[TLS] Would there be security issues with a 0-RTT resume?

Bill Cox <waywardgeek@google.com> Sun, 06 December 2015 00:24 UTC

Return-Path: <waywardgeek@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5196C1B2DBC for <tls@ietfa.amsl.com>; Sat, 5 Dec 2015 16:24:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.388
X-Spam-Level:
X-Spam-Status: No, score=-1.388 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s6kTklgRU140 for <tls@ietfa.amsl.com>; Sat, 5 Dec 2015 16:24:50 -0800 (PST)
Received: from mail-ig0-x232.google.com (mail-ig0-x232.google.com [IPv6:2607:f8b0:4001:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 522D31B2D96 for <TLS@ietf.org>; Sat, 5 Dec 2015 16:24:50 -0800 (PST)
Received: by igl9 with SMTP id 9so54746038igl.0 for <TLS@ietf.org>; Sat, 05 Dec 2015 16:24:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=Lbvwiu5SWVghCDlASoi4wi3UhdyseLNh/Zp7VKQcgMo=; b=crRRpf0Fi/XzrrkhXUB5ryltcuBuMffNZMrGr9DaGOamNDCUYULy2AjNOktcZUuAxu eX474Ko1yDgOtwr6p8hLk6tJ6DC17w3mi1gT48FsJgKlW5EaMATPlfVPyJn/jJXvrsxy JUdMktNDfNij3L5I87m+/e7d9M1K2AuwudSa4g6uLzjRPbWPIxL0ZwRwafyVeiWSRntD ax9PVANHEQNEJIIC8R93vamK3bQ31sbqHb1ljLxI+uCg4B9m2w9FMNGf6J11ZNQOmeyZ mJls/94AEa6IzLz92c9070d6S6C+NLpJiP3nkY9t3XQllnmZa3b4enAQ6pezPNc4gd/3 YAww==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to :content-type; bh=Lbvwiu5SWVghCDlASoi4wi3UhdyseLNh/Zp7VKQcgMo=; b=No4RI4VYPuO0xIt2joEt+0eiiBnTcJoD17yXpiIYYgLAezXi7PrtRO0qFOU5SM8smm FpO0O++9k/E0VLEEuKyt6p2XIl1Cj5MlaKippRYhAbmdfUwcuxRwPDyCaX0498AIZ72T KLRZvT/Xhm35SUrzTYwwnFTKvT6xq8Y98zY2X8sP9mB5it7LVed7DbVMZ6j4de6uZO7v dupLjI9XWZ4oKzyf/EWGVj7S6tvEVEu/Mr5QjIkq95od4rTqlN4fVwt9P9AUeJnDgLGt oAtYkNfcw4UmBx011QYw6McfhVrkybQC7rnuxesNJs+xdBWluHpbivvk75HgChf7JuLC 9Gag==
X-Gm-Message-State: ALoCoQkdcQzX2AFeHv3d9VmEuHidRrpMvnvVo5Rt+BlShIFPZh1kIAS/395FMlkmcBXYD0zc1rG9
MIME-Version: 1.0
X-Received: by 10.50.150.9 with SMTP id ue9mr10508455igb.40.1449361489533; Sat, 05 Dec 2015 16:24:49 -0800 (PST)
Received: by 10.107.173.15 with HTTP; Sat, 5 Dec 2015 16:24:49 -0800 (PST)
Date: Sat, 5 Dec 2015 16:24:49 -0800
Message-ID: <CAH9QtQHtiuKnYoYoDpiNVz31HZH23sv9Bt-Rya985tWHorhcYA@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: "tls@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary=001a113491a4bc68a505262fc4ea
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/XmvsqyYSD9PX2CuctCyjT-wTEdY>
Subject: [TLS] Would there be security issues with a 0-RTT resume?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Dec 2015 00:24:51 -0000

I am not sure why we have a 0-RTT connect, but only a 1-RTT resume.  If
anything, it seems like it would be easier to have a secure 0-RTT resume
than a 0-RTT connect, though the 0-RTT connect does use some information
from prior connections.

Is there a good reason for having only a 0-RTT connect, and not resume?

Thanks,
Bill