IETF Logo Mail Archive

[TLS] Comments on the session ticket format in TLS 1.3

Ivan Ristic <ivan.ristic@gmail.com> Sun, 12 March 2017 22:23 UTC

Return-Path: <ivan.ristic@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C91F1129487 for <tls@ietfa.amsl.com>; Sun, 12 Mar 2017 15:23:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0OqT47Ngg-Cm for <tls@ietfa.amsl.com>; Sun, 12 Mar 2017 15:23:54 -0700 (PDT)
Received: from mail-it0-x236.google.com (mail-it0-x236.google.com [IPv6:2607:f8b0:4001:c0b::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A0EE4129467 for <TLS@ietf.org>; Sun, 12 Mar 2017 15:23:54 -0700 (PDT)
Received: by mail-it0-x236.google.com with SMTP id m27so22354100iti.1 for <TLS@ietf.org>; Sun, 12 Mar 2017 15:23:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=IwGopiv1mzptUWD4cUqpSaQsUwozUbRpqO/R+GqwYYg=; b=aljogpQvA1itWIjY9EsG1vYnNxTC5YKMldmRGv2kmvJIU1fi/4LPgxtk3uwZJ1LAaY ltzyv80TX1qALv6j0+xJr0o2SHyUn5oDjYwGAiorFDNeiJymk17NvsvCjoGYEbz8YJAN 5gmoVhQDPA0apz3WivZECAl7wGY2t51vvFk415YKvRJUOq1QU7qIiReLY+3XzFWAfk1G 5vJn+yCLKaFjoy9Y3eTE/H4BFcMH7SPJ1pPcNUUzXk+Oaz+peST+p8k/yfwbm4Xh+rm5 uGZSYPYZ9DD3v3KhZRoWnNGQ1EGYM2JdLs79uwYJZa7ghgupdxzDMAQF1OGrl6JR+y31 sWYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=IwGopiv1mzptUWD4cUqpSaQsUwozUbRpqO/R+GqwYYg=; b=SqQl1mvMRuqTxaHGVbUZuYBZhIk77exiuJLtqPJWA4ru7wrSX2333S0MfuK3Qqt0g/ anCp+C0tzrVIc1Tm7KE2YI3qGzJc08a3pzM8KXOE71faUIDnHGvRQH8VLpn1N9HqYYvt hBeARZrIXUMJLyrDpZu3ojTPPVQfgqzr3D5LsdemxKU6xQWbjkBIn+VFAk7/x+Acjxhk F9aF88ktCz8zjVhTr/OVuLi1qeuFZ4JxZiSlaRq6F/khcpZCO2Cy4CNAF5sdA9nCz6OH SdZ6USV+IRqI824P3NczFFkHNjz4grO0h016DFeup9/PAK2akP9OCrZS8KXKNj+w64ZP bzGA==
X-Gm-Message-State: AFeK/H24R6FRiWl8ZzHRPpotWr8Ns3aFOWh7o4DgRFcSJ7fvnhZ/Ta3f6swcP1GEWAUHHH+TRq+s3mY+YjmQVA==
X-Received: by 10.36.76.205 with SMTP id a196mr8371398itb.52.1489357433908; Sun, 12 Mar 2017 15:23:53 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.62.69 with HTTP; Sun, 12 Mar 2017 15:23:53 -0700 (PDT)
From: Ivan Ristic <ivan.ristic@gmail.com>
Date: Sun, 12 Mar 2017 15:23:53 -0700
Message-ID: <CANHgQ8EEJeTVvyQH8SosO4M3Ecz2=ZE-UPGndcu=XfB1f+1Zgg@mail.gmail.com>
To: "tls@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="001a11431eb6cab761054a900c9b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/RZDlj7aQkSut6w3tWGXbvnH3wEk>
Subject: [TLS] Comments on the session ticket format in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Mar 2017 22:23:55 -0000

The "ticket" field in NewSessionTicket is opaque and can hold an identifier
or an actual encrypted ticket. I think this is problematic, for a couple of
reasons:

- Field and meaning overloading/reuse is a bad practice in general and
leads to programming errors. I feel that protocol design should encourage
good practices, not the other way round. Implementations that decide to
support both behaviours (IDs and tickets) will have to use an indicator to
differentiate between the two. In that light, I think it would be less
error prone to provide more detail at the protocol level.

- The opaque nature of this field also makes connection auditing more
difficult. For example, I'd like to know if session tickets are used to
resume for a particular connection. Perhaps more importantly, it would be
useful to identify specific ticket keys (to track their usage, rotation,
etc), age, encryption algorithm, and their strength.

- As a matter of approach, I think the protocol shouldn't leave design
decisions to implementors. These decisions (session ID/ticket usage, ticket
keys, ticket formats, and so on) will need to be made, and I think it's
better to make them part of the protocol, where they can be audited, etc.

- Finally, I feel that the effective removal of (visible) session IDs is a
regression. Being able to track sessions and resumption is useful to
understand traffic patterns. So, I'd prefer to bring session IDs back, and
to arrange things so that they're always server-generated.

I know these are not big problems (especially given the improvements made
to session tickets), but whatever is specified now will be used for a very
long time, and it would be a shame to leave these around.

-- 
Ivan

v2.23.0 | Report a Bug | By Email