[TLS] Do we really need two 0-RTT keys?
Christian Huitema <huitema@microsoft.com> Fri, 18 December 2015 22:45 UTC
Return-Path: <huitema@microsoft.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4E011B39BA for <tls@ietfa.amsl.com>; Fri, 18 Dec 2015 14:45:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id enpCPLpj5DiL for <tls@ietfa.amsl.com>; Fri, 18 Dec 2015 14:45:37 -0800 (PST)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0796.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:796]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 795F11B39BF for <tls@ietf.org>; Fri, 18 Dec 2015 14:45:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=HWSedEeadCrIpPbTQvTeJWxsAlm+uTsFaRdHZzb0Q50=; b=d/ee4rmdKQ2SYKAzWGzHMwnWC2i03jhuUcCAxy+Vlkcv0qWGRzEoEiewK8C0dzWLbjHhIvaOEKbP/WWpSgnSXCdiJ+czJfPWYt0Qj00qu+SE0fXsVjqHtZLt8ESd0IzUJsRCQHtZu2gqZ1ixWtnpgs1KWwVI3HMITKgCunqW13M=
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com (10.160.96.17) by DM2PR0301MB0654.namprd03.prod.outlook.com (10.160.96.16) with Microsoft SMTP Server (TLS) id 15.1.361.13; Fri, 18 Dec 2015 22:45:15 +0000
Received: from DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) by DM2PR0301MB0655.namprd03.prod.outlook.com ([10.160.96.17]) with mapi id 15.01.0361.006; Fri, 18 Dec 2015 22:45:15 +0000
From: Christian Huitema <huitema@microsoft.com>
To: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Do we really need two 0-RTT keys?
Thread-Index: AdE545+dJMVvs5LHSUe65W5oKcLEUQ==
Date: Fri, 18 Dec 2015 22:45:15 +0000
Message-ID: <DM2PR0301MB065560395A8F3BD86855348DA8E10@DM2PR0301MB0655.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=huitema@microsoft.com;
x-originating-ip: [131.107.159.119]
x-microsoft-exchange-diagnostics: 1; DM2PR0301MB0654; 5:MZC5LzMvXviaDEv3rd0tINaegQTbVxMBWxkpIIAkkWbFBfVM4ppj+41O5JXsaQCkc40PxOa/92cLiV2kSQCmKRAxYvumiigPX14RZL47eyoupc/jRwabzOZrDKCwOIiMtRom4E0yIr0vHvQGvpzKmQ==; 24:zOeYgnFYeAXW/NQQrx+U9QJxl9N9fSsyB9jdjLkm6ARyLLUOzoDKPiGBs+LQS8Pjo97RrySJIu2JgCgmNllpaZh8727AQOrH41EmXN0+QOA=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB0654;
x-o365ent-eop-header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
x-microsoft-antispam-prvs: <DM2PR0301MB0654C7C981B347B8B5122E7CA8E10@DM2PR0301MB0654.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(601004)(2401047)(5005006)(520078)(8121501046)(10201501046)(3002001)(61426038)(61427038); SRVR:DM2PR0301MB0654; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0654;
x-forefront-prvs: 07943272E1
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(189002)(199003)(5001960100002)(107886002)(106356001)(189998001)(81156007)(105586002)(54356999)(99286002)(110136002)(86362001)(86612001)(101416001)(5003600100002)(50986999)(66066001)(74316001)(97736004)(2900100001)(33656002)(76576001)(3846002)(2501003)(2351001)(11100500001)(77096005)(450100001)(87936001)(8990500004)(1730700002)(229853001)(10400500002)(5004730100002)(40100003)(92566002)(5002640100001)(586003)(5005710100001)(10090500001)(122556002)(6116002)(10290500002)(1220700001)(5008740100001)(102836003)(1096002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0654; H:DM2PR0301MB0655.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Dec 2015 22:45:15.8211 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0654
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/p-4aPniRhSQfDq7hBSoyI0NCsJA>
Subject: [TLS] Do we really need two 0-RTT keys?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Dec 2015 22:45:40 -0000
The ladder diagram describing the 0-RTT exchange is simple enough, as seen in this extract:
Client Server
ClientHello
+ KeyShare
+ EarlyDataIndication
^ (Certificate*)
0-RTT | (CertificateVerify*)
Data | (Finished)
v (Application Data*)
(end_of_early_data) -------->
The text indicates that client auth and application data messages are protected by "keys derived from the static secret." But then, hidden in section 7.2 is an interesting twist -- too different keys are supposed to be derived from the static secret, one for 0-RTT handshake, another for 0-RTT Application. If I understand correctly, the Certificate, CertificateVerify and Client Finished message would be protected with the "0-RTT Handshake" key, and the Application data and end-of-early data message would be protected with the "0-RTT Application" key.
I assume that there is a good reason for this extra complexity, even if it eludes me. But I worry a bit about what that would do when we start working on DTLS 1.3. UDP messages can arrive out of order. Yes, there is a message number, but the record layer is not necessarily well positioned to interpret it -- the certificate and verify message are optional, so when a record layer receives packet #3 before packet #2, it does not know whether this is a CertificateVerify message (handshake key) or an application message (application key).
Yes, there are solutions, yes, it can be managed, but are we sure that this particular bit of complexity is worth it?
And if it worth it, can we add a description of the key switching logic in section 6.2.2?
-- Christian Huitema
- [TLS] Do we really need two 0-RTT keys? Christian Huitema
- Re: [TLS] Do we really need two 0-RTT keys? Eric Rescorla
- Re: [TLS] Do we really need two 0-RTT keys? Christian Huitema