Re: [TLS] 0-RTT, server Application Data, and client Finished
David Benjamin <davidben@chromium.org> Wed, 27 January 2016 01:58 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C283D1B3347 for <tls@ietfa.amsl.com>; Tue, 26 Jan 2016 17:58:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6gIRd_IL0JMB for <tls@ietfa.amsl.com>; Tue, 26 Jan 2016 17:58:52 -0800 (PST)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEADB1B32DB for <tls@ietf.org>; Tue, 26 Jan 2016 17:58:51 -0800 (PST)
Received: by mail-ig0-x22d.google.com with SMTP id t15so73458892igr.0 for <tls@ietf.org>; Tue, 26 Jan 2016 17:58:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=kbOwUUidN6jmRZ+s7F3ZMVDjp2A4+yjqNwXqqeB5/Lc=; b=JZQ/4a1ZKyhtQo9MpMeNgXlGTJkZJQ3kF40wJcEpuoNXk3f9qiIUNvU3iAcZOnl5g2 PGdCqWX+tqAoFFtcmX2FpXevIhx3+At0bTcrykxPOZpEcEm1QWPjc6PN8qvYwAzd0HzI n45OIfPFbku5EGtmqEtDOmohcSotu7wKYfot0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=kbOwUUidN6jmRZ+s7F3ZMVDjp2A4+yjqNwXqqeB5/Lc=; b=kaPdAA1bqf3J3sSyqO6TZmoz1dS0CqBPmPzj6lNHb4noQS44QyLJaqteiUD1GxHd9k EFEuwtepvdCTKPSWpVQpjWmZT3+6+E92FfzszViK2yUEM9F0zOqnyYBRH1xlsaeJCgVM y3fOqd7GPjS5xTi6UQk1CbOb2uQNfWp1Ue53uzcIURmVxIyFwiyqV8RJCce0nLk7+rgQ MBfWQ14nNEYxQxhq2SwQDjz1NJm+ELo07KN+l5jpyca1ZAPIGU/At71K89GKy3pE8ap0 2kZ2y/l8TQcTYqCuNZ/Y20HT9I/GGx5FxxzWaxVoGjv0kjcQ6+rQa1zLzGE+Xdn9UCU0 4H8w==
X-Gm-Message-State: AG10YOQBeXXYI31YRWzUiv2ULmtNuIBc6aTQDJNcoFyhT5uPnaU5MZbIlhYBrhEpBwW4utgoK3ApHuTX5+ZM8GG+
X-Received: by 10.50.13.102 with SMTP id g6mr27924252igc.77.1453859931076; Tue, 26 Jan 2016 17:58:51 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaCty7qjJGobr+god_TDo+q82hZx2FpOitLQ0ANctWBZ0g@mail.gmail.com> <CABkgnnXD5ZudUW7d2uQSSo1ULeOgxD97H5Sd0ZN3MXy9X6+4qA@mail.gmail.com>
In-Reply-To: <CABkgnnXD5ZudUW7d2uQSSo1ULeOgxD97H5Sd0ZN3MXy9X6+4qA@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 27 Jan 2016 01:58:40 +0000
Message-ID: <CAF8qwaCq7LzXp+5ULWYakLXar3_J1QmerfC7EpqHg1TXgxeu5A@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="089e013c66d6bf0cb7052a4724e9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/wUqectaDJUEaVgyoYcar4mGr5go>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT, server Application Data, and client Finished
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2016 01:58:53 -0000
On Tue, Jan 26, 2016 at 8:28 PM Martin Thomson <martin.thomson@gmail.com> wrote: > This is in part why I created: > https://github.com/tlswg/tls13-spec/pull/402 Ah, great. And indeed there is a paragraph I missed: """ At this point, the handshake is complete, and the client and server may exchange application layer data. Application data MUST NOT be sent prior to sending the Finished message. Note that while the server may send application data prior to receiving the client’s Authentication messages, any data sent at that point is of course being sent to an unauthenticated peer. """ In addition to the diagram, there's also some text in 6.3.4.3 which somewhat contradicts this (that's the paragraph I was going off of in writing this mail): """ [...] Once a side has sent its Finished message and received and validated the Finished message from its peer, it may begin to send and receive application data over the connection. This data will be protected under keys derived from the ephemeral secret (see Section 7). """ My understanding is that the server is able to send any data that does > not depend on client authentication at t=0.5 and any data that depends > on client authentication at either t=0.5 if it successfully consumes > the client authentication in the 0-RTT flight, or t=1.5 failing that. > This seems unnecessarily complicated and invites all the context-switching problems of mid-stream client auth in even more situations. If the server needs to send a CertificateRequest (i.e. the client mispredicted the 0-RTT Certificate/CertificateVerify) but otherwise has a 0-RTT hit, have it reject 0-RTT altogether. The 0-RTT is already all but useless because the first authenticated byte of the response is delayed to t=1.5. We should just say that 0-RTT accept + CertificateRequest is forbidden. If one really wants to, a la mid-stream[*] auth, send unauthenticated bytes at t=0.5 and then authenticated bytes at t=1.5, one could just as easily use mid-stream auth itself. The server accepts the 0-RTT without a CertificateRequest and, at t=0.5, sends the unauthenticated bytes followed by a mid-stream CertificateRequest. At t=1, the client processes the unauthenticated bytes, sees a mid-stream CertificateRequest, authenticates, which the server receives at t=1.5, sends authenticated bytes, received by the client at t=2. The same data arrives at the same times and we don't increase the state-space. David [*] Mid-stream auth is a serious regression, and I am not endorsing it in any way. But supposing it exists for the purposes of this thread... > On 27 January 2016 at 11:46, David Benjamin <davidben@chromium.org> wrote: > > It's possible I'm reading the draft wrong, so this thread may be a very > > short one. > > > > (t here is in units of RTT, so t=0 is when the client sends ClientHello > and > > t=0.5 is when the server receives ClientHello and sends ServerHello, t=1 > is > > when the client receives ServerHello, etc.) > > > > Looking at the Zero-RTT exchange here: > > https://tlswg.github.io/tls13-spec/#rfc.section.6.2.2 > > > > Is the intention that the client, even in the successful 0-RTT case, send > > two Finished messages (one at t=0 and one at t=1) and that the server not > > send application data until receiving the second of these at t=1.5? If > so, > > does this not defeat the purpose of 0-RTT? Although the client now > eagerly > > sends at t=0, it will not see the response until t=2, which is no better > > than the resumption case (in TLS 1.2 or 1.3) where the client doesn't > send > > until t=1. > > > > David > > > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls > > >
- [TLS] 0-RTT, server Application Data, and client … David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Martin Thomson
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Martin Thomson
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Martin Thomson
- Re: [TLS] 0-RTT, server Application Data, and cli… Bill Cox
- Re: [TLS] 0-RTT, server Application Data, and cli… Watson Ladd
- Re: [TLS] 0-RTT, server Application Data, and cli… Bill Cox
- Re: [TLS] 0-RTT, server Application Data, and cli… Martin Thomson
- Re: [TLS] 0-RTT, server Application Data, and cli… Watson Ladd
- Re: [TLS] 0-RTT, server Application Data, and cli… Salz, Rich
- Re: [TLS] 0-RTT, server Application Data, and cli… Andrei Popov
- Re: [TLS] 0-RTT, server Application Data, and cli… Yoav Nir
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Ilari Liusvaara
- Re: [TLS] 0-RTT, server Application Data, and cli… Andrei Popov
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Ilari Liusvaara
- Re: [TLS] 0-RTT, server Application Data, and cli… David Benjamin
- Re: [TLS] 0-RTT, server Application Data, and cli… Ilari Liusvaara