Re: [TLS] Forward secrecy with resumption, and 0-RTT security

Bill Cox <> Sun, 06 December 2015 22:55 UTC

To: Eric Rescorla <>

Just how strict do we want to be with forward secrecy?  The choices I see:

1) Avoid 0-RTT connections, and do only 1-RTT connections when we want
strict forward secrecy and strong client authentication
2) Keep server-side state for decrypting each ticket, and issue new tickets
on each connection, while avoiding 0-RTT replay to the same data center.
3) Give up on first flight forward secrecy, as well as client
authentication for first flight data.

If tickets are reused for multiple 0-RTT resumptions, then the earlier
connections can be decrypted using whatever state the server keeps to
decrypt later connections.

I think option 1 is simple and secure, but too slow.  The choice between 2)
and 3) is a security vs. cost and complexity trade-off.

No new functionality is required to implement 1, 2, or 3, I think.  It can
be up to the implementation and application.  Is it worth spelling out in
the spec the gory details?

I'm trying out some language for implementing 2, and the downsides for 1
and 3.  Not sure if it belongs...
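The trade-off between options 2 and 3 above, modelled as an added example (not code from this thread or from any TLS implementation). Both servers accept a 0-RTT flight encrypted under a key derived from a resumption secret; the option 2 server keeps one secret per outstanding ticket and deletes it on first use, while the option 3 server seals the secret into a stateless ticket under a long-lived ticket key. The primitives (`derive`, `aead_seal`, `aead_open`) are a constructed HMAC-SHA256 stand-in for TLS 1.3's HKDF and AEAD, and handing the resumption secret straight back to the client stands in for deriving it from the handshake; the class and function names are this example's own.

```python
"""Toy model of 0-RTT resumption: stateful single-use tickets vs stateless sealed tickets."""
import hashlib
import hmac
import secrets

TAG_LEN = 16
EARLY_LABEL = b"early data"


def derive(key: bytes, label: bytes) -> bytes:
    """Stand-in for HKDF-Expand-Label: a single HMAC-SHA256 call (constructed, not TLS)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def aead_seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC stand-in for an AEAD; nonce must be unique per key."""
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def aead_open(key: bytes, nonce: bytes, blob: bytes):
    """Returns the plaintext, or None if the tag does not verify."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def client_0rtt(ticket: bytes, resumption_secret: bytes, data: bytes):
    """Client's first flight: the ticket plus early data under the ticket's derived key."""
    nonce = secrets.token_bytes(12)
    return ticket, nonce, aead_seal(derive(resumption_secret, EARLY_LABEL), nonce, data)


class StatefulServer:
    """Option 2: one secret per ticket held server-side, consumed on use, fresh ticket per connection."""

    def __init__(self):
        self.tickets = {}  # ticket_id -> resumption secret, only for tickets not yet used

    def new_ticket(self):
        ticket_id, rs = secrets.token_bytes(16), secrets.token_bytes(32)
        self.tickets[ticket_id] = rs
        return ticket_id, rs

    def accept_0rtt(self, ticket_id, nonce, ct):
        rs = self.tickets.pop(ticket_id, None)  # single use: a replay of the same ticket finds nothing
        if rs is None:
            return None, None  # unknown or already-used ticket: reject 0-RTT (fall back to 1-RTT)
        data = aead_open(derive(rs, EARLY_LABEL), nonce, ct)
        if data is None:
            return None, None
        return data, self.new_ticket()  # the old secret is now gone from server state


class StatelessServer:
    """Option 3: ticket = resumption secret sealed under a long-lived ticket key; no per-ticket state."""

    def __init__(self):
        self.ticket_key = secrets.token_bytes(32)

    def new_ticket(self):
        rs, tnonce = secrets.token_bytes(32), secrets.token_bytes(12)
        return tnonce + aead_seal(self.ticket_key, tnonce, rs), rs

    def accept_0rtt(self, ticket, nonce, ct):
        rs = aead_open(self.ticket_key, ticket[:12], ticket[12:])
        return None if rs is None else aead_open(derive(rs, EARLY_LABEL), nonce, ct)


def run_option2():
    srv = StatefulServer()
    ticket, rs = srv.new_ticket()
    flight = client_0rtt(ticket, rs, b"GET /account")
    first, _ = srv.accept_0rtt(*flight)
    replay, _ = srv.accept_0rtt(*flight)  # captured flight replayed to the same server
    # Later compromise of everything the server still holds: try each remaining secret on the capture.
    recovered = [aead_open(derive(s, EARLY_LABEL), flight[1], flight[2]) for s in srv.tickets.values()]
    return {"first": first, "replay": replay, "recovered_after_compromise": [r for r in recovered if r]}


def run_option3():
    srv = StatelessServer()
    ticket, rs = srv.new_ticket()
    flight = client_0rtt(ticket, rs, b"GET /account")
    first = srv.accept_0rtt(*flight)
    replay = srv.accept_0rtt(*flight)
    # Later compromise of the long-lived ticket key unwraps the captured ticket, then the early data.
    rs_leaked = aead_open(srv.ticket_key, flight[0][:12], flight[0][12:])
    recovered = aead_open(derive(rs_leaked, EARLY_LABEL), flight[1], flight[2])
    return {"first": first, "replay": replay, "recovered_after_compromise": recovered}
```

`run_option2()` shows the replay rejected and nothing recoverable from later server state, `run_option3()` shows the replay accepted and the early data recoverable once the ticket key leaks. The option 2 store is per server, which is exactly the "same data center" limit in the message: a second server with its own store would still accept the replayed flight.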