Re: [TLS] Limiting replay time frame of 0-RTT data
Bill Cox <waywardgeek@google.com> Tue, 15 March 2016 02:22 UTC
I am probably reading this wrong, but isn't the PFS problem with tickets fixed in TLS 1.3? In TLS 1.2, they were sent to clients before ChangeCipherSpec, so given the server-side ticket encryption key, an attacker could decrypt past tickets, and then use that data to decrypt past sessions. In TLS 1.3, tickets are sent after the full handshake completes, after encryption is enabled for the connection. Now, if an attacker has the ticket encryption key, it is not possible to decrypt old connections. Is that right? It looks to me like tickets have real PFS in TLS 1.3.

Bill
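The difference the message describes, as a toy model (an added example, not part of the original message and not code from any TLS implementation). It covers only the initial full handshake, not later resumption; `seal`/`open_` are a constructed HMAC-based stand-in for real ticket and record encryption, and all names are hypothetical.

```python
import hashlib, hmac, os

def _stream(key, nonce, n):
    # Toy keystream (HMAC-SHA256 in counter mode); stand-in for a real AEAD.
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, pt):
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    # Returns the plaintext, or None when the key does not match the blob.
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    want = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def derive(secret, label):
    return hmac.new(secret, label, hashlib.sha256).digest()

def handshake(version, stek, app_data):
    """Return what a passive observer records during one full handshake."""
    master = os.urandom(32)  # stands for the (EC)DHE result; never on the wire
    traffic_key = derive(master, b"traffic")
    if version == "1.2":
        # The ticket wraps the master secret and is sent before ChangeCipherSpec.
        ticket = seal(stek, master)
        return {"cleartext": [ticket], "records": [seal(traffic_key, app_data)]}
    # TLS 1.3: the ticket wraps a one-way-derived resumption secret and
    # travels inside a record protected by the connection's own traffic key.
    ticket = seal(stek, derive(master, b"resumption"))
    return {"cleartext": [],
            "records": [seal(traffic_key, app_data), seal(traffic_key, ticket)]}

def exposed_by_stek_leak(capture, stek):
    """Application data of a recorded connection that a later STEK leak reveals."""
    exposed = []
    for blob in capture["cleartext"] + capture["records"]:
        secret = open_(stek, blob)      # only a ticket visible on the wire opens
        if secret is None:
            continue
        key = derive(secret, b"traffic")
        exposed += [p for r in capture["records"] if (p := open_(key, r)) is not None]
    return exposed
```
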