IETF Logo Mail Archive

Re: [TLS] 0-RTT, server Application Data, and client Finished

David Benjamin <davidben@chromium.org> Wed, 27 January 2016 01:58 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C283D1B3347 for <tls@ietfa.amsl.com>; Tue, 26 Jan 2016 17:58:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.379
X-Spam-Level:
X-Spam-Status: No, score=-1.379 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6gIRd_IL0JMB for <tls@ietfa.amsl.com>; Tue, 26 Jan 2016 17:58:52 -0800 (PST)
Received: from mail-ig0-x22d.google.com (mail-ig0-x22d.google.com [IPv6:2607:f8b0:4001:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BEADB1B32DB for <tls@ietf.org>; Tue, 26 Jan 2016 17:58:51 -0800 (PST)
Received: by mail-ig0-x22d.google.com with SMTP id t15so73458892igr.0 for <tls@ietf.org>; Tue, 26 Jan 2016 17:58:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-type; bh=kbOwUUidN6jmRZ+s7F3ZMVDjp2A4+yjqNwXqqeB5/Lc=; b=JZQ/4a1ZKyhtQo9MpMeNgXlGTJkZJQ3kF40wJcEpuoNXk3f9qiIUNvU3iAcZOnl5g2 PGdCqWX+tqAoFFtcmX2FpXevIhx3+At0bTcrykxPOZpEcEm1QWPjc6PN8qvYwAzd0HzI n45OIfPFbku5EGtmqEtDOmohcSotu7wKYfot0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-type; bh=kbOwUUidN6jmRZ+s7F3ZMVDjp2A4+yjqNwXqqeB5/Lc=; b=kaPdAA1bqf3J3sSyqO6TZmoz1dS0CqBPmPzj6lNHb4noQS44QyLJaqteiUD1GxHd9k EFEuwtepvdCTKPSWpVQpjWmZT3+6+E92FfzszViK2yUEM9F0zOqnyYBRH1xlsaeJCgVM y3fOqd7GPjS5xTi6UQk1CbOb2uQNfWp1Ue53uzcIURmVxIyFwiyqV8RJCce0nLk7+rgQ MBfWQ14nNEYxQxhq2SwQDjz1NJm+ELo07KN+l5jpyca1ZAPIGU/At71K89GKy3pE8ap0 2kZ2y/l8TQcTYqCuNZ/Y20HT9I/GGx5FxxzWaxVoGjv0kjcQ6+rQa1zLzGE+Xdn9UCU0 4H8w==
X-Gm-Message-State: AG10YOQBeXXYI31YRWzUiv2ULmtNuIBc6aTQDJNcoFyhT5uPnaU5MZbIlhYBrhEpBwW4utgoK3ApHuTX5+ZM8GG+
X-Received: by 10.50.13.102 with SMTP id g6mr27924252igc.77.1453859931076; Tue, 26 Jan 2016 17:58:51 -0800 (PST)
MIME-Version: 1.0
References: <CAF8qwaCty7qjJGobr+god_TDo+q82hZx2FpOitLQ0ANctWBZ0g@mail.gmail.com> <CABkgnnXD5ZudUW7d2uQSSo1ULeOgxD97H5Sd0ZN3MXy9X6+4qA@mail.gmail.com>
In-Reply-To: <CABkgnnXD5ZudUW7d2uQSSo1ULeOgxD97H5Sd0ZN3MXy9X6+4qA@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 27 Jan 2016 01:58:40 +0000
Message-ID: <CAF8qwaCq7LzXp+5ULWYakLXar3_J1QmerfC7EpqHg1TXgxeu5A@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Content-Type: multipart/alternative; boundary="089e013c66d6bf0cb7052a4724e9"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/wUqectaDJUEaVgyoYcar4mGr5go>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0-RTT, server Application Data, and client Finished
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jan 2016 01:58:53 -0000

On Tue, Jan 26, 2016 at 8:28 PM Martin Thomson <martin.thomson@gmail.com>
wrote:

> This is in part why I created:
> https://github.com/tlswg/tls13-spec/pull/402


Ah, great. And indeed there is a paragraph I missed:
"""
At this point, the handshake is complete, and the client and server may
exchange application layer data. Application data MUST NOT be sent prior to
sending the Finished message. Note that while the server may send
application data prior to receiving the client’s Authentication messages,
any data sent at that point is of course being sent to an unauthenticated
peer.
"""

In addition to the diagram, there's also some text in 6.3.4.3 which
somewhat contradicts this (that's the paragraph I was going off of in
writing this mail):
"""
[...] Once a side has sent its Finished message and received and validated
the Finished message from its peer, it may begin to send and receive
application data over the connection. This data will be protected under
keys derived from the ephemeral secret (see Section 7).
"""

My understanding is that the server is able to send any data that does
> not depend on client authentication at t=0.5 and any data that depends
> on client authentication at either t=0.5 if it successfully consumes
> the client authentication in the 0-RTT flight, or t=1.5 failing that.
>

This seems unnecessarily complicated and invites all the context-switching
problems of mid-stream client auth in even more situations.

If the server needs to send a CertificateRequest (i.e. the client
mispredicted the 0-RTT Certificate/CertificateVerify) but otherwise has a
0-RTT hit, have it reject 0-RTT altogether. The 0-RTT is already all but
useless because the first authenticated byte of the response is delayed to
t=1.5. We should just say that 0-RTT accept + CertificateRequest is
forbidden.

If one really wants to, a la mid-stream[*] auth, send unauthenticated bytes
at t=0.5 and then authenticated bytes at t=1.5, one could just as easily
use mid-stream auth itself. The server accepts the 0-RTT without a
CertificateRequest and, at t=0.5, sends the unauthenticated bytes followed
by a mid-stream CertificateRequest. At t=1, the client processes the
unauthenticated bytes, sees a mid-stream CertificateRequest, authenticates,
which the server receives at t=1.5, sends authenticated bytes, received by
the client at t=2. The same data arrives at the same times and we don't
increase the state-space.

David

[*] Mid-stream auth is a serious regression, and I am not endorsing it in
any way. But supposing it exists for the purposes of this thread...


> On 27 January 2016 at 11:46, David Benjamin <davidben@chromium.org> wrote:
> > It's possible I'm reading the draft wrong, so this thread may be a very
> > short one.
> >
> > (t here is in units of RTT, so t=0 is when the client sends ClientHello
> and
> > t=0.5 is when the server receives ClientHello and sends ServerHello, t=1
> is
> > when the client receives ServerHello, etc.)
> >
> > Looking at the Zero-RTT exchange here:
> > https://tlswg.github.io/tls13-spec/#rfc.section.6.2.2
> >
> > Is the intention that the client, even in the successful 0-RTT case, send
> > two Finished messages (one at t=0 and one at t=1) and that the server not
> > send application data until receiving the second of these at t=1.5? If
> so,
> > does this not defeat the purpose of 0-RTT? Although the client now
> eagerly
> > sends at t=0, it will not see the response until t=2, which is no better
> > than the resumption case (in TLS 1.2 or 1.3) where the client doesn't
> send
> > until t=1.
> >
> > David
> >
> > _______________________________________________
> > TLS mailing list
> > TLS@ietf.org
> > https://www.ietf.org/mailman/listinfo/tls
> >
>

v2.23.0 | Report a Bug | By Email