Re: [TLS] Limiting replay time frame of 0-RTT data

Bill Cox <waywardgeek@google.com> Tue, 15 March 2016 02:22 UTC

Date: Mon, 14 Mar 2016 19:22:32 -0700
Message-ID: <CAH9QtQHXQr=rYKdwwAHqn9g6fC=bqKoe9kZgSfD+j+5VBxQt6A@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
To: Eric Rescorla <ekr@rtfm.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/pF4Gjh11kv3_LOaWM16Yf7RHIFg>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>

I am probably reading this wrong, but isn't the PFS problem with tickets
fixed in TLS 1.3?  In TLS 1.2, they were sent to clients before
ChangeCipherSpec, so given the server-side ticket encryption key, an
attacker could decrypt past tickets, and then use that data to decrypt past
sessions.

In TLS 1.3, tickets are sent after the full handshake completes, after
encryption is enabled for the connection.  Now, if an attacker has the
ticket encryption key, it is not possible to decrypt old connections.  Is
that right?  It looks to me like tickets have real PFS in TLS 1.3.

Bill
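An added toy model of the ordering difference discussed in this message (example code written for this archive page, not code from the thread or from any TLS implementation). It stands in a real AEAD with an HMAC-SHA256 keystream plus tag, and all function names (`tls12_transcript`, `tls13_transcript`, `recover_with_ticket_key`, ...) are assumptions. The point it shows: when the NewSessionTicket goes on the wire before ChangeCipherSpec, a recording plus the server's ticket key yields the master secret and therefore the recorded application data; when the ticket is itself carried inside an encrypted record keyed from an ephemeral secret, the ticket key alone recovers nothing.

```python
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream: HMAC-SHA256 in counter mode. Illustration only, not a real cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC with one key (toy AEAD stand-in)."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def open_sealed(key: bytes, nonce: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def make_ticket(ticket_key: bytes, secret: bytes) -> bytes:
    # A ticket is the session secret sealed under the server's long-lived ticket key.
    nonce = os.urandom(NONCE_LEN)
    return nonce + seal(ticket_key, nonce, secret)


def open_ticket(ticket_key: bytes, ticket: bytes):
    return open_sealed(ticket_key, ticket[:NONCE_LEN], ticket[NONCE_LEN:])


def encrypt_record(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + seal(key, nonce, plaintext)


def decrypt_record(key: bytes, record: bytes):
    return open_sealed(key, record[:NONCE_LEN], record[NONCE_LEN:])


def traffic_key_from(secret: bytes) -> bytes:
    return hashlib.sha256(b"toy traffic key" + secret).digest()


def tls12_transcript(ticket_key: bytes, master_secret: bytes, app_data: bytes) -> dict:
    """TLS 1.2-style ordering: NewSessionTicket is sent before ChangeCipherSpec,
    so the ticket sits on the wire in the clear, and the traffic key that protects
    application data is derived from the very master secret the ticket contains."""
    return {
        "new_session_ticket": make_ticket(ticket_key, master_secret),  # plaintext on the wire
        "app_data": encrypt_record(traffic_key_from(master_secret), app_data),
    }


def tls13_transcript(ticket_key: bytes, ephemeral_secret: bytes,
                     resumption_secret: bytes, app_data: bytes) -> dict:
    """TLS 1.3-style ordering: the traffic key comes from an ephemeral secret both
    sides discard, and NewSessionTicket is sent only after encryption is on, so the
    ticket reaches the wire wrapped in an encrypted record."""
    tk = traffic_key_from(ephemeral_secret)
    return {
        "new_session_ticket": encrypt_record(tk, make_ticket(ticket_key, resumption_secret)),
        "app_data": encrypt_record(tk, app_data),
    }


def recover_with_ticket_key(transcript: dict, ticket_key: bytes):
    """What a recording plus the ticket key gives: open the ticket, derive the traffic
    key from the secret inside, decrypt the recorded application data. Returns None
    when the recorded ticket bytes do not open under the ticket key."""
    secret = open_ticket(ticket_key, transcript["new_session_ticket"])
    if secret is None:
        return None
    return decrypt_record(traffic_key_from(secret), transcript["app_data"])


if __name__ == "__main__":
    ticket_key = os.urandom(32)
    sample = b"GET /account HTTP/1.1"  # constructed sample application data
    t12 = tls12_transcript(ticket_key, os.urandom(48), sample)
    t13 = tls13_transcript(ticket_key, os.urandom(32), os.urandom(32), sample)
    print("TLS 1.2 ordering, ticket key only:", recover_with_ticket_key(t12, ticket_key))
    print("TLS 1.3 ordering, ticket key only:", recover_with_ticket_key(t13, ticket_key))
```

The recovery routine never learns the ephemeral secret in the 1.3 case, so the tag check on the wrapped ticket fails and nothing downstream is derivable; the same holds for the recorded application data, whose key was never a function of anything the ticket key protects.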