Re: [TLS] PR #493: Multiple concurrent tickets

Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr> Mon, 06 June 2016 09:53 UTC

Return-Path: <antoine@delignat-lavaud.fr>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2667312B013 for <tls@ietfa.amsl.com>; Mon, 6 Jun 2016 02:53:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=delignat-lavaud.fr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id johRaMe0arxb for <tls@ietfa.amsl.com>; Mon, 6 Jun 2016 02:53:34 -0700 (PDT)
Received: from argon.maxg.info (argon.maxg.info [IPv6:2001:41d0:2:7f22::1]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 201D312B068 for <tls@ietf.org>; Mon, 6 Jun 2016 02:53:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=delignat-lavaud.fr; s=dkim; h=Message-ID:References:In-Reply-To:Subject:Cc:To:From:Date:Content-Transfer-Encoding:Content-Type:MIME-Version; bh=w/X6brV1rrADGteFC3TVyPcd/RxTHXcQImwMznU9i1A=; b=cpNv+0RLJg7CK8OjquI+FtF9R3qQQs3sBq9u+aCzoUzfvOYGlPziWO+TbXUEMw2Oz/v2kaNraISYMmPK9Nr2uLV5bftkYRjeUEt1Wfj9BbZT9u1U8ixCc63hC0SZNhN+el863pHzIvoIVU2hl/rP/8srXDIZYc9vxC7r8+UQraCS3ZBpr4FBQjfK6AMtZnnUvt+5ypF9Qg6k5OTS9PxZtjVdJCDXhTWwY/NCCpp25192sFF0fhjW/RQEYRiU9uiuG9/ajFDU5sEQml32ImriwDQFCBYAwxxtHN9tRd+W3wTdKpiDYho/a7EOjT3VYST3SMkTTfWoE5MQXM7EOUVieg==;
Received: from localhost (authenticated.user.IP.removed [::1]) by argon.maxg.info with esmtpa (envelope-from <antoine@delignat-lavaud.fr>) id 1b9rDv-0007X5-GB ; Mon, 06 Jun 2016 11:53:31 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Date: Mon, 06 Jun 2016 10:53:30 +0100
From: Antoine Delignat-Lavaud <antoine@delignat-lavaud.fr>
To: Eric Rescorla <ekr@rtfm.com>
Organization: Microsoft Research
In-Reply-To: <CABcZeBMo9U7_wZeXpEosPFa4KiC4eq3LGOvDtSAy5NNz7jc0dQ@mail.gmail.com>
References: <CABcZeBMo9U7_wZeXpEosPFa4KiC4eq3LGOvDtSAy5NNz7jc0dQ@mail.gmail.com>
Message-ID: <76cae24df17eb7fc89a9cc1a4b2f341d@maxg.info>
X-Sender: antoine@delignat-lavaud.fr
User-Agent: Roundcube Webmail/1.0.2
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LR0K-Q8HHaejwpIxwuDbpeBUO7g>
Cc: tls@ietf.org
Subject: Re: [TLS] PR #493: Multiple concurrent tickets
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jun 2016 09:53:36 -0000

Hi,

Le 2016-06-04 16:51, Eric Rescorla a écrit :
> I wanted to call out to cryptographers/analysts that this formalizes
> the existing practice (going back to RFC 5077) of having multiple
> ticket values tied to the same basic secret (though less so with 1.3
> because tickets issued on connection N+1 don't have the same RMS as
> those on connection N). If there is a problem with this, that would be
> good to know.

Looking at the pull request, I don't think it will have much impact on 
the protocol analysis given that it doesn't introduce any adversarial 
capability that wasn't already present before. If anything, your change 
may enable a proof of session unlinkability for well-behaved clients 
connecting to honest servers, under a number of restrictions.

My main complain about the current specification is that it doesn't 
clearly state that the specified restriction mechanisms for ticket 
lifetime and usage only partially bound the forward secrecy loss of PSK; 
implementations themselves must independently keep track of the lifetime 
of any given PSK in addition to managing the lifetime of tickets and 
ticket encryption keys by servers.
For instance, if a server keeps re-issuing allow_psk_resumption tickets 
based on the same PSK it is up to the client to expire the session at 
some point even if still has valid ticket(s). Similarly, if servers do 
not store PSK lifetime information inside tickets it may end up using an 
ancient PSK although the ticket may have been encrypted under a recent 
ticket key.

Best,

Antoine