IETF Logo Mail Archive

Re: [TLS] ticket lifetimes

Nick Sullivan <nick@cloudflare.com> Tue, 29 January 2019 20:18 UTC

Return-Path: <nick@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2245130FF2 for <tls@ietfa.amsl.com>; Tue, 29 Jan 2019 12:18:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.572
X-Spam-Level:
X-Spam-Status: No, score=-5.572 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fPjW4hmDDb85 for <tls@ietfa.amsl.com>; Tue, 29 Jan 2019 12:18:27 -0800 (PST)
Received: from mail-oi1-x234.google.com (mail-oi1-x234.google.com [IPv6:2607:f8b0:4864:20::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 75C60130EAE for <tls@ietf.org>; Tue, 29 Jan 2019 12:18:27 -0800 (PST)
Received: by mail-oi1-x234.google.com with SMTP id r62so17331653oie.1 for <tls@ietf.org>; Tue, 29 Jan 2019 12:18:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Cbx/94Co4E90W7epMzLCfR927NLe1J75PESfwj+JCIg=; b=xDCLAvSdM3rzA8axzvPaJZUdCllISEg/DvjD+rUWMd4OlW5EJlEpKg0PrEe/nj73/R VmyVRHbNYK0OR72xzGb/rhveSChV5y2Y11vZecTHU+qmSw9xzpmWHQmoV4N/OSoSjYaF qm5Vsm8wCqfv4tFQrTE4Wp0U0KOM87JNqmCAI=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Cbx/94Co4E90W7epMzLCfR927NLe1J75PESfwj+JCIg=; b=OxVfg4LkAt7BhIuPtSw7Y7RnsJWxI9nxL74L6x83y0T7v3Knyhb4pn5cxRmk1h3exL 8trjH0p9vCPxKCg45v3NrBZaqPQ2G1KuqbiAmLu5tbCz5UT2oBzIBojTe7sc9tuYv7v+ FZju9Yk3gRTNXS71bUodeTsh3FrEsez2BJ8qgHnVTeKPRAMbYSNtj7iL1f+DZk1Bxqix KHjw90SViiI2fNWkt9dXOKT0CxvMqXW3faiSljV4+47yRs61TEWFR9jzZz0wnRsWdpJD k22N3OPpHoDNuWn1dzyeJqWFaf+rK/kXOX1jUUIztyLMiWJ+U4JP1tFpuzOpKQtOjlON cI0g==
X-Gm-Message-State: AHQUAub1b+aFGCpNV+no252iCc+aKlm1iLG0PnK9wcgZsuXebIXjSc9F gevtuWhzzEQZWvlEyC7x7wl7lMzW3bGLcE7CwJo51w==
X-Google-Smtp-Source: ALg8bN5uwy0WLaOD9arvYcTIt+Lninv/gAzqQcOVja92UzoOQvYFnXQM8drmHbRDs/yntvP2SlXChW6CS3FrVMRF+z4=
X-Received: by 2002:aca:1c04:: with SMTP id c4mr10079259oic.191.1548793106256; Tue, 29 Jan 2019 12:18:26 -0800 (PST)
MIME-Version: 1.0
References: <MWHPR15MB182191E96C1A065B2396318EB6970@MWHPR15MB1821.namprd15.prod.outlook.com> <CAO8oSXkDqe9QQBj+9J928rwE-Cx5w6+oxoz4+dXfANccJEYxog@mail.gmail.com> <MWHPR15MB1821FCD14D0DBFDE0A1D8617B6970@MWHPR15MB1821.namprd15.prod.outlook.com> <CAO8oSX=+iwO8S8pGamUit+wmvb9ft4Zta+w1ag4vfNJ84Bd02Q@mail.gmail.com> <MWHPR15MB1821F11E2B857B4DE5B21CF6B6970@MWHPR15MB1821.namprd15.prod.outlook.com>
In-Reply-To: <MWHPR15MB1821F11E2B857B4DE5B21CF6B6970@MWHPR15MB1821.namprd15.prod.outlook.com>
From: Nick Sullivan <nick@cloudflare.com>
Date: Tue, 29 Jan 2019 12:18:14 -0800
Message-ID: <CAFDDyk8Tn9XNhdyshvpmHBq2Lusrc_9CtDOvjaqu-6NLf3T53A@mail.gmail.com>
To: Subodh Iyengar <subodh@fb.com>
Cc: Christopher Wood <christopherwood07@gmail.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ee03ee05809e7e5a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/4yyjMVruOxRvaMtVuIDD-s3Skss>
Subject: Re: [TLS] ticket lifetimes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jan 2019 20:18:31 -0000

Wouldn't this issue also be mitigated by requiring the server to
re-authenticate during resumption with the certificate once in a while?

Nick

On Tue, Jan 29, 2019 at 11:00 AM Subodh Iyengar <subodh@fb.com> wrote:

> > If by "entire TLS session" you mean the resumed (and renewed)
> sessions, then yep!
>
> Ya I think that'd need a new draft either way. Can definitely write that up
> if people don't think it's the worst idea in the world.
>
> Subodh
> ------------------------------
> *From:* Christopher Wood <christopherwood07@gmail.com>
> *Sent:* Monday, January 28, 2019 10:13:36 PM
> *To:* Subodh Iyengar
> *Cc:* tls@ietf.org
> *Subject:* Re: [TLS] ticket lifetimes
>
> On Mon, Jan 28, 2019 at 10:04 PM Subodh Iyengar <subodh@fb.com> wrote:
> >
> > > Since clients already store tickets, could they not also store the
> > time of original ticket issuance and cap the resumption window to N
> > (7) days from that point? That is, it seems clients could implement
> > this behavior without any protocol support.
> >
> > Correct, however the server currently provides a value for this, and
> clients do not enforce a lower bound on this. 7 days is an upper bound.
> > Servers would provide a much lower value than 7 days practically.
> >
> > If I'm understanding your suggestion correctly, you're suggesting that
> clients change the meaning of ticket_lifetime_hint?
> > That is not just limit it to the scope of the ticket but the entire TLS
> session? That would be fine to by me, however might break some folks.
>
> If by "entire TLS session" you mean the resumed (and renewed)
> sessions, then yep!
>
> Best,
> Chris
>
> >
> > Subodh
> > ________________________________
> > From: Christopher Wood <christopherwood07@gmail.com>
> > Sent: Monday, January 28, 2019 9:57 PM
> > To: Subodh Iyengar
> > Cc: tls@ietf.org
> > Subject: Re: [TLS] ticket lifetimes
> >
> > On Mon, Jan 28, 2019 at 9:43 PM Subodh Iyengar <subodh@fb.com> wrote:
> > >
> > > In TLS 1.3 we added a maximum age to the ticket lifetime to be 7 days.
> This had several original motivations including reducing the time that a
> ticket is reused (for privacy or PFS). Another major motivation for this
> was to limit the exposure of servers that use keyless ssl like mechanisms,
> i.e. if they kept a STEK locally, but the keyless SSL server remotely, then
> the theft of a STEK would presumably limit the MITM capabilities to the
> ticket lifetime.
> > >
> > > However thinking about it some more because of the renewal capability
> of tickets in TLS 1.3, an entity owning the STEK could just re-issue new
> tickets forever on a resumed connection. This would look to the client as a
> new ticket and it would refresh its lifetime on the ticket. Thereby a MITM
> could intercept connections to users that have been to the server with the
> STEK. I'm wondering whether it might be useful to define a mechanism to
> limit the lifetime of all ticket resumption across all resumptions from the
> original connection instead of just the limited per ticket lifetime.
> >
> > Since clients already store tickets, could they not also store the
> > time of original ticket issuance and cap the resumption window to N
> > (7) days from that point? That is, it seems clients could implement
> > this behavior without any protocol support.
> >
> > Best,
> > Chris
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email