IETF Logo Mail Archive

Re: [TLS] ticket lifetimes

David Benjamin <davidben@chromium.org> Tue, 29 January 2019 22:52 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B3EC131029 for <tls@ietfa.amsl.com>; Tue, 29 Jan 2019 14:52:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.082
X-Spam-Level:
X-Spam-Status: No, score=-11.082 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QKSeL0GSO4yy for <tls@ietfa.amsl.com>; Tue, 29 Jan 2019 14:52:46 -0800 (PST)
Received: from mail-qt1-x834.google.com (mail-qt1-x834.google.com [IPv6:2607:f8b0:4864:20::834]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68C6D130FE5 for <tls@ietf.org>; Tue, 29 Jan 2019 14:52:46 -0800 (PST)
Received: by mail-qt1-x834.google.com with SMTP id t13so24244454qtn.3 for <tls@ietf.org>; Tue, 29 Jan 2019 14:52:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LVMTZL/+GvWcR4zVa34ej5VSO9Bf+SG+xO3/Ystk6Tw=; b=PLZIpBzR0oL52R/9oN0QpojN1NRE+iy8nMaSjKP/Gb7J9GIuFTY5fRFxI2jUiTtUUB D1hqINQ0BDBGLqwSCXHOgO3Jkwjs5B8F9WncL895+YYGiT22KzD5w+FqHUh/lT9AFnMT 6IfVh7C38KCYsIPmMwDK1KhABo9HHZh73yY/M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LVMTZL/+GvWcR4zVa34ej5VSO9Bf+SG+xO3/Ystk6Tw=; b=c9eHxKRKO6pxWVmYy5vtySrmVxr7tVqAV8DgcPfqYaQgcbPnp0ORE98otNYQrq/cf7 sHzAJpCetnx8GiF51Yms+D5k/z/ZMpzK4ixy5kpRFIwSf2krjbyNOf9Z2ry2Z/9GFo0O Xhozt5/GxoDu07WXaIAOu8YkrfnPmRWMHlxf/azYdYyNzIZiONGHZG0B54foRUQWWMvc rvGLPbEC+zhBxEUY5RVQoVlPx7IJ/QQZpaFhXN4REhsosOJaHb/Gd1AsYiNFqN+6TI0F QACyuJs7l/1aBVkypx3ayjU8jC9pUJKupvx+ZNfHU20+90aS6bOhlMa3j+gNZ5qDxWPX hWYw==
X-Gm-Message-State: AJcUukeGvR98PHHV/0Bz3X/13Cn35vJX/6ORAhFp0RsZ47lsgExeFfSX 0sSgRlkfu9rT8M+IoQ7ivBhBFH+Q0jmsuKmXyYM7axQ=
X-Google-Smtp-Source: ALg8bN5NrrK41xTnJpOkOgIBfKeOoDEvyZ7BBSAKzQ4CtCCBmCJ46XYH3cpjR8V/NYtTdC8zqF//3gRS4wjrWzOH/Mk=
X-Received: by 2002:aed:3482:: with SMTP id x2mr26811906qtd.72.1548802365196; Tue, 29 Jan 2019 14:52:45 -0800 (PST)
MIME-Version: 1.0
References: <MWHPR15MB182191E96C1A065B2396318EB6970@MWHPR15MB1821.namprd15.prod.outlook.com> <CAO8oSXkDqe9QQBj+9J928rwE-Cx5w6+oxoz4+dXfANccJEYxog@mail.gmail.com> <MWHPR15MB1821FCD14D0DBFDE0A1D8617B6970@MWHPR15MB1821.namprd15.prod.outlook.com> <CAO8oSX=+iwO8S8pGamUit+wmvb9ft4Zta+w1ag4vfNJ84Bd02Q@mail.gmail.com> <MWHPR15MB1821F11E2B857B4DE5B21CF6B6970@MWHPR15MB1821.namprd15.prod.outlook.com> <CAFDDyk8Tn9XNhdyshvpmHBq2Lusrc_9CtDOvjaqu-6NLf3T53A@mail.gmail.com> <CAF8qwaDpH04Ebq--XHGPFkyp81Pt=P7hmAXveF2FUH1joBKiPg@mail.gmail.com> <MWHPR15MB18215B0C046B3ADFA88F0FC4B6970@MWHPR15MB1821.namprd15.prod.outlook.com>
In-Reply-To: <MWHPR15MB18215B0C046B3ADFA88F0FC4B6970@MWHPR15MB1821.namprd15.prod.outlook.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 29 Jan 2019 16:52:32 -0600
Message-ID: <CAF8qwaDESi1Ed8D9+2GuR=+5sWtRtM6qLuLF7DbzQ1nqOLXOOg@mail.gmail.com>
To: Subodh Iyengar <subodh@fb.com>
Cc: Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000ceb18d0580a0a6b4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5u-IpV3K-8Ll3DJMIPftKtSWazY>
Subject: Re: [TLS] ticket lifetimes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jan 2019 22:52:50 -0000

On Tue, Jan 29, 2019 at 4:14 PM Subodh Iyengar <subodh@fb.com> wrote:

> > Wouldn't this issue also be mitigated by requiring the server to
> re-authenticate during resumption with the certificate once in a while?
>
> I think it's probably just easier to drop the resumption completely.
>
> > This two-lifetime thing is actually already what we implement in
> BoringSSL. 😊
>
> Fantastic. Would it help to have an extension to set a lower bound on this
> value, or just make it more painful?
>

(Did you mean upper bound?)

I'd actually interpreted the RFC 8446 text to imply a 7 day upper bound on
the renewability, but apparently that's not how others read it! I don't
care strongly either way about an extension to set a renewal bound, I
think. A client is always free to tighten ticket lifetime policies
unilaterally. We don't need an extension to advertise its policies unless
we want to allow server to change their behavior in response. In the other
direction, if we think the server may also have an opinion on renewability
(you mention keyless things), a NewSessionTicket extension would be easy to
support. The client would then use the more restrictive of the server's
preferences and its local policy.

Though, I guess, having not specified it this way from the start, the
server can't be sure the client honors the extension. I don't know what
consequences that has for server-preference scenario.

(For completeness, BoringSSL doesn't allow TLS 1.2 ticket renewals to
extend lifetime at all, only TLS 1.3, and TLS 1.2 lifetimes are capped much
more tightly. Since TLS 1.2 resumption doesn't involve an ECDH operation,
any concerns about a stale online signature are overshadowed by how much
data the client is willing to make vulnerable to a single session secret.
We'd probably do something similar if we implemented TLS 1.3's
plain psk_ke, but we only do psk_dhe_ke.)

David


> Subodh
> ------------------------------
> *From:* David Benjamin <davidben@chromium.org>
> *Sent:* Tuesday, January 29, 2019 1:02 PM
> *To:* Nick Sullivan
> *Cc:* Subodh Iyengar; tls@ietf.org
>
> *Subject:* Re: [TLS] ticket lifetimes
> This two-lifetime thing is actually already what we implement in
> BoringSSL. :-) We track both a lifetime for the ticket (one day) and also
> for the original authentication the ticket roots up to (one week). The
> lifetime of the ticket is bounded by both these values, and the latter is
> not extendable on renew.
>
> On Tue, Jan 29, 2019 at 2:18 PM Nick Sullivan <nick=
> 40cloudflare.com@dmarc.ietf.org> wrote:
>
> Wouldn't this issue also be mitigated by requiring the server to
> re-authenticate during resumption with the certificate once in a while?
>
>
> Existing servers won't do this, so I see this less as a mitigation and
> more as an optimization to plug the one-week-cliff that the fix produces.
> But, yeah, that would be handy. (Probably something like: "re"-auth'd
> identity apply to tickets, PSK applies to connection. Client sends an
> extension to advertise we're nearing the unrenewable bound.)
>
> David
>
>
> Nick
>
> On Tue, Jan 29, 2019 at 11:00 AM Subodh Iyengar <subodh@fb.com> wrote:
>
> > If by "entire TLS session" you mean the resumed (and renewed)
> sessions, then yep!
>
> Ya I think that'd need a new draft either way. Can definitely write that up
> if people don't think it's the worst idea in the world.
>
> Subodh
> ------------------------------
> *From:* Christopher Wood <christopherwood07@gmail.com>
> *Sent:* Monday, January 28, 2019 10:13:36 PM
> *To:* Subodh Iyengar
> *Cc:* tls@ietf.org
> *Subject:* Re: [TLS] ticket lifetimes
>
> On Mon, Jan 28, 2019 at 10:04 PM Subodh Iyengar <subodh@fb.com> wrote:
> >
> > > Since clients already store tickets, could they not also store the
> > time of original ticket issuance and cap the resumption window to N
> > (7) days from that point? That is, it seems clients could implement
> > this behavior without any protocol support.
> >
> > Correct, however the server currently provides a value for this, and
> clients do not enforce a lower bound on this. 7 days is an upper bound.
> > Servers would provide a much lower value than 7 days practically.
> >
> > If I'm understanding your suggestion correctly, you're suggesting that
> clients change the meaning of ticket_lifetime_hint?
> > That is not just limit it to the scope of the ticket but the entire TLS
> session? That would be fine to by me, however might break some folks.
>
> If by "entire TLS session" you mean the resumed (and renewed)
> sessions, then yep!
>
> Best,
> Chris
>
> >
> > Subodh
> > ________________________________
> > From: Christopher Wood <christopherwood07@gmail.com>
> > Sent: Monday, January 28, 2019 9:57 PM
> > To: Subodh Iyengar
> > Cc: tls@ietf.org
> > Subject: Re: [TLS] ticket lifetimes
> >
> > On Mon, Jan 28, 2019 at 9:43 PM Subodh Iyengar <subodh@fb.com> wrote:
> > >
> > > In TLS 1.3 we added a maximum age to the ticket lifetime to be 7 days.
> This had several original motivations including reducing the time that a
> ticket is reused (for privacy or PFS). Another major motivation for this
> was to limit the exposure of servers that use keyless ssl like mechanisms,
> i.e. if they kept a STEK locally, but the keyless SSL server remotely, then
> the theft of a STEK would presumably limit the MITM capabilities to the
> ticket lifetime.
> > >
> > > However thinking about it some more because of the renewal capability
> of tickets in TLS 1.3, an entity owning the STEK could just re-issue new
> tickets forever on a resumed connection. This would look to the client as a
> new ticket and it would refresh its lifetime on the ticket. Thereby a MITM
> could intercept connections to users that have been to the server with the
> STEK. I'm wondering whether it might be useful to define a mechanism to
> limit the lifetime of all ticket resumption across all resumptions from the
> original connection instead of just the limited per ticket lifetime.
> >
> > Since clients already store tickets, could they not also store the
> > time of original ticket issuance and cap the resumption window to N
> > (7) days from that point? That is, it seems clients could implement
> > this behavior without any protocol support.
> >
> > Best,
> > Chris
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=AeHpkYXwQtF4DjfqdHNluOLIcTHODTihn7i4WBzucjA&s=B4zL6Emv0jyhAsuJyBnxMzO8l1w7SDu5OpB4m8jarMk&e=>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>
> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=AeHpkYXwQtF4DjfqdHNluOLIcTHODTihn7i4WBzucjA&s=B4zL6Emv0jyhAsuJyBnxMzO8l1w7SDu5OpB4m8jarMk&e=>
>
>

v2.23.0 | Report a Bug | By Email