On Tue, Jun 27, 2017 at 11:49 AM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:
> On Mon, Jun 26, 2017 at 11:16:02AM -0700, Eric Rescorla wrote: > > OK, I'll move this out of the "if you can do a lot of replays" section > > > > Another thing: > > The PR briefly mentions to be careful with 0-RTT exporters, but nothing > concrete-looking. > > > If 0-RTT data is replayed and the replay accepted, all replays share the > same 0-RTT exporter values. This causes two kinds of problems: > > 1) If 0-RTT exporters are used for authentication, then an attacker > in possession of resumption secret and DHE key (if any) can replay the > generated tokens to another connection with replayed 0-RTT, even > without the better-protected authentication key. > I think this mostly belongs with the token binding spec, but I added a little bit here. 2) If 0-RTT exporters are used for key material for to-client > direction, then the replays will have the same keying material, which > is highly dangerous with many encryption algorithms. > Right. One should not do this. I added text. -Ekr > > > -Ilari >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
