IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 October 2014 17:45 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 484131A8AD2 for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 10:45:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M6bVz4ln8AjM for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 10:45:40 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 32ADD1A8AA9 for <tls@ietf.org>; Thu, 23 Oct 2014 10:45:40 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 3E46F2AB2BB; Thu, 23 Oct 2014 17:45:38 +0000 (UTC)
Date: Thu, 23 Oct 2014 17:45:38 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141023174537.GW19158@mournblade.imrryr.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <54483C33.4000702@polarssl.org> <11886639.VyNDkQ3oKj@pintsize.usersys.redhat.com> <54493904.7010807@fussenegger.info>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <54493904.7010807@fussenegger.info>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/eexJvHVaFboajwXmpn5Q-fo1ySU
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 17:45:42 -0000

On Thu, Oct 23, 2014 at 07:21:08PM +0200, Richard Fussenegger wrote:

> To answer Rich Salz's initial question, if we'd have 24h encryption and 72h
> decryption on the server-side (as I proposed and nobody said anything pro or
> contra)

There is another variable at play here, in many implementations
there is a potentially independent upper bound on the lifetime of
resumed sessions, whether stateful or otherwise.

In Postfix (which is based on OpenSSL) I arrange for the session
lifetime limit to be double the key rotation interval.  Say that
is 1 hour, then the session lifetime is set to 2 hours.  Each key
is used to encrypt new traffic for an hour, then it becomes the
cached decryption key and a new encryption key is used.

There are only ever two keys sets in memory: the current encryption
key set and prior encryption (additional decryption) keyset.  I
say key set because we need an encryption key and an HMAC key and
both are rotated together, with these is associated a 16 octent id
(could be a counter or simply random).

> the MUST NOT for ticket/token lifetime would become 48h.
> 
> server-side key:
>          24h enc
> |------------------------|         24h denc
>                          |------------------------|        24h denc
> |------------------------|
> client:
>                                                 48h
> |-------------------------------------------------|

The set of sessions encrypted under a single key is still 24 hours,
but the length of time for which the key is exposed on the server
is 48 hours.  And indeed a session is valid for anywhere between
24 and 48 hours depending on when in the encryption key's lifetime
it got created.

> If the client receives a ticket/token just before the first rotation, it can
> revisit within 48h and the ticket/token is still valid if three keys are in
> use.

Actually two key sets are sufficient.  There is no need for a third
key set.  Take a look at postfix/src/tls/tls_scache.c the relevant
functions are tls_scache_key() and tls_scache_key_rotate().

This is used in postfix/src/tls/tls_mgr.c tls_mgr_key().

    https://github.com/vdukhovni/postfix

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email