IETF Logo Mail Archive

Re: [TLS] Fate of resumption

Eric Rescorla <ekr@rtfm.com> Tue, 21 October 2014 07:05 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 58EF61AD09D for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 00:05:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h0OZ3tuqjtDO for <tls@ietfa.amsl.com>; Tue, 21 Oct 2014 00:05:38 -0700 (PDT)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A69E51AD069 for <tls@ietf.org>; Tue, 21 Oct 2014 00:05:36 -0700 (PDT)
Received: by mail-wg0-f44.google.com with SMTP id y10so572448wgg.3 for <tls@ietf.org>; Tue, 21 Oct 2014 00:05:35 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=A+PYMF26/PtfFVWOiBqtNCTOTUNZeYMjachy8yxLilE=; b=jiMH9jq/3HF33xmIrDEHwUeYuuc+YIcfQZq3egGm2Fp9/KAwY1+1uRbU03XgzQ/s4n cdyUpQJJ2ercHhQZCLXfh3lE/hJJO/0atfvbvto/v8jYHko0zC4T99Q604+D5Dwp67X6 3oWyDG3QTrMJGD1Nd95uWiVgbFo/FSUGk4QLh7fzPvHkaR1DNvIoKIAu5GYXnt4ODRkh usOcfoAJVk3s7LeIDKg7jCMe1qPdRH1/LJ62fVJqM/anzhHOxh+XpdFcp6GIVnneLaFL HJyyEdabX2Jws0Nahhm0K6TtvVxAhpXOS/CzjEFZ7fEeWdJMNC3/ictdtQRmD6tUUEIy CwBA==
X-Gm-Message-State: ALoCoQnJZoSoYnptX3nfsqL8pLo/tCa8BA5skaV8reFKZXyToOMnb80D7X+nDICuC5l8MQLgWjeu
X-Received: by 10.180.104.8 with SMTP id ga8mr25854349wib.78.1413875134844; Tue, 21 Oct 2014 00:05:34 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Tue, 21 Oct 2014 00:04:54 -0700 (PDT)
In-Reply-To: <CACsn0cnjRQELhmt5AqtVPU1OzpGcza4gbVpYfcj1CEBfWOnHaA@mail.gmail.com>
References: <CABcZeBP4=aXbQSFAhh4EenwRiTrv2LP=r50VeULm4f_0RR4swA@mail.gmail.com> <m24qqc$355$1@ger.gmane.org> <20141021054118.GN19158@mournblade.imrryr.org> <CACsn0cnjRQELhmt5AqtVPU1OzpGcza4gbVpYfcj1CEBfWOnHaA@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 21 Oct 2014 09:04:54 +0200
Message-ID: <CABcZeBM_y-22JZbhZBRr4bs+UtMJht+B8Nrr2AWQm-7sNpu1Tw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="f46d044271302b841e0505e97511"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/_q4KeCCf9v8Onfe9y-UtKobZye8
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fate of resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 07:05:43 -0000

On Tue, Oct 21, 2014 at 8:05 AM, Watson Ladd <watsonbladd@gmail.com> wrote:

> On Mon, Oct 20, 2014 at 10:41 PM, Viktor Dukhovni
> <ietf-dane@dukhovni.org> wrote:
> > On Mon, Oct 20, 2014 at 10:26:33PM -0700, Alex Elsayed wrote:
> >
> >> > It's fairly straightforward to have connection 1 generate two keys,
> >> > M and M' from its PMS, use M to generate its keys and store M'
> >> > in the session cache. But this still leaves both connection 2 and
> >> > 3 sharing M'.
> >>
> >> One thing I wonder - do we need to support multiple resumption of the
> same
> >> state, or do we simply need to allow a session to die and revive?
> >
> > In terms of existing practice Postfix resumes cached sessions
> > independently in parallel.  When a cached a resumed session completes,
> > no new session replaces the original cache entry.  The code assumes
> > that session resumption is non-destructive, and cached state can
> > be re-used multiple times.  I imagine similar behaviour patterns
> > apply to browsers, and other applications.
> >
> > If TLS 1.3 changes session re-use semantics, it will be substantially
> > more difficult to deploy (changes will impact not just SSL library,
> > but also application code).
>
> In a little over an hour a meeting on this topic will be starting, so
> let me put in my two cents. There is no reason a resumed session needs
> to use the same keys as the record layer of the session that was
> resumed. (Actually, there is, namely 0-RTT, but lets forget that for
> the time being/solve it some other way). In particular having a
> connection generate a resumption key, and deriving from the resumption
> key new, distinct, keys for each direction of the new communication
> solves the PFS problem, while still enabling multiple resumption.
>

It solves the PFS problem between the connection that established
the session and the next session. However, as long as the keys
for resumed connection 1 and connection 2 are derived from the
same keying material, then you have a PFS problem between
connections #1 and #2.

-Ekr

v2.23.0 | Report a Bug | By Email