We are especially interested in the question of how replay attacks, enabled through the lack of contribution from the server, affect security in the 0-RTT case. Whereas the first proposal of QUIC uses state on the server side to thwart such attacks, the latest version of QUIC and TLS 1.3 instead accept them as inevitable. We analyze what this means for the key secrecy of both the preshared-key-based 0-RTT handshake in draft-14 of TLS 1.3 and the Diffie-Hellman-based 0-RTT handshake in TLS 1.3 draft-12. As part of this, we extend previous security models to capture such cases, also shedding light on the limitations and options for 0-RTT security under replay attacks.
Category / Keywords: cryptographic protocols / Transport Layer Security (TLS), key exchange, protocol analysis, zero round-trip time, composition
Original Publication (with major differences): 2nd IEEE European Symposium on Security and Privacy (EuroS&P 2017)
Date: received 2 Feb 2017
Contact author: guenther at cs tu-darmstadt de
Version: 20170206:190224
Short URL: ia.cr/2017/082