Re: [TLS] Application layer interactions and API guidance

Kyle Rose <> Wed, 12 October 2016 19:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 315581294F4 for <>; Wed, 12 Oct 2016 12:55:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3jTCvt42idLa for <>; Wed, 12 Oct 2016 12:55:51 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id A115B1294D0 for <>; Wed, 12 Oct 2016 12:55:51 -0700 (PDT)
Received: by with SMTP id f6so27467683qtd.2 for <>; Wed, 12 Oct 2016 12:55:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ouTBcGJ/snLKu3W5DIiQDUIME2gVKh5a34mFyytToJk=; b=V9aO2O+hTKLeveUoRyIRCtXvJE/lDX35LiznuBbHkPw9P+TnsUeb0Pgxa2z5gXcWpX rTzaknvJehBPd+cRxogx/b1UCGbkX2TYHj1RMmQjmIYrZZhgMPyN5QSLMQAqoAOZJAJJ EPDMe0muz/CTrfQoGIJLRyCsyrrzYKYT2kmvQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ouTBcGJ/snLKu3W5DIiQDUIME2gVKh5a34mFyytToJk=; b=KYmBR7FROiM49fsmYbkhKfVQnmOFdOXjuJ+5fCIemx1tZ3KqQKhnyvqd03qPntdtpz VjeK+NXwy6gKrKcTAEfYQf8jIScx9H49EPSMmIXUXUOkYVfTO4HySTguDFQCMLKQ0h91 zMFYqed8yglZ9iHvhSb0TEgYv78dO+Gy1HwuQMmK+HCL2kseEEM5dpw+IAF3+sXwel33 i+MbOCxwqLEmSgIbZSDS8eWc8DwW8J7FZywxqz9+i4xPsEFdAyG7CqjNbfZSBjDSB908 PXzIbW4Cm9PL4TPoPpVtBS/NKjadRjjQdG0NGYdFgF2VJfzMoeT9QDv48JZxG6MW0f3F 9AjA==
X-Gm-Message-State: AA6/9RlxhiyEfejr/3+3K98fUq9aKffhLzepgvSlgvl0YUk+oyey/MK/zoWz/jxhIxaVX2TWM604qbo9m+eJoA==
X-Received: by with SMTP id a30mr3097651qta.25.1476302150717; Wed, 12 Oct 2016 12:55:50 -0700 (PDT)
MIME-Version: 1.0
Received: by with HTTP; Wed, 12 Oct 2016 12:55:49 -0700 (PDT)
X-Originating-IP: []
In-Reply-To: <>
References: <> <> <> <> <> <> <> <> <> <> <>
From: Kyle Rose <>
Date: Wed, 12 Oct 2016 15:55:49 -0400
Message-ID: <>
To: Ilari Liusvaara <>
Content-Type: multipart/alternative; boundary=001a113a8008466a7f053eb06191
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] Application layer interactions and API guidance
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 12 Oct 2016 19:55:54 -0000

On Wed, Oct 12, 2016 at 2:03 PM, Ilari Liusvaara <>

> > There's my confusion. I misinterpreted both the Zero-RTT diagram and the
> > table of handshake contexts under "Authentication Messages", specifically
> > "ClientHello ... later of EncryptedExtensions/CertificateRequest". I'm
> > guessing I should be looking at the 0-RTT row only? I.e., if 0-RTT is
> > accepted, is the second Finished message from the client ("{Finished}")
> the
> > same message encrypted differently (using the handshake traffic secret)?
> No, there is no difference in ClientFinished in case of 0-RTT accept or
> reject (other than the contents of the CH and EE hashed in).

Still confused. :-)

In the message flow for 0-RTT, there are two Finished messages sent from
client to server. One is sent right after CH, and is protected by the
client_early_traffic_secret: (Finished). The other is sent after the server
sends its Finished, and this is protected by the handshake_traffic_secret:

In the table under "Authentication Messages", there are four rows, one for
each Mode: 0-RTT, 1-RTT (Server), 1-RTT (Client), and Post-Handshake.

Which handshake context is used for the (Finished) message and which is
used for the {Finished} message?

The thing that protects the 0-RTT data from substitution is the record
> protection MACs that are made using key derived from the PSK secret. So
> if the PSK secret is unknown, the key for 0-RTT can't be derived, and
> as consequence, 0-RTT data can't be altered (there's end-of-data marker
> too, preventing truncation).

Altered is one thing, and I agree that is prevented; I'm talking about

> And basically, ServerFinished MAC covers everything up to that point,
> and ClientFinished MAC covers the entiere handshake (0-RTT data not
> included).

So client Finished doesn't protect 0-RTT data, but...

> You can't swap out 0-RTT data (without PSK keys). One can only create
> new connection attempts (that fail!) with the same 0-RTT data (and the
> same ClientHello) before or after the real connection (if any, it
> could be supressed, in which case you would get only failed handshakes
> with 0-RTT data).

This is exactly what I'm trying to understand. What specifically prevents
this swapping? I.e., what ties the 0-RTT data sent on a particular
connection to the rest of that connection, such that replacing that 0-RTT
data with 0-RTT data from a previous successful connection will cause a