Not clear why 0-RTT doesn't provide perfect forward secrecy #1235
Comments
This is following issue tlswg#1235. 0-RTT data may sometimes be forward-secret, and sometimes not. This commit attempts to clarify that in Sections 2.3 and 8.1.
Forward secrecy is something of a relative property; a given connection X gains forward secrecy with respect to future compromise of entity Y when secret Z is discarded. There are further subtleties, such as if X is still active when Y is compromised then X might still actually be compromised even if Z has already been discarded, but considering all three of X, Y, and Z is necessary to make statements about forward secrecy with any precision. 0-RTT data is protected by a PSK associated with a session ticket, and when the server is using stateless session tickets, the PSK itself is encrypted to the server using the STEK. So the only forward secrecy available to such 0-RTT data is when the STEK is discarded, which we typically recommend to be on an hours to days timescale (but could in principle be much longer, and there are no doubt many sites that essentially never rotate their STEK); given the lack of knowledge of the peer/server behavior, clients should not assume that they have any forward secrecy guarantee for 0-RTT data they send in this case.
Thanks! It's much clearer to me now.
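The X/Y/Z framing above can be made concrete with a small model. The following is an added example, not text or code from the issue, the TLS working group, or RFC 8446: it implements the real TLS 1.3 key schedule from PSK down to the 0-RTT traffic key (HKDF-Extract, Derive-Secret and HKDF-Expand-Label as in RFC 8446 Section 7.1), but the "AEAD" is a constructed stand-in (HKDF keystream XOR plus an HMAC tag, not AES-GCM), the ticket formats and the `STEK` constant are assumptions, and the plaintext is constructed. It contrasts a self-contained ticket, where a recorded 0-RTT record stays decryptable for as long as the STEK is still held, with a database-keyed ticket whose PSK is deleted on first use, where a later server compromise yields nothing.

```python
"""Toy model of why 0-RTT data is only as forward-secret as the PSK protecting it.

Added example (not from the issue or the RFC).  Real: the HKDF-based key
schedule of RFC 8446 Section 7.1.  Constructed/assumed: the AEAD stand-in,
the ticket layouts, the STEK value and the 0-RTT plaintext.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

HASH = hashlib.sha256
HLEN = HASH().digest_size
STEK = bytes(range(32))                 # assumed Session Ticket Encryption Key
ZERO_RTT_PLAINTEXT = b"GET /account"    # constructed early data


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    out, block, i = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([i]), HASH).digest()
        out += block
        i += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full = b"tls13 " + label.encode()
    info = struct.pack(">H", length) + bytes([len(full)]) + full + bytes([len(context)]) + context
    return hkdf_expand(secret, info, length)


def derive_secret(secret: bytes, label: str, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)


def early_traffic_key(psk: bytes, client_hello: bytes) -> bytes:
    # Key schedule up to the 0-RTT key: no (EC)DHE input anywhere, only the PSK.
    early_secret = hkdf_extract(bytes(HLEN), psk)
    client_early_traffic_secret = derive_secret(early_secret, "c e traffic", client_hello)
    return hkdf_expand_label(client_early_traffic_secret, "key", b"", 16)


# --- constructed stand-in for an AEAD (keystream XOR + HMAC tag), not AES-GCM ---
def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    stream = hkdf_expand(key, b"stream" + nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + ct + hmac.new(key, nonce + ct, HASH).digest()


def open_(key: bytes, sealed: bytes) -> bytes:
    nonce, ct, tag = sealed[:12], sealed[12:-HLEN], sealed[-HLEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, HASH).digest()):
        raise ValueError("bad tag")
    stream = hkdf_expand(key, b"stream" + nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))


def zero_rtt_exposure_stateless(stek: bytes, stek_still_held: bool) -> Optional[bytes]:
    """Self-contained ticket: the PSK is wrapped under the STEK and handed to the client.
    Returns what a recording of the ticket + 0-RTT record reveals to someone who later
    obtains the STEK (Y = server STEK store, Z = the STEK itself)."""
    psk = os.urandom(32)
    ticket = seal(stek, psk)                         # assumed ticket layout
    client_hello = b"ClientHello|" + ticket
    record = seal(early_traffic_key(psk, client_hello), ZERO_RTT_PLAINTEXT)
    if not stek_still_held:
        return None          # STEK rotated and discarded: the wrapped PSK is unrecoverable
    psk_later = open_(stek, ticket)                  # same STEK, same PSK, same key
    return open_(early_traffic_key(psk_later, client_hello), record)


def zero_rtt_exposure_database() -> Optional[bytes]:
    """Database-keyed ticket: the ticket is an opaque lookup key and the server deletes
    the PSK on first use.  Returns what a later server compromise can recover."""
    db = {}
    psk, ticket = os.urandom(32), os.urandom(16)
    db[ticket] = psk
    client_hello = b"ClientHello|" + ticket
    record = seal(early_traffic_key(psk, client_hello), ZERO_RTT_PLAINTEXT)
    db.pop(ticket)                                   # PSK deleted upon use (Z discarded)
    psk_later = db.get(ticket)                       # later compromise finds no PSK
    if psk_later is None:
        return None
    return open_(early_traffic_key(psk_later, client_hello), record)


if __name__ == "__main__":
    print("stateless, STEK still held :", zero_rtt_exposure_stateless(STEK, True))
    print("stateless, STEK discarded  :", zero_rtt_exposure_stateless(STEK, False))
    print("database, PSK deleted      :", zero_rtt_exposure_database())
```

The model deliberately records nothing but what is on the wire (the ticket inside the ClientHello and the 0-RTT record); in the self-contained case that recording decrypts for exactly as long as the STEK survives, which is why a client that cannot see the server's ticket strategy or rotation schedule has no basis for assuming any forward secrecy for its 0-RTT data.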
Section 2.3 states that "This [0-RTT] data is not forward secret, as it is encrypted solely under keys derived using the offered PSK."
However, Section 8.1 states "If the tickets are not self-contained but rather are database keys, and the corresponding PSKs are deleted upon use, then connections established using PSKs enjoy forward secrecy. This improves security for all 0-RTT data."
What does "improves security" mean here? Does it mean that the 0-RTT data is forward secret in this case? If not, why not?