Re: [TLS] Limiting replay time frame of 0-RTT data
Colm MacCárthaigh <colm@allcosts.net> Mon, 14 March 2016 21:04 UTC
Return-Path: <colm@allcosts.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B10A12D661 for <tls@ietfa.amsl.com>; Mon, 14 Mar 2016 14:04:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=allcosts-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sjWQvkQGgPzw for <tls@ietfa.amsl.com>; Mon, 14 Mar 2016 14:04:10 -0700 (PDT)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C8CD12D5AA for <tls@ietf.org>; Mon, 14 Mar 2016 14:04:10 -0700 (PDT)
Received: by mail-yw0-x230.google.com with SMTP id h129so184151396ywb.1 for <tls@ietf.org>; Mon, 14 Mar 2016 14:04:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=allcosts-net.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=h3YLzoGSw4K7WF8wx8aSjGjtd67rF3E7qJwD770C8k0=; b=11+mJF7FP+hYbyKZpVAr7IsFexnX4WDEjOTy0L8gO8stH5oRZZyZDMTixoRIahlERR zlo8tztdixKcVYwz/ryryaxYYYMMMkVVjjCnvjmliWQcKO5bCqJ0X3e15Eetxq5fg/gA Lt5hDmQ0SEa8mxjThy/Ldf9EeyUukGK3KLfRERcMX5gb/iBHf8bTbDsZI9MYklffiWts 3uD3GQNSGScqd1a52TpxBpKopppgkgbaldF1ZaA5S3ddpC5C8hXN/vXRnYWKvHcoIyyD 3vYjCX26Fo+Sl5Za6fo5H3DtZNWAFndFhytiyi+FHdbGkIDR+53mbzJ5tjQZO+UHHg0B m21g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=h3YLzoGSw4K7WF8wx8aSjGjtd67rF3E7qJwD770C8k0=; b=eDJOM0REEdYTNY9ssSqCsOzCZ0nb7aBMFXMS5TO8LN1Xd6bNCk/fWqRKs0HUDpArfu ThfscAvzgpOMeqxUmHvYs2nL0dNNn2cruO/5byHf87hHBovrb5I77HIhHrnFDoUb6glJ jslk+yhbGrwma22Wip7RuVQTq0WXTaXE4UDONegeFYHl5eAVF3GdtDaIb8Ka+I9tVPaH tiCqKN6kpac+AHAi+ZvvzqBhWzu11WXsNnvm2sAuMoOFvttTKBEgc3xTMWUCmS9GnviG 55sktbtYxVN6NDqZZ9yEVcX7erYYGBHNMA9oMVswWt8XimZv/eE7Xism2p2RAlhIUe4S 7dKg==
X-Gm-Message-State: AD7BkJIq+FPw3jTRfEv0RiDydSdk8L2y5i/0/yLJRR3Q2I6/XWQFx7PMJ1apocjqWP4ZZSUZqqGckGAtMDcUhw==
MIME-Version: 1.0
X-Received: by 10.37.88.215 with SMTP id m206mr14188472ybb.168.1457989449610; Mon, 14 Mar 2016 14:04:09 -0700 (PDT)
Received: by 10.129.32.196 with HTTP; Mon, 14 Mar 2016 14:04:09 -0700 (PDT)
In-Reply-To: <CAJ_4DfR1dhX7KHB2MQF9YKxrnKGmY9YvhqOyr=6+FbsTJFFqFA@mail.gmail.com>
References: <8A79BFEDF6986C46996566F91BB63C860D64EA3F@PRN-MBX02-1.TheFacebook.com> <CABcZeBPxMZEuG4KehxyhNafeQ4-HO9O-9ORn+BiQP0n3LJA_xw@mail.gmail.com> <911B10A5-12F5-4094-A832-3FA06834862B@gmail.com> <CAH8yC8nwyTf7N1y=NqmkVoY1tW6Kh4weFFLEFn6w3vLwoEMRSA@mail.gmail.com> <CAJ_4DfR1dhX7KHB2MQF9YKxrnKGmY9YvhqOyr=6+FbsTJFFqFA@mail.gmail.com>
Date: Mon, 14 Mar 2016 17:04:09 -0400
Message-ID: <CAAF6GDe_Hk8DPm3_vVnmgM56NkoN8SDSA4+c_VdmQwNxfxbwtQ@mail.gmail.com>
From: Colm MacCárthaigh <colm@allcosts.net>
To: Ryan Hamilton <rch@google.com>
Content-Type: multipart/alternative; boundary="001a113fcb7a3b31ba052e089f7c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/dT-aKYnlUNgLCxyFZCkzfZKRX7Y>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Limiting replay time frame of 0-RTT data
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 14 Mar 2016 21:04:13 -0000
On Mon, Mar 14, 2016 at 3:15 PM, Ryan Hamilton <rch@google.com> wrote: > > On Sun, Mar 13, 2016 at 4:36 PM, Jeffrey Walton <noloader@gmail.com> > wrote: > >> 0-RTT seems to be a solution looking for a problem. >> > > Google has been using 0-RTT as part of the QUIC transport for quite a > while now. In April of last year, we posted about the performance > benefits we're seeing from QUIC > <http://blog.chromium.org/2015/04/a-quic-update-on-googles-experimental.html>. > Among other things, that post said: > > Even on a well-optimized site like Google Search, where connections are > often pre-established, we still see a 3% improvement in mean page load time > with QUIC. > > > From the browser side of things, 0-RTT is a solution to a very real > problem. We are excited about TLS 1.3 supporting 0-RTT (or 0-RTT > resumption) and converting QUIC to use the TLS 1.3 handshake as a result. > Are you sacrificing forward secrecy in this case? For a concrete example: suppose $oppressive_government is collecting all traffic as a routine matter of course, and then later a remote-ex, memory-disclosure, or decrypt-oracle (like the recent DROWN) came along on the server side: could it be used to decrypt all of $worthy_dissident's requests? how long for, how do you manage that trade-off? On the "3% speed up" - we're not going to see that for TLS 1.3 though - right? there's still the TCP handshake to perform; or is some kind of custom TCP in the works? (does TCPCT work on the client side?). Do you have any human perception data; to people even notice the 3% at this point? (loading google seems remarkably fast!). There's a very strong temptation to bias for what's easy to measure here. -- Colm
- [TLS] Limiting replay time frame of 0-RTT data Kyle Nekritz
- Re: [TLS] Limiting replay time frame of 0-RTT data Eric Rescorla
- Re: [TLS] Limiting replay time frame of 0-RTT data Karthikeyan Bhargavan
- Re: [TLS] Limiting replay time frame of 0-RTT data Brian Smith
- Re: [TLS] Limiting replay time frame of 0-RTT data Erik Nygren
- Re: [TLS] Limiting replay time frame of 0-RTT data Martin Thomson
- Re: [TLS] Limiting replay time frame of 0-RTT data Bill Cox
- Re: [TLS] Limiting replay time frame of 0-RTT data Jeffrey Walton
- Re: [TLS] Limiting replay time frame of 0-RTT data Ryan Hamilton
- Re: [TLS] Limiting replay time frame of 0-RTT data Kyle Nekritz
- Re: [TLS] Limiting replay time frame of 0-RTT data Colm MacCárthaigh
- Re: [TLS] Limiting replay time frame of 0-RTT data Jeffrey Walton
- Re: [TLS] Limiting replay time frame of 0-RTT data Eric Rescorla
- Re: [TLS] Limiting replay time frame of 0-RTT data Ryan Hamilton
- Re: [TLS] Limiting replay time frame of 0-RTT data Eric Rescorla
- Re: [TLS] Limiting replay time frame of 0-RTT data Bill Cox
- Re: [TLS] Limiting replay time frame of 0-RTT data Martin Thomson
- Re: [TLS] Limiting replay time frame of 0-RTT data Eric Rescorla