IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Richard Fussenegger <richard@fussenegger.info> Thu, 23 October 2014 18:56 UTC

Return-Path: <richard@fussenegger.info>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56C441A1A13 for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 11:56:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cP6-DpCwrLea for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 11:55:58 -0700 (PDT)
Received: from mx204.easyname.com (mx204.easyname.com [212.232.28.125]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71E921A0AF8 for <tls@ietf.org>; Thu, 23 Oct 2014 11:55:58 -0700 (PDT)
Received: from 89-26-76-175.goll.dyn.salzburg-online.at ([89.26.76.175] helo=[192.168.0.11]) by mx.easyname.eu with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <richard@fussenegger.info>) id 1XhNYA-0001wo-Og for tls@ietf.org; Thu, 23 Oct 2014 20:55:57 +0200
Message-ID: <54494F20.7060002@fussenegger.info>
Date: Thu, 23 Oct 2014 20:55:28 +0200
From: Richard Fussenegger <richard@fussenegger.info>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <54483C33.4000702@polarssl.org> <11886639.VyNDkQ3oKj@pintsize.usersys.redhat.com> <54493904.7010807@fussenegger.info> <20141023174537.GW19158@mournblade.imrryr.org> <5449463D.7080904@fussenegger.info> <20141023183637.GX19158@mournblade.imrryr.org>
In-Reply-To: <20141023183637.GX19158@mournblade.imrryr.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms040806080800050906090402"
X-ACL-Warn: X-DNSBL-v4bl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/BPp3T7bRjQz-LfdMPP-YyCyPcfY
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 18:56:01 -0000

On 10/23/2014 8:36 PM, Viktor Dukhovni wrote:
> The iv should not be part of the persistent key set.  It is a new
> random value for each client, returned to the server as part of
> the ticket.  The key set is just (name, key, mac).  The in memory
> version in Postfix also holds a timeout:
>
>      typedef struct TLS_TICKET_KEY {
> 	unsigned char name[TLS_TICKET_NAMELEN];
> 	unsigned char bits[TLS_TICKET_KEYLEN];
> 	unsigned char hmac[TLS_TICKET_MACLEN];
> 	time_t  tout;
>      } TLS_TICKET_KEY;

I didn't implement it but nginx requires 48 B otherwise it's not working 
and that's definitely more than only key and mac. Maybe the complete 
thing is broken in nginx then? [1]

> I think you mean "key sets" not "tickets", and still I have no idea
> what the above is talking about.  There is no "hard limit".  One
> can use 24 keysets each good for encryption for 1 hour and decryption
> for 23 after that.  It just means more data to shuffle in memory.
> I used 2 key sets because it was simpler.

Absolutely, I meant 'key sets' not tickets. Well, I proposed that three 
key sets could become a hard limit and was referring to that proposition 
[2] because: [3]

> otherwise there's a hole in the RFC that allows people to keep keys 
> until their storage runs out

You may swap 'storage' with 'RAM' in that sentence, doesn't matter.

Richard

[1] 
https://github.com/nginx/nginx/blob/bb8c0683da773566e09797ef8a4ee00ad1e0f956/src/event/ngx_event_openssl.c#L2628-L2739
[2] http://www.ietf.org/mail-archive/web/tls/current/msg14168.html
[3] http://www.ietf.org/mail-archive/web/tls/current/msg14188.html

v2.23.0 | Report a Bug | By Email