Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Mon, Dec 28, 2015 at 06:46:02AM -0500, Eric Rescorla wrote: > On Sun, Dec 27, 2015 at 11:55 PM, Christian Huitema > wrote: > > > For DTLS, we have to consider the packet injection threat. It is fairly > > easy to send some random bytes with a fake source to a UDP

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

From: Eric Rescorla [mailto:e...@rtfm.com] Sent: Monday, December 28, 2015 1:46 AM To: Christian Huitema Cc: Dave Garrett ; tls@ietf.org Subject: Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash? On Sun, Dec 27,

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Mon, Dec 28, 2015 at 4:49 PM, Ilari Liusvaara wrote: > On Mon, Dec 28, 2015 at 06:46:02AM -0500, Eric Rescorla wrote: > > On Sun, Dec 27, 2015 at 11:55 PM, Christian Huitema < > huit...@microsoft.com> > > wrote: > > > > > For DTLS, we have to consider the packet

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Mon, Dec 28, 2015 at 06:59:48PM -0500, Eric Rescorla wrote: > On Mon, Dec 28, 2015 at 4:49 PM, Ilari Liusvaara > wrote: > > > > Also, on topic of DTLS 1.3... It occurs to me that naively doing it > > would leave it open to "fragementation attacks" a'la IPv6. > > > >

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Saturday, December 26, 2015 9:08 PM, Dave Garrett wrote: > On Thursday, December 24, 2015 08:08:25 pm Eric Rescorla wrote: > > Well, this is a general requirement any time the record MAC is bad: > > See > https://na01.safelinks.protection.outlook.com/?url=http%3a%2f%2ftlswg.gith >

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Sunday, December 27, 2015 11:55:16 pm Christian Huitema wrote: > On Saturday, December 26, 2015 9:08 PM, Dave Garrett wrote: > > On Thursday, December 24, 2015 08:08:25 pm Eric Rescorla wrote: > > > Well, this is a general requirement any time the record MAC is bad: > > > See > >

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Thu, Dec 24, 2015 at 5:01 PM, Dave Garrett wrote: > On Thursday, December 24, 2015 04:48:58 pm Eric Rescorla wrote: > > On Thu, Dec 24, 2015 at 4:26 PM, Dave Garrett > > wrote: > > > Do we have anything that protects against an intermediary

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Thu, Dec 24, 2015 at 4:26 PM, Dave Garrett wrote: > On Thursday, December 24, 2015 03:40:26 pm Christian Huitema wrote: > > On Monday, December 21, 2015 6:30 PM, Martin Thomson wrote: > > > On 22 December 2015 at 13:25, Christian Huitema > > >

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Thursday, December 24, 2015 03:40:26 pm Christian Huitema wrote: > On Monday, December 21, 2015 6:30 PM, Martin Thomson wrote: > > On 22 December 2015 at 13:25, Christian Huitema > > wrote: > > >> Unless I'm confused (which is possible given the time of night), > > >>

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Thursday, December 24, 2015 04:48:58 pm Eric Rescorla wrote: > On Thu, Dec 24, 2015 at 4:26 PM, Dave Garrett > wrote: > > Do we have anything that protects against an intermediary stripping 0RTT > > messages from a handshake to force a fallback? > > Yes: > 1. The

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Thu, Dec 24, 2015 at 3:40 PM, Christian Huitema wrote: > On Monday, December 21, 2015 6:30 PM, Martin Thomson wrote: > > > > On 22 December 2015 at 13:25, Christian Huitema > > wrote: > > >> Unless I'm confused (which is possible given the time

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Monday, December 21, 2015 6:30 PM, Martin Thomson wrote: > > On 22 December 2015 at 13:25, Christian Huitema > wrote: > >> Unless I'm confused (which is possible given the time of night), > >> the intention, as you say, is to separate out the 0-RTT handshake > >>

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

> You're referring the editor's copy (WIP-11), right? Yes. ... > I was just going over this text today and realized it's kind of confusing > (and the whole "handshake_hash" abstraction is starting to be less useful > in light of the PR#316 reframing of the authentication block). Yes, the

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Monday, December 21, 2015 09:25:44 pm Christian Huitema wrote: > > I was just going over this text today and realized it's kind of confusing > > (and the whole "handshake_hash" abstraction is starting to be less useful > > in light of the PR#316 reframing of the authentication block). > > Yes,

[TLS] What does it mean to not include 0-RTT message in the handshake hash?

The handshake hash specification in section 7.1 says: Where handshake_hash includes all messages up through the server CertificateVerify message, but not including any 0-RTT handshake messages (the server's Finished is not included because the master_secret is need to compute the

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Mon, Dec 21, 2015 at 5:49 PM, Christian Huitema wrote: > The handshake hash specification in section 7.1 says: > You're referring the editor's copy (WIP-11), right? > Where handshake_hash includes all messages up through the > server CertificateVerify message,

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On Mon, Dec 21, 2015 at 6:33 PM, Dave Garrett wrote: > On Monday, December 21, 2015 09:25:44 pm Christian Huitema wrote: > > > I was just going over this text today and realized it's kind of > confusing > > > (and the whole "handshake_hash" abstraction is starting to be

Re: [TLS] What does it mean to not include 0-RTT message in the handshake hash?

On 22 December 2015 at 13:25, Christian Huitema wrote: >> Unless I'm confused (which is possible given the time of night), >> the intention, as you say, is to separate out the 0-RTT handshake >> messages i.e., (cert, cert verify, finished) from the 1-RTT computations. > >