Re: [TLS] Unifying tickets and sessions

Richard Fussenegger <richard@fussenegger.info> Thu, 23 October 2014 09:43 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/tls/OdApoEtZ7Pk-Lo-jlUOuDW2BBbA

On 10/23/2014 5:56 AM, Martin Thomson wrote:
> On 22 October 2014 16:10, Richard Fussenegger <richard@fussenegger.info> wrote:
>> MUST
> The only concern here is your insistence on the use of that word,
> particularly in the capitalized form.

Not insisting, you're the first to raise concerns in this regard and we 
should of course discuss that if it's the problem with the proposal.

> ...and RFC 5077 pretty much says that (and more).

Yes, but the result of these recommendations is that implementations are 
always using AES-128-CBC and ignoring any supported ciphers (that's the 
concern here at hand).

> But your requirement remains completely unverifiable and therefore
> unenforceable.

What exactly is unverifiable?

> “[…] the ticket key might be weaker than the cipher used for the 
> connection. For example, OpenSSL uses 128-bit AES keys for this purpose.”
> —Ivan Ristić: “Bulletproof SSL and TLS”, p. 58, online: 
> https://www.feistyduck.com/books/bulletproof-ssl-and-tls/

> “128 bit of security is all you get (at best), regardless of the 
> cipher which has been negociated” [sic!]
> —Florent Daigniere: “TLS “Secrets””, p. 8, online: 
> https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf

> “The encryption of the SessionTicket depends on 128-bit AES with the 
> IV field.”
> —Joey Dreijer and Sean Rijs: “Perfect forward not so secrecy”, p. 6, 
> online: 
> https://os3.nl/_media/2013-2014/courses/ssn/projects/perfect_forward_not_so_secrecy_report.pdf

Richard