On 10/30/2017 04:51 AM, Jānis Čoders wrote:
> Thank you. Ok, I understand that some servers could not allow reuse of
> cookie, but why is it FORBIDDEN by the standard? It could be suggested to
> not reuse in general cases, but if I wanted to use TLS 1.3 with my
> custom server, which uses cookies to only prevent spoofing attacks (in
> the UDP (DTLS) case), and clients know that they can reuse previous
> cookies for fast handshake, then why would it be prohibited?
>
The standard must ensure that compliant clients interoperate with compliant servers. Compliant servers are permitted (expected, even, for DTLS!) to offload state such as the handshake hash into the cookie. A client that reused a cookie from an old connection on a new connection to such a server would fail to interoperate, as the server would use the wrong handshake transcript. Ergo, the spec strictly forbids clients from implementing this behavior in order to preserve interoperability.

There is "nothing" to stop some actor from deploying a noncompliant implementation on their own private network where interoperability with compliant implementations is not needed, but of course then that actor must take responsibility for any changes to the security and privacy properties as a result of those noncompliant modifications. In this case, for example, the routability proof embedded in the cookie could become stale with time (in case of readdressing), and the repeated cookie provides linkability between ClientHellos from the same client (to an adversary observing at some point in the middle of the network), for a start. No one could guarantee that there are not more changes to the security and privacy properties than those already listed, of course.

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
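The failure modes Ben describes, as an added example that is not code from this thread or from any TLS implementation (the cookie layout, the HMAC key, the addresses and the ClientHello bytes are constructed assumptions, not RFC 8446's exact encoding): a stateless server packs the hash of the first ClientHello into an HMAC-protected cookie, so a cookie reused on a new connection yields a transcript the client cannot match, a readdressed client fails the tag check, and an old cookie is rejected as a stale routability proof.

```python
import hmac, hashlib, os, struct

# Constructed illustration (not RFC 8446's exact encoding, not any real
# implementation): a stateless server stores everything it needs in an
# HMAC-protected cookie: issue time || SHA-256(ClientHello1) || tag.
COOKIE_KEY = os.urandom(32)  # assumed per-server secret
COOKIE_LEN = 4 + 32 + 32

def issue_cookie(client_addr: str, client_hello1: bytes, now: int) -> bytes:
    body = struct.pack(">I", now) + hashlib.sha256(client_hello1).digest()
    tag = hmac.new(COOKIE_KEY, client_addr.encode() + body, hashlib.sha256).digest()
    return body + tag

def check_cookie(cookie: bytes, client_addr: str, now: int, max_age: int = 60):
    """Return (SHA-256(ClientHello1), 'ok') or (None, reason)."""
    if len(cookie) != COOKIE_LEN:
        return None, "malformed"
    body, tag = cookie[:36], cookie[36:]
    expected = hmac.new(COOKIE_KEY, client_addr.encode() + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad tag: forged, or client address changed"
    (issued,) = struct.unpack(">I", body[:4])
    if now - issued > max_age:
        return None, "stale routability proof"
    return body[4:], "ok"

def transcript_hash(hello1_hash: bytes, client_hello2: bytes) -> str:
    # TLS 1.3 replaces ClientHello1 in the transcript by its hash, so the
    # server needs only the hash it recovered from the cookie.
    return hashlib.sha256(hello1_hash + client_hello2).hexdigest()

def handshake(client_addr: str, hello1: bytes, cookie: bytes, now: int) -> str:
    """Client sent hello1 earlier and now retries with `cookie`; compare
    the transcript each side derives and report the outcome."""
    hello2 = hello1 + b"|cookie"  # constructed stand-in for CH2 = CH1 + cookie ext
    hello1_hash, status = check_cookie(cookie, client_addr, now)
    if hello1_hash is None:
        return status
    server_th = transcript_hash(hello1_hash, hello2)
    client_th = transcript_hash(hashlib.sha256(hello1).digest(), hello2)
    return "ok" if server_th == client_th else "transcript mismatch: Finished will fail"

def demo() -> tuple:
    addr, ch1_a, ch1_b = "192.0.2.10:4433", b"ClientHello[random=A]", b"ClientHello[random=B]"
    cookie_a = issue_cookie(addr, ch1_a, now=1000)
    return (handshake(addr, ch1_a, cookie_a, now=1001),                 # fresh retry
            handshake(addr, ch1_b, cookie_a, now=1002),                 # cookie reused on new connection
            handshake("198.51.100.7:4433", ch1_a, cookie_a, now=1003),  # client readdressed
            handshake(addr, ch1_a, cookie_a, now=2000))                 # reused much later
```

Only the first case completes; the other three are exactly the interoperability, readdressing and staleness problems the reply lists, and the reused cookie in the second case is also the byte-identical value an on-path observer could use to link the two ClientHellos.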