Re: [TLS] Unifying tickets and sessions

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 October 2014 20:07 UTC

Date: Thu, 23 Oct 2014 20:07:02 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141023200702.GZ19158@mournblade.imrryr.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <54483C33.4000702@polarssl.org> <11886639.VyNDkQ3oKj@pintsize.usersys.redhat.com> <54493904.7010807@fussenegger.info> <20141023174537.GW19158@mournblade.imrryr.org> <5449463D.7080904@fussenegger.info> <20141023183637.GX19158@mournblade.imrryr.org> <54494F20.7060002@fussenegger.info>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <54494F20.7060002@fussenegger.info>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/F2DzTe8Hi2qBt2ZpI0q2H8h4LIw
Subject: Re: [TLS] Unifying tickets and sessions
Precedence: list
Reply-To: tls@ietf.org

On Thu, Oct 23, 2014 at 08:55:28PM +0200, Richard Fussenegger wrote:

> On 10/23/2014 8:36 PM, Viktor Dukhovni wrote:
> >The iv should not be part of the persistent key set.  It is a new
> >random value for each client, returned to the server as part of
> >the ticket.  The key set is just (name, key, mac).  The in memory
> >version in Postfix also holds a timeout:
> >
> >     typedef struct TLS_TICKET_KEY {
> >	unsigned char name[TLS_TICKET_NAMELEN];
> >	unsigned char bits[TLS_TICKET_KEYLEN];
> >	unsigned char hmac[TLS_TICKET_MACLEN];
> >	time_t  tout;
> >     } TLS_TICKET_KEY;
> 
> I didn't implement it but nginx requires 48 B otherwise it's not working and
> that's definitely more than only key and mac. Maybe the complete thing is
> broken in nginx then? [1]

The reason nginx has 48 bytes is that it stores a 16 byte name,
followed by a 16-byte (AES-128) key and a 16-byte HMAC secret.

Postfix uses 16 + 32 + 32 = 80, because the key is for AES-256 and
the HMAC key for SHA2-256 is also chosen to be 256 bits.

The nginx implementation can be "strengthened" from AES-128 to
AES-256 just in case someone wants to burn a few million years of
a 4GW power plant to brute force a session ticket on a classical
computer, or future quantum computers can search a 2^128 key space
in 2^64 time.

-- 
	Viktor.

[TLS] Unifying tickets and sessions Salz, Rich
Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Brian Smith
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Martin Thomson
Re: [TLS] Unifying tickets and sessions Brian Smith
Re: [TLS] Unifying tickets and sessions Salz, Rich
Re: [TLS] Unifying tickets and sessions Salz, Rich
Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
Re: [TLS] Unifying tickets and sessions Martin Thomson
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions David Leon Gil
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions David Leon Gil
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Ryan Carboni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Ryan Carboni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Salz, Rich
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Martin Thomson
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Aaron Zauner
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions Aaron Zauner
Re: [TLS] Unifying tickets and sessions Douglas Stebila
Re: [TLS] Unifying tickets and sessions Blumenthal, Uri - 0558 - MITLL
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Stephen Checkoway
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
Re: [TLS] Unifying tickets and sessions Richard Fussenegger
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions Joseph Salowey
Re: [TLS] Unifying tickets and sessions Hubert Kario
Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
Re: [TLS] Unifying tickets and sessions Nico Williams
Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
Re: [TLS] Unifying tickets and sessions David Leon Gil