IETF Logo Mail Archive

Re: [TLS] Question on Stateless TLS Session Resumption

Eric Rescorla <ekr@networkresonance.com> Sun, 14 January 2007 00:28 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5tEy-00064e-KI; Sat, 13 Jan 2007 19:28:52 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5tEx-00063V-PC for tls@ietf.org; Sat, 13 Jan 2007 19:28:51 -0500
Received: from raman.networkresonance.com ([198.144.196.3]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H5tEv-0008S3-CU for tls@ietf.org; Sat, 13 Jan 2007 19:28:51 -0500
Received: by raman.networkresonance.com (Postfix, from userid 1001) id 93AC81E8C28; Sat, 13 Jan 2007 16:28:48 -0800 (PST)
To: Lakshminath Dondeti <ldondeti@qualcomm.com>
Subject: Re: [TLS] Question on Stateless TLS Session Resumption
References: <C24CB51D5AA800449982D9BCB90325133C9A2E@NAEX13.na.qualcomm.com> <863b6eh9v5.fsf@raman.networkresonance.com> <45A973A0.4000105@qualcomm.com>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Sat, 13 Jan 2007 16:28:48 -0800
In-Reply-To: <45A973A0.4000105@qualcomm.com> (Lakshminath Dondeti's message of "Sat, 13 Jan 2007 16:04:48 -0800")
Message-ID: <86irfafo3j.fsf@raman.networkresonance.com>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 244a2fd369eaf00ce6820a760a3de2e8
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: EKR <ekr@networkresonance.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Lakshminath Dondeti <ldondeti@qualcomm.com> writes:

> Eric Rescorla wrote:
>
>> Well, there are two separate issues here. There's no technical
>> reason why a new TLS handshake between a client/server pair
>> needs to invalidate and old session between them. Indeed,
>> I don't know of any server which enforces this before and it
>> would even in principle be rather difficult to do in the
>> absence of client authentication, which is fairly rare.
>
> The issue is that of revocation.  If a client's credentials are
> revoked, a full exchange will ensure that the client gets service only
> after it acquires/renews its certificate or whatever.  If there is an
> old ticket that the client can use to get service then it  is able to
> get around having to reauthenticate with new credentials.

Yes, as I said there are *two* issues. One issue is about what
happens when a client simply initiates a full handshake. In
that case there is no general need to invalidate an old ticket.
TLS is quite capable of having two parallel sessions between any
pair of communicating parties.

However, as you indicate, you might want to explicitly terminate
a session. As Vidya indicated, this requires server side state,
though less than a session cache would require.

> Right, that's as per 4346.  However, 4507 says "When presenting a
> ticket, the client MAY generate and include a Session ID in the TLS
> ClientHello."  Given that the client can change the session id, it
> becomes difficult (not impossible as I initially thought) for the
> server to track and invalidate old tickets.

It's not difficult at all. You invalidate the ticket, not the
session ID. The details are described in the SBR04 reference
cited below.

> But, perhaps as you say,
> this is generally not an issue in practice.  If the ticket lifetime is
> generally short enough, it is probably not a big deal (although it
> would have been nice to have stated it in 4507).

Well, here's what 4507 says:


5.1.  Invalidating Sessions

   The TLS specification requires that TLS sessions be invalidated when
   errors occur.  [CSSC] discusses the security implications of this in
   detail.  In the analysis in this paper, failure to invalidate
   sessions does not pose a security risk.  This is because the TLS
   handshake uses a non-reversible function to derive keys for a session
   so information about one session does not provide an advantage to
   attack the master secret or a different session.  If a session
   invalidation scheme is used, the implementation should verify the
   integrity of the ticket before using the contents to invalidate a
   session to ensure that an attacker cannot invalidate a chosen
   session.


[CSSC] is a reference to SBR04, which provides a fairly detailed
analysis of a variety of different ticket revocation schemes.

-Ekr

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email