search

tlsnotary / tlsn

Rust implementation of the TLSNotary protocol
https://tlsnotary.org
277 stars 70 forks source link

TLS1.3 0-RTT EarlyData #31

Closed sinui0 closed 2 years ago

sinui0 commented 2 years ago

Does 0-RTT in TLS1.3 pose any threats or benefits to our protocol? We should study the scheme to make sure we understand the answer to it.

General questions/thoughts:

  1. How is the PSK determined?
  2. Is this an attack vector on our protocol?
  3. Would it actually be advantageous to the protocol somehow? Eg. speed it up when using a resumption configuration to perform 2PC in the offline phase.
  4. It complicates the handshake interface.
themighty1 commented 2 years ago

tls 1.3 rfc says PSK (a pre-shared key established externally or derived from the resumption_master_secret value from a previous connection)

So, in order to derive it, the Prover has to run a special "res master" derivation which requires inputting Master Secret. Since the Prover does not know Master Secret, the PSK cannot be generated unilaterally.

sinui0 commented 2 years ago

Ok, thanks. I misunderstood how the PSK was derived. I will remove support for EarlyData as it only serves to complicate the protocol with not much benefit.