Hiya, On 29/12/16 17:37, Adam Langley wrote: > https://github.com/tlswg/tls13-spec/pull/840 is a pull request that > specifies that (EC)DH values must be fresh for both parties in TLS > 1.3. > > For clients, this is standard practice (as far as I'm aware) so should > make no difference. For servers, this is not always the case: > > Springall, Durumeric & Halderman note[1] that with TLS 1.2: > ∙ 4.4% of the Alexa Top 1M reuse DHE values and 1.3% do so for more > than a day. > ∙ 14.4% of the Top 1M reuse ECDHE values, 3.4% for more than a day. ...
As an individual, I'd be in favour of this change but reading over [1], section 5, I wondered if we'd analysed the effects of 0rtt/replayable-data with that kind of cross-domain re-use in mind? The situation being where session ID based caches or session ticket equivalents in tls1.3 are shared over multiple domains. I don't recall this being explicitly considered, but maybe that's just me forgetting. And hopefully the analysis is that such re-use doesn't enable broader replay of early data, but there may be something worth a mention in the tls1.3 spec, e.g. that there may be linkages between the duration for which entries are maintained in resumption and replay detection caches. Cheers, S. > > [1] “Measuring the Security Harm of TLS Crypto Shortcuts”, IMC 2016, > pages 33–47, section 4.4. https://dl.acm.org/citation.cfm?id=2987480 > [2] https://datatracker.ietf.org/doc/draft-green-tls-static-dh-in-tls13/ > > > Cheers > > AGL >
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
