Re: [TLS] Cookie reuse subsequent connections
Benjamin Kaduk <bkaduk@akamai.com> Mon, 30 October 2017 13:52 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1E6513F9D8 for <tls@ietfa.amsl.com>; Mon, 30 Oct 2017 06:52:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQRa65DFIZ2a for <tls@ietfa.amsl.com>; Mon, 30 Oct 2017 06:52:25 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86DB513F9FC for <tls@ietf.org>; Mon, 30 Oct 2017 06:52:25 -0700 (PDT)
Received: from pps.filterd (m0050095.ppops.net [127.0.0.1]) by m0050095.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v9UDkiwI016245; Mon, 30 Oct 2017 13:52:24 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=subject : to : cc : references : from : message-id : date : mime-version : in-reply-to : content-type : content-transfer-encoding; s=jan2016.eng; bh=alYdS2h6vY3h95yJ9Z5Mxo67VDtzE1SidLTu0bn1i0U=; b=U1ZrG8hrBLSd00gLQAtflgpRug17D6CZpIRhm9XIe7c6ykRDHWei/9XZGVXWwRARqHvH oAuSok5XluiCjcih5xeZ/8QTvrrxTyP0K1BI34EhUmGG8XHUUVJLHt4Nfhq2nSY+3ryd nB3I0IhKAYKelwaYB/SD3QQfHh4qC2xpHXhUDNAWw3Aq1VsUabngnuUs1ks0WyI1ADlT 87Ewc1Ya6Sh2Vj38CSxTJFvFsiC00kI6VzDhgmlw/yY6S3RL0Xzhr5FMdKvYMEQqUNjA Try/9Siml1bGmDEPWiz9V75OG7dhdadjjrWo1DyImiqdxTjO8o5nS+wLYRAashqzI7kv tw==
Received: from prod-mail-ppoint4 ([96.6.114.87]) by m0050095.ppops.net-00190b01. with ESMTP id 2dvmnt6wqj-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Mon, 30 Oct 2017 13:52:24 +0000
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.21/8.16.0.21) with SMTP id v9UDow30029100; Mon, 30 Oct 2017 09:52:23 -0400
Received: from prod-mail-relay14.akamai.com ([172.27.17.39]) by prod-mail-ppoint4.akamai.com with ESMTP id 2dvn7vx314-1; Mon, 30 Oct 2017 09:52:23 -0400
Received: from [172.19.17.86] (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay14.akamai.com (Postfix) with ESMTP id E45A38005C; Mon, 30 Oct 2017 07:52:22 -0600 (MDT)
To: Jānis Čoders <janis.coders@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <CA+tEvRTBGj0JwQVh66DiFQhrYXdV2h0zOTzAE5MS-yykHe3dLw@mail.gmail.com> <CABkgnnWPGomdhb8+t1P5jhR5XV+4CKFRRHHExZ=FcHPieM-WkA@mail.gmail.com> <CA+tEvRQovU=4NHwbm17Wubo1My5vdbH5hG-jjVMCZWPDUMEp7Q@mail.gmail.com>
From: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <d488f6e9-ca7f-0c30-1d37-11deaa8f54e2@akamai.com>
Date: Mon, 30 Oct 2017 08:52:22 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <CA+tEvRQovU=4NHwbm17Wubo1My5vdbH5hG-jjVMCZWPDUMEp7Q@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-30_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710300189
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-10-30_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000 definitions=main-1710300188
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VuQcR23ifA68eY7yCvrmu1n7a50>
Subject: Re: [TLS] Cookie reuse subsequent connections
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Oct 2017 13:52:27 -0000
On 10/30/2017 04:51 AM, Jānis Čoders wrote: > Thank you. Ok, I understand that some servers could not allow reuse of > cookie, but why is it FORBIDDEN by standard? It could be suggested to > not reuse in general cases, but if I wanted to use TLS 1.3 with my > custom server, which uses cookies to only prevent spoofing attacks (in > UDP (DTLS) case). And clients know that they can reuse previous > cookies for fast handshake, then why would it be prohibited? > > The standard must ensure that compliant clients interoperate with compliant servers. Compliant servers are permitted (expected, even, for DTLS!) to offload state such as the handshake hash into the cookie. A client that reused a cookie from an old connection on a new connection to such a server would fail to interoperate, as the server would use the wrong handshake transcript. Ergo, the spec strictly forbids clients from implementing this behavior in order to preserve interoperability. There is "nothing" to stop some actor from deploying a noncompliant implementation on their own private network where interoperability with compliant implementations is not needed, but of course then that actor must take responsibility for any changes to the security and privacy properties as a result of those noncompliant modifications. In this case, for example, the routability proof embedded in the cookie could become stale with time (in case of readdressing), and the repeated cookie provides linkability between ClientHellos from the same client (to an adversary observing at some point in the middle of the network), for a start. No one could guarantee that there are not more changes to the security and privacy properties than those already listed, of course. -Ben
- [TLS] Cookie reuse subsequent connections Jānis Čoders
- Re: [TLS] Cookie reuse subsequent connections Martin Thomson
- Re: [TLS] Cookie reuse subsequent connections Jānis Čoders
- Re: [TLS] Cookie reuse subsequent connections Eric Rescorla
- Re: [TLS] Cookie reuse subsequent connections Benjamin Kaduk
- Re: [TLS] Cookie reuse subsequent connections Jānis Čoders