On Tue, May 02, 2017 at 07:44:35AM -0700, Colm MacCárthaigh wrote:
> On Sunday at the TLS:DIV workshop I presented a summary of findings of a
> security review we did on TLS1.3 0-RTT, as part of implementing 1.3 in s2n.
> Thanks to feedback in the room I've now tightened up the findings from the
> review and posted them as an issue on the draft GitHub repo:
> 
> https://github.com/tlswg/tls13-spec/issues/1001

What I didn't see in the summary, but I think might be relevant in
relation to 0-RTT:

There is a thing called the 0-RTT exporter, which are exporter values
available during 0-RTT transmission.

If the server uses the 0-RTT exporter and doesn't enforce non-replay, the
value grossly fails to be a "nonce", which means it is likely unsafe to
use for authentication.

Unfortunately, there are protocols that are already discussing the
use of the TLS 1.3 0-RTT exporter, and switching to the "full" exporter.
Unfortunately, the easiest way is not to switch, which means the
possibly weak 0-RTT exporter will be used for authenticating even
non-replayable data.



-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
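
The replay property described in the message above, as an added example that is not part of the original post or of any TLS implementation: the early exporter is derived only from the PSK and the ClientHello, so a replayed ClientHello yields the same value, while the full exporter also covers the server's fresh random. It assumes the key schedule labels as published in RFC 8446 with SHA-256 and PSK-only key exchange; the handshake bytes and the label `EXPORTER-example-auth` are constructed placeholders.

```python
import hashlib, hmac, os

H, HLEN = hashlib.sha256, 32
ZERO = b"\0" * HLEN

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, H).digest()

def hkdf_expand_label(secret, label, context, length):
    # HkdfLabel = uint16 length || opaque "tls13 " + label || opaque context
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    out, t, i = b"", b"", 1
    while len(out) < length:          # HKDF-Expand (RFC 5869)
        t = hmac.new(secret, t + info + bytes([i]), H).digest()
        out, i = out + t, i + 1
    return out[:length]

def derive_secret(secret, label, messages):
    return hkdf_expand_label(secret, label, H(messages).digest(), HLEN)

def export(exp_master, label, context, length=32):
    # TLS-Exporter(label, context_value, key_length)
    per_label = derive_secret(exp_master, label, b"")
    return hkdf_expand_label(per_label, b"exporter", H(context).digest(), length)

def early_exporter(psk, client_hello, label, context):
    early = hkdf_extract(ZERO, psk)
    return export(derive_secret(early, b"e exp master", client_hello), label, context)

def full_exporter(psk, transcript, label, context, dhe=ZERO):
    early = hkdf_extract(ZERO, psk)
    hs = hkdf_extract(derive_secret(early, b"derived", b""), dhe)
    master = hkdf_extract(derive_secret(hs, b"derived", b""), ZERO)
    return export(derive_secret(master, b"exp master", transcript), label, context)

def replay_demo():
    psk = bytes(range(32))                            # constructed resumption PSK
    ch = b"constructed ClientHello carrying early_data"  # placeholder bytes
    label = b"EXPORTER-example-auth"                  # hypothetical exporter label
    # The same ClientHello delivered twice: the original and a replayed copy.
    early = [early_exporter(psk, ch, label, b"") for _ in range(2)]
    full = []
    for _ in range(2):
        server_flight = b"ServerHello" + os.urandom(32)  # fresh server random
        full.append(full_exporter(psk, ch + server_flight, label, b""))
    return early[0] == early[1], full[0] == full[1]

if __name__ == "__main__":
    print(replay_demo())
```

A server that binds authentication to the early exporter therefore needs its own anti-replay enforcement, since nothing in the derivation changes between the original flight and a replayed copy.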
