Re: [TLS] #445: Enhanced New Session Ticket
Eric Rescorla <ekr@rtfm.com> Fri, 29 April 2016 16:16 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E72BB12D186 for <tls@ietfa.amsl.com>; Fri, 29 Apr 2016 09:16:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2gqRe5NxW9kD for <tls@ietfa.amsl.com>; Fri, 29 Apr 2016 09:16:47 -0700 (PDT)
Received: from mail-yw0-x236.google.com (mail-yw0-x236.google.com [IPv6:2607:f8b0:4002:c05::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A20ED12D0B8 for <tls@ietf.org>; Fri, 29 Apr 2016 09:16:47 -0700 (PDT)
Received: by mail-yw0-x236.google.com with SMTP id g133so174489076ywb.2 for <tls@ietf.org>; Fri, 29 Apr 2016 09:16:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=m/UmRWIxYpSiieneeVF0K6kBmAi/PKSpc7Dfi6zZz/k=; b=jWeYP1If3c+0FHolW+C+oYqbfwsCIBZYvyNqX2FUJmbnZxQhutCd0iREbdZZ1tLqjU VzLLNISzLu36aEvRnVPolBobNKrrmARXfup3eQAxmyKg96QIps7vfQwGdeIjnU60Dte1 /QpyrdVyU+Y5wW1z3f0PbV9AzKxdEhboG8PJvdr2sx7a6PnH0MedA39bs8MqrcJtJqP2 yw5m5tFIrp+FQ6vban9GskBMdbVfx3ibuFEWILiE/hM9jmuUIWjiBaAF34K+84rz4i22 7hPjjgFzZjJBjNHxagHxtiBGbpkOk73jta5zqlJ5ZqnntPOMS1LXI9GevhAj2VbBI30g ++UA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=m/UmRWIxYpSiieneeVF0K6kBmAi/PKSpc7Dfi6zZz/k=; b=X0j4pA1tHokaJaoiB+UhjBEQoqVtHVn2an9ELPQDrphIx1OKSkk346c43bKCJKWYcP Exb1lCsXrmhQSUf8d6D8Vs8X/VYF0xFHthYVueiQrA0bzxyI0TcGNgqYMC01D7E4FbM2 OMjfq50l7v7+utN8Q1Pv+jZARMi5U1WW+Z0qnqm0eecVHcDRGwAUwxSwJeYYmJ8wb1KE nXM4nLC4rzsdoG6GBjg6MzFthJG/bXIeqtuinxnpHi6hbk0G0ix2/NjxEKx7nS51vddQ J3s9GYhVihlwohOOP3Nc/XdoXmlA+lqpqz/zePinfRoHSuOICTklTkvGSvJoCwdonuHQ 6v2w==
X-Gm-Message-State: AOPr4FXgjUw3+PkIo5EJ1cgnr+INwWb9pIokU+bqPL7G+b81f9HsG+r4qmRj5FeTBUfSk0yRyT6H/euTDCaWPw==
X-Received: by 10.129.163.146 with SMTP id a140mr5109142ywh.254.1461946606853; Fri, 29 Apr 2016 09:16:46 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.132.12 with HTTP; Fri, 29 Apr 2016 09:16:07 -0700 (PDT)
In-Reply-To: <20160429153831.GA16797@LK-Perkele-V2.elisa-laajakaista.fi>
References: <20160428193252.GA16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBO2aFuq7PbxLimUoez66u0MkE3_qQi9fdfMS33dFVh_+Q@mail.gmail.com> <20160428214046.GB16096@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBMFg4iC-EN9DocqTpmjp46EYrTBdfi-G5nNMKN_xiHxVA@mail.gmail.com> <20160429055831.GA16405@LK-Perkele-V2.elisa-laajakaista.fi> <CABkgnnUFn_UrUFro-yLmn9wf7YkTpRf8anm7LK-bKgYBBkUVNg@mail.gmail.com> <20160429153831.GA16797@LK-Perkele-V2.elisa-laajakaista.fi>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 29 Apr 2016 09:16:07 -0700
Message-ID: <CABcZeBO-C5+93b5qax0wCaUhrKgjVeziphHbQse7NuBCwhdSgA@mail.gmail.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Content-Type: multipart/alternative; boundary="94eb2c1287ee2ed19e0531a1f821"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/eL60BrjkwxZFbwgyfWtsIPmyvBE>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] #445: Enhanced New Session Ticket
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Apr 2016 16:16:50 -0000
On Fri, Apr 29, 2016 at 8:38 AM, Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Fri, Apr 29, 2016 at 04:52:08PM +1000, Martin Thomson wrote: > > On 29 April 2016 at 15:58, Ilari Liusvaara <ilariliusvaara@welho.com> > wrote: > > >> [HRR state] > > > > > > That enlarges the state that needs to be kept. If one keeps extensions, > > > one only needs ~40 bytes. Whereas saving full hash state needs IIRC 114 > > > bytes (SHA-256) or 228 bytes (SHA-384). And cookies are max. 255 bytes. > > > > Cookies are as yet undefined, but I would imagine that these would be > > just the same size as the pre-shared-key identity for all the same > > reasons. > > Well, this is about the size one needs for the required state. > > > > And not many hash implementations support dumping and reloading state. > > > > What would you prefer? We could specify some very strict rules about > > what changes a client can make to their ClientHello so that the server > > can simply store things that might change (like the early_data > > extension, which will disappear on the second attempt, and whether a > > key share was needed, and so forth). > > That ~40 bytes (IIRC, it was actually 37) was done by exploiting every- > thing I could out of the rules in WIP #344 and relied on EDI being > preserved. > > EDI looks like rather sizable structure currently (even after compressing > the configuration_id by obvious means). > Are you looking at a different document than I am: EDI currently is: struct { select (Role) { case client: opaque context<0..255>; case server: struct {}; } } EarlyDataIndication; And the context is basically a placeholder. > >> [extension checking on resumption] > > > > > > So the 'etc' stands for "whatever will be defined by future > extensions"? > > > One might want to make that clearer. > > > > > > Also, things get screwy with SNI, and I think it is better not to try > to > > > use SNI with PSK. > > > > The primary function of SNI is routing. Remove it and stuff breaks. > > Thus, I would say include it, but make sure it doesn't result in a > > change in configuration. The simplest thing to do is reject PSK if > > the old SNI != the new SNI. > > That kind of non-obvious stuff really needs to be included. > > They way it is right now written, I think very few TLS stacks are going > to get it right. > Proposed text would be welcome here. > > I mean for the subsequent handshake. Since 0-RTT ALPN and connection > > > ALPN needs to match, either: > > > > > > 1) Take the 0-RTT ALPN implicitly as connection ALPN. > > > 2) Signal the same ALPN again, and have that client MUST check it > matches > > > and abort otherwise. > > > > I believe that we have to do the latter. Since we can't be sure that > > the server knows the ALPN from before if it has to reject 0-RTT. My > > plan for this is: > > > > 1. store ALPN in the ticket/session > > 2. if doing 0-RTT, before accepting 0-RTT data, perform the normal > > ALPN negotiation > > 3. check the negotiated ALPN with the stored value, and if they don't > > match reject the 0-RTT data > > 4. If 0-RTT is accepted, client checks the ALPN server sent and > compares it with value it impiled. If those don't match, the client > MUST abort. > > > 1) would be: > > 1. store ALPN in the ticket/session > 2. if doing 0-RTT, before accepting 0-RTT data, check if the 0-RTT > ALPN is acceptable. If it isn't, reject 0-RTT. > 3. If 0-RTT was rejected, select new ALPN, signal it in Encrypted > Extensions. > > That would make ALPN and EDI mutually exclusive in EncryptedExtensions. > This doesn't seem awesome from the client's perspective. I'm trying to make the ordinary PSK-resumption design less of a special case. -Ekr > > Note that this means that clients will have to deal with having to > > change protocols when 0-RTT data is rejected. But I don't see any > > other way to do this. > > Well, the applications obviously have to be able to deal with the > protocol possibly changing. > > > > This also assumes that TLS session resumption is not carrying over > > application state in addition to TLS state. I believe that is > > reasonable, though it's worth stating. > > Well, any state they can't recover. > > > -Ilari >
- [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Martin Thomson
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara
- Re: [TLS] #445: Enhanced New Session Ticket Eric Rescorla
- Re: [TLS] #445: Enhanced New Session Ticket Ilari Liusvaara