IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Nico Williams <nico@cryptonector.com> Wed, 22 October 2014 18:46 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E613C1ACFC4 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:46:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.444
X-Spam-Level:
X-Spam-Status: No, score=-0.444 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_15=0.6, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x7xPCqacmUDa for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 11:46:09 -0700 (PDT)
Received: from homiemail-a86.g.dreamhost.com (sub4.mail.dreamhost.com [69.163.253.135]) by ietfa.amsl.com (Postfix) with ESMTP id A2B091ACFB9 for <tls@ietf.org>; Wed, 22 Oct 2014 11:46:09 -0700 (PDT)
Received: from homiemail-a86.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTP id 64610360078 for <tls@ietf.org>; Wed, 22 Oct 2014 11:46:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:in-reply-to:references:date:message-id:subject:from :to:content-type; s=cryptonector.com; bh=W3h+diJhhDvRUhheB297X7S Pfek=; b=y5EVjW6iPMsd1xhQ40dr/279e5d49FeyEETWYqwY6Q06ULV/7qBR3cR T1H6f+qgjz4t5aLYXhm+oCXLuI4huXGV3y1jlWfNFNDmLk6QyVnA0K6cV7nS8B0p iQK2G0wB1hLe+jjGYe+ln0AQPlDANk2sUNdrDXX1cMKj+KGqU+8A=
Received: from mail-wg0-f43.google.com (mail-wg0-f43.google.com [74.125.82.43]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a86.g.dreamhost.com (Postfix) with ESMTPSA id 19FCE360075 for <tls@ietf.org>; Wed, 22 Oct 2014 11:46:08 -0700 (PDT)
Received: by mail-wg0-f43.google.com with SMTP id m15so4378970wgh.26 for <tls@ietf.org>; Wed, 22 Oct 2014 11:46:07 -0700 (PDT)
MIME-Version: 1.0
X-Received: by 10.181.8.98 with SMTP id dj2mr7633689wid.70.1414003567820; Wed, 22 Oct 2014 11:46:07 -0700 (PDT)
Received: by 10.216.32.135 with HTTP; Wed, 22 Oct 2014 11:46:07 -0700 (PDT)
In-Reply-To: <20141020235832.GK19158@mournblade.imrryr.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <5445775E.3050108@fussenegger.info> <54458113.1050304@polarssl.org> <20141020235832.GK19158@mournblade.imrryr.org>
Date: Wed, 22 Oct 2014 13:46:07 -0500
Message-ID: <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/cNIV1DT6BFDsrqhEfYYNg9kEyys
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 18:46:12 -0000

On Mon, Oct 20, 2014 at 6:58 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> On Mon, Oct 20, 2014 at 11:39:31PM +0200, Manuel P?gouri?-Gonnard wrote:
>> > The RFC should clarify that the negotiated cipher **MUST** be honored
>> > when encrypting the state that will be sent to the client. [1]
>
> I am having trouble parsing the original suggestion above.

Even parsed as the context implies, there's problems: a) the client
can't verify that the ticket is encrypted in any given cipher, b) why
on Earth should the server let the client choose what cipher is used
for the Ticket?, c) given (a), what is to be gained by any party from
the server using the client's desired cipher for encrypting the
ticket?

>> While I'm sympathetic with the goal, I'm afraid that will complicate
>> implementations more than necessary. How about requiring to use a key length at
>> least a high as the highest supported ciphersuite instead?

This is just as silly.  The server should choose what cipher to use, full stop.

> Does it mean (as I think you're saying) that session tickets MUST
> be encrypted with the session's negotiated ciphersuite?  That seems
> rather unmanageable.  A single sufficiently strong key is likely
> far more realistic.

Yes.

> With keys for clusters of servers rotated by code external to the
> TLS library, asking for a key for every algorith/size is impractical.

One would derive keys for all ciphers from a single cluster master
key.  Nonetheless, it's just plain silly to let the client/connection
dictate how to encrypt the ticket -- that's the server's prerogative.

Nico
--

v2.23.0 | Report a Bug | By Email