Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

Eric Rescorla <> Thu, 24 December 2015 21:44 UTC

From: Eric Rescorla <>
Date: Thu, 24 Dec 2015 16:44:00 -0500
Message-ID: <>
To: Christian Huitema <>

On Thu, Dec 24, 2015 at 3:40 PM, Christian Huitema <> wrote:

> On Monday, December 21, 2015 6:30 PM, Martin Thomson wrote:
> >
> > On 22 December 2015 at 13:25, Christian Huitema <>
> > wrote:
> > >> Unless I'm confused (which is possible given the time of night),
> > >> the intention, as you say, is to separate out the 0-RTT handshake
> > >> messages i.e., (cert, cert verify, finished) from the 1-RTT
> > >> computations.
> > >
> > > OK. That does not simplify implementations using running hashes...
> >
> > It does if you consider the possibility of having to drop the 0-RTT data.
>
> That's right. In fact, it may be a good idea to add to the spec a
> description of a "Failed 0-RTT handshake." If I understand correctly, the
> following will happen:
> * Server will receive the client hello, ignore the Early Data Indication
> extension, and proceed as in 1-RTT.
> * Server will indicate that by not adding an Early Data Indication to the
> server hello.
> * Server will receive a series of 0-RTT messages that it cannot decipher,
> and just drop the messages.
> * Client will receive server hello, and proceed as per 1-RTT. Client API
> will signal that 0-RTT data was lost, application may decide to retransmit.
> * Server may send client authentication requests. Client will have to
> repeat the authentication messages, even if it already sent them as 0-RTT.

This seems exactly correct.

> In that scenario, the handshake hash cannot include the 0-RTT messages,
> since the server does not in fact receive them, and they do not contribute
> to the state of the connection.

> We can of course debate whether the 0-RTT messages should also not be
> included in the hash if the 0-RTT exchange was successful, the messages
> were received, and they contributed to the state of the connection. If they
> are not included, then the "Finished" HMAC does not offer a protection
> against tampering. This may open the possibility of some kind of
> substitution or replay attack.

They are included in the client's 0-RTT Finished, so as long as SS is not
compromised, you should not be able to modify them. They are not protected
against modifications if SS is compromised, whereas other messages are
covered by the server's signature.

> The failed 0-RTT handshake scenario also has interesting consequences on
> the Record layer. We have a legitimate scenario in which received records
> cannot be decrypted. This should not trigger alarms. And the numbering
> scheme should be robust against these missing records.

Yes. Resetting the sequence number as proposed by Fournet et al. and
in WIP-11 makes this easier.
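The failed-0-RTT flow Christian lists above, the separate 0-RTT Finished Eric points to, and the record-layer consequences (undecryptable records silently dropped, sequence numbers restarting under the 1-RTT key) can be run side by side in a toy model. The following is an added illustration written for this archive page; it is not code from the TLS WG drafts or from any TLS implementation. Its message encodings, the `config_id` the client sends, the HMAC placeholder for HKDF-Expand-Label, the XOR-plus-HMAC stand-in for AES-GCM and the "naive" hash variant are all assumptions chosen so that the accepted and rejected cases can be compared; the inputs in the `__main__` block are constructed.

```python
import hashlib
import hmac
import os

EDI = b"early_data_indication"   # stands in for the draft's EarlyDataIndication extension
FIN_PREFIX = b"Finished0|"

def _keystream(key: bytes, seq: int, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + seq.to_bytes(8, "big") + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, seq: int, plaintext: bytes) -> bytes:
    """Toy AEAD (XOR keystream + HMAC tag): a stand-in for AES-GCM so the model runs offline."""
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, seq, len(plaintext))))
    return ct + hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()

def open_(key: bytes, seq: int, record: bytes):
    """Plaintext, or None when the record does not authenticate under (key, seq)."""
    ct, tag = record[:-32], record[-32:]
    expect = hmac.new(key, seq.to_bytes(8, "big") + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, seq, len(ct))))

def derive(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    """Placeholder for HKDF-Expand-Label: HMAC(secret, label || H(transcript))."""
    return hmac.new(secret, label + hashlib.sha256(transcript).digest(), hashlib.sha256).digest()

def config_id(ss: bytes) -> bytes:
    """Tells the server which SS the 0-RTT keys came from (assumed encoding, not the draft's)."""
    return hashlib.sha256(b"config|" + ss).digest()[:8]

def run_handshake(client_ss: bytes, server_ss, early_data: list) -> dict:
    """client_ss: the semi-static secret (SS) the client cached from an earlier connection.
    server_ss: the SS the server holds now (None if lost or rotated); it decides 0-RTT's fate."""
    # client flight 1: ClientHello, then 0-RTT records keyed from SS and the ClientHello only
    client_hello = b"ClientHello|" + EDI + b"|" + config_id(client_ss) + b"|" + os.urandom(16)
    c_early_key = derive(client_ss, b"early traffic", client_hello)
    c_fin_key = derive(client_ss, b"early finished", client_hello)
    # the client's 0-RTT Finished covers the ClientHello and every 0-RTT message it sent
    fin0 = hmac.new(c_fin_key, client_hello + b"".join(early_data), hashlib.sha256).digest()
    flight = list(early_data) + [FIN_PREFIX + fin0]
    records = [seal(c_early_key, seq, m) for seq, m in enumerate(flight)]

    # server: honour the Early Data Indication only if it still holds the referenced SS
    accepts = server_ss is not None and config_id(server_ss) == config_id(client_ss)
    server_hello = b"ServerHello|" + (EDI + b"|" if accepts else b"") + os.urandom(16)
    early_read, dropped, alerts = [], 0, []
    if accepts:
        s_early_key = derive(server_ss, b"early traffic", client_hello)
        s_fin_key = derive(server_ss, b"early finished", client_hello)
        plain = [open_(s_early_key, seq, r) for seq, r in enumerate(records)]
        if None in plain or not plain[-1].startswith(FIN_PREFIX):
            alerts.append("decrypt_error")   # once accepted, an unreadable 0-RTT record IS an error
        else:
            body, fin = plain[:-1], plain[-1][len(FIN_PREFIX):]
            expect = hmac.new(s_fin_key, client_hello + b"".join(body), hashlib.sha256).digest()
            if hmac.compare_digest(fin, expect):
                early_read = body
            else:
                alerts.append("decrypt_error")   # 0-RTT Finished mismatch: the flight was altered
    else:
        dropped = len(records)   # expected to be undecryptable: ignored, no alert, no abort

    # running handshake hashes: CH then SH on both sides, 0-RTT messages left out. The "naive"
    # variants fold the 0-RTT messages in and so disagree whenever the server never read them.
    c_running, s_running = hashlib.sha256(client_hello), hashlib.sha256(client_hello)
    c_naive, s_naive = c_running.copy(), s_running.copy()
    c_naive.update(b"".join(early_data))   # everything the client sent
    s_naive.update(b"".join(early_read))   # only what the server actually received
    for h in (c_running, s_running, c_naive, s_naive):
        h.update(server_hello)

    # 1-RTT traffic: new key, sequence numbers restart at 0 on both sides, so the records the
    # server dropped under the early key do not put the counters out of step
    es = os.urandom(32)   # stands in for the (EC)DHE shared secret of the 1-RTT exchange
    app_key = derive(es, b"application traffic", client_hello + server_hello)
    early_lost = EDI not in server_hello   # what the client API reports to the application
    received = list(early_read)
    for seq, m in enumerate(early_data if early_lost else []):   # application retransmits
        pt = open_(app_key, seq, seal(app_key, seq, m))
        if pt is None:
            alerts.append("bad_record_mac")
        else:
            received.append(pt)
    return {"early_data_accepted": accepts, "early_data_lost_signaled": early_lost,
            "dropped_records": dropped, "alerts": alerts, "server_received": received,
            "hash_agrees": c_running.digest() == s_running.digest(),
            "naive_hash_agrees": c_naive.digest() == s_naive.digest()}

if __name__ == "__main__":
    ss = os.urandom(32)                                       # constructed: SS from a prior connection
    print(run_handshake(ss, ss, [b"GET /", b"cookie"]))       # 0-RTT accepted
    print(run_handshake(ss, None, [b"GET /", b"cookie"]))     # server lost SS: failed 0-RTT
```

In the rejected case the server reports dropped records but no alert, the client is told its early data was lost and retransmits it under the 1-RTT key from sequence number 0, and the two running hashes still agree because neither side ever fed the 0-RTT messages into them; the naive variant that includes them agrees only when the server actually read the flight. The 0-RTT Finished check in the accepted branch is where tampering with the 0-RTT messages is caught, which depends on SS, not on the server's signature.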