Re: [TLS] Resuming a session as part of a renegotiation.

Alfredo Pironti <alfredo.pironti@inria.fr> Thu, 19 September 2013 19:07 UTC

Return-Path: <alfredo@pironti.eu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E133021F943C for <tls@ietfa.amsl.com>; Thu, 19 Sep 2013 12:07:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.479
X-Spam-Level:
X-Spam-Status: No, score=0.479 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, RCVD_IN_PBL=0.905, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qv4PO5ECJ85p for <tls@ietfa.amsl.com>; Thu, 19 Sep 2013 12:07:17 -0700 (PDT)
Received: from mail-qa0-x230.google.com (mail-qa0-x230.google.com [IPv6:2607:f8b0:400d:c00::230]) by ietfa.amsl.com (Postfix) with ESMTP id AB70021F9433 for <tls@ietf.org>; Thu, 19 Sep 2013 12:07:16 -0700 (PDT)
Received: by mail-qa0-f48.google.com with SMTP id hu16so3909111qab.0 for <tls@ietf.org>; Thu, 19 Sep 2013 12:07:15 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pironti.eu; s=google; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type:content-transfer-encoding; bh=3VJYH6gVwlC28jzVO+pyu9PyIr+JY1TLwSS6s26bhg8=; b=Wy7CRYJ0Wsf3xsnetucr28kZ3drAXYMVp/VnIwPS36e18zXgNdfzz+C74V+r+0hJla FoFGXbeExXHwRRy5NlhVXI5fpqbxhp71Z667Xj29zleJ6z+HnGay2DSy7hQIC/vENK8K WcMvCTk41iTTRGOcFSOd5ZlpEl3ejGOdLhx4M=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:sender:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=3VJYH6gVwlC28jzVO+pyu9PyIr+JY1TLwSS6s26bhg8=; b=VlZ7KJ4ApAJ+DVHbo1MCo3wN41cOunWIHq+g91HhQUm9cN/wbNhPdeSYCsSSXx3hWQ GsvFbpbDY5F57bSOcmCgAwKcNBjiss6xpS89UHEDrV6ab7Ou1r4Y7dVZeCNMlmNEnYOl CoNJq80Q8D3BC4PK+BCHcIFc4DGKk+hvMAI8sfGN5jCPmocfAgCVt8CwvYPmavSiGcZE Fsz56qz/tWo7TnI3xixksbX0cG96ipkqdMIcUk5lP33w5MfCyj3a8MImOjOjJMoKfq4f gVB6onoEdWSFHkttb09wgkQSC0Ti8D728Q9p0h+pcbt7LQpmWzByha7VBS6duCsU/1jv LxqQ==
X-Gm-Message-State: ALoCoQlZcC5sI6hVVtx7pOVH10KLlKN3OB1EMnY4a+e9KHQjMpOdbKH74Q4ywQE3I1kKAmYDn8M0
MIME-Version: 1.0
X-Received: by 10.224.92.81 with SMTP id q17mr302019qam.92.1379617635611; Thu, 19 Sep 2013 12:07:15 -0700 (PDT)
Sender: alfredo@pironti.eu
Received: by 10.49.108.103 with HTTP; Thu, 19 Sep 2013 12:07:15 -0700 (PDT)
X-Originating-IP: [82.224.193.99]
In-Reply-To: <582A57A2-C452-463D-8B79-6CF6E3804732@checkpoint.com>
References: <CANOyrg99G7YULLbC4MgjXNDLqb5AXQXvqSQDqBm095BqBDNRBA@mail.gmail.com> <523B2EDF.7010501@pobox.com> <CANOyrg_GVPtsd-LyrT78QDfwFFyoWzJpf_1D6xkVPOJY0oSd0w@mail.gmail.com> <582A57A2-C452-463D-8B79-6CF6E3804732@checkpoint.com>
Date: Thu, 19 Sep 2013 21:07:15 +0200
X-Google-Sender-Auth: huzr4xZq6DuNUdsrply1VtnhTR4
Message-ID: <CALR0uiLOWk5LGk1EKC-A_t_-=1uHcoskby1bTkwhJ1Xy1TjaZQ@mail.gmail.com>
From: Alfredo Pironti <alfredo.pironti@inria.fr>
To: Yoav Nir <ynir@checkpoint.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Resuming a session as part of a renegotiation.
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2013 19:07:33 -0000

I'd say that, over an existing connection, you'd mostly run an
abbreviated handshake resuming the current session to refresh keys.
You could also use it to reset sequence numbers, in case they're soon
going to overflow. I know no implementation doing that; all of them
seem to happily let the sequence number overflow, assuming the
connection will be tear down way sooner this happens (which is
probably true in most scenarios).

According to the spec, you could even run an abbreviated handshake
resuming a different connection form the current one. In a scenario
which I discourage (because it's asking for trouble confusing the
application), you could have a pool of established TLS sessions, each
using a different identity, and "swap" between them with abbreviated
re-handshakes over the same connection. Again, I'd take this as a
non-forbidden behavior, rather than a largely useful one.

On Thu, Sep 19, 2013 at 8:50 PM, Yoav Nir <ynir@checkpoint.com> wrote:
>
> On Sep 19, 2013, at 9:29 PM, Fabrice Gautier <fabrice.gautier@gmail.com> wrote:
>>> One possible use case: if you negotiated a block cipher with a
>>> small internal state and are sending large quantities of data,
>>> security might be improved by periodically renegotiating.
>>
>> Thats only benefit a full handshake renegotiation.
>>
>> The way I understand it, renegotiation allows you to have several
>> session in the same connection, and session resumption allows you to
>> have the same session across multiple connections.
>
> Renegotiation just means doing the handshake again. The end result is new keys. So if you believe that 3DES keys should not be used for more than 0.5GB of data, just doing a renegotiation gives you fresh keys (because they are mixed with the new nonces). If you resume the session, you don't get new client and/or server identities, you don't get re-authentication, and you don't get a new master key, so someone who has managed to get your old master key can figure out both your old and new encryption keys. But if the only reason you're renegotiating is that you need fresh keys, that's good enough.
>
> So renegotiation+resumption gives you the same session, but new keys. Sort of like "phase II" in IKE.
>
> Yoav
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls