Re: [TLS] 0RTT and HelloRetryRequest (Re: Narrowing the replay window)

Martin Thomson <martin.thomson@gmail.com> Thu, 31 March 2016 05:30 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5284B12D0B5 for <tls@ietfa.amsl.com>; Wed, 30 Mar 2016 22:30:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o0l2cSQOU47Q for <tls@ietfa.amsl.com>; Wed, 30 Mar 2016 22:30:13 -0700 (PDT)
Received: from mail-io0-x235.google.com (mail-io0-x235.google.com [IPv6:2607:f8b0:4001:c06::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECC3112D0A9 for <tls@ietf.org>; Wed, 30 Mar 2016 22:30:12 -0700 (PDT)
Received: by mail-io0-x235.google.com with SMTP id q128so99714015iof.3 for <tls@ietf.org>; Wed, 30 Mar 2016 22:30:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=tkuj2IEigf1ZuQn3AhYIL9CA8Kl5q3YyBtmML3ehtaw=; b=GOKh/Qh2bEx6TNLI5q8aDPPcUvt633QugyQRFWeQsvVNmb3P3BkjFEgNhzhRtBciCN /plOrARKWoxcWGA9jaPEpvSfH7lLh+68viu+rcQSt5zXh74jzdGNzIebgFZYwsfocd9s G16L3355erbh7V3NTrDZZJjdHMZdhQ4T3acKJOCFPVpRqhAeEpsBou5Wmj1R6mLiyMUH 59CLf3VVIqqRsPDKO/cp0qkvjrHBzI5QjA750K9b6c0uNbmoUZVuszneNUcSgSbZ9cfm nzGWXEJ3n9rfPm3MiplzHMD1UsDsO+BSDycMSdYPfN8StaQru9DFc3pKB5O6W8LjOPQ4 +9wg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=tkuj2IEigf1ZuQn3AhYIL9CA8Kl5q3YyBtmML3ehtaw=; b=IePFP81sq20Gx3poJ/VqBMn7Sa7ixuSb0EusZvWMIuI/w2wcuPmwdOkPOACpvVKtbV kQzPFnqt2AOQFD9Tce/+fQ3iu2wtqKa13ywyWKxWVGJyhihhdtV60mlo8nIyX9pgh7Nm 8lAcJwNvYI8r+HPLvcZTm0dmAYnBzUeKqMJMZsCnjNZGw0pefcuzEjqe1TBYVqXV9hVi 6SPXuFDtpeShOclOImg81J1PJG1Wkdp+WDKkwX4Ehd+U8AO03h+fhQzGZXOAl7IYBaKg 1RWtRgUWGhUU9D/IOId5aezwJ962lhV0nNM/difnGoQbERjPqXOptAoO11X8v66NiAVr NpIQ==
X-Gm-Message-State: AD7BkJLFAQm403Fu0yjyiGK8UXLGJj3W4Ci1znBvuPsYfot2jL+Wwoa94xSCXlxMR3EOrPzQm0bxW/7uMGp/vg==
MIME-Version: 1.0
X-Received: by 10.107.137.100 with SMTP id l97mr3035391iod.100.1459402212397; Wed, 30 Mar 2016 22:30:12 -0700 (PDT)
Received: by 10.36.43.142 with HTTP; Wed, 30 Mar 2016 22:30:12 -0700 (PDT)
In-Reply-To: <20160331050928.GA1138@LK-Perkele-V2.elisa-laajakaista.fi>
References: <CABkgnnWVvpiUJMvUfMehdPC3T5ovF=ooOzP0=-TwK=L1v5SpOQ@mail.gmail.com> <20160331050928.GA1138@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Thu, 31 Mar 2016 16:30:12 +1100
Message-ID: <CABkgnnVJ_bd6p65M6EUYbOGjGbTEOfXHzYTEihF1FMJWEE9fOw@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/whXlWubW3ndLfCYgxw2cQ2JelqQ>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] 0RTT and HelloRetryRequest (Re: Narrowing the replay window)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 31 Mar 2016 05:30:14 -0000

On 31 March 2016 at 16:09, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>> I think that option 1 is easy enough, since both sides have to extend the
>> hash in any case. 3 is just complexity.
>
> Yeah, I agree 3 is just complexity. Except I disagree that currently
> option 1 is easy enough, since the hash going to creating 0-RTT keys
> is not tapped from the main hash (if it was, then continuing would be
> the simplest).

Yeah, I should get this straight in my own mind as well.  I was
assuming that we were going to take something akin to Karthik's
"contexts" proposal and that would eliminate the differences in
hashes.