Re: [TLS] Unifying tickets and sessions
Richard Fussenegger <richard@fussenegger.info> Thu, 23 October 2014 18:18 UTC
Return-Path: <richard@fussenegger.info>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD6341A90FC for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 11:18:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rQw82FTtSGKH for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 11:18:31 -0700 (PDT)
Received: from mx204.easyname.com (mx204.easyname.com [212.232.28.125]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D3C021ACE47 for <tls@ietf.org>; Thu, 23 Oct 2014 11:18:02 -0700 (PDT)
Received: from 89-26-76-175.goll.dyn.salzburg-online.at ([89.26.76.175] helo=[192.168.0.11]) by mx.easyname.eu with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <richard@fussenegger.info>) id 1XhMxS-000648-0E for tls@ietf.org; Thu, 23 Oct 2014 20:18:00 +0200
Message-ID: <5449463D.7080904@fussenegger.info>
Date: Thu, 23 Oct 2014 20:17:33 +0200
From: Richard Fussenegger <richard@fussenegger.info>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <54483C33.4000702@polarssl.org> <11886639.VyNDkQ3oKj@pintsize.usersys.redhat.com> <54493904.7010807@fussenegger.info> <20141023174537.GW19158@mournblade.imrryr.org>
In-Reply-To: <20141023174537.GW19158@mournblade.imrryr.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms060705090600070209080101"
X-ACL-Warn: X-DNSBL-v4bl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/179Mn7DP5hN6eWrilkPokRe1cro
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 18:18:34 -0000
On 10/23/2014 7:45 PM, Viktor Dukhovni wrote: > There are only ever two keys sets in memory: the current encryption > key set and prior encryption (additional decryption) keyset. I > say key set because we need an encryption key and an HMAC key and > both are rotated together, with these is associated a 16 octent id > (could be a counter or simply random). I like the wording 'key set' and it's actually what I was referring to too. The key sets that are generated in my script for nginx are simply 48 B of random data (key_name, iv, key, mac): https://github.com/Fleshgrinder/nginx-session-ticket-key-rotation/blob/master/config.sh#L420-L457 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_session_ticket_key > Actually two key sets are sufficient. There is no need for a third > key set. Take a look at postfix/src/tls/tls_scache.c the relevant > functions are tls_scache_key() and tls_scache_key_rotate(). > > This is used in postfix/src/tls/tls_mgr.c tls_mgr_key(). > > https://github.com/vdukhovni/postfix I adopted the three key idea from Twitter[1] and yes two key sets are sufficient. I thought that Twitters rational behind the three keys was to extend the lifetime of tickets on the client side (as in my drawing http://pastebin.com/1iAatbWm) without extending the lifetime of the encryption key. Of course I could be terribly wrong here but Jacob Hoffman-Andrews for sure had some idea behind this rational. If the upper limit is said to be two tickets, Twitter has to adopt there system. Since we already have a prominent example that uses three tickets, its imho a good idea to let them continue doing so. Note that your approach would still be perfectly valid because you're below the hard limit of three tickets. Hence if one decides to use a single key and simply send it to nirvana after 24h then that's okay as well. The goal is that we don't botch PFS and not to dictate how keys are implemented. That said, I have no problem with two keys especially if there is an argument against using three keys in regards to security. Maybe I should ask Jacob Hoffman-Andrews from Twitter why they are using three keys? Richard [1] https://blog.twitter.com/2013/forward-secrecy-at-twitter
- [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Brian Smith
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Brian Smith
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions David Leon Gil
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions David Leon Gil
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Ryan Carboni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Ryan Carboni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Aaron Zauner
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Aaron Zauner
- Re: [TLS] Unifying tickets and sessions Douglas Stebila
- Re: [TLS] Unifying tickets and sessions Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Stephen Checkoway
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Joseph Salowey
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
- Re: [TLS] Unifying tickets and sessions David Leon Gil