IETF Logo Mail Archive

Re: [TLS] 0.5 RTT

Hugo Krawczyk <hugo@ee.technion.ac.il> Tue, 23 February 2016 22:38 UTC

Return-Path: <hugokraw@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFA371B2BD6 for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 14:38:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dM52gTcMWtzW for <tls@ietfa.amsl.com>; Tue, 23 Feb 2016 14:38:17 -0800 (PST)
Received: from mail-lf0-x22c.google.com (mail-lf0-x22c.google.com [IPv6:2a00:1450:4010:c07::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED7311B2AA5 for <tls@ietf.org>; Tue, 23 Feb 2016 14:38:16 -0800 (PST)
Received: by mail-lf0-x22c.google.com with SMTP id 78so280638lfy.3 for <tls@ietf.org>; Tue, 23 Feb 2016 14:38:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc:content-type; bh=mBOTAbQFNuvbLOcTVJYNK0+GgmBPOsU0NM6JpToFJQk=; b=IgYD08J/8uizZ2RI27WZ9+YgrdZBUq1Cp13M17Hch+96XpcHCpthqyvTJErtewHab3 1BVh6Bfi7/+lHTKjA+zny/EdtGzem7cisOmuVCXBNd40HgCNjwy7LcEWVKL+SEEFZYYP CjioHfRx5xt8k2eDmvlSH4BQBbJUM5Bgb+qtu0UXE415CN0SKNPfNEnddetlhuF4lGLF xNwVGrZ3w/qz8y21VkghXC9S96CDMTmblkAVX6u7xQRZJj3HXnll9ynWEkXAOWUWlwY8 E+pBtMbFcjSnZJCJ4fX11ELOEyu3+T7kqyFQeol64wsAIa+my7XnvhbWgdZk2ZigkSqX vGcg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc:content-type; bh=mBOTAbQFNuvbLOcTVJYNK0+GgmBPOsU0NM6JpToFJQk=; b=mRZKJlE55CUVpeuzGqXpMuof73W1wj2cI6no3yL69aw16WKGj3by/6LYjJwTth/m22 F4pmfQnU5fI+dxLLjVciSlBPHuxLXfldxXjj5/Zg+TsIAGO14o3aJvF1IPnJHtvmQ6Jq wdzdtQUyU5GrZ8j01LpkjoJkokqzNXMMYIouM1egjlPRMMkAQmkAZ02ieQuO1beq8PoV Vug3qPXK2g7lUp/qcA4m2YHy7wx+jlwG42sPSvLNiCAyjpeCQl+/Eu7ZnXw6yzeJixl9 fXcnOq1mCXJZR4+lIqv+1ga/sggI+k6BPVYdr2M0HbVJ2WGplwq3S9S7bGfuUbo7Uy5d EihQ==
X-Gm-Message-State: AG10YOSgUFlHSmkKRCYPIdBD0xkC22zu7cS1PemAyeWqFVUFmVpnjnZSRPgRI2hSZlVsRH8y122beNVrmYc1IQ==
X-Received: by 10.25.147.212 with SMTP id v203mr10882113lfd.167.1456267095192; Tue, 23 Feb 2016 14:38:15 -0800 (PST)
MIME-Version: 1.0
Sender: hugokraw@gmail.com
Received: by 10.25.31.18 with HTTP; Tue, 23 Feb 2016 14:37:45 -0800 (PST)
In-Reply-To: <CABkgnnVxrpkMqdmV_JkMaEY39BZ=O07xeWcpod2fwRb3W4_sQA@mail.gmail.com>
References: <CABkgnnW1LRhSA_i0nL=rDYnUwBZWg5dSys7yk6aDefYWptnpZQ@mail.gmail.com> <8FA1A0FD-B911-474F-AC08-6208A80EB980@gmail.com> <CADi0yUPOEL++R+_Nhy4NTfhzsA6UjbVbMAEiPx1Qg9+vPPHt7g@mail.gmail.com> <CABkgnnUHmtrRNnOyVXdOe-fnAcN7WVKfX=ycXiugV8A77OjQCQ@mail.gmail.com> <15C73D91-9CDD-488E-87AF-4EBB1C8202CB@gmail.com> <CABkgnnVxrpkMqdmV_JkMaEY39BZ=O07xeWcpod2fwRb3W4_sQA@mail.gmail.com>
From: Hugo Krawczyk <hugo@ee.technion.ac.il>
Date: Tue, 23 Feb 2016 17:37:45 -0500
X-Google-Sender-Auth: qBkTWiE7eMPhn9SlLSwPhkt8z1U
Message-ID: <CADi0yUN5b+CfzM-jH5xNL0dgU2u09OzmcUzV3uOwdEmP3wBr5A@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="001a11402438e838be052c779a12"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/sL_CjZhFPc6njZvXF-O9qTTTriY>
Cc: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0.5 RTT
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Feb 2016 22:38:19 -0000

On Tue, Feb 23, 2016 at 5:08 PM, Martin Thomson <martin.thomson@gmail.com>
wrote:

> On 23 February 2016 at 14:01, Karthikeyan Bhargavan
> <karthik.bhargavan@gmail.com> wrote:
> > The main downgrade concern, I think, is for the 0.5-RTT data’s
> confidentiality; i.e. it may have been sent encrypted under a broken cipher.
>
> Hmm, that's a good point.  So Antoine's analogy is closer to correct
> than I had thought, and the need for Finished remains.
>
> There's an argument that says that 0.5RTT data isn't confidential
> because the server would send it to anyone, but I don't agree with
> that viewpoint.


​I would be interested to hear why you don't agree with that viewpoint.
It seems to imply that you are attaching some "client-specific semantics"
even to keys that were not authenticated by the client.
Understanding such semantics would be a good guide for when 0.5 data may be
safe.

​But the truth is that whatever these semantics are, under your above
viewpoint you should never send 0.5 data.​
​Matching vague semantics to cryptographic security is too hard a problem
to get it right.

(In particular, if these semantics may be based on stuff that happens
outside TLS, as Karthik and Watson were pointing out, then maybe we really
put a "Surgeon General" warning on 0.5 data of equal size to that of 0-RTT.)

Hugo​



And we're potentially also handling 0-RTT data before
> sending 0.5 data.
>
> Like I said on the weekend, we don't have to solve every problem.
> None of the cipher suites in TLS 1.3 would fail to qualify as broken
> currently, but if they did, then logic similar to what we recommend
> for false start seems reasonable to me.  Other than that, we can
> simply document the shortcoming.  I don't think that any of this
> justifies a stronger response than that, and that includes extra key
> updates.
>

v2.23.0 | Report a Bug | By Email