IETF Logo Mail Archive

[TLS] 0.5 RTT

Martin Thomson <martin.thomson@gmail.com> Tue, 23 February 2016 19:27 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36A2E1A90D3 for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 11:27:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ms3OUM_jBaC4 for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 11:27:10 -0800 (PST)
Received: from mail-ig0-x22a.google.com (mail-ig0-x22a.google.com [IPv6:2607:f8b0:4001:c05::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0AD71ACD3F for <tls@ietf.org>; Tue, 23 Feb 2016 11:27:10 -0800 (PST)
Received: by mail-ig0-x22a.google.com with SMTP id z8so15585218ige.0 for <tls@ietf.org>; Tue, 23 Feb 2016 11:27:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to; bh=q/vH3M93fs/f5iPXzra5FGaBs3pZk0QY51Kmos2l/3c=; b=kLokuxhD5h9/SU3iu7GEoaq6Aa1J1KtynN0fDdqnSw0MTZMI4X9z9ZMjglUWY9zkM+ bJ+ITr8frBfncA6oHZKEMPOttZ3PJ76KI+0WSgLawZk4iV4vdhTUhKuploZ7epucCrYx n/ycgCDLTCV5ZkQ9BJoRtpidgwfijkeAVwJMrVAs47vvJ7Eqlg3EUJXgXdDr3FrakyuU z5/F9SGqpsu7TXF645O2FIHRhuWq+aEwv4M1q9TXQfYeDzkVlK6AX6o7czDulIjjQJEi kutDvxPw0ekR7raV0FM6xbdJ8RDvxYuG3naKT3sZa/AJvkG4SS6WU5W8lNjpqHnn1mut E/2A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:date:message-id:subject:from:to; bh=q/vH3M93fs/f5iPXzra5FGaBs3pZk0QY51Kmos2l/3c=; b=DR+JZFUWv9THAsFXdZ8FgWjZWMIqzjJgIgfArkbX5eyBQjQqPxq/PJwaSTNFMZGMwk pb46jwtqExuBdyc90NeuK62XIdIPB1lnd5Th3vp83SZriHr3qmuKvlw7l06aLofFpbkn 0C0eqjCCVGVYMmUApZz5CV5YdJqjp9YZDF6yq20W8Uu1zYKRmwocP8U/9kwSRj89qt4w 6ap3q5dJ+nHQex0T2xc3UmF1r8Km8CWgMYrFVpjWifUGjdAut6es/xSWnrl7BLjIxP8f cwK3UCkdnLSdW1hVfisev09QQ0p3F5jeVTirp8gz6WNqGO0D8G7Vwk2d81ao+NWh86SC Ok1A==
X-Gm-Message-State: AG10YOSZqXSeOoFDJSfzw/9bH4DqT+ll6LMBlJaULejS1wqXF3VCf7Oi9Ivwo9h9KcSFXGYa48GNgvSOoqA2qA==
MIME-Version: 1.0
X-Received: by 10.50.20.129 with SMTP id n1mr19612007ige.77.1456255630066; Tue, 23 Feb 2016 11:27:10 -0800 (PST)
Received: by 10.36.53.79 with HTTP; Tue, 23 Feb 2016 11:27:10 -0800 (PST)
Date: Tue, 23 Feb 2016 11:27:10 -0800
Message-ID: <CABkgnnW1LRhSA_i0nL=rDYnUwBZWg5dSys7yk6aDefYWptnpZQ@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ihp3fY2G9mYKhXCvOMQNOcKItL0>
Subject: [TLS] 0.5 RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 19:27:12 -0000

Karthik raised some concerns here, and I think that we have some
thinking to do.  But I don't think that it is intractable, nor even
hard, to reason about this problem.

The only thing that the client's second flight provides is
authentication.  The Finished isn't needed if there is no client auth
[P].  Hugo's presentation at TRON did not include a client Finished in
the earlier, simpler examples.

Thus, based on Watson's observation that the client authentication is
removable, we might conclude that the handshake is complete from the
perspective of a server that does not require client authentication.
There are still reasons we might like to keep the client
authentication in the handshake, but those are decisions we can make
on engineering grounds.

If post-handshake client authentication is OK, then 0.5 RTT is equally
OK [X].  I would assert that any decision about changing keys after
the client Finished applies to post-handshake client auth (or vice
versa).

If that logic is sound, then I see no reason we can't have some very
simple advice:

  1. if the server does not request client authentication, it can send
application data immediately following its Finished

  2. if the server requests client authentication, it MUST NOT send
application data until it receives and validates the client's first
flight.  UNLESS the server is certain that the data it sends does not
depend on the client's identity (that is, it would send this
application data to anyone).

>From an API perspective, I believe that we should recommend that there
be a separate function for sending in condition 2, just as we are
going to recommend that there is a separate function for sending 0-RTT
data (as well as there being one to receive on the server end).

Based on this, we should recommend different points in time for the
server API to report that the handshake is "complete" at a server.  In
condition 1, the handshake is complete after the server Finished is
sent; in condition 2, the handshake is complete after the client
Finished is received.


[P] Note that a client Finished does confirm a PSK.  Though you might
reasonably argue that successfully generating valid application data
works equally well in that regard.
[X] Post-handshake client authentication has only been analyzed very
lightly, so we have to caveat that statement too.

v2.23.0 | Report a Bug | By Email