IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Richard Fussenegger <richard@fussenegger.info> Thu, 23 October 2014 18:18 UTC

Return-Path: <richard@fussenegger.info>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD6341A90FC for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 11:18:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rQw82FTtSGKH for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 11:18:31 -0700 (PDT)
Received: from mx204.easyname.com (mx204.easyname.com [212.232.28.125]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3C021ACE47 for <tls@ietf.org>; Thu, 23 Oct 2014 11:18:02 -0700 (PDT)
Received: from 89-26-76-175.goll.dyn.salzburg-online.at ([89.26.76.175] helo=[192.168.0.11]) by mx.easyname.eu with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <richard@fussenegger.info>) id 1XhMxS-000648-0E for tls@ietf.org; Thu, 23 Oct 2014 20:18:00 +0200
Message-ID: <5449463D.7080904@fussenegger.info>
Date: Thu, 23 Oct 2014 20:17:33 +0200
From: Richard Fussenegger <richard@fussenegger.info>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <54483C33.4000702@polarssl.org> <11886639.VyNDkQ3oKj@pintsize.usersys.redhat.com> <54493904.7010807@fussenegger.info> <20141023174537.GW19158@mournblade.imrryr.org>
In-Reply-To: <20141023174537.GW19158@mournblade.imrryr.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms060705090600070209080101"
X-ACL-Warn: X-DNSBL-v4bl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/179Mn7DP5hN6eWrilkPokRe1cro
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 18:18:34 -0000

On 10/23/2014 7:45 PM, Viktor Dukhovni wrote:
> There are only ever two keys sets in memory: the current encryption
> key set and prior encryption (additional decryption) keyset.  I
> say key set because we need an encryption key and an HMAC key and
> both are rotated together, with these is associated a 16 octent id
> (could be a counter or simply random).

I like the wording 'key set' and it's actually what I was referring to 
too. The key sets that are generated in my script for nginx are simply 
48 B of random data (key_name, iv, key, mac):

https://github.com/Fleshgrinder/nginx-session-ticket-key-rotation/blob/master/config.sh#L420-L457
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key

> Actually two key sets are sufficient.  There is no need for a third
> key set.  Take a look at postfix/src/tls/tls_scache.c the relevant
> functions are tls_scache_key() and tls_scache_key_rotate().
>
> This is used in postfix/src/tls/tls_mgr.c tls_mgr_key().
>
>      https://github.com/vdukhovni/postfix

I adopted the three key idea from Twitter[1] and yes two key sets are 
sufficient. I thought that Twitters rational behind the three keys was 
to extend the lifetime of tickets on the client side (as in my drawing 
http://pastebin.com/1iAatbWm) without extending the lifetime of the 
encryption key. Of course I could be terribly wrong here but Jacob 
Hoffman-Andrews for sure had some idea behind this rational.

If the upper limit is said to be two tickets, Twitter has to adopt there 
system. Since we already have a prominent example that uses three 
tickets, its imho a good idea to let them continue doing so. Note that 
your approach would still be perfectly valid because you're below the 
hard limit of three tickets. Hence if one decides to use a single key 
and simply send it to nirvana after 24h then that's okay as well. The 
goal is that we don't botch PFS and not to dictate how keys are implemented.

That said, I have no problem with two keys especially if there is an 
argument against using three keys in regards to security. Maybe I should 
ask Jacob Hoffman-Andrews from Twitter why they are using three keys?

Richard

[1] https://blog.twitter.com/2013/forward-secrecy-at-twitter

v2.23.0 | Report a Bug | By Email