Re: [TLS] Call for consensus: Removing DHE-based 0-RTT

Wed, 30 Mar 2016 18:42:49 -0700 

Hi Eric,

Thank you for the reply.

On Tue, Mar 29, 2016 at 10:57 AM, Eric Rescorla <e...@rtfm.com> wrote:
>
> On Tue, Mar 29, 2016 at 10:14 AM, Wan-Teh Chang <w...@google.com> wrote:
>>
>> [...] I am curious to know how we concluded that 0-RTT PSK is simpler to
>> implement. Did anyone implement both 0-RTT modes and can compare the
>> difficulties?
>
> We have a prototype 0-RTT PSK implementation and have looked at but not yet
> implemented 0-RTT DHE in NSS. Based on that, my sense is that the cost of
> doing any 0-RTT is the bulk of the additional effort, but that if you have
> PSK already, which you probably want for ordinary resumption, then the
> incremental cost of 0-RTT with PSK is less than with DHE.

By analyzing Sections 7.1 and 7.3 of draft-ietf-tls-tls13-12. I think
I understand what you meant.

For convenience I reproduce the table at the top of page 74:

   +-----------------+------------------------+------------------------+
   | Key Exchange    |     Static Secret (SS) |  Ephemeral Secret (ES) |
   +-----------------+------------------------+------------------------+
   | (EC)DHE (full   |    Client ephemeral w/ |    Client ephemeral w/ |
   | handshake)      |       server ephemeral |       server ephemeral |
   |                 |                        |                        |
   | (EC)DHE (w/     |    Client ephemeral w/ |    Client ephemeral w/ |
   | 0-RTT)          |          server static |       server ephemeral |
   |                 |                        |                        |
   | PSK             |         Pre-Shared Key |         Pre-shared key |
   |                 |                        |                        |
   | PSK + (EC)DHE   |         Pre-Shared Key |    Client ephemeral w/ |
   |                 |                        |       server ephemeral |
   +-----------------+------------------------+------------------------+

In a PSK session resumption handshake, we always use the same (third)
row, with or without 0-RTT.

On the other hand, in a full handshake, without 0-RTT we use the first
row, and with 0-RTT we use the second row.

Is this what you meant?

But if you already implemented the first row, which is a must, the
incremental effort to implement the second row seems small -- you just
need to use server static instead of server ephemeral for SS.

Wan-Teh Chang

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to