Re: [TLS] 0.5 RTT

Martin Thomson <martin.thomson@gmail.com> Tue, 23 February 2016 22:08 UTC

On 23 February 2016 at 14:01, Karthikeyan Bhargavan
<karthik.bhargavan@gmail.com> wrote:
> The main downgrade concern, I think, is for the 0.5-RTT data’s confidentiality; i.e. it may have been sent encrypted under a broken cipher.

Hmm, that's a good point.  So Antoine's analogy is closer to correct
than I had thought, and the need for Finished remains.

There's an argument that says that 0.5RTT data isn't confidential
because the server would send it to anyone, but I don't agree with
that viewpoint.  And we're potentially also handling 0-RTT data before
sending 0.5 data.

Like I said on the weekend, we don't have to solve every problem.
None of the cipher suites in TLS 1.3 would fail to qualify as broken
currently, but if they did, then logic similar to what we recommend
for false start seems reasonable to me.  Other than that, we can
simply document the shortcoming.  I don't think that any of this
justifies a stronger response than that, and that includes extra key
updates.
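
A toy model of the trade-off discussed in this message, added here as an illustration; it is not code from the list or from any TLS implementation. The suite names, `EARLY_SEND_ALLOWLIST` and the function names are hypothetical, and the handshake is reduced to an offer, a selection and a Finished MAC over each side's view of them.

```python
import hashlib
import hmac

# Hypothetical suite names for this toy model; not real TLS code points.
EARLY_SEND_ALLOWLIST = {"STRONG_AEAD_A", "STRONG_AEAD_B"}
SERVER_SUPPORTED = ["STRONG_AEAD_A", "WEAK_LEGACY"]  # server preference order


def transcript_hash(offered, selected):
    """Hash of one party's view of the offer and the selection."""
    return hashlib.sha256((",".join(offered) + "|" + selected).encode()).digest()


def finished_mac(key, offered, selected):
    """Toy Finished: MAC over the sender's own view of the handshake."""
    return hmac.new(key, transcript_hash(offered, selected), hashlib.sha256).digest()


def server_handshake(client_offer, seen_offer, key, gate_early_data):
    """Return (suite, sent_before_finished, finished_ok).

    client_offer is what the client really sent; seen_offer is what
    reached the server (an on-path party may have removed entries).
    """
    suite = next(s for s in SERVER_SUPPORTED if s in seen_offer)
    # 0.5-RTT decision point: the client's Finished has not arrived yet.
    # With the gate on, a suite outside the allowlist means the server
    # holds its data until Finished verifies (false-start-style logic).
    sent_early = not (gate_early_data and suite not in EARLY_SEND_ALLOWLIST)
    # Simplification: the client's Finished always arrives and is computed
    # over the client's view; a real client may simply abort instead.
    client_fin = finished_mac(key, client_offer, suite)
    expected = finished_mac(key, seen_offer, suite)
    finished_ok = hmac.compare_digest(client_fin, expected)
    return suite, sent_early, finished_ok
```

Without the gate, a stripped offer leads the server to send data under `WEAK_LEGACY` before the Finished mismatch reveals the tampering; with the gate, nothing is sent under that suite until Finished has been checked.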