[Cryptography] TLS 1.3 PSK 0-RTT with replay protection seems pretty safe

Bill Cox waywardgeek at gmail.com
Wed Apr 13 19:12:48 EDT 2016


From email discussions on multiple lists it appears that there is a
misconception that 0-RTT is unsafe in many ways regardless of how it is
used in TLS 1.3.  Almost all discussion seems to focus on 0-RTT when used
with stateless servers.  However, servers with "replay protection" can
provide solid perfect forward secrecy, in addition to replay protection.
An initial 1-RTT handshake can do full client auth.  Master secrets are not
reused between connections, and instead a resumption master secret is used
that ratchets secrets forward to resume.  Replay protection based PSK 0-RTT,
which essentially emulates TLS 1.2 session resumption from cache, provides
similar security with some differences, some better, some worse.

I think we should discuss PSK 0-RTT enabled servers with replay protection
more.  I think this should become the default 0-RTT mode supported by TLS
server libraries.  The stateless version is needed for improved scalability
by some expert users, but the safer stateful mode with replay protection
should be used by most organisations.  It deserves more attention than it
is getting IMO.

Bill
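
The stateful replay protection described in the message above, as an added sketch that is not part of the original post or of any TLS library: a server-side cache in which each resumption ticket is deleted on first use and replaced by a secret ratcheted forward one way. The class and function names, the labels, and the HMAC-SHA256 derivation are assumptions chosen for illustration; this is a simplified model, not the TLS 1.3 key schedule.

```python
import hashlib
import hmac
import os


def derive(secret: bytes, label: bytes) -> bytes:
    """One-way step (HMAC-SHA256 stand-in, not the TLS 1.3 key schedule)."""
    return hmac.new(secret, label, hashlib.sha256).digest()


class SingleUseTicketCache:
    """Hypothetical server-side cache: ticket id -> resumption secret."""
    def __init__(self):
        self.cache = {}

    def issue(self, resumption_secret: bytes) -> bytes:
        ticket_id = os.urandom(16)
        self.cache[ticket_id] = resumption_secret
        return ticket_id

    def accept_0rtt(self, ticket_id: bytes, early_data: bytes, tag: bytes):
        # pop() removes the entry on first presentation, valid or not, so a
        # replayed flight finds nothing; None means "fall back to 1-RTT".
        secret = self.cache.pop(ticket_id, None)
        if secret is None:
            return None
        expected = hmac.new(derive(secret, b"early data"), early_data,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        # Ratchet forward: only the derived secret is stored, so a later cache
        # compromise does not expose the key that protected this early data.
        return self.issue(derive(secret, b"next resumption"))


def demo():
    """Constructed exchange: one genuine 0-RTT flight, then its replay."""
    server = SingleUseTicketCache()
    secret = os.urandom(32)  # stands in for the secret from the 1-RTT handshake
    ticket = server.issue(secret)
    early_data = b"GET /account HTTP/1.1"  # constructed sample request
    tag = hmac.new(derive(secret, b"early data"), early_data,
                   hashlib.sha256).digest()
    first = server.accept_0rtt(ticket, early_data, tag)
    replay = server.accept_0rtt(ticket, early_data, tag)
    return first, replay, secret, server


if __name__ == "__main__":
    print([t is not None for t in demo()[:2]])  # [first accepted, replay accepted]
```

A stateless server has no cache entry to delete, which is why it cannot reject the second presentation this way.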