On 05/02/2017 02:31 PM, Nico Williams wrote:
> On Tue, May 02, 2017 at 02:28:37PM -0500, Benjamin Kaduk wrote:
>> On 05/02/2017 02:20 PM, Nico Williams wrote:
>>> On Tue, May 02, 2017 at 02:17:17PM -0500, Benjamin Kaduk wrote:
>>>> [ stuff about 1.2 elided ]
>>> OK, sure, but why not avoid the problem in the first place in 1.3 by
>>> sending an encrypted timestamp authenticator (sound familiar?).
>> If you mean an actual timestamp, see my previous reply about clock accuracy.
> Kerberos deals with that.
>
>> If you mean an encrypted relative time, well, that's what it is. The
>> encryption is incredibly ad hoc, and requires that the key only be used
>> once, but the whole thing started by thinking of it as a super-janky
>> encryption scheme. See
>> https://www.ietf.org/mail-archive/web/tls/current/msg20373.html and nearby.
> Yeah, it's an XOR with a one-time pad that... gets reused if you reuse
> the ticket. OF COURSE that fails. Everyone knows not to reuse one-time
> pads.
>
> So, in 1.3, at least with 0-rtt, can we replace this with a proper
> encryption?
>

If you reuse the ticket, the only concrete stated benefit from this encryption is lost already. What benefit would be gained from using better encryption for ticket_age_add?

-Ben
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
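
Added illustration, not part of the original message or of any TLS implementation: a small model of the ticket-age masking discussed in this thread, showing that the per-ticket mask cancels out of the on-the-wire values when one ticket is presented more than once. It assumes the modular-addition form specified in RFC 8446 (the thread describes the mask as an XOR pad, which cancels analogously); the function names and all sample values are constructed for this example.

```python
MOD = 1 << 32  # obfuscated_ticket_age is a 32-bit field


def obfuscate(ticket_age_ms, ticket_age_add):
    """Client side: mask the ticket age (milliseconds) before sending it."""
    return (ticket_age_ms + ticket_age_add) % MOD


def recover_age(obfuscated, ticket_age_add):
    """Server side: strip the mask it issued together with the ticket."""
    return (obfuscated - ticket_age_add) % MOD


def wire_delta(obf_first, obf_second):
    """Difference computable from two cleartext obfuscated_ticket_age values."""
    return (obf_second - obf_first) % MOD


# Constructed sample data. The same ages are used in both scenarios purely
# so that the two results can be compared side by side.
AGES_MS = [1_500, 61_500, 3_601_500]
REUSED_ADD = 0xA5C319F0                            # one ticket, one mask
FRESH_ADDS = [0x1B2E77D4, 0xC09A0013, 0x5F44E8A1]  # one mask per ticket


def deltas_with_reused_ticket():
    """Same ticket presented three times: the mask cancels in every delta."""
    wire = [obfuscate(age, REUSED_ADD) for age in AGES_MS]
    return [wire_delta(wire[0], w) for w in wire[1:]]


def deltas_with_single_use_tickets():
    """Fresh ticket per connection: each delta still carries unknown masks."""
    wire = [obfuscate(age, add) for age, add in zip(AGES_MS, FRESH_ADDS)]
    return [wire_delta(wire[0], w) for w in wire[1:]]


if __name__ == "__main__":
    true_gaps = [age - AGES_MS[0] for age in AGES_MS[1:]]
    print("true gaps (ms):      ", true_gaps)
    print("reused ticket deltas:", deltas_with_reused_ticket())
    print("single-use deltas:   ", deltas_with_single_use_tickets())
```

With the reused ticket the wire deltas equal the real time gaps between connections; with single-use tickets they do not, which is the property that depends on each mask being used once.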