IETF Logo Mail Archive

Re: [TLS] Comments on the session ticket format in TLS 1.3

Brian Smith <brian@briansmith.org> Sun, 12 March 2017 23:55 UTC

Return-Path: <brian@briansmith.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E4E7D129426 for <tls@ietfa.amsl.com>; Sun, 12 Mar 2017 16:55:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=briansmith-org.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q4zC-QVu-rnY for <tls@ietfa.amsl.com>; Sun, 12 Mar 2017 16:55:09 -0700 (PDT)
Received: from mail-it0-x232.google.com (mail-it0-x232.google.com [IPv6:2607:f8b0:4001:c0b::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5C60512940C for <TLS@ietf.org>; Sun, 12 Mar 2017 16:55:09 -0700 (PDT)
Received: by mail-it0-x232.google.com with SMTP id m27so20832368iti.0 for <TLS@ietf.org>; Sun, 12 Mar 2017 16:55:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=briansmith-org.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oJedbwhPWyNTIcWAWSNt0qpgUJiaoUz7eGw6wPQJ7dM=; b=dYzDIzJHsKhrUrXAgMK3KR3+ek0DPMqqjwUcAwrWKjGbKT3m1hM52PNQ2gILKUx3Lm uCT/ftnuFHIKFs4ovmVDWt14H5Xwf0ri9jXe72bOuNDZfoxwupTk0qozCkiFkAEm18jC +Tt4godyDDIYxJspNHzXTXyDD8f1GkB+ACjL7kX2z0w0pY4WiI0Xf8jTuPTqdqcH+xkO GIHpH4FXtXc0QwY1684Y+1lCSDmxhtogNdiaHAdEGBeRo+rYoRlgrsrDGE0PG80VGgkC DT7buC2oSnPwtnX8ohB8tVq/q8ZeAbwAGTfezV0/ifEEUbPyJv22uQeYfa2H8FKll/Da u/Sw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oJedbwhPWyNTIcWAWSNt0qpgUJiaoUz7eGw6wPQJ7dM=; b=KynVW8p/GxUAIYl1x9G0xHAy3sc2QWKBFJglGUWumLhcrYkG2Urxh9/70HiF7e8B5S KISM9odxf9EYlurgOkDAUCKKf7J+OeB+jmfv4z8AHEt4OdO+DJdJpNNxYV79g7pVOEIZ OuVDDtwmTtaMjeQc8bMN89lAMRn2a0zCCU3nIvEUOj5YtrqHLrr5Hi5OJ7SCuc22mK3P U+0cdKJSwKHTyyyxYdIc7hZvguNVx6cystRscCwrF2KS6q7ST7JU7Pwp1aD9err51TU8 PKstq648Zlc6+psReTmGrN4Am0ffaQtA4E3o6ix6S5wcwGsM66Pr1Vx8d3Vk5KAC3/pO wi6w==
X-Gm-Message-State: AFeK/H1vG60FGWBxTJerOTgLCz72BYurmwlGwWw5fiI9RWQEMHk8h/8A2cQVFvuNA/pN8F/GqjCdFBxGyI0qVQ==
X-Received: by 10.36.60.211 with SMTP id m202mr7930616ita.58.1489362908599; Sun, 12 Mar 2017 16:55:08 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.36.87.82 with HTTP; Sun, 12 Mar 2017 16:55:08 -0700 (PDT)
In-Reply-To: <CANHgQ8EEJeTVvyQH8SosO4M3Ecz2=ZE-UPGndcu=XfB1f+1Zgg@mail.gmail.com>
References: <CANHgQ8EEJeTVvyQH8SosO4M3Ecz2=ZE-UPGndcu=XfB1f+1Zgg@mail.gmail.com>
From: Brian Smith <brian@briansmith.org>
Date: Sun, 12 Mar 2017 13:55:08 -1000
Message-ID: <CAFewVt558LB_QTb56i2hQA+pY5HEM7LCLuzEOsMAhq23sa+EMg@mail.gmail.com>
To: Ivan Ristic <ivan.ristic@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/059rizXOiHgntCT8thGk4r2yNIo>
Cc: "tls@ietf.org" <TLS@ietf.org>
Subject: Re: [TLS] Comments on the session ticket format in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 23:55:11 -0000

Ivan Ristic <ivan.ristic@gmail.com> wrote:
> - The opaque nature of this field also makes connection auditing more
> difficult.

This is intentional.

> For example, I'd like to know if session tickets are used to
> resume for a particular connection. Perhaps more importantly, it would be
> useful to identify specific ticket keys (to track their usage, rotation,
> etc), age, encryption algorithm, and their strength.

The server knows this information. if it wants you to know it, then it
can share it with you. If it doesn't, then you shouldn't be able to
know it, ideally.

> - Finally, I feel that the effective removal of (visible) session IDs is a
> regression. Being able to track sessions and resumption is useful to
> understand traffic patterns.

This is an attack on the client and server, which the protocol ideally
should prevent. In fact, I know at least one implementation is doing
extra work specifically to frustrate this kind of attack. Also the
charter says "Develop a mode that encrypts as much of the handshake as
is possible to reduce the amount of observable data to both passive
and active attackers."

> So, I'd prefer to bring session IDs back, and
> to arrange things so that they're always server-generated.

Even in earlier versions, session IDs were not required with
resumption using tickets. The server sends an empty session ID and the
client may (should, IMO) send an empty session ID in the resumption
hello.

> I know these are not big problems (especially given the improvements made to
> session tickets), but whatever is specified now will be used for a very long
> time, and it would be a shame to leave these around.

This I agree with, except I think it's worth spending extra effort to
standardize the methods for preventing the thing you are asking for.

BTW, I understand you are asking for this for diagnostic reasons, not
for malicious reasons.

Cheers,
Brian
-- 
https://briansmith.org/

v2.23.0 | Report a Bug | By Email