IETF Logo Mail Archive

Re: [TLS] Cookie reuse subsequent connections

Jānis Čoders <janis.coders@gmail.com> Mon, 30 October 2017 09:51 UTC

Return-Path: <janis.coders@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E9CB13B133 for <tls@ietfa.amsl.com>; Mon, 30 Oct 2017 02:51:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JjjV1AG3xMJv for <tls@ietfa.amsl.com>; Mon, 30 Oct 2017 02:51:57 -0700 (PDT)
Received: from mail-oi0-x22c.google.com (mail-oi0-x22c.google.com [IPv6:2607:f8b0:4003:c06::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AAE3E13F85D for <tls@ietf.org>; Mon, 30 Oct 2017 02:51:57 -0700 (PDT)
Received: by mail-oi0-x22c.google.com with SMTP id m198so20941598oig.5 for <tls@ietf.org>; Mon, 30 Oct 2017 02:51:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=H7OMxUEwa0kV2fzPC2od5oMAYN7970zvk2G/QfB6H5Y=; b=dHNArVrAe2ZsHUIe+f2OUqtiPdbmBzQXLMHlMid5lrhad//VDw4zzCxs5dZydQjU/U 0B9DXPIaUNbUnLErBsrB33EQ7NuDZnGGTQ4M5K2+Ax8jK3hIW18Uk+TTwXAI07oj97rj f6+eUvKw4wTrCRN2vL1xfT1y2u2yPQpUgSwSpu7ra5JL73+0oCfMCs5CfRXFl8dPa1wI tfQ/zUzKdEG/7B8r1YodID9xdO6s7H6s+Rew6wnFvFsQme+5eTiSdSFwU4Dr6Qr+QTeD XJFBI/iZVebLoQ++gRPrUW9URzOrtElL7e3bwtRtU9QlxOTOJhkiCF/MFJR2kDBUdzhO 3rTg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=H7OMxUEwa0kV2fzPC2od5oMAYN7970zvk2G/QfB6H5Y=; b=o4sKjRbRsQZTMKOQa8HzJ29Nmy35Oiq+ee0mI+F0PzkBJJ5r19icYOVEBxnBNavvNR jm30kEpOKSvGd11aPRF81uTkFiAfvPfEDt+jvJ5VANjWzDntshRHOdPeZ/ocakAUSGSr ZnpTqmDPzsalLrz4JhLgUe6okL666IaHmF63xmtYin044f4uYn+lwN4dD9YaKickVBF9 hXftujj+IAlBx8f8UhMhdtDyPDSRobW1l+C9x870q5bxW3RhEv3g/sRcusWKZPyXktqM JlYs1P6TM0x2t6QwW2PpdvdRMj5WQex4hGs+ZBt8d3aej2ay/7Z2daY6KmjBs3oHYJIc Sd4g==
X-Gm-Message-State: AMCzsaU4T24m6pJghKckP9LzkdeQIJrlx8JJWgrfj+6Az0Ihueich90A AU5jAJxBa66CrmDcdzQFtvI+hExl8SnR/tvvA+g=
X-Google-Smtp-Source: ABhQp+Q6XsD8dv0XG88VkXLwDyQEgD0J9+JjUMx9QH1YX5yELLSyxPb1zUPkUbqFx05IN2C/4SjP27K2R47q1ss2rT4=
X-Received: by 10.157.41.206 with SMTP id g14mr4534628otd.42.1509357116956; Mon, 30 Oct 2017 02:51:56 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.74.88.141 with HTTP; Mon, 30 Oct 2017 02:51:56 -0700 (PDT)
In-Reply-To: <CABkgnnWPGomdhb8+t1P5jhR5XV+4CKFRRHHExZ=FcHPieM-WkA@mail.gmail.com>
References: <CA+tEvRTBGj0JwQVh66DiFQhrYXdV2h0zOTzAE5MS-yykHe3dLw@mail.gmail.com> <CABkgnnWPGomdhb8+t1P5jhR5XV+4CKFRRHHExZ=FcHPieM-WkA@mail.gmail.com>
From: Jānis Čoders <janis.coders@gmail.com>
Date: Mon, 30 Oct 2017 11:51:56 +0200
Message-ID: <CA+tEvRQovU=4NHwbm17Wubo1My5vdbH5hG-jjVMCZWPDUMEp7Q@mail.gmail.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/P-2hQO5uAZEi5q-TdIHfaVWjNPY>
Subject: Re: [TLS] Cookie reuse subsequent connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2017 09:51:59 -0000

Thank you. Ok, I understand that some servers could not allow reuse of
cookie, but why is it FORBIDDEN by standard? It could be suggested to
not reuse in general cases, but if I wanted to use TLS 1.3 with my
custom server, which uses cookies to only prevent spoofing attacks (in
UDP (DTLS) case). And clients know that they can reuse previous
cookies for fast handshake, then why would it be prohibited?

On 30 October 2017 at 11:31, Martin Thomson <martin.thomson@gmail.com> wrote:
> What is most likely to happen is that the cookie will be invalid and
> the connection will be rejected.
>
> Many TLS servers assume that presence of a cookie means that they
> previously sent a HelloRetryRequest on that connection.  For instance,
> NSS packs a hash of the original ClientHello into the cookie so that
> it can restore the handshake transcript.  Reusing the cookie will just
> lead to the server restoring the handshake transcript from the wrong
> handshake.  And that's even assuming that it accepts the cookie in the
> first place.
>
> On Mon, Oct 30, 2017 at 6:07 PM, Jānis Čoders <janis.coders@gmail.com> wrote:
>> Hi, is there ANY security issue with reusing Cookie from previous TLS
>> connection? In current draft there is text: "Clients MUST NOT use
>> cookies in their initial ClientHello in subsequent connections." I
>> can't think of any security implication, but can think of situations
>> where it could be useful.
>>
>> --
>> Ar cieņu,
>> Jānis Čoders
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls



-- 
Ar cieņu,
Jānis Čoders

v2.23.0 | Report a Bug | By Email