IETF Logo Mail Archive

Re: [TLS] Fate of resumption

Eric Rescorla <ekr@rtfm.com> Tue, 21 October 2014 05:42 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CEDB1AD05B for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 22:42:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BIFCc1DtaCVZ for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 22:42:34 -0700 (PDT)
Received: from mail-wi0-f178.google.com (mail-wi0-f178.google.com [209.85.212.178]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D62841A6F91 for <tls@ietf.org>; Mon, 20 Oct 2014 22:42:33 -0700 (PDT)
Received: by mail-wi0-f178.google.com with SMTP id r20so741835wiv.11 for <tls@ietf.org>; Mon, 20 Oct 2014 22:42:32 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-type; bh=8fXKhhpko0h/1KmDyRTV5efguSfJuNvIlc6QW2qbALw=; b=a1MHAenH/RWJv2q3e9yv9P+RvWz0eYKbIEGu1djFUPXSb0kLlM6NTWblOUZ8OEKWpe VK5w1HfoNAtU8jshPjH0fn8jqGu5X2IJFEITobb6qDdRu8W4y0Thcm3vnJe6ugDne7VV w/fcWuOFvlQp25x+Jp6Y1nqFQSUvjCdLL8GcxbAKAJJnprw79Krth/utL5y4QQaKQZxa WOj/3nXqE8RyO7zCGYSvFZN0TvfUyImEV758DqpMNg6yWv6JJ4xCmPtRwEyS11S1PxE8 vPGJ9KVcmGQYgbWTzOYWoHpQALAZQWWCsQw2A4ugwxOYXA90v0pZveJAC6wzPyOWPIzO Zo9Q==
X-Gm-Message-State: ALoCoQnVpUtQYJJhz+klNtJSkr1UF1YfPhlUoqKRzwr2NaYawmXO9mKV8SRZRCF95JSLHK9jUg5W
X-Received: by 10.194.200.36 with SMTP id jp4mr10627734wjc.114.1413870152447; Mon, 20 Oct 2014 22:42:32 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Mon, 20 Oct 2014 22:41:52 -0700 (PDT)
In-Reply-To: <m24qqc$355$1@ger.gmane.org>
References: <CABcZeBP4=aXbQSFAhh4EenwRiTrv2LP=r50VeULm4f_0RR4swA@mail.gmail.com> <m24qqc$355$1@ger.gmane.org>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 21 Oct 2014 07:41:52 +0200
Message-ID: <CABcZeBPr6+8BSL0DPMZEz7n-stBO3rU4Cv7Zwx=xPF4btYm+pA@mail.gmail.com>
To: Alex Elsayed <eternaleye@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b8743f6322b340505e84c79"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/eKfCxdgKhfZbuapI0YF4u49d5bw
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Fate of resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 05:42:36 -0000

On Tue, Oct 21, 2014 at 7:26 AM, Alex Elsayed <eternaleye@gmail.com> wrote:

> Eric Rescorla wrote:
>
> <snip>
>
> > Another problem with resumption is that it is a threat to PFS.  In the
> > current TLS resumption design, if a session is resumable, then both
> > the client and the server retain the MS in their session caches [1].
> > Thus, even if you use a PFS cipher suite and destroy the traffic keys
> > and the asymmetric keys after the connection is over, an attacker who
> > attacks the session cache can decrypt your connection. As noted in my
> > previous message, it's not too difficult to separate the MS stored in
> > the session cache from the MS used for the initial connection that
> > initiated the session, but it's much harder to do so between multiple
> > resumptions of the same session, though perhaps we could do figure out
> > how to do so [2].
>
> <snip>
>
> >
> >     Connection 1 does a full asymmetric exchange and establishes
> >     session X with MS key M, storing M in the session cache and
> >     using M to generate its keys.
> >
> >     Connection 2 resumes session X and uses M to generate its keys.
> >
> >     Connection 3 resumes session X and uses M to generate its keys.
> >
> > It's fairly straightforward to have connection 1 generate two keys,
> > M and M' from its PMS, use M to generate its keys and store M'
> > in the session cache. But this still leaves both connection 2 and
> > 3 sharing M'.
>
> One thing I wonder - do we need to support multiple resumption of the same
> state, or do we simply need to allow a session to die and revive?
>
> The difference is that, in the latter case, we may be able to just evolve
> the MS using some variety of one-way function between each reincarnation of
> a session:
>
>      Connection 1 does a full asymmetric exchange and establishes
>      session X with MS key M, storing M' in the session cache and
>      using M to generate its keys.
>
>      Connection 2 resumes session X as session X' and uses M' to
>      generate its keys, storing M'' in the session cache.
>      M' is erased.
>
>      Connection 3 resumes session X' as session X'' and uses M''
>      to generate its keys, storing M''' in the session cache.
>      M'' is erased.
>
> And so forth.


How would erasing the session interact with RFC 5077 tickets?

-Ekr


> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.35.0 | Report a Bug | By Email | System Status