On Thu, Dec 24, 2015 at 4:26 PM, Dave Garrett <davemgarr...@gmail.com> wrote:
> On Thursday, December 24, 2015 03:40:26 pm Christian Huitema wrote: > > On Monday, December 21, 2015 6:30 PM, Martin Thomson wrote: > > > On 22 December 2015 at 13:25, Christian Huitema <huit...@microsoft.com > > > > > wrote: > > > >> Unless I'm confused (which is possible given the time of night), > > > >> the intention, as you say, is to separate out the 0-RTT handshake > > > >> messages i.e., (cert, cert verify, finished) from the 1-RTT > computations. > > > > > > > > OK. That does not simplify implementations using running hashes... > > > > > > It does if you consider the possibility of having to drop the 0-RTT > data. > > > > That's right. In fact, it may be a good idea to add to the spec a > description of a "Failed 0-RTT handshake." If I understand correctly, the > following will happen: > > > > * Server will receive the client hello, ignore the Early Data Indication > extension, and proceed as in 1-RTT. > > * Server will indicate that by not adding an Early Data Indication to > the server hello. > > * Server will receive a series of 0-RTT messages that it cannot > decipher, and just drop the messages. > > * Client will receive server hello, and proceed as per 1-RTT. Client API > will signal that 0-RTT data was lost, application may decide to retransmit. > > * Server may send client authentication requests. Client will have to > repeat the authentication messages, even if it already sent them as 0-RTT. > > > > In that scenario, the handshake hash cannot include the 0-RTT messages, > since the server does not in fact receive them, and they do not contribute > to the state of the connection. > > > > We can of course debate whether the 0-RTT messages should also not be > included in the hash if the 0-RTT exchange was successful, the messages > were received, and they contributed to the state of the connection. If they > are not included, then the "Finished" HMAC does not offer a protection > against tampering. This may open the possibility of some kind of > substitution or replay attack. > > > > The failed 0-RTT handshake scenario also has interesting consequences on > the Record layer. We have a legitimate scenario in which received records > cannot be decrypted. This should not trigger alarms. And the numbering > scheme should be robust against these missing records. > > Do we have anything that protects against an intermediary stripping 0RTT > messages from a handshake to force a fallback? > Yes: 1. The EarlyDataIndication tells the server that some 0-RTT messages are coming. 2. The Finished in the 0-RTT flight covers the entire handshake flight, thus preventing tampering with those messages. 3. The server's Finished covers the ClientHello, thus preventing tampering with that. -Ekr Could we just make the handshake hash use the encrypted messages, > regardless of if it can decrypt them? (maybe for all messages?) > > > Dave > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
