Re: [TLS] Simple, secure 0-RTT for the masses

Colm MacCárthaigh <> Wed, 16 March 2016 12:13 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EE49312D928 for <>; Wed, 16 Mar 2016 05:13:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ZKRXS0JZOl9Z for <>; Wed, 16 Mar 2016 05:13:37 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0BABB12D942 for <>; Wed, 16 Mar 2016 05:12:49 -0700 (PDT)
Received: by with SMTP id h129so58930799ywb.1 for <>; Wed, 16 Mar 2016 05:12:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=kiQITQAKm6ZNG1Os4e3E+rNfBgsCXhAiHoiThOnqMUw=; b=s3uGzCrY1aj78eeBdfxtrL0DEInOOvdCUkA2NLwGrnonojV4DJNHEkQwX+S6QohD4i ZRHeJxiLBTHBPG/WX8Gavm6JCQLVfrydCSNZmMIfeLS5g2HL60slawzetkaLPczjG1V9 8DQjBco2XoMO4m9dkT+WuWTCdTR9mTj3gSUqDlMTUbXaRJpz4ToAfEMRYrWPJcZD6QMP ucVnPb9hmVOdFpnaOaqNZP3LQbSWf5MGjRPdbmhJ9s9VQ0XYexRkzuykldkeJHXGnVLO 6vFljgyRgyLpbucoWT78GusuqYk5p02devRQwRH8YSVzbm062ln/Z/KXcLmiaY+STv2P t29w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=kiQITQAKm6ZNG1Os4e3E+rNfBgsCXhAiHoiThOnqMUw=; b=Q295Ha3AQ6mmXO7yObSCAQ3s+k0JykaGwKejAy5yKk7jCo7Ap/lApF1B+qgMKkZf6x 2QkHyKeOrqK5JMDvqbXNqxwoJn2AJuTgwCdE2kN2MmQcW8Syn4twQkIHV8KXJahslR9B 1Zbh3aiXfpBmJdD9iyeNewtnmozxPAoGew1XlVAtZo1DtKw/a2ST/BhjNwSr0UgHzGuD N5ZTx34VHk6o4hk7azTJWuuTFbmK3fTVlewSl9973XRDRNfc/PRuVJv5YimNweVeDN76 H1mOHBis1Z+RYExjSO+/tJSpjx6BDGKNSWTqOcI6Ti61q0qhAG5DpTP/XVkbxKNLwgeu wt9w==
X-Gm-Message-State: AD7BkJLn+iwxzpMSEdU8whjm5clOvGfoTm3+6wTXPuHfdvYXXvqNYOzfW9qx2NgeulsNWMtLFUg3vaXifrNWzg==
MIME-Version: 1.0
X-Received: by with SMTP id b5mr1578508ywd.114.1458130368186; Wed, 16 Mar 2016 05:12:48 -0700 (PDT)
Received: by with HTTP; Wed, 16 Mar 2016 05:12:48 -0700 (PDT)
In-Reply-To: <>
References: <> <> <> <> <> <> <>
Date: Wed, 16 Mar 2016 08:12:48 -0400
Message-ID: <>
From: =?UTF-8?Q?Colm_MacC=C3=A1rthaigh?= <>
To: Ilari Liusvaara <>
Content-Type: multipart/alternative; boundary=001a114e3f98a1fddb052e296ec5
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Simple, secure 0-RTT for the masses
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 16 Mar 2016 12:13:42 -0000

On Wed, Mar 16, 2016 at 4:17 AM, Ilari Liusvaara <>

> > Benefits Forward Secrecy and Idempotence:
> >
> > * Client and server should erase the existing ticket upon use.
> >
> > (a captured early data section is mooted for replay quite quickly in the
> > default "good" case)
> The best that can be done w.r.t. "forward secrecy" is to erase the
> decryption-capable key used for 0-RTT on both sides, and never sending
> it on the wire, even encrypted.

That's why I favor resuming connections where they left off, and cranking a
PRF to generate new keys; but it's not compatible with tickets at all -
works only with some kind of session store.

> > * Make early data and application data separate record layer content
> types.
> > Make it clear that they do not form a continuous stream; you can't simply
> > concatenate them at the application level and bolt on to existing
> protocols
> > such as HTTP, SMTP, etc.
> You mean inner (encrypted) content type, right (outer content type would
> still be 23[TLS PROTECTED DATA]?

Yep, sorry.

> > * Advise that clients using 0RTT SHOULD occasionally send duplicate early
> > data handshakes. As a normal part of the protocol, a well behaved client
> > should intentionally do what an attacker might do and send the whole
> > section twice, causing the server to resolve the duplication. Keep the
> > anti-bodies strong.
> Such duplication does not occur in attack conditions. The duplication
> from attack conditions takes two forms:
> - Duplication of 0-RTT data into 1-RTT data of _different_ connection.

I think using a different content type solves this; the early data is
illegal in the 1-RTT phase and the content type would distinguish it.

> - Duplication of 0-RTT data into 0-RTT data of _different_ connection.
> In both cases, the connections are different, not the same. And this
> makes a difference if e.g. protocol banners are sent as 0-RTT (and
> such may very well be critical for latency).

The client would do what an attacker would; occasionally duplicate the
handshake including early data, so it would use a different connection for
it. The purpose here is to force a kind of "continuous testing in
production" that means the protocol really really does have to have
idempodence solved.

As an aside: an application protocol where latency is so sensitive that
0RTT is attractive would hardly have its own back-and-forth with banners in
the first place.