Re: [TLS] Unifying tickets and sessions
Richard Fussenegger <richard@fussenegger.info> Wed, 22 October 2014 19:24 UTC
Return-Path: <richard@fussenegger.info>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1D4DD1AD371 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 12:24:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dJr3w2KTVQLI for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 12:24:37 -0700 (PDT)
Received: from mx207.easyname.com (mx207.easyname.com [212.232.25.163]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9AEB11AD021 for <tls@ietf.org>; Wed, 22 Oct 2014 12:24:37 -0700 (PDT)
Received: from 89-26-76-175.goll.dyn.salzburg-online.at ([89.26.76.175] helo=[192.168.0.11]) by mx.easyname.eu with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <richard@fussenegger.info>) id 1Xh1WL-0001dp-DD for tls@ietf.org; Wed, 22 Oct 2014 21:24:35 +0200
Message-ID: <5448045C.3010108@fussenegger.info>
Date: Wed, 22 Oct 2014 21:24:12 +0200
From: Richard Fussenegger <richard@fussenegger.info>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: tls@ietf.org
References: <CAO7N=i38zutXpmuMKuv1CHrc3hO-zm6U+nsGgE6NF4YmC54tDQ@mail.gmail.com> <5447FA87.40007@fussenegger.info> <20141022190937.GI19158@mournblade.imrryr.org>
In-Reply-To: <20141022190937.GI19158@mournblade.imrryr.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms020001000909050900080908"
X-ACL-Warn: X-DNSBL-v4bl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/TjE7LJjqrKlwvihxco5itr8gLgg
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 19:24:45 -0000
On 10/22/2014 9:09 PM, Viktor Dukhovni wrote: > On Wed, Oct 22, 2014 at 08:42:15PM +0200, Richard Fussenegger wrote: > >> Viktor Dukhovni already mentioned that >> OpenSSL is actually supporting different key strengths, but for instance >> nginx isn't exposing this setting to administrators. > For the record OpenSSL makes it possible for applications to use > some other block cipher than aes-128-cbc, but this is not as easy > as it sounds. The application needs to register appropriate > callbacks and take over key life-cycle management. So simply using > some other cipher-suite is not a trivial exercise, rather only once > one is already managing key rotation via the callbacks, making the > cipher configurable is trivial: > > The code for this is roughly: > > #define TLS_TICKET_NAMELEN 16 /* RFC 5077 ticket key name length */ > #define TLS_TICKET_IVLEN 16 /* RFC 5077 ticket IV length */ > #define TLS_TICKET_KEYLEN 32 /* AES-256-CBC key size */ > #define TLS_TICKET_MACLEN 32 /* RFC 5077 HMAC key size */ > > typedef struct TLS_TICKET_KEY { > unsigned char name[TLS_TICKET_NAMELEN]; > unsigned char bits[TLS_TICKET_KEYLEN]; > unsigned char hmac[TLS_TICKET_MACLEN]; > time_t tout; > } TLS_TICKET_KEY; > > #define NOENGINE ((ENGINE *) 0) > #define TLS_TKT_NOKEYS -1 /* No keys for encryption */ > #define TLS_TKT_STALE 0 /* No matching keys for decryption */ > #define TLS_TKT_ACCEPT 1 /* Ticket decryptable and re-usable */ > #define TLS_TKT_REISSUE 2 /* Ticket decryptable, not re-usable */ > > static int ticket_cb(SSL *con, unsigned char name[], unsigned char iv[], > EVP_CIPHER_CTX * ctx, HMAC_CTX * hctx, int create) > { > static const EVP_MD *sha256; > static const EVP_CIPHER *ciph; > TLS_TICKET_KEY *key; > int timeout = ((int) SSL_CTX_get_timeout(SSL_get_SSL_CTX(con))) / 2; > > if ((!sha256 && (sha256 = EVP_sha256()) == 0) > || (!ciph && (ciph = EVP_get_cipherbyname(var_tls_tkt_cipher)) == 0) > || (key = tls_mgr_key(create ? 0 : name, timeout)) == 0 > || (create && RAND_bytes(iv, TLS_TICKET_IVLEN) <= 0)) > return (create ? TLS_TKT_NOKEYS : TLS_TKT_STALE); > > HMAC_Init_ex(hctx, key->hmac, TLS_TICKET_MACLEN, sha256, NOENGINE); > > if (create) { > EVP_EncryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv); > memcpy((char *) name, (char *) key->name, TLS_TICKET_NAMELEN); > } else { > EVP_DecryptInit_ex(ctx, ciph, NOENGINE, key->bits, iv); > } > return (TLS_TKT_ACCEPT); > } > > Plus additional supporting functions to fetch encryption/decryption > keys, subject to appopriate key rotation policies, (in the above > case tls_mgr_key() whose implementation is rather application > specific). > > Perhaps I'll donate a variant of this code to OpenSSL, and then we > can ask users to just provide algorithm name, and either a key > lifetime for automatic in memory keys or callbacks to access > externally managed keys. > That would be great and exactly what the world needs. It's also the reason for my proposed changes that should be made during merge of RFC5077, so that OpenSSL will finally implement proper configurable rotation and configurable ticket ciphers. Applications like nginx wouldn't have to start implementing cryptographic stuff (which is a dangerous game), rather simply exposing the configuration options of OpenSSL which handles everything internally. A nice to have above this would be some warning that is emitted if ciphers are configured that are actually stronger than the key used for the tickets. But that's already implementation specific stuff and has nothing to do with the RFC. Richard
- [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Brian Smith
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Brian Smith
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger, BSc
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions David Leon Gil
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions David Leon Gil
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Ryan Carboni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Ryan Carboni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Salz, Rich
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Martin Thomson
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Aaron Zauner
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Manuel Pégourié-Gonnard
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Aaron Zauner
- Re: [TLS] Unifying tickets and sessions Douglas Stebila
- Re: [TLS] Unifying tickets and sessions Blumenthal, Uri - 0558 - MITLL
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Stephen Checkoway
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Viktor Dukhovni
- Re: [TLS] Unifying tickets and sessions Richard Fussenegger
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Joseph Salowey
- Re: [TLS] Unifying tickets and sessions Hubert Kario
- Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
- Re: [TLS] Unifying tickets and sessions Nico Williams
- Re: [TLS] Unifying tickets and sessions Daniel Kahn Gillmor
- Re: [TLS] Unifying tickets and sessions David Leon Gil