IETF Logo Mail Archive

Re: [TLS] TRON workshop

Ilari Liusvaara <ilariliusvaara@welho.com> Mon, 12 October 2015 14:58 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0265E1A21C2 for <tls@ietfa.amsl.com>; Mon, 12 Oct 2015 07:58:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FPAsTkAcTeyi for <tls@ietfa.amsl.com>; Mon, 12 Oct 2015 07:58:06 -0700 (PDT)
Received: from filtteri2.pp.htv.fi (filtteri2.pp.htv.fi [213.243.153.185]) by ietfa.amsl.com (Postfix) with ESMTP id DE6661A21B8 for <tls@ietf.org>; Mon, 12 Oct 2015 07:58:05 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by filtteri2.pp.htv.fi (Postfix) with ESMTP id 8D00619C60C; Mon, 12 Oct 2015 17:58:04 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp4.welho.com ([213.243.153.38]) by localhost (filtteri2.pp.htv.fi [213.243.153.185]) (amavisd-new, port 10024) with ESMTP id RL+0hvhbGZ8o; Mon, 12 Oct 2015 17:58:04 +0300 (EEST)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp4.welho.com (Postfix) with ESMTPSA id 64A6E5BC016; Mon, 12 Oct 2015 17:58:04 +0300 (EEST)
Date: Mon, 12 Oct 2015 17:58:03 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20151012145803.GA29740@LK-Perkele-V2.elisa-laajakaista.fi>
References: <5616DE2A.6060508@cs.tcd.ie> <3257371.23XkUVl0AJ@pintsize.usersys.redhat.com> <CABcZeBMCvvuvDq17awHHMDrYpKE1moiGGOBhz5YdskZGrEKmxw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBMCvvuvDq17awHHMDrYpKE1moiGGOBhz5YdskZGrEKmxw@mail.gmail.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/eqevLuyOoBM39sIu2F_bgw8IpSQ>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TRON workshop
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Oct 2015 14:58:08 -0000

On Mon, Oct 12, 2015 at 04:48:08AM -0700, Eric Rescorla wrote:
> On Mon, Oct 12, 2015 at 4:40 AM, Hubert Kario <hkario@redhat.com> wrote:
> 
> > aren't we still missing the 0-RTT mode?
> 
> It's in the current draft though there are a few details that we're
> going to need to nail down over the next few weeks and in Yokohama.

IMO, that should be nailed rather quick, given that that what there
is right now isn't really sufficient to analyze it.

However, some comments about 0-RTT:


1) It seems to me that if server key is compromised, MITM can
substitute 0-RTT data with its own (at least if original and modified
one have the same number of records). And such modification will not
be detected by handshake, which will complete successfully.

Perhaps the comment about impersonation with compromised server key
was about this (I can't get more usual types of attacks to work)?


2) If static client authentication is used with 0-RTT data, the client
authentication always preceeds 0-RTT data (it is first in early
handshake, and using 1-RTT client auth is forbidden). This seems to
imply 0-RTT data should be interpretted in an authenticated context,
which seems dangerous given the replayability of the 0-RTT data.

If such authentication is not needed, 1-RTT authentication would be
equally fast as 0-RTT authentication (now that 1-RTT auth does not
prohibit server 0-RTT) and much more straightforward (due to having
full-fledged connection context).


3) The document talks about making 0-RTT data unreplayable by using
extra identifier agreed out-of-band. Does that actually work, given
the likely auto-replay by the client?



-Ilari

v2.23.0 | Report a Bug | By Email