Re: [TLS] Question on Stateless TLS Session Resumption
Eric Rescorla <ekr@networkresonance.com> Sun, 14 January 2007 00:28 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5tEy-00064e-KI; Sat, 13 Jan 2007 19:28:52 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5tEx-00063V-PC for tls@ietf.org; Sat, 13 Jan 2007 19:28:51 -0500
Received: from raman.networkresonance.com ([198.144.196.3]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H5tEv-0008S3-CU for tls@ietf.org; Sat, 13 Jan 2007 19:28:51 -0500
Received: by raman.networkresonance.com (Postfix, from userid 1001) id 93AC81E8C28; Sat, 13 Jan 2007 16:28:48 -0800 (PST)
To: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: [TLS] Question on Stateless TLS Session Resumption
References: <C24CB51D5AA800449982D9BCB90325133C9A2E@NAEX13.na.qualcomm.com> <863b6eh9v5.fsf@raman.networkresonance.com> <45A973A0.4000105@qualcomm.com>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Sat, 13 Jan 2007 16:28:48 -0800
In-Reply-To: <45A973A0.4000105@qualcomm.com> (Lakshminath Dondeti's message of "Sat, 13 Jan 2007 16:04:48 -0800")
Message-ID: <86irfafo3j.fsf@raman.networkresonance.com>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: EKR <ekr@networkresonance.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
Lakshminath Dondeti <ldondeti@qualcomm.com> writes: > Eric Rescorla wrote: > >> Well, there are two separate issues here. There's no technical >> reason why a new TLS handshake between a client/server pair >> needs to invalidate and old session between them. Indeed, >> I don't know of any server which enforces this before and it >> would even in principle be rather difficult to do in the >> absence of client authentication, which is fairly rare. > > The issue is that of revocation. If a client's credentials are > revoked, a full exchange will ensure that the client gets service only > after it acquires/renews its certificate or whatever. If there is an > old ticket that the client can use to get service then it is able to > get around having to reauthenticate with new credentials. Yes, as I said there are *two* issues. One issue is about what happens when a client simply initiates a full handshake. In that case there is no general need to invalidate an old ticket. TLS is quite capable of having two parallel sessions between any pair of communicating parties. However, as you indicate, you might want to explicitly terminate a session. As Vidya indicated, this requires server side state, though less than a session cache would require. > Right, that's as per 4346. However, 4507 says "When presenting a > ticket, the client MAY generate and include a Session ID in the TLS > ClientHello." Given that the client can change the session id, it > becomes difficult (not impossible as I initially thought) for the > server to track and invalidate old tickets. It's not difficult at all. You invalidate the ticket, not the session ID. The details are described in the SBR04 reference cited below. > But, perhaps as you say, > this is generally not an issue in practice. If the ticket lifetime is > generally short enough, it is probably not a big deal (although it > would have been nice to have stated it in 4507). Well, here's what 4507 says: 5.1. Invalidating Sessions The TLS specification requires that TLS sessions be invalidated when errors occur. [CSSC] discusses the security implications of this in detail. In the analysis in this paper, failure to invalidate sessions does not pose a security risk. This is because the TLS handshake uses a non-reversible function to derive keys for a session so information about one session does not provide an advantage to attack the master secret or a different session. If a session invalidation scheme is used, the implementation should verify the integrity of the ticket before using the contents to invalidate a session to ensure that an attacker cannot invalidate a chosen session. [CSSC] is a reference to SBR04, which provides a fairly detailed analysis of a variety of different ticket revocation schemes. -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Question on Stateless TLS Session Resumption Narayanan, Vidya
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] Re: when is it ok to resume a cached SSL/TL… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Kyle Hamilton
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- RE: [TLS] Question on Stateless TLS Session Resum… Narayanan, Vidya
- Re: [TLS] when is it ok to resume a cached SSL/TL… Martin Rex