IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Hubert Kario <hkario@redhat.com> Thu, 23 October 2014 14:03 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B05CF1A9119 for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 07:03:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.312
X-Spam-Level:
X-Spam-Status: No, score=-6.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_HI=-5, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xdv_ntLb_wJm for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 07:03:20 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DB671A90E7 for <tls@ietf.org>; Thu, 23 Oct 2014 07:03:20 -0700 (PDT)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s9NE3IrC017841 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for <tls@ietf.org>; Thu, 23 Oct 2014 10:03:19 -0400
Received: from pintsize.usersys.redhat.com (dhcp-0-150.brq.redhat.com [10.34.0.150]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s9NE3HnZ032216 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=NO) for <tls@ietf.org>; Thu, 23 Oct 2014 10:03:18 -0400
From: Hubert Kario <hkario@redhat.com>
To: tls@ietf.org
Date: Thu, 23 Oct 2014 16:03:16 +0200
Message-ID: <11886639.VyNDkQ3oKj@pintsize.usersys.redhat.com>
User-Agent: KMail/4.14.1 (Linux/3.16.6-200.fc20.x86_64; KDE/4.14.1; x86_64; ; )
In-Reply-To: <54483C33.4000702@polarssl.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <54483C33.4000702@polarssl.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/QxfsVSTBWwvugDOmOArdjIRvIoI
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 14:03:22 -0000

On Thursday 23 October 2014 01:22:27 Manuel Pégourié-Gonnard wrote:
> On 22/10/2014 20:46, Nico Williams wrote:
> > On Mon, Oct 20, 2014 at 6:58 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> 
wrote:
> >> On Mon, Oct 20, 2014 at 11:39:31PM +0200, Manuel P?gouri?-Gonnard wrote:
> >>> While I'm sympathetic with the goal, I'm afraid that will complicate
> >>> implementations more than necessary. How about requiring to use a key
> >>> length at least a high as the highest supported ciphersuite instead?
> > 
> > This is just as silly.  The server should choose what cipher to use, full
> > stop.
> I'm afraid you didn't understand what I was actually trying to suggest, but
> my sentence was ambiguous: my suggestion was that the server choose what
> cipher to use, by looking at what ciphersuites it is prepared to negotiate,
> and then picking the most secure symetric cipher from this list (or one of
> those with maximal key size).
> 
> Eg, if a server is only going to negotiate 128-bit suites because it thinks
> it's enough and doesn't want to waste cycles on more than that, then
> encrypting the tickets with a 128-bit key is fine. If it is prepared to
> negotiate 256-bit suite with some clients, it should encrypt the tickets
> with a 256-bit key.

While it may negotiate AES-256 (because it wants to interoperate with clients 
that are configured to not to present weaker ciphers), doesn't mean that it as 
a whole is configured to the 256 bit level of security.

With TLS1.2 it may sign the (EC)DHE parameters using SHA-1, it may use RSA key 
exchange using only 2048 bit keys, it may be just a local proxy server that is 
hard coded to connect using AES-128 with the backed servers over open 
Internet.

Yes, server should encrypt the tickets with as strong algorithm as its most 
secure cipher, but there are many situations where it's not necessary. "MUST" 
is certainly not applicable.

-- 
Regards,
Hubert Kario

v2.23.0 | Report a Bug | By Email