IETF Logo Mail Archive

Re: [TLS] ticket lifetimes

Subodh Iyengar <subodh@fb.com> Tue, 29 January 2019 22:14 UTC

Return-Path: <prvs=7932b70017=subodh@fb.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C751112E7C1 for <tls@ietfa.amsl.com>; Tue, 29 Jan 2019 14:14:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.425
X-Spam-Level:
X-Spam-Status: No, score=-2.425 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIMWL_WL_MED=-0.142, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_FONT_FACE_BAD=0.981, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fb.com header.b=ZZT5uIP3; dkim=pass (1024-bit key) header.d=fb.onmicrosoft.com header.b=QhV47V8R
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AXzGN__1Th0q for <tls@ietfa.amsl.com>; Tue, 29 Jan 2019 14:14:08 -0800 (PST)
Received: from mx0a-00082601.pphosted.com (mx0a-00082601.pphosted.com [67.231.145.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6505D130EDB for <tls@ietf.org>; Tue, 29 Jan 2019 14:14:08 -0800 (PST)
Received: from pps.filterd (m0044012.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0TM5cT5013685; Tue, 29 Jan 2019 14:14:06 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=facebook; bh=RsJHoYtOwXreE/Ds6DwUSVD+V1HGqEVZSapbCQ+pLFo=; b=ZZT5uIP3Ob+GgaI7iFgAynHmMwMe21ViS5ZUWLP7JGuixcnk8aX6Ax0EcvQGN7y3AmYA 4sP5LdbHLLVPLr61pLjnWFkRKnGI0Wo9EZOeJ6268UerzBztyy0/zn7UFRTsMkbn8Typ E946lvusfEjypfn4hmyaUfzNPW/8T1dpMZc=
Received: from maileast.thefacebook.com ([199.201.65.23]) by mx0a-00082601.pphosted.com with ESMTP id 2qavr8gk0q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 29 Jan 2019 14:14:06 -0800
Received: from frc-mbx02.TheFacebook.com (2620:10d:c0a1:f82::26) by frc-hub06.TheFacebook.com (2620:10d:c021:18::176) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1531.3; Tue, 29 Jan 2019 14:14:05 -0800
Received: from frc-hub03.TheFacebook.com (2620:10d:c021:18::173) by frc-mbx02.TheFacebook.com (2620:10d:c0a1:f82::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1531.3; Tue, 29 Jan 2019 14:14:04 -0800
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (192.168.183.28) by o365-in.thefacebook.com (192.168.177.73) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.1.1531.3 via Frontend Transport; Tue, 29 Jan 2019 14:14:04 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fb.onmicrosoft.com; s=selector1-fb-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=RsJHoYtOwXreE/Ds6DwUSVD+V1HGqEVZSapbCQ+pLFo=; b=QhV47V8RjOttwkZVHXgpuVt5HqAwCpRZWw3F83Q2zsxHLvBcb7ZUmqGaLE87mBh/NMOgzTIAP7nSxHTuveXrkAiPMdFPPeD1cr6KIb/DYQh1NFRIwi29CVqv0bPvQUppGolgJVYEaTA5ux9W6Tl/jhpMoQp3nPvf/QW94sNVhl0=
Received: from MWHPR15MB1821.namprd15.prod.outlook.com (10.174.255.137) by MWHPR15MB1790.namprd15.prod.outlook.com (10.174.255.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1558.17; Tue, 29 Jan 2019 22:14:02 +0000
Received: from MWHPR15MB1821.namprd15.prod.outlook.com ([fe80::e4f1:9986:a3d:178b]) by MWHPR15MB1821.namprd15.prod.outlook.com ([fe80::e4f1:9986:a3d:178b%7]) with mapi id 15.20.1558.023; Tue, 29 Jan 2019 22:14:02 +0000
From: Subodh Iyengar <subodh@fb.com>
To: David Benjamin <davidben@chromium.org>, Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] ticket lifetimes
Thread-Index: AQHUt5PbJPg1BCv4IU2K+uhv0WevMqXFv9eAgAAArOaAAAPeAIAA1cE8gAAWPACAAAw/AIAAE3Gs
Date: Tue, 29 Jan 2019 22:14:02 +0000
Message-ID: <MWHPR15MB18215B0C046B3ADFA88F0FC4B6970@MWHPR15MB1821.namprd15.prod.outlook.com>
References: <MWHPR15MB182191E96C1A065B2396318EB6970@MWHPR15MB1821.namprd15.prod.outlook.com> <CAO8oSXkDqe9QQBj+9J928rwE-Cx5w6+oxoz4+dXfANccJEYxog@mail.gmail.com> <MWHPR15MB1821FCD14D0DBFDE0A1D8617B6970@MWHPR15MB1821.namprd15.prod.outlook.com> <CAO8oSX=+iwO8S8pGamUit+wmvb9ft4Zta+w1ag4vfNJ84Bd02Q@mail.gmail.com> <MWHPR15MB1821F11E2B857B4DE5B21CF6B6970@MWHPR15MB1821.namprd15.prod.outlook.com> <CAFDDyk8Tn9XNhdyshvpmHBq2Lusrc_9CtDOvjaqu-6NLf3T53A@mail.gmail.com>, <CAF8qwaDpH04Ebq--XHGPFkyp81Pt=P7hmAXveF2FUH1joBKiPg@mail.gmail.com>
In-Reply-To: <CAF8qwaDpH04Ebq--XHGPFkyp81Pt=P7hmAXveF2FUH1joBKiPg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2620:10d:c090:200::6:7d31]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; MWHPR15MB1790; 20:R/r4PdLTCsUD8bB1WC4H6LLrzjRVW6kHS8Y1Ru67brIlhymmHZcbxaGVXSlz2E694pX6HzshwrH0sQnmXatzb2eDH9bewE8PH8FJgmtm4vhIZt90dPlWSIx09QvpwuMsZxFewDpJux06cQSieq55zkbTpqiI9oFOv5XvLaDc5vk=
x-ms-office365-filtering-correlation-id: e270f98d-8287-4ce3-ef84-08d686371366
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600110)(711020)(4605077)(2017052603328)(7153060)(7193020); SRVR:MWHPR15MB1790;
x-ms-traffictypediagnostic: MWHPR15MB1790:
x-microsoft-antispam-prvs: <MWHPR15MB1790CCDA1CB506CAFC72A9EDB6970@MWHPR15MB1790.namprd15.prod.outlook.com>
x-forefront-prvs: 093290AD39
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(39860400002)(136003)(376002)(396003)(346002)(51444003)(199004)(189003)(19627405001)(76176011)(110136005)(33656002)(6306002)(2906002)(105586002)(229853002)(7696005)(71190400001)(97736004)(53936002)(9686003)(86362001)(236005)(99286004)(106356001)(93886005)(55016002)(6436002)(71200400001)(186003)(81156014)(105004)(81166006)(46003)(74316002)(966005)(4326008)(102836004)(478600001)(54896002)(606006)(8936002)(486006)(8676002)(256004)(14444005)(476003)(7736002)(5070765005)(6506007)(25786009)(6246003)(53546011)(11346002)(68736007)(14454004)(446003)(6116002)(316002); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR15MB1790; H:MWHPR15MB1821.namprd15.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: fb.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: HKS9Ug8NJO4nHgzicKNTpa6mX0u5l3jFRX3ASIUxV7n//lrlm3CuXKnyMQoJRyXWwmNjCCBwQHA3kaGSZiB0NC9tU2YykF8J/L7+mSVoORibBmLmR08zWamHP2QvBCpvJ0ynkv+mK6V1pLDqAJdSWzW3dMrBtIF9Qa8AeeNwW7BBtNTeOJuXAtOo8IE1ZWjcooTVwVjSxV5SgBf+Vg05xv6+NKkEC68i9Ppv57u2uH3R3da/xK0VmR/ATqNOF+dpGkXdDugClh/sN4cbXVPr3Fwt1yufpZvxaMc6nDw5zamVGEfB5t0bJlfEqT39RL4tED0rLW6jQyf8jgIK72jF7bgMv2jeTQ27I0dcDN5yEzq7F43XUcxXRGxt5xMFjQHDcax7sFmm+wms7cDLBuklOD6jmH/i4qHJxXRxZmX/TmM=
Content-Type: multipart/alternative; boundary="_000_MWHPR15MB18215B0C046B3ADFA88F0FC4B6970MWHPR15MB1821namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e270f98d-8287-4ce3-ef84-08d686371366
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jan 2019 22:14:02.4777 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 8ae927fe-1255-47a7-a2af-5f3a069daaa2
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR15MB1790
X-OriginatorOrg: fb.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-29_17:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/dNs1TK3hwt0GluQJnozTmadSrp4>
Subject: Re: [TLS] ticket lifetimes
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Jan 2019 22:14:12 -0000

> Wouldn't this issue also be mitigated by requiring the server to re-authenticate during resumption with the certificate once in a while?

I think it's probably just easier to drop the resumption completely.

> This two-lifetime thing is actually already what we implement in BoringSSL. 😊

Fantastic. Would it help to have an extension to set a lower bound on this value, or just make it more painful?

Subodh
________________________________
From: David Benjamin <davidben@chromium.org>
Sent: Tuesday, January 29, 2019 1:02 PM
To: Nick Sullivan
Cc: Subodh Iyengar; tls@ietf.org
Subject: Re: [TLS] ticket lifetimes

This two-lifetime thing is actually already what we implement in BoringSSL. :-) We track both a lifetime for the ticket (one day) and also for the original authentication the ticket roots up to (one week). The lifetime of the ticket is bounded by both these values, and the latter is not extendable on renew.

On Tue, Jan 29, 2019 at 2:18 PM Nick Sullivan <nick=40cloudflare.com@dmarc.ietf.org<mailto:40cloudflare.com@dmarc.ietf.org>> wrote:
Wouldn't this issue also be mitigated by requiring the server to re-authenticate during resumption with the certificate once in a while?

Existing servers won't do this, so I see this less as a mitigation and more as an optimization to plug the one-week-cliff that the fix produces. But, yeah, that would be handy. (Probably something like: "re"-auth'd identity apply to tickets, PSK applies to connection. Client sends an extension to advertise we're nearing the unrenewable bound.)

David

Nick

On Tue, Jan 29, 2019 at 11:00 AM Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>> wrote:
> If by "entire TLS session" you mean the resumed (and renewed)
sessions, then yep!

Ya I think that'd need a new draft either way. Can definitely write that up
if people don't think it's the worst idea in the world.

Subodh
________________________________
From: Christopher Wood <christopherwood07@gmail.com<mailto:christopherwood07@gmail.com>>
Sent: Monday, January 28, 2019 10:13:36 PM
To: Subodh Iyengar
Cc: tls@ietf.org<mailto:tls@ietf.org>
Subject: Re: [TLS] ticket lifetimes

On Mon, Jan 28, 2019 at 10:04 PM Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>> wrote:
>
> > Since clients already store tickets, could they not also store the
> time of original ticket issuance and cap the resumption window to N
> (7) days from that point? That is, it seems clients could implement
> this behavior without any protocol support.
>
> Correct, however the server currently provides a value for this, and clients do not enforce a lower bound on this. 7 days is an upper bound.
> Servers would provide a much lower value than 7 days practically.
>
> If I'm understanding your suggestion correctly, you're suggesting that clients change the meaning of ticket_lifetime_hint?
> That is not just limit it to the scope of the ticket but the entire TLS session? That would be fine to by me, however might break some folks.

If by "entire TLS session" you mean the resumed (and renewed)
sessions, then yep!

Best,
Chris

>
> Subodh
> ________________________________
> From: Christopher Wood <christopherwood07@gmail.com<mailto:christopherwood07@gmail.com>>
> Sent: Monday, January 28, 2019 9:57 PM
> To: Subodh Iyengar
> Cc: tls@ietf.org<mailto:tls@ietf.org>
> Subject: Re: [TLS] ticket lifetimes
>
> On Mon, Jan 28, 2019 at 9:43 PM Subodh Iyengar <subodh@fb.com<mailto:subodh@fb.com>> wrote:
> >
> > In TLS 1.3 we added a maximum age to the ticket lifetime to be 7 days. This had several original motivations including reducing the time that a ticket is reused (for privacy or PFS). Another major motivation for this was to limit the exposure of servers that use keyless ssl like mechanisms, i.e. if they kept a STEK locally, but the keyless SSL server remotely, then the theft of a STEK would presumably limit the MITM capabilities to the ticket lifetime.
> >
> > However thinking about it some more because of the renewal capability of tickets in TLS 1.3, an entity owning the STEK could just re-issue new tickets forever on a resumed connection. This would look to the client as a new ticket and it would refresh its lifetime on the ticket. Thereby a MITM could intercept connections to users that have been to the server with the STEK. I'm wondering whether it might be useful to define a mechanism to limit the lifetime of all ticket resumption across all resumptions from the original connection instead of just the limited per ticket lifetime.
>
> Since clients already store tickets, could they not also store the
> time of original ticket issuance and cap the resumption window to N
> (7) days from that point? That is, it seems clients could implement
> this behavior without any protocol support.
>
> Best,
> Chris
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=AeHpkYXwQtF4DjfqdHNluOLIcTHODTihn7i4WBzucjA&s=B4zL6Emv0jyhAsuJyBnxMzO8l1w7SDu5OpB4m8jarMk&e=>
_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls
<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwMFaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=h3Ju9EBS7mHtwg-wAyN7fQ&m=AeHpkYXwQtF4DjfqdHNluOLIcTHODTihn7i4WBzucjA&s=B4zL6Emv0jyhAsuJyBnxMzO8l1w7SDu5OpB4m8jarMk&e=>

v2.23.0 | Report a Bug | By Email