On Mon, Jun 26, 2017 at 11:16:02AM -0700, Eric Rescorla wrote:
> OK, I'll move this out of the "if you can do a lot of replays" section

Another thing: The PR briefly mentions to be careful with 0-RTT exporters, but nothing concrete-looking.

If 0-RTT data is replayed and the replay accepted, all replays share the same 0-RTT exporter values. This causes two kinds of problems:

1) If 0-RTT exporters are used for authentication, then an attacker in possession of resumption secret and DHE key (if any) can replay the generated tokens to another connection with replayed 0-RTT, even without the better-protected authentication key.

2) If 0-RTT exporters are used for key material for to-client direction, then the replays will have the same keying material, which is highly dangerous with many encryption algorithms.

-Ilari
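The property described in the message above, as an added example that is not part of the original mail or of the TLS draft text: a simplified model of the key schedule showing that the early exporter depends only on the PSK and the ClientHello, while the post-handshake exporter also covers the server's fresh contribution. It assumes the label format of RFC 8446, SHA-256, PSK-only resumption, and a transcript reduced to ClientHello plus ServerHello; the PSK, the messages and the `EXPORTER-demo` label are constructed for illustration.

```python
import hashlib, hmac, os

H = hashlib.sha256
ZEROS = bytes(H().digest_size)

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, H).digest()

def hkdf_expand_label(secret, label, context, length):
    # HkdfLabel structure; one HMAC block is enough because length <= 32 here.
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hmac.new(secret, info + b"\x01", H).digest()[:length]

def derive_secret(secret, label, messages):
    return hkdf_expand_label(secret, label, H(messages).digest(), H().digest_size)

def exporter(master, label, context, length=32):
    tmp = derive_secret(master, label, b"")
    return hkdf_expand_label(tmp, b"exporter", H(context).digest(), length)

def server_accepts(psk, client_hello, dhe=ZEROS):
    """Model one server accepting a (possibly replayed) 0-RTT ClientHello.

    Returns (early_exporter_value, post_handshake_exporter_value).
    """
    early = hkdf_extract(ZEROS, psk)
    # Early exporter master secret: inputs are the PSK and ClientHello only.
    early_exp = derive_secret(early, b"e exp master", client_hello)
    # Fresh server random per connection (assumed simplified ServerHello).
    server_hello = b"ServerHello" + os.urandom(32)
    hs = hkdf_extract(derive_secret(early, b"derived", b""), dhe)
    master = hkdf_extract(derive_secret(hs, b"derived", b""), ZEROS)
    # Simplification: the real transcript runs through the server Finished.
    full_exp = derive_secret(master, b"exp master", client_hello + server_hello)
    return (exporter(early_exp, b"EXPORTER-demo", b""),
            exporter(full_exp, b"EXPORTER-demo", b""))

def demo():
    psk = bytes(range(32))                     # constructed resumption PSK
    client_hello = b"ClientHello" + bytes(32)  # constructed, replayed byte-for-byte
    return server_accepts(psk, client_hello), server_accepts(psk, client_hello)

if __name__ == "__main__":
    (e1, f1), (e2, f2) = demo()
    print("early exporter identical across replays:", e1 == e2)
    print("post-handshake exporter identical:      ", f1 == f2)
```

Anything keyed or authenticated from the early exporter value is therefore identical on every accepted replay, which is why 0-RTT acceptance needs replay protection before such values are used.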