IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Hubert Kario <hkario@redhat.com> Fri, 24 October 2014 17:18 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E40081A1B3C for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 10:18:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.912
X-Spam-Level:
X-Spam-Status: No, score=-6.912 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n5FTJTSa1tJN for <tls@ietfa.amsl.com>; Fri, 24 Oct 2014 10:18:14 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82FE91A87C6 for <tls@ietf.org>; Fri, 24 Oct 2014 10:18:14 -0700 (PDT)
Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9OHHwUq029707 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Fri, 24 Oct 2014 13:17:58 -0400
Received: from pintsize.usersys.redhat.com (dhcp-0-150.brq.redhat.com [10.34.0.150]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9OHHumg019700 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO); Fri, 24 Oct 2014 13:17:58 -0400
From: Hubert Kario <hkario@redhat.com>
To: Joseph Salowey <joe@salowey.net>
Date: Fri, 24 Oct 2014 19:17:56 +0200
Message-ID: <7731083.j7JnX2pS4Y@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.1 (Linux/3.16.6-200.fc20.x86_64; KDE/4.14.1; x86_64; ; )
In-Reply-To: <CAOgPGoCfVyDL=Bz--=TWCGLJnizxH2C34JQ+GieZsnddttUaVg@mail.gmail.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <1730049.IgUL0REWQP@pintsize.usersys.redhat.com> <CAOgPGoCfVyDL=Bz--=TWCGLJnizxH2C34JQ+GieZsnddttUaVg@mail.gmail.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.24
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/HlD6lgL4v0LZ0hLzkEO31aGU8f8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Oct 2014 17:18:17 -0000

On Friday 24 October 2014 09:58:54 Joseph Salowey wrote:
> On Fri, Oct 24, 2014 at 3:50 AM, Hubert Kario <hkario@redhat.com> wrote:
> > On Thursday 23 October 2014 19:21:08 Richard Fussenegger wrote:
> > > On 10/23/2014 4:03 PM, Hubert Kario wrote:
> > > > While it may negotiate AES-256 (because it wants to interoperate with
> > > > clients that are configured to not to present weaker ciphers), doesn't
> > > > mean that it as a whole is configured to the 256 bit level of
> > > > security. With TLS1.2 it may sign the (EC)DHE parameters using SHA-1,
> > > > it may use RSA key exchange using only 2048 bit keys, it may be just a
> > > > local proxy server that is hard coded to connect using AES-128 with
> > > > the backed servers over open Internet. Yes, server should encrypt the
> > > > tickets with as strong algorithm as its most secure cipher, but there
> > > > are many situations where it's not necessary. "MUST" is certainly not
> > > > applicable.
> > > 
> > > Those are good and valid arguments for a RECOMMENDED regarding session
> > > ticket/token key algorithms or simply dropping one word and uppercasing
> > 
> > > another does the trick (?):
> > yes, I agree.
> > 
> > > https://tools.ietf.org/html/rfc5077#section-5.5
> > > 
> > > >    o  The keys and cryptographic protection algorithms should be at
> > > >    
> > > >       least 128 bits in strength.  Some ciphersuites and applications
> > > > 
> > > > -     may require cryptographic protection greater than 128 bits in
> > > > +     REQUIRE cryptographic protection greater than 128 bits in
> > > > 
> > > >       strength.
> > > 
> > > But the MUST regarding key rotation, key discarding, and key count hard
> > > limits is still appropriate in my opinion because PFS is a MUST in TLS
> > > 1.3 (unless this has changed and I didn't read about it).
> > 
> > Yes, while a large key size is recommended ("SHOULD"), a frequent key
> > rotation
> > (in order of days) is a "MUST" with shorter time scales recommended, given
> > other parts of TLS 1.3.
> 
> [Joe] Personally, I don't think that PFS is a MUST for session resumption.
>   I think an implementation can attempt to provide PFS like behavior, but
> if one is really interested in PFS I think the full handshake is the way to
> go.
> 
> I'm a bit concerned that we're going down the path of trying to mandate a
> particular implementation.  I think we have the following areas under
> discussion:
> 
> 1.  Hard RFC 2119 requirements for things that are verifiable.  For
> example, perhaps you would want to make sure that the client could request
> the server issue a new ticket (the client can actually verify that the
> ticket is different).

We already have ticket lifetime hints and basically nobody sets them higher 
than 48h (>99%), vast majority limit to 24h(>96%)[1]. That's including servers 
that don't use tickets at all! Of servers that do enable tickets, over 70% 
leave them at a 300s default. Nearly half of servers don't enable them at all.

That clearly means that server administrators don't consider renegotiation of 
clients that connect less often than once a day to be a burden on servers...

> 2.  Strong guidelines for the ticket and key management.  RFC 5077 has some
> of these, they can be improved upon.  These would not necessarily be RFC
> 2119 language.

...so if the actual use agrees with theory, nearly no one will be negatively 
impacted if all the frameworks actually started to enforce those limits (not 
that I think this should, let alone will happen). As such, I don't see why we 
shouldn't use the RFC 2119 language.
 
> 3.  Implementation guidance for ticket and key management.  Again RFC 5077
> has some of this, but it can be improved upon.
> 
> I think we should be focusing first on 1 because it is normative and
> affects interop.  2 is also important, but it should not force a particular
> implementation.   3 is useful, but I do not think it should be normative
> and I think it may be difficult to come to consensus on what the guidance
> should be.  A discussion on 3 may help us with 1 and 2, but I think its a
> secondary part of the discussion.

As it was pointed out, proper key management of server is non-verifiable by 
client, it may only be verified by auditing. Definite language there does 
help.

 1 - https://securitypitfalls.wordpress.com/2014/09/29/scan-results-for-september-2014/

-- 
Regards,
Hubert Kario

v2.23.0 | Report a Bug | By Email