IETF Logo Mail Archive

Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)

Eric Rescorla <ekr@rtfm.com> Fri, 25 March 2016 15:40 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03B7D12DC21 for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 08:40:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y4BI_EBp66Km for <tls@ietfa.amsl.com>; Fri, 25 Mar 2016 08:40:20 -0700 (PDT)
Received: from mail-yw0-x233.google.com (mail-yw0-x233.google.com [IPv6:2607:f8b0:4002:c05::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFB9C12DC13 for <tls@ietf.org>; Fri, 25 Mar 2016 08:40:19 -0700 (PDT)
Received: by mail-yw0-x233.google.com with SMTP id g3so98429537ywa.3 for <tls@ietf.org>; Fri, 25 Mar 2016 08:40:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=KzlArgbngun2uE4szB+wwWrkXjbTKB/e3cbOIoWoRrY=; b=XFzoS41SZPGehvdmWZLLWb46d4ntgWpfPlT4ahQouhuGESYSBzki7Fmzw28JrBGdSx Td9ZJTtYvcsfAu5DfkVnWRU4uzVuLdvr2OX9HBlYvXo6jOkOESDXz4oIzdI6xLU/G5J2 qBEQADIRSoANVV7CHEX44zeEY2eJM7eCCEFL/OFxOBJsO+Gi7BsMeKVrlj1KC/tNc27l CZYhkzcsfZCjwnsSj7UgE6ejfys6QrgbkNd8aCdCYSCE/8K/EuKk5hB7CPuRyEivVE/Z Lzz2b2obPH9MVHelh++YxD+iomQZbDjfge4QI0agYZCLOhqU+nWwLRKmv4EL1QNcrFa+ x76w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=KzlArgbngun2uE4szB+wwWrkXjbTKB/e3cbOIoWoRrY=; b=F+LD9tZNq87yhHa7ZMxK+teEnVkVTirS7APo6H7kA+4HZZzDGcU48e+TOCDnHESHft cXnS7SJl4xVAVojqJubq8hW4yZvB5hbiuIJ/lddiG4wu+gVqdmslo8W85zu8RDoa9Zrt VRpN2gTSdunG0e9uiT4eEi+FXi/HTV9VxKYEa1SYegC5YsRf5mlZBDB1A2BDP/KHvgZC MEyJdLx/aHZcMdoKBGqfor7k5Dd+8h9cslIuX1N9CJYRpvgIuYc1DH4Gyh+s+A/pP2bb 2OSKPw19I2/4XpCGdYn5C5WS4AwVnhuq1RIgKqPIemdB27eKlMSHPhfnkaUoUE6HBUMQ pcCw==
X-Gm-Message-State: AD7BkJLOH+78lhDdVSxu2gUTubJjlgjSy5FNcX13ujli+PRyW87W2lhd/UTTqoUJymBROZIc87WsCm6JtJrd3A==
X-Received: by 10.37.64.6 with SMTP id n6mr6210430yba.162.1458920418923; Fri, 25 Mar 2016 08:40:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.13.249.5 with HTTP; Fri, 25 Mar 2016 08:39:39 -0700 (PDT)
In-Reply-To: <CAH9QtQFkaGZjc85vRuK0vB5g4--5od8vRmrBU0ejp+k+KWUmJg@mail.gmail.com>
References: <BC748097-6833-4BEB-9282-AF278B00FB96@inria.fr> <20160325115343.GA13213@LK-Perkele-V2.elisa-laajakaista.fi> <68AC2856-70B5-4B4C-80E8-B8AD1512199A@inria.fr> <CAH9QtQFkaGZjc85vRuK0vB5g4--5od8vRmrBU0ejp+k+KWUmJg@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 25 Mar 2016 08:39:39 -0700
Message-ID: <CABcZeBO+=hLSc=SdEYnBr7K10h0EOREtLZvpMtgC-gSOdsrMKg@mail.gmail.com>
To: Bill Cox <waywardgeek@google.com>
Content-Type: multipart/alternative; boundary="001a11c0086653c6e7052ee1619b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/oylhQAKFRyiaePyffVbEw59_Hh4>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Cleaning up 0-RTT Signaling (ciphersuites, replays, PSK context)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Mar 2016 15:40:22 -0000

On Fri, Mar 25, 2016 at 8:33 AM, Bill Cox <waywardgeek@google.com> wrote:

> Adding 1 byte EarlyDataType seems like a good idea.
>
> As for the CipherSuite, assuming DH-0RTT goes away, would it be simpler to
> require that the cipher suite negotiated from the original 1-RTT connection
> be used?
>
> For channel binding, the only mode that seems to work with 0-RTT is when
> we issue new tickets on each 0-RTT connection to emulate a single session
> like we have in TLS 1.2, and use a replay cache on the server.  The only
> valid proof-of-possession the server can do with the client before
> processing application requests is the one done on the 1-RTT connection, so
> this single proof needs to secure the entire chain of 0-RTT connections.
> The master resumption secret becomes a bearer token and needs to be
> protected accordingly.
>
> The Export Key Material API also needs to be updated.  The simplest
> implementation where keys are derived from the current ephemeral secrets
> will cause the exported keys to be different whenever new keys are
> negotiated.  This will probably cause bugs at the application layer.  We
> may need to have an EKM API that depends only on the original PSK, and
> another one for generating ephemeral EKM material.
>

PTAL at draft-12 which has a definition of exporters based on the Exporter
Secret, which is computed at the end of the handshake.

-Ekr




>
>
> Bill
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
>

v2.23.0 | Report a Bug | By Email