uE=; b=jnAimVplgYkRoBLLiH8XcWDwC4QhUl6XpJlD3zdL93FD7m6xwisUV1VeWazQG24u8Uzx14Wb0YdRXOwTz3voxGLCVBhzvJOqrboy9b8IPIQ6Iu4dvecaBCMrsmiiasau2bMM++X1W7ojYNyMG4AtIr+HyNltCgTcODEXbKN+gOE=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1261.13; Tue, 18 Jul 2017 19:05:25 +0000
Received: from ([]) by ([]) with mapi id 15.01.1261.024; Tue, 18 Jul 2017 19:05:25 +0000
From: Kyle Nekritz <>
To: Benjamin Kaduk <>, Eric Rescorla <>
CC: "<>" <>
Thread-Topic: [TLS] 2nd WGLC: draft-ietf-tls-tls13
Date: Tue, 18 Jul 2017 19:05:25 +0000
Message-ID: <>
References: <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-originating-ip: [2620:10d:c091:200::2:d50c]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR15MB1184; 20:JCLo2SGdo8UaDqZT1OTcNXZZjr/2djLSQnYcPUCzDBL6BZcOv2QFKpONN8j2cSSalQvYRpPwOv2qMlgLQg1NWJFVwuzrJlEjGTYS4mZYXxic644mNgVK6x9Kj+7e+Bzhwq7YGxItHsE3PJLi1m5UA2wosw5rERgNlylwTKHE9l8=
x-ms-office365-filtering-correlation-id: d5c6f6cc-0a90-4e66-9863-08d4ce0ff295
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(22001)(300000502095)(300135100095)(2017030254075)(300000503095)(300135400095)(2017052603031)(201703131423075)(201703031133081)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:MWHPR15MB1184;
x-ms-traffictypediagnostic: MWHPR15MB1184:
x-exchange-antispam-report-test: UriScan:(151999592597050)(158342451672863)(26388249023172)(236129657087228)(148574349560750)(21748063052155)(247924648384137);
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(8121501046)(5005006)(2017060910075)(3002001)(10201501046)(93006095)(93001095)(100000703101)(100105400095)(6041248)(20161123562025)(20161123555025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123564025)(6072148)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:MWHPR15MB1184; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:MWHPR15MB1184;
x-forefront-prvs: 037291602B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39410400002)(39850400002)(39840400002)(39450400003)(39400400002)(377454003)(24454002)(81166006)(5660300001)(3660700001)(2906002)(8676002)(4326008)(2950100002)(74316002)(7696004)(53546010)(38730400002)(50986999)(76176999)(3280700002)(54356999)(25786009)(7736002)(14454004)(8936002)(53936002)(9686003)(86362001)(54896002)(6306002)(99286003)(189998001)(236005)(2900100001)(6246003)(6436002)(55016002)(229853002)(230783001)(93886004)(6116002)(478600001)(33656002)(790700001)(102836003)(6506006)(77096006); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR15MB1184;; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_MWHPR15MB1182EA51FA0477398ED90977AFA10MWHPR15MB1182namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Jul 2017 19:05:25.3772 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1184
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-07-18_10:, , signatures=0
Archived-At: <>
Subject: Re: [TLS] 2nd WGLC: draft-ietf-tls-tls13
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 18 Jul 2017 19:05:37 -0000

Timestamps outside the expected window can happen due to variances in RTT, client clock skew, etc. (we see around .1% of clients outside of a 30s window for example). Not likely to happen on a given connection, but it certainly happens enough that you don’t want to abort the connection (rather than allowing 1-RTT) without reason. I’m not sure I understand the desire to abort these connections. What value does it provide? The timestamp mechanism does not provide protection against a malicious client that has possession of the PSK key.

If the server is 100% sure that a CH is replayed it is more reasonable to abort the connection, but I think it should be explicit to the client that that is the reason for the error (ie using a new alert type rather than illegal_parameter) so the client can know to retry without 0-RTT. I’m also slightly concerned that it allows a passive attacker to cause connection failures if it can front-run a copy of the CH to the server, and I still don’t think it is providing much value.

From: TLS [] On Behalf Of Benjamin Kaduk
Sent: Tuesday, July 18, 2017 2:11 PM
To: Eric Rescorla <>;
Cc: <>; <>;
Subject: Re: [TLS] 2nd WGLC: draft-ietf-tls-tls13

On 07/18/2017 08:07 AM, Eric Rescorla wrote:

On Wed, Jul 12, 2017 at 3:39 PM, Benjamin Kaduk <<>> wrote:

That is, in this case, the CH+0RTT data can be replayed by an observer once enough time has elapsed that the expected_arrival_time is within the window, similar to one of the reordering attacks mentioned elsewhere.  We could add the CH to the strike register in this case, which would bloat its storage somewhat and have entries that take longer than the window to expire out.

I don't have a good sense for how often we expect postdated CHs to occur and whether the ensuing breakage would be manageable, but I'm not sure that we've thought very hard as a group about this question.

I think post-dated are going to happen pretty often based on what I understand from
Kyle and others. I wouldn't be comfortable with hard fail, especially given that this
just seems like the dual of the other case. Adding the CH to the list seems like
a problem because it might stay forever.

The "stay forever" part is awkward, yes.  It would be great if Kyle/etc. could say a bit about why post-dated seems likely on the list, but I guess for the purposes of WGLC we can consider this comment resolved.