Going STEK-less with QUIC?
Christian Huitema <huitema@huitema.net> Tue, 27 July 2021 21:05 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: quic@ietfa.amsl.com
Delivered-To: quic@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6899F3A058F for <quic@ietfa.amsl.com>; Tue, 27 Jul 2021 14:05:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.889
X-Spam-Level:
X-Spam-Status: No, score=-1.889 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ult95Iv73vWt for <quic@ietfa.amsl.com>; Tue, 27 Jul 2021 14:05:03 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A1C3B3A073E for <quic@ietf.org>; Tue, 27 Jul 2021 14:02:17 -0700 (PDT)
Received: from xse307.mail2web.com ([66.113.197.53] helo=xse.mail2web.com) by mx136.antispamcloud.com with esmtp (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m8UDJ-000sYv-IR for quic@ietf.org; Tue, 27 Jul 2021 23:02:13 +0200
Received: from xsmtp21.mail2web.com (unknown [10.100.68.60]) by xse.mail2web.com (Postfix) with ESMTPS id 4GZ8P95M7Rz9hK for <quic@ietf.org>; Tue, 27 Jul 2021 14:02:05 -0700 (PDT)
Received: from [10.5.2.14] (helo=xmail04.myhosting.com) by xsmtp21.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1m8UDF-0000Mv-Jv for quic@ietf.org; Tue, 27 Jul 2021 14:02:05 -0700
Received: (qmail 25724 invoked from network); 27 Jul 2021 21:02:03 -0000
Received: from unknown (HELO [192.168.1.104]) (Authenticated-user:_huitema@huitema.net@[172.58.43.253]) (envelope-sender <huitema@huitema.net>) by xmail04.myhosting.com (qmail-ldap-1.03) with ESMTPA for <quic@ietf.org>; 27 Jul 2021 21:02:03 -0000
To: IETF QUIC WG <quic@ietf.org>
From: Christian Huitema <huitema@huitema.net>
Subject: Going STEK-less with QUIC?
Message-ID: <7265bac0-f54b-0e5b-d5b6-572550809f0f@huitema.net>
Date: Tue, 27 Jul 2021 14:02:02 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.12.0
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: quoted-printable
Content-Language: en-US
X-Originating-IP: 66.113.197.53
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Pt3MvcO5N4iKaDQ5O6lkdGlMVN6RH8bjRMzItlySaT9WLQux0N3HQm8ltz8rnu+BPUtbdvnXkggZ 3YnVId/Y5jcf0yeVQAvfjHznO7+bT5x6h2yQpzTslcOqazQkKtAFKj/EwzSHE5FGYwwjsNRPCFuk ndnN2aDJHZ0R47GZf4jmD6wdmZPcItWbGe10hXJtXL4FsauCVkDjmcYJdU3yWp7KuHNaaKdg7iBE ZefdsNUFWKwa/wzJUjmazeC7Imcapebr0kNyYC289u5HlaNj1BQ6V51u76v35b1wNe/MvdLom48E g3of4Y9DlgiJ0nAJ2+J9PgaoF8SQHto3le4zsHTaeQtlKubP6iUTjj6yPARK6buALVaA782LKxg6 vRmng8N1aLhXqdc+jC1RcnVud53D5caUhbVtvqItBqoizkEt9O20UjkwI0v+LOlw05G4BS+iyyNq bT8dUMXMJ4tUCMj6G37ZfAMLceP5aNHPt26RBupu5v1nytoNnc138GfEJRQ2qC7jjynPIHPNqSn4 QTXUjLjYWQt1/5xnQymMoPsgr/U0flMcy2Vi/IcBgY4arPaiJ1W6hAyiRC61jekdwIcXNugoOEbH RyFULpSjm7jZ1h/HfDRQ5Ig8VhPsPE8NQ/T3Op6Um662jkOH4Bxha8DXp7t2nLqCQxvxn0YNWXt7 iaP94jQ0L+PPwaVMUrI3DRojSVizNl0ce/s7u0P9b7Oijoc3SCZfWp1RjkjWCw/vIUzTXkDAiiJi mGhLUFuS2lhaIetXfCg1JdAVrOwKfIqjM80MFYqlqNOV9u2EoihUoFIvD3sIcP1fhJPM6B/8I0VL rIJhJreqC/pzOHciYPAE8Oz/GnuW3OXD6TBl9cE37Fo9Xqg2bQC831cpDah18ru0C+tRoHYWhmrw YaubXW0AuXq0T17woJo3avKeADIsy647Mn0zwmGzAi3Zn+YdthRNgs7Ig4l/XErpYn3glZTKFuaT l19W3ISq9+1KiLsESGU+y+fjdgjudZxiTPi+MG1QP35nsYfP84c+RFK3KiZuZ5OAUoGBziSYFLZu u6zX3xxsmqT8l9ARlsTalAaf
X-Report-Abuse-To: spam@quarantine11.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic/sYmqxTzvFIz4iPcSJn5o2ZovGeM>
X-BeenThere: quic@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Main mailing list of the IETF QUIC working group <quic.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic>, <mailto:quic-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic/>
List-Post: <mailto:quic@ietf.org>
List-Help: <mailto:quic-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic>, <mailto:quic-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Jul 2021 21:05:07 -0000
In theory, TLS 1.3 provides strong future secrecy guarantees, but the handling of session tickets can compromise that. In theory, the session Ticket could be a simple identifier, used by the server to retrieve the context of a past session. In practice, many servers encode the relevant session context data in the session ticket itself, using a Session Ticket Encryption Key (STEK). For server farms, there is no guarantee that the resumed session will hit the same server as the initial session, so in practice all servers in the farm share the STEK. And then, we have a serious future secrecy issue: if the STEK leaks, the attackers can decrypt all the sessions that were encrypted with that STEK, and might also be able to decrypt the initial sessions. In short, STEKs are convenient but risky. The load balancing draft defines Connection ID formats that assure that packets get routed to the right server in a pool. I think that we could use these connection IDs to ensure that a resumed connection goes back to the same server as the initial server. The simplest implementation would be for the client to remember one of the "New connection IDs" received in the initial session, and use that as Initial Connection ID in the resumed session. Once we do that, we get options. The server could for example have a server specific STEK, which reduces the impact of leaking STEk to just the sessions handled by that server, instead of all the sessions by servers sharing the STEK. Or, the server could just remember contexts of past sessions locally, and just place an identifier of that context in the session ticket, effectively going STEK-less. Would there be any interest in pursuing that idea? -- Christian Huitema
- Going STEK-less with QUIC? Christian Huitema
- RE: [EXTERNAL] Going STEK-less with QUIC? Andrei Popov
- Re: [EXTERNAL] Going STEK-less with QUIC? Christian Huitema
- RE: [EXTERNAL] Going STEK-less with QUIC? Andrei Popov
- Re: Going STEK-less with QUIC? Kazuho Oku
- Re: Going STEK-less with QUIC? Martin Thomson
- Re: Going STEK-less with QUIC? Christian Huitema
- Re: Going STEK-less with QUIC? Martin Thomson
- Re: Going STEK-less with QUIC? Christian Huitema
- Re: Going STEK-less with QUIC? Martin Duke