On Fri, Jun 02, 2017 at 05:49:51PM -0400, Victor Vasiliev wrote:
> On Thu, Jun 1, 2017 at 8:22 PM, Eric Rescorla <e...@rtfm.com> wrote:
>
> > I've just gone through this thread and I'm having a very hard time
> > understanding what the actual substantive argument is about.
> >
>
> I believe at this point we mostly disagree on what specific scenarios
> are and are not a concern that should be solved by the TLS layer.
> The replay/retry distinction might be at the core of some disagreements.
>
> > Let me lay out what I think we all agree on.
> >
> > 1. As long as 0-RTT is declinable (i.e., 0-RTT does not cause
> > connection failures) then a DKG-style attack where the client
> > replays the 0-RTT data in 1-RTT is possible.
> >
>
> Correct.

Err, how does not failing the connection enable a DKG-style attack? If the
connection failed on 0-RTT failure, the client would then presumably just
establish a new one (if it can) without 0-RTT, and we are where we started
(the client doesn't even gain additional knowledge, because 0-RTT ACK
exists today).

But failing the connection on 0-RTT failure is not nice on other grounds.

> > 3. Allowing the attacker to generate an arbitrary number of 0-RTT
> > replays without client intervention is dangerous even if
> > the application implements replay-safe semantics.
> >
>
> Correct, and the specific number is highly situational.

For some attacks, it is pretty low (a few dozen or less, or so), especially
if you can distribute across servers.

> > 4. If implemented properly, both a single-use ticket and a
> > strike-register style mechanism make it possible to limit
> > the number of 0-RTT copies which are processed to 1 within
> > a given zone (where a zone is defined as having consistent
> > storage), so the number of accepted copies of the 0-RTT
> > data is N where N is the number of zones.
> >
>
> Correct.

Session caches are inherently bound to a single zone. Which, together with
"multi-server" attacks, implies that 0-RTT tickets need to be bound to a
zone (when doing 0-RTT). Of course, even only using tickets for 0-RTT in
one zone, while accepting them to skip signatures on others, would still
leave the FS problems.

> > 5. Implementing the level of coherency to get #4 is a pain.
> >
>
> Yes.

Interestingly, the required coherency is quite easy for small sites (run
off a VPS or container); it is large sites (multiple datacenters) that have
problems.

-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
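The counting argument in point 4 (one accepted copy per zone, so N zones give up to N accepted copies) and the follow-up that 0-RTT tickets need to be bound to a zone can be made concrete with a small simulation. The code below is an added illustration and is not from the thread or from any TLS implementation: the `Zone` class, the `"<zone>|<nonce>"` ticket layout, the zone names `dc0..dcN` and the in-memory strike register are all constructed for this example, and returning `False` stands for "decline 0-RTT and fall back to 1-RTT", never for failing the connection.

```python
"""Toy strike register for 0-RTT tickets (constructed example).

Each Zone models one region of consistent storage: every server in the
zone sees the same strike register, so a second copy of the same 0-RTT
flight is caught there, but servers in other zones cannot see it.
"""
import hashlib
import os
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    # set of sha256(nonce) values already consumed in this zone
    strike_register: set = field(default_factory=set)

    def accept_early_data(self, ticket: bytes, bind_to_zone: bool) -> bool:
        """True if this zone processes the 0-RTT data sent with `ticket`.

        False means 'decline 0-RTT, continue in 1-RTT'; the handshake
        itself still succeeds either way.
        """
        zone_tag, _, nonce = ticket.partition(b"|")
        if bind_to_zone and zone_tag != self.name.encode():
            # Ticket was minted by another zone's session cache: we cannot
            # consult that zone's strike register, so do not accept 0-RTT.
            return False
        key = hashlib.sha256(nonce).digest()
        if key in self.strike_register:
            return False  # second copy within this zone: replay, decline
        self.strike_register.add(key)
        return True


def mint_ticket(zone: Zone) -> bytes:
    # Constructed ticket format "<zone>|<random nonce>". Real tickets are
    # encrypted, authenticated blobs; the format does not affect the count.
    return zone.name.encode() + b"|" + os.urandom(16)


def count_accepted_copies(zones, ticket, copies_per_zone, bind_to_zone):
    """Replay one captured 0-RTT flight `copies_per_zone` times against
    every zone and return how many copies were accepted in total."""
    return sum(
        z.accept_early_data(ticket, bind_to_zone)
        for z in zones
        for _ in range(copies_per_zone)
    )


def demo(n_zones=3, copies_per_zone=5):
    """Return (accepted copies without zone binding, with zone binding)."""
    zones = [Zone(f"dc{i}") for i in range(n_zones)]
    unbound = count_accepted_copies(
        zones, mint_ticket(zones[0]), copies_per_zone, bind_to_zone=False)
    zones = [Zone(f"dc{i}") for i in range(n_zones)]  # fresh registers
    bound = count_accepted_copies(
        zones, mint_ticket(zones[0]), copies_per_zone, bind_to_zone=True)
    return unbound, bound


if __name__ == "__main__":
    unbound, bound = demo()
    print(f"without zone binding: {unbound} copies accepted (N zones)")
    print(f"with zone binding:    {bound} copy accepted")
```

Without zone binding, the register in each zone independently accepts the first copy it sees, so the attacker gets exactly N accepted copies no matter how many replays per zone are attempted; with the ticket bound to the zone that issued it, only that zone ever processes the early data and the count drops to one. The simulation deliberately omits everything else a real strike register needs (ticket age windows, expiry of old entries, and the cross-datacenter coherency that point 5 calls a pain), since the point here is only the per-zone counting.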