Re: [TLS] Question on Stateless TLS Session Resumption
Eric Rescorla <ekr@networkresonance.com> Sat, 13 January 2007 21:53 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5qoV-0001Dg-7q; Sat, 13 Jan 2007 16:53:23 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H5qoU-0001Db-Nf for tls@ietf.org; Sat, 13 Jan 2007 16:53:22 -0500
Received: from raman.networkresonance.com ([198.144.196.3]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H5qoT-0008Nc-CO for tls@ietf.org; Sat, 13 Jan 2007 16:53:22 -0500
Received: by raman.networkresonance.com (Postfix, from userid 1001) id 70C211E8C28; Sat, 13 Jan 2007 13:53:18 -0800 (PST)
To: "Narayanan, Vidya" <vidyan@qualcomm.com>
Subject: Re: [TLS] Question on Stateless TLS Session Resumption
References: <C24CB51D5AA800449982D9BCB90325133C9A2E@NAEX13.na.qualcomm.com>
From: Eric Rescorla <ekr@networkresonance.com>
Date: Sat, 13 Jan 2007 13:53:18 -0800
In-Reply-To: <C24CB51D5AA800449982D9BCB90325133C9A2E@NAEX13.na.qualcomm.com> (Vidya Narayanan's message of "Sat, 13 Jan 2007 11:54:54 -0800")
Message-ID: <863b6eh9v5.fsf@raman.networkresonance.com>
User-Agent: Gnus/5.1007 (Gnus v5.10.7) XEmacs/21.4.19 (berkeley-unix)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: f4c2cf0bccc868e4cc88dace71fb3f44
Cc: tls@ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: EKR <ekr@networkresonance.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org
[Re-sending to the mailing list...] "Narayanan, Vidya" <vidyan@qualcomm.com> writes: > All, > RFC4507 makes no mention of ticket replays at all, which I find to be a > bit surprising. It actually doesn't talk about message replays either, > but, since the protocol takes 1.5 RTs, both parties prove to be live > and so, that is not a problem. But, ticket replays seem to be of some > concern. Based on the fact that the ticket contains a timestamp, using > which expiry can be determined, it appears that a given ticket will be > accepted until its expiry time, even if a newer ticket may have been > issued after that. Right. There's nothing wrong with this. > This itself is not so much a problem, since, the > client really has no incentive in using an older ticket as opposed to > the latest one. However, if a new ticket is either not issued or if the > session is terminated by the server for some reason, this seems to be a > problem. Well, there are two separate issues here. There's no technical reason why a new TLS handshake between a client/server pair needs to invalidate and old session between them. Indeed, I don't know of any server which enforces this before and it would even in principle be rather difficult to do in the absence of client authentication, which is fairly rare. This leaves us with ticket invalidation which does, as you note, require server side state, though rather less than that required by an ordinary session cache. > Since there is really no means of ticket revocation or any > server state on the status of a ticket, there seems to be no way to > determine that the client is not supposed to be using that ticket to > resume a session. Also, the fact that the client is allowed to pick a > Session ID makes it infeasible to track a terminated session that must > not be allowed to resume. I don't think I understand this point. Both session IDs and tickets are generated by servers. > Am I missing something? Has this been talked about before? Yes, it's discussed extensively in the SBR04 paper on Client-Side Session Caching. Shacham, H., Boneh, D., and E. Rescorla, "Client-side caching for TLS", Transactions on Information and System Security (TISSEC) , Volume 7, Issue 4, November 2004. -Ekr _______________________________________________ TLS mailing list TLS@lists.ietf.org https://www1.ietf.org/mailman/listinfo/tls
- [TLS] Question on Stateless TLS Session Resumption Narayanan, Vidya
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- Re: [TLS] Question on Stateless TLS Session Resum… Eric Rescorla
- Re: [TLS] Question on Stateless TLS Session Resum… Lakshminath Dondeti
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] when is it ok to resume a cached SSL/TLS se… Martin Rex
- [TLS] Re: when is it ok to resume a cached SSL/TL… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Eric Rescorla
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Kyle Hamilton
- Re: [TLS] Re: when is it ok to resume a cached SS… home_pw
- Re: [TLS] Re: when is it ok to resume a cached SS… Martin Rex
- RE: [TLS] Question on Stateless TLS Session Resum… Narayanan, Vidya
- Re: [TLS] when is it ok to resume a cached SSL/TL… Martin Rex