If a client nonce cache is used then the threat is essentially the same as with ordinary retries.
As far as forward secrecy, yes, the 0-RTT data loses some forward secrecy. I think this is a reasonable trade-off for a lot of use cases. Currently, TLS 1.2 implementations commonly use session tickets to improve performance. This actually sacrifices more forward secrecy (the whole connection, instead of just the initial client->server 0-RTT flight), for a smaller performance gain (it doesn't even save a round trip compared with TLS False Start). 0-RTT has a smaller forward secrecy cost and a larger benefit compared to the session tickets in use today.

Kyle

From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Colm MacCárthaigh
Sent: Monday, March 14, 2016 2:29 PM
To: Subodh Iyengar <sub...@fb.com>
Cc: tls@ietf.org
Subject: Re: [TLS] analysis of wider impact of TLS1.3 replayabe data

On Mon, Mar 14, 2016 at 11:04 AM, Subodh Iyengar <sub...@fb.com> wrote:
> Like Kyle mentioned, the thing that 0-RTT adds to this is infinite replayability. As mentioned in the other thread, we have ways to reduce the impact of infinitely replayable data for TLS, making it reasonably replay safe.

That too is a misunderstanding. The deeper problem is that a third party can do the replay, and that forward secrecy is gone for what likely is sensitive data. Neither is the case with ordinary retries.

--
Colm
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
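The "client nonce cache" that Kyle's reply refers to, worked out as an added example that is not part of the thread above and not any TLS stack's own code. The idea: the server remembers the nonces of 0-RTT requests it has already accepted within a short window, and rejects a request either when its nonce has been seen before or when the client's timestamp falls outside the window (so that a nonce old enough to have been evicted from the cache cannot be replayed later). Both checks together bound a third-party replay to "at most once per server", which is the same exposure as an ordinary client retry. The class and method names, the window length, and the sample ticket/nonce values are all assumptions made for illustration.

```python
"""Bounded anti-replay cache for 0-RTT application data (illustrative).

Added example, not code from the mailing-list thread or from any TLS
implementation. Names, window size and sample values are assumptions.
"""
import hashlib
import time
from collections import OrderedDict


class ZeroRttReplayCache:
    """Accept each (ticket, client nonce) pair at most once inside a window."""

    def __init__(self, window_seconds, clock=time.monotonic):
        self.window = window_seconds
        self.clock = clock
        # key -> server time when the request was first accepted;
        # insertion order is chronological, so FIFO expiry is valid.
        self._seen = OrderedDict()

    @staticmethod
    def _key(ticket_id, client_nonce):
        # Bind the nonce to the ticket so a nonce under one ticket cannot
        # collide with the same nonce under another.
        return hashlib.sha256(b"0rtt|" + ticket_id + b"|" + client_nonce).digest()

    def _expire(self, now):
        # Drop entries older than the window; the freshness check in
        # accept() guarantees they can never be accepted again anyway.
        while self._seen:
            key, first_seen = next(iter(self._seen.items()))
            if now - first_seen <= self.window:
                break
            self._seen.popitem(last=False)

    def accept(self, ticket_id, client_nonce, client_time):
        """Return 'ok', 'replay' or 'stale' for one 0-RTT request.

        client_time is the timestamp the client put inside its 0-RTT data;
        it is compared against the server clock so that requests outside the
        window are refused even after their nonce has left the cache.
        """
        now = self.clock()
        self._expire(now)
        if abs(now - client_time) > self.window:
            return "stale"
        key = self._key(ticket_id, client_nonce)
        if key in self._seen:
            return "replay"
        self._seen[key] = now
        return "ok"

    def size(self):
        return len(self._seen)


class FakeClock:
    """Deterministic clock for the offline demonstration."""

    def __init__(self, start):
        self.t = start

    def __call__(self):
        return self.t


def demo():
    """Run a constructed sequence: first use, replay, fresh nonce, late replay."""
    clock = FakeClock(1000.0)
    cache = ZeroRttReplayCache(window_seconds=10.0, clock=clock)
    ticket = b"ticket-A"  # constructed sample identifiers
    results = []
    results.append(cache.accept(ticket, b"nonce-1", 1000.0))  # first 0-RTT flight
    results.append(cache.accept(ticket, b"nonce-1", 1000.0))  # third-party replay
    results.append(cache.accept(ticket, b"nonce-2", 1000.0))  # genuine client retry
    clock.t = 1020.0                                          # window has passed
    results.append(cache.accept(ticket, b"nonce-1", 1000.0))  # replay after eviction
    return results, cache.size()


if __name__ == "__main__":
    print(demo())
```

Two things a deployment has to add that this single-process sketch leaves out: the cache must be shared (or the window made strict) across every server that can accept the same ticket, otherwise each server accepts the replay once; and client and server clocks must agree to within the window, so a window that is too tight will reject honest first attempts rather than replays.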