Re: [TLS] PR #493: Multiple concurrent tickets
Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Mon, 06 June 2016 09:53 UTC
Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2667312B013 for <tls@ietfa.amsl.com>; Mon, 6 Jun 2016 02:53:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=delignat-lavaud.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id johRaMe0arxb for <tls@ietfa.amsl.com>; Mon, 6 Jun 2016 02:53:34 -0700 (PDT)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 201D312B068 for <tls@ietf.org>; Mon, 6 Jun 2016 02:53:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Message-ID:References:In-Reply-To:Subject:Cc:To:From:Date:Content-Transfer-Encoding:Content-Type:MIME-Version; bh=w/X6brV1rrADGteFC3TVyPcd/RxTHXcQImwMznU9i1A=; b=cpNv+0RLJg7CK8OjquI+FtF9R3qQQs3sBq9u+aCzoUzfvOYGlPziWO+TbXUEMw2Oz/v2kaNraISYMmPK9Nr2uLV5bftkYRjeUEt1Wfj9BbZT9u1U8ixCc63hC0SZNhN+el863pHzIvoIVU2hl/rP/8srXDIZYc9vxC7r8+UQraCS3ZBpr4FBQjfK6AMtZnnUvt+5ypF9Qg6k5OTS9PxZtjVdJCDXhTWwY/NCCpp25192sFF0fhjW/RQEYRiU9uiuG9/ajFDU5sEQml32ImriwDQFCBYAwxxtHN9tRd+W3wTdKpiDYho/a7EOjT3VYST3SMkTTfWoE5MQXM7EOUVieg==;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpa (envelope-from <antoine@delignat-lavaud.fr>) id 1b9rDv-0007X5-GB ; Mon, 06 Jun 2016 11:53:31 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Date: Mon, 06 Jun 2016 10:53:30 +0100
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
To: Eric Rescorla <ekr@rtfm.com>
Organization: Microsoft Research
In-Reply-To: <CABcZeBMo9U7_wZeXpEosPFa4KiC4eq3LGOvDtSAy5NNz7jc0dQ@mail.gmail.com>
References: <CABcZeBMo9U7_wZeXpEosPFa4KiC4eq3LGOvDtSAy5NNz7jc0dQ@mail.gmail.com>
Message-ID: <76cae24df17eb7fc89a9cc1a4b2f341d@maxg.info>
X-Sender: antoine@delignat-lavaud.fr
User-Agent: Roundcube Webmail/1.0.2
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LR0K-Q8HHaejwpIxwuDbpeBUO7g>
Cc: tls@ietf.org
Subject: Re: [TLS] PR #493: Multiple concurrent tickets
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jun 2016 09:53:36 -0000
Hi, Le 2016-06-04 16:51, Eric Rescorla a écrit : > I wanted to call out to cryptographers/analysts that this formalizes > the existing practice (going back to RFC 5077) of having multiple > ticket values tied to the same basic secret (though less so with 1.3 > because tickets issued on connection N+1 don't have the same RMS as > those on connection N). If there is a problem with this, that would be > good to know. Looking at the pull request, I don't think it will have much impact on the protocol analysis given that it doesn't introduce any adversarial capability that wasn't already present before. If anything, your change may enable a proof of session unlinkability for well-behaved clients connecting to honest servers, under a number of restrictions. My main complain about the current specification is that it doesn't clearly state that the specified restriction mechanisms for ticket lifetime and usage only partially bound the forward secrecy loss of PSK; implementations themselves must independently keep track of the lifetime of any given PSK in addition to managing the lifetime of tickets and ticket encryption keys by servers. For instance, if a server keeps re-issuing allow_psk_resumption tickets based on the same PSK it is up to the client to expire the session at some point even if still has valid ticket(s). Similarly, if servers do not store PSK lifetime information inside tickets it may end up using an ancient PSK although the ticket may have been encrypted under a recent ticket key. Best, Antoine
- [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Yaron Sheffer
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets David Benjamin
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Jim Schaad
- Re: [TLS] PR #493: Multiple concurrent tickets David Benjamin
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Kyle Rose
- Re: [TLS] PR #493: Multiple concurrent tickets Eric Rescorla
- Re: [TLS] PR #493: Multiple concurrent tickets Kyle Rose
- Re: [TLS] PR #493: Multiple concurrent tickets Antoine Delignat-Lavaud
- Re: [TLS] PR #493: Multiple concurrent tickets Felix Günther