On Tue, Jun 13, 2017 at 4:32 AM, Ilari Liusvaara <[email protected]>
wrote:
> Also:
>
> - Note that 0-RTT exporters are not safe for authentication unless
> the server does global anti-replay on 0-RTT.

I do not think this is the case. Nick Harper has proposed an RFC for token
binding over 0-RTT:

https://tools.ietf.org/html/draft-nharper-0-rtt-token-binding-02

In the same way servers can ensure tickets are single-use (by binding them
to a server/metro/orbit and having local ticket caches), we can ensure that
each retransmission carries a unique auth signature. I would state the
situation like this:

  - Note that 0-RTT exporters are not safe for authentication on servers
    that do not enforce single-use tickets, or for clients that do not
    recompute authentication signatures on retransmission of early data.

Even this is only partially true. Anti-replay can be built above the TLS
layer. I'm considering doing token-binding replay defense in the
authentication backend, to help ensure the token-binding guarantee: that
auth tokens taken from one device cannot be used from another device
without continued access to the first device's signing oracle.

Unfortunately, 0-RTT master resumption secrets are a new kind of auth
bearer token, and the token binding spec does not cover them.

Bill
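
[Added example, not part of the original message or of any draft: a sketch of replay defense above the TLS layer, in which an authentication backend accepts each 0-RTT exporter value once. It relies on the early exporter being derived from the ClientHello, so a replayed flight repeats the same value while a fresh retransmission does not. Assumptions: the AuthBackend class, the device key table, the ticket lifetime, and HMAC standing in for the token binding signature are all hypothetical.]

```python
import hashlib
import hmac
import time

TICKET_LIFETIME = 7 * 24 * 3600  # assumed: entries outlive the ticket they came with


class AuthBackend:
    """Hypothetical backend: verifies a proof over the 0-RTT exporter value
    and accepts each exporter value only once per device."""

    def __init__(self, device_keys, clock=time.time):
        self.device_keys = device_keys  # device id -> key (constructed)
        self.clock = clock
        self.seen = {}                  # sha256(device id, ekm) -> expiry

    def authenticate(self, device_id, ekm, proof):
        key = self.device_keys.get(device_id)
        if key is None:
            return "unknown-device"
        # HMAC stands in for the token binding signature over the exporter.
        expected = hmac.new(key, ekm, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            return "bad-signature"
        now = self.clock()
        self.seen = {k: exp for k, exp in self.seen.items() if exp > now}
        tag = hashlib.sha256(device_id.encode() + b"\x00" + ekm).digest()
        if tag in self.seen:
            return "replay"
        self.seen[tag] = now + TICKET_LIFETIME
        return "ok"


def client_proof(key, ekm):
    """Client side: recomputed for the exporter value of every (re)transmission."""
    return hmac.new(key, ekm, hashlib.sha256).digest()


def demo():
    key = b"constructed-device-key"
    backend = AuthBackend({"device-1": key})
    # Constructed stand-ins for the exporter values of two distinct ClientHellos.
    ekm_first = hashlib.sha256(b"constructed ClientHello #1").digest()
    ekm_retry = hashlib.sha256(b"constructed ClientHello #2").digest()
    proof = client_proof(key, ekm_first)
    return [
        backend.authenticate("device-1", ekm_first, proof),  # original flight
        backend.authenticate("device-1", ekm_first, proof),  # identical copy
        backend.authenticate("device-1", ekm_retry, proof),  # proof not recomputed
        backend.authenticate("device-1", ekm_retry, client_proof(key, ekm_retry)),
    ]
```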