IETF Logo Mail Archive

Re: [TLS] #445: Enhanced New Session Ticket

Martin Thomson <martin.thomson@gmail.com> Fri, 29 April 2016 06:52 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4229212D547 for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 23:52:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Y4sRhDDpoj5d for <tls@ietfa.amsl.com>; Thu, 28 Apr 2016 23:52:08 -0700 (PDT)
Received: from mail-ig0-x22b.google.com (mail-ig0-x22b.google.com [IPv6:2607:f8b0:4001:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C239212D535 for <tls@ietf.org>; Thu, 28 Apr 2016 23:52:08 -0700 (PDT)
Received: by mail-ig0-x22b.google.com with SMTP id u10so14073548igr.1 for <tls@ietf.org>; Thu, 28 Apr 2016 23:52:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc; bh=a4NKjlZ+7F9ZQep4mbjiqRDMkCK1NiGoOU9+N/zcYJ4=; b=RQJtKLgp6sbIpaiW7drXssd4HYac7v7QJ2hm1RGZNq2nnzkW29yMOIrYuSG1EldZlm xuQ6r3jYKvPqwG2IqzUKjPE3w+q0/JRJDrGW0YeV8tXEGthIApvGLjbUbCTWYPuQxDd7 4DmMDQd9VHjuUe4MwFqwHWIlkJWUHr5UgoQI8I2LKF8IL8/q1b4DIuZH7knZQWBR6yOv bWQQIEmVrTI4PHuLt71gDe6e6JezV+GONmG/sP/xkQpUbN4bTBv3B4GWUk+0cYYV5T/2 FbvkiLbEGjEBDhtG/gnjjIqLFl2FvVolIzoAPkUINtXlhMS27zQOw239OYC64Q6fSULx usLQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc; bh=a4NKjlZ+7F9ZQep4mbjiqRDMkCK1NiGoOU9+N/zcYJ4=; b=IpI9audPh7I+O5FzT2hn93lhXravaQYuksRYi+0Q8xZlVJ0g0Z3JJBV1x1I5IFuBza UtfOFmIYXLPdQtxxNcluAT53unCRrYxk+aWEZDfPMLDHULyBJ7cIhuMDSiUTL0NmVmBY 8YENLKEQ2TcRl1jI0lp8TtMY3TYkdIoDtddqN46k8LlsvGzORxZrg7gumyd3NdH15/lE U7WmBFpZSg2+VfGW7zq5SX8tezq+cA7breV+xkjO5q79hFad52guRN1V6l6qwm2H47cm saoTovxqnyhHeGi1p8yEwhRnez8h/rBOd8HTDT+w24GD/hDhLV0mnQiE8jdVV0MDj9ZE Cfkw==
X-Gm-Message-State: AOPr4FVxv56XgEaFwJwts1nMswljxfgNcEmegQ5wzM8h4eUHhY7czPRuCRjrumt7/BWclc/IE8XYmKuHwSqKiA==
MIME-Version: 1.0
X-Received: by 10.50.111.15 with SMTP id ie15mr2554903igb.94.1461912728178; Thu, 28 Apr 2016 23:52:08 -0700 (PDT)
Received: by 10.36.43.82 with HTTP; Thu, 28 Apr 2016 23:52:08 -0700 (PDT)
In-Reply-To: <20160429055831.GA16405@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com> <20160428214046.GB16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBMFg4iC-EN9DocqTpmjp46EYrTBdfi-G5nNMKN_xiHxVA@mail.gmail.com> <20160429055831.GA16405@LK-Perkele-V2.elisa-laajakaista.fi>
Date: Fri, 29 Apr 2016 16:52:08 +1000
Message-ID: <CABkgnnUFn_UrUFro-yLmn9wf7YkTpRf8anm7LK-bKgYBBkUVNg@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/6ZPp90tbX8nFYhIR6Qz6ELLzX7U>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2016 06:52:10 -0000

On 29 April 2016 at 15:58, Ilari Liusvaara <ilariliusvaara@welho.com> wrote:
>> [HRR state]
>
> That enlarges the state that needs to be kept. If one keeps extensions,
> one only needs ~40 bytes. Whereas saving full hash state needs IIRC 114
> bytes (SHA-256) or 228 bytes (SHA-384). And cookies are max. 255 bytes.

Cookies are as yet undefined, but I would imagine that these would be
just the same size as the pre-shared-key identity for all the same
reasons.

> And not many hash implementations support dumping and reloading state.

What would you prefer?  We could specify some very strict rules about
what changes a client can make to their ClientHello so that the server
can simply store things that might change (like the early_data
extension, which will disappear on the second attempt, and whether a
key share was needed, and so forth).

>> [client auth]
>
> The problem being that
> client and server end up being confused about authority the data is sent
> as, resulting exploitable security issues (avoiding this in HTTP/2 takes
> application-layer coordination).

The confused deputy problem, yes.  That's a "feature" that we have to
retain, so I don't see much point bellyaching over it.  That said, we
can (and are) improving things in HTTP/2.


>> [extension checking on resumption]
>
> So the 'etc' stands for "whatever will be defined by future extensions"?
> One might want to make that clearer.
>
> Also, things get screwy with SNI, and I think it is better not to try to
> use SNI with PSK.

The primary function of SNI is routing.  Remove it and stuff breaks.
Thus, I would say include it, but make sure it doesn't result in a
change in configuration.  The simplest thing to do is reject PSK if
the old SNI != the new SNI.

> The rest besides ALPN and SNI looks to me those are either meaningless
> or should be taken anew.

That is probably true for a lot of them.  But we can't say that for
certain.  For instance, when we defined EMS, which is irrelevant here,
it was important that it be present when resuming or bad things
happened.  I'm not suggesting that exact thing will happen again, but
we can't presume that we won't need this.

> I mean for the subsequent handshake. Since 0-RTT ALPN and connection
> ALPN needs to match, either:
>
> 1) Take the 0-RTT ALPN implicitly as connection ALPN.
> 2) Signal the same ALPN again, and have that client MUST check it matches
>    and abort otherwise.

I believe that we have to do the latter.  Since we can't be sure that
the server knows the ALPN from before if it has to reject 0-RTT.  My
plan for this is:

1. store ALPN in the ticket/session
2. if doing 0-RTT, before accepting 0-RTT data, perform the normal
ALPN negotiation
3. check the negotiated ALPN with the stored value, and if they don't
match reject the 0-RTT data

Note that this means that clients will have to deal with having to
change protocols when 0-RTT data is rejected.  But I don't see any
other way to do this.

This also assumes that TLS session resumption is not carrying over
application state in addition to TLS state.  I believe that is
reasonable, though it's worth stating.

v2.23.0 | Report a Bug | By Email