RE: [TLS] Question on Stateless TLS Session Resumption
"Narayanan, Vidya" <vidyan@qualcomm.com> Wed, 17 January 2007 03:52 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H71qL-0007v1-61; Tue, 16 Jan 2007 22:52:09 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H71qJ-0007uY-SZ for tls@ietf.org; Tue, 16 Jan 2007 22:52:07 -0500
Received: from numenor.qualcomm.com ([129.46.51.58]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H71qI-0006Kw-GX for tls@ietf.org; Tue, 16 Jan 2007 22:52:07 -0500
Received: from hamtaro.qualcomm.com (hamtaro.qualcomm.com [129.46.61.157]) by numenor.qualcomm.com (8.13.6/8.12.5/1.0) with ESMTP id l0H3q4vt029847 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Tue, 16 Jan 2007 19:52:05 -0800
Received: from sanexcas01.na.qualcomm.com (sanexcas01.qualcomm.com [172.30.36.175]) by hamtaro.qualcomm.com (8.13.6/8.13.6/1.0) with ESMTP id l0H3q3vB013489; Tue, 16 Jan 2007 19:52:04 -0800 (PST)
Received: from NAEX13.na.qualcomm.com ([129.46.51.248]) by sanexcas01.na.qualcomm.com with Microsoft SMTPSVC(6.0.3790.1830); Tue, 16 Jan 2007 19:52:03 -0800
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [TLS] Question on Stateless TLS Session Resumption
Date: Tue, 16 Jan 2007 19:52:02 -0800
Message-ID: <C24CB51D5AA800449982D9BCB90325133C9C62@NAEX13.na.qualcomm.com>
In-Reply-To: <86irfafo3j.fsf@raman.networkresonance.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [TLS] Question on Stateless TLS Session Resumption
Thread-Index: Acc3cv+1lLV9zb0ZSx2+3guP6EZJ7ACc8u2A
From: "Narayanan, Vidya" <vidyan@qualcomm.com>
To: EKR <ekr@networkresonance.com>, "Dondeti, Lakshminath" <ldondeti@qualcomm.com>
X-OriginalArrivalTime: 17 Jan 2007 03:52:03.0617 (UTC) FILETIME=[D96B5910:01C739EA]
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c1c65599517f9ac32519d043c37c5336
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
> Well, here's what 4507 says: > > > 5.1. Invalidating Sessions > > The TLS specification requires that TLS sessions be > invalidated when > errors occur. [CSSC] discusses the security implications > of this in > detail. In the analysis in this paper, failure to invalidate > sessions does not pose a security risk. This is because the TLS > handshake uses a non-reversible function to derive keys > for a session > so information about one session does not provide an advantage to > attack the master secret or a different session. If a session > invalidation scheme is used, the implementation should verify the > integrity of the ticket before using the contents to invalidate a > session to ensure that an attacker cannot invalidate a chosen > session. > > > [CSSC] is a reference to SBR04, which provides a fairly > detailed analysis of a variety of different ticket revocation schemes. > > -Ekr > I don't believe the above text captures all of what has been discussed in this thread. Let's separate the issues of invalidating sessions and subsequent ticket replays. The above text is referring to the fact that the hash functions used are not reversible and hence, failure to invalidate sessions is not a major problem. That is one aspect. However, as your paper documents, in order to prevent repeated use of invalidated tickets, the server must maintain a "black list" of sessions. The paper refers to this in the context of timing analysis of the master secret, which would involve an attacker different from the client. This also seems true when the client has been revoked priveleges, for instance - if the server invalidated a session because the client must no longer be allowed to access it, the client may continue to replay an unexpired ticket (essentially, the client becomes the attacker here) and without a black list on the server, it is impossible to keep track of that. That does not seem to be captured in the RFC. I think it would have been useful to explicitly state the need for some minimal state at the server in order to thwart these attacks. Vidya _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Question on Stateless TLS Session Resumption Narayanan, Vidya
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] Re: when is it ok to resume a cached SSL/TL… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Kyle Hamilton
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- RE: [TLS] Question on Stateless TLS Session Resum… Narayanan, Vidya
- Re: [TLS] when is it ok to resume a cached SSL/TL… Martin Rex