TLS 1.3 0-RTT introduces an “optimistic” mode where the client encrypts data that the server can then accept or reject.
In the case when the server rejects 0-RTT, the server is left in a somewhat ugly state where it will receive, in sequence: (a) encrypted 0-RTT handshake data (that it needs to throw away) (b) encrypted 0-RTT application data (that it needs to throw away) (c) encrypted 1-RTT handshake data (that it needs to process) Since we have removed content types from the record headers of encrypted messages, these 3 flights of messages look the same. So, the current draft requires the server to “trial decrypt” each message with the 1-RTT Handshake keys, in order to detect where (c) begins, and to discard packets that do not decrypt correctly. The situation can be even worse. Suppose the client sends a ClientHello and 0-RTT data, the server responds with a HelloRetryRequest, and now the client sends a new ClientHello and new 0-RTT data. In this case, we have (a), (b), (a), (b), (c); that is, the server needs to skip 4 flights of messages by trial decryption before getting to the 1-RTT handshake data. This seems inefficient and inelegant, and it may open up a new attack vector where an attacker may sent many messages and get the server to decrypt them under the same key (and same IV, etc). In other modes of TLS, a single decryption failure would close the connection, so this mode of attack is new and we may need to take care. Here is a proposal that would avoid trial decryption. When the client sends 0-RTT application data, it currently ends this flight of messages with an encrypted end_of_early data warning alert. How about: if the server rejects trial decryption, the client must then send an *unencrypted* end_of_early_data warning alert before continuing with 1-RTT handshake data. The server could then easily discard all records until it sees this warning alert. The main disadvantage of this approach seems to be that it reveals to the adversary the point at which the 0-RTT application data ends (if this is sensitive information.) However, note that if the length of 0-RTT data was sensitive, an attacker could probably already obtain it by delaying the server flight. Does anyone see other practical or security disadvantages to using this alert? Best regards, Karthik _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
