Re: [TLS] Unifying tickets and sessions
Nico Williams <nico@cryptonector.com> Wed, 22 October 2014 19:43 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC8081AD3E4 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 12:43:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.266
X-Spam-Level:
X-Spam-Status: No, score=-0.266 tagged_above=-999 required=5 tests=[BAYES_05=-0.5, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RFwAIT4VDH4X for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 12:43:10 -0700 (PDT)
Received: from homiemail-a90.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id 19CB51AD3CC for <tls@ietf.org>; Wed, 22 Oct 2014 12:43:05 -0700 (PDT)
Received: from homiemail-a90.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a90.g.dreamhost.com (Postfix) with ESMTP id D128B2AC06E; Wed, 22 Oct 2014 12:43:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=5mTJOs8ilpmAu+ vKeazTeCKww2M=; b=h4kvhSCzIrsZ0jJIZuEH9tMRDbGN5eoJeQjbfY54mHIZKg qbsR7Fk3yvCnmchj9u6btbfbhJ936P1aNGgJ+ljgprKAj9HiADR8zCaPHSpzYvAC CX0MXPe41eTzpFJQVAir/Z5ef6nGPe891wGLPLEFWXTYG7IOrV49Fn5NOwTd4=
Received: from localhost (108-207-244-174.lightspeed.austtx.sbcglobal.net [108.207.244.174]) (Authenticated sender: nico@cryptonector.com) by homiemail-a90.g.dreamhost.com (Postfix) with ESMTPA id 8D4B22AC059; Wed, 22 Oct 2014 12:43:04 -0700 (PDT)
Date: Wed, 22 Oct 2014 14:43:03 -0500
From: Nico Williams <nico@cryptonector.com>
To: Richard Fussenegger <richard@fussenegger.info>
Message-ID: <20141022194302.GA6170@localhost>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <5445775E.3050108@fussenegger.info> <54458113.1050304@polarssl.org> <20141020235832.GK19158@mournblade.imrryr.org> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <5447FE79.1050008@fussenegger.info>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5447FE79.1050008@fussenegger.info>
User-Agent: Mutt/1.5.21 (2010-09-15)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/SFcXm8LUjmv7DBMIcAJqMHLUavM
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 19:43:13 -0000
On Wed, Oct 22, 2014 at 08:59:05PM +0200, Richard Fussenegger wrote: > On 10/22/2014 8:46 PM, Nico Williams wrote: > >Even parsed as the context implies, there's problems: a) the client > >can't verify that the ticket is encrypted in any given cipher, b) why > >on Earth should the server let the client choose what cipher is used > >for the Ticket?, c) given (a), what is to be gained by any party from > >the server using the client's desired cipher for encrypting the > >ticket? > > [erm] That was not the original suggestion and 'negotiated cipher' > doesn't imply that the cipher was chosen by the client. It's merely > [...] It does imply that the client at least constrained the choice of cipher. This is unnecessary complexity. I thought we were all for simplifying. > If the two of us agree upon using AES-256, wouldn't you be a little > bit disappointed if I send you an encrypted ticket of that stuff we > agreed upon to encrypt with AES-256 that is actually encrypted with > AES-128? You wouldn't notice, because you can't read the ticket and No: because I couldn't prove that it isn't AES-256, because the server couldn't prove that it is, because the only way to do so would be for the server to give me its ticket encryption key, which would defeat the purpose. Well, I tell a lie: the server could give the client the ticket encryption key for expired tickets issued to the same client. But this means having a per-client set of keys, which means having some client ID to derive keys from, probably a public key that the client can demonstrate it has possession of the corresponding private key, and so on and so forth -- all much, much too complex. The client already has to trust the server for all sorts of things. Having to trust it to handle ticket encryption appropriately is not much more to ask, especially since any reasonable choice on the server's part is such a large optimization/win over not having session resumption that it's worth the risks of the complexity of session resumption (because the alternative is risking less deployment). > [...] > > >>>While I'm sympathetic with the goal, I'm afraid that will complicate > >>>implementations more than necessary. How about requiring to use a key length at > >>>least a high as the highest supported ciphersuite instead? > >This is just as silly. The server should choose what cipher to use, full stop. > It does. > > >>Does it mean (as I think you're saying) that session tickets MUST > >>be encrypted with the session's negotiated ciphersuite? That seems > >>rather unmanageable. A single sufficiently strong key is likely > >>far more realistic. > >Yes. > I already agreed upon the single key solution. So you want the server to say "fine, I'm using the XYZ cipher that you wanted", and now what changes? The server can't prove that it did / the client can't prove that the server didn't. What did we gain, besides more [in this case worth-less] complexity? One answer: someone could audit the server's compliance with this. But who?! Not the client. Some authority perhaps, which then opens a can of worms. And then what do we gain? What about clients who end up getting weaker ticket encryption ciphers than the server's preference? Nico --
- [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Brian Smith
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Brian Smith
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions David Leon Gil
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions David Leon Gil
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Ryan Carboni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Ryan Carboni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Aaron Zauner
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Aaron Zauner
- Re: [TLS] Unifying tickets and sessions Douglas Stebila
- Re: [TLS] Unifying tickets and sessions Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Stephen Checkoway
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Joseph Salowey
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
- Re: [TLS] Unifying tickets and sessions David Leon Gil