Re: [TLS] Limiting replay time frame of 0-RTT data

Martin Thomson <martin.thomson@gmail.com> Tue, 15 March 2016 02:26 UTC


On 15 March 2016 at 13:22, Bill Cox <waywardgeek@google.com> wrote:
> In TLS 1.3, tickets are sent after the full handshake completes, after
> encryption is enabled for the connection.  Now, if an attacker has the
> ticket encryption key, it is not possible to decrypt old connections.  Is
> that right?  It looks to me like tickets have real PFS in TLS 1.3.
It's the properties of the session that matter here, not the tickets.

The tickets are sent in the clear in the resumed handshake.
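As an added illustration (not part of this thread, and a deliberately simplified toy key schedule rather than real TLS 1.3) of why the resumed session's properties, not the ticket delivery, decide what a leaked ticket-encryption key exposes: the ticket is delivered encrypted in the first handshake but presented in the clear in the resumed ClientHello, so a passive recorder holds it; the hypothetical `simulate` below checks which resumed-session keys become recoverable once the ticket key leaks, in `psk_ke` versus `psk_dhe_ke` mode.

```python
import hashlib, hmac, os

def prf(key, *parts):
    """HMAC-SHA256 over the concatenated parts; simplified stand-in for HKDF."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()

def seal_ticket(stek, resumption_secret):
    # Toy encrypt-then-MAC under the ticket key (STEK); real servers use an AEAD.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(resumption_secret, prf(stek, b"enc", nonce)))
    return nonce + ct + prf(stek, b"mac", nonce, ct)

def open_ticket(stek, ticket):
    nonce, ct, tag = ticket[:16], ticket[16:48], ticket[48:]
    if not hmac.compare_digest(tag, prf(stek, b"mac", nonce, ct)):
        return None
    return bytes(a ^ b for a, b in zip(ct, prf(stek, b"enc", nonce)))

def early_data_key(psk, client_hello):
    # 0-RTT key depends only on the PSK and the ClientHello (no ephemeral input).
    return prf(prf(b"\0" * 32, psk), b"c e traffic", client_hello)

def handshake_key(psk, client_hello, dhe_shared):
    # psk_dhe_ke mixes an ephemeral (EC)DHE secret in; psk_ke contributes zeros.
    early_secret = prf(b"\0" * 32, psk)
    return prf(prf(early_secret, b"derived", dhe_shared), b"c hs traffic", client_hello)

PSK_PREFIX = b"ClientHello:pre_shared_key="  # constructed stand-in for the extension

def simulate(mode):
    """Return which resumed-session keys a passive recorder recovers once the STEK leaks."""
    stek, resumption_secret = os.urandom(32), os.urandom(32)
    ticket = seal_ticket(stek, resumption_secret)  # delivered encrypted in the first session
    # On resumption the ticket travels in the clear in ClientHello, so it is recorded.
    client_hello = PSK_PREFIX + ticket
    dhe = os.urandom(32) if mode == "psk_dhe_ke" else b"\0" * 32
    real_early = early_data_key(resumption_secret, client_hello)
    real_hs = handshake_key(resumption_secret, client_hello, dhe)
    # Later the STEK leaks: the recorder opens the recorded ticket and gets the PSK,
    psk = open_ticket(stek, client_hello[len(PSK_PREFIX):])
    # but never learns the ephemeral DHE secret, so it can only supply zeros.
    return {"early_data": early_data_key(psk, client_hello) == real_early,
            "handshake": handshake_key(psk, client_hello, b"\0" * 32) == real_hs}
```

In the model, 0-RTT data is exposed in both modes and the rest of the resumed session only in `psk_ke`, which is why the DHE mode and short ticket-key rotation are the mitigations to look for.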