IMHO what we have is a facility in TLS 1.3 that:

1. Requires extraordinary effort on the server side to mitigate replay (for all but the smallest deployments);
2. Offers no way for the client to determine whether the server is mitigating replay (before replay becomes possible);
3. Is trivial to enable on the client and improves connection latency;
4. Eliminates a nonce that other protocols (used to) rely on.

While it is true that there are cases where this facility is beneficial, there is no doubt that it will be widely misused, in both applications and protocols.

Cheers,

Andrei

-----Original Message-----
From: TLS [mailto:tls-boun...@ietf.org] On Behalf Of Ilari Liusvaara
Sent: Thursday, May 4, 2017 2:35 AM
To: Colm MacCárthaigh <c...@allcosts.net>
Cc: tls@ietf.org
Subject: Re: [TLS] Security review of TLS1.3 0-RTT

On Tue, May 02, 2017 at 07:44:35AM -0700, Colm MacCárthaigh wrote:
> On Sunday at the TLS:DIV workshop I presented a summary of findings of
> a security review we did on TLS1.3 0-RTT, as part of implementing 1.3 in s2n.
> Thanks to feedback in the room I've now tightened up the findings from
> the review and posted them as an issue on the draft GitHub repo:
>
> https://github.com/tlswg/tls13-spec/issues/1001

What I didn't see in the summary, but I think might be relevant in relation to 0-RTT:

There is a thing called 0-RTT exporter, which are exporter values available during 0-RTT transmission. If the server uses 0-RTT exporter and doesn't enforce non-replay, the value grossly fails to be "nonce", which means it is likely unsafe to use for authentication.

Unfortunately, there are protocols that are already discussing the use of TLS 1.3 0-RTT exporter, and switching to "full" exporter. Unfortunately, the easiest way is not to switch, which means the possibly weak 0-RTT exporter will be used for authenticating even non-replayable data.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
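
The point in the quoted message about the 0-RTT exporter, as an added example that is not part of the original thread: a reduced RFC 8446 key schedule (SHA-256) showing that a server accepting the same ClientHello twice derives the same early exporter value but a different full exporter, followed by a single-node ClientHello record that refuses early data on the second sighting. The PSK, the ClientHello bytes, the label `EXPORTER-demo` and the random stand-ins for the server's handshake contribution are constructed for illustration.

```python
import hashlib, hmac, os

H, HLEN = hashlib.sha256, 32

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, H).digest()

def hkdf_expand_label(secret, label, context, length=HLEN):
    # RFC 8446 HkdfLabel; one HMAC block is enough because length <= HLEN.
    full = b"tls13 " + label
    info = (length.to_bytes(2, "big") + bytes([len(full)]) + full
            + bytes([len(context)]) + context)
    return hmac.new(secret, info + b"\x01", H).digest()[:length]

def derive_secret(secret, label, messages):
    return hkdf_expand_label(secret, label, H(messages).digest())

def tls_exporter(exp_master, label, context=b""):
    return hkdf_expand_label(derive_secret(exp_master, label, b""),
                             b"exporter", H(context).digest())

def server_handshake(psk, client_hello, label=b"EXPORTER-demo"):
    """Return (early exporter, full exporter) for one accepted handshake."""
    early = hkdf_extract(bytes(HLEN), psk)
    early_exp = derive_secret(early, b"e exp master", client_hello)
    # Assumption: random bytes stand in for the server's fresh contribution
    # (ECDHE shared secret, ServerHello..server Finished transcript).
    ecdhe, server_flight = os.urandom(32), os.urandom(64)
    hs = hkdf_extract(derive_secret(early, b"derived", b""), ecdhe)
    master = hkdf_extract(derive_secret(hs, b"derived", b""), bytes(HLEN))
    full_exp = derive_secret(master, b"exp master", client_hello + server_flight)
    return tls_exporter(early_exp, label), tls_exporter(full_exp, label)

class ClientHelloRegister:
    """Single-node ClientHello recording: accept early data once per hello."""
    def __init__(self):
        self.seen = set()
    def accept_early_data(self, client_hello):
        digest = H(client_hello).digest()
        if digest in self.seen:
            return False          # replay: fall back to a full 1-RTT handshake
        self.seen.add(digest)
        return True

if __name__ == "__main__":
    psk, hello = bytes(range(32)), b"constructed ClientHello bytes"
    first, replay = server_handshake(psk, hello), server_handshake(psk, hello)
    print("early exporter repeats:", first[0] == replay[0])
    print("full exporter repeats: ", first[1] == replay[1])
```

The register only protects the one process that holds it; servers that share a PSK but not this state each accept the same ClientHello once.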