IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

David Leon Gil <coruus@gmail.com> Wed, 22 October 2014 14:28 UTC

Return-Path: <coruus@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CB3E31ACCE3 for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 07:28:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rPFkmLZJlvPQ for <tls@ietfa.amsl.com>; Wed, 22 Oct 2014 07:28:11 -0700 (PDT)
Received: from mail-lb0-x22a.google.com (mail-lb0-x22a.google.com [IPv6:2a00:1450:4010:c04::22a]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 039881ACCDF for <tls@ietf.org>; Wed, 22 Oct 2014 07:27:55 -0700 (PDT)
Received: by mail-lb0-f170.google.com with SMTP id u10so2974610lbd.15 for <tls@ietf.org>; Wed, 22 Oct 2014 07:27:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=y17wkwrL4WToBRKXy8yAp3ZbueBybKyx8PMmplrAZ6U=; b=pmll8Wt4ndhWcA9RbPPlhQJI//qIwlKKyQYiUjpFMq94HNWgYVFUiRb6Y7ysVweUlo BsqLtVvIQ2It7bLMn/FAEqAvqo93Jdw2T2ZkTTw8MxEz6qTKsXPE2ziU1v9nk0267bKI d8yUdshyUGZsRtvK+1Q9e5nMMLis+TDbUv97l9iTjWl5fTtSwicgxDF9Zwh7r/niRVSi 7qeIHpE7Ka6I7vsymoWmXSbCMqB2mvhwcv003kQJehDqz4J/BkVCOuWh3GLIkOBPb7Mv GyS9rjT9snxTjL/Xhcyjhv2Y+sygw59bcFAhTzzIv1LSOiJ8Zg+JBzXgZVBAB2nsnoJD ns1w==
X-Received: by 10.112.11.201 with SMTP id s9mr23735757lbb.79.1413988074193; Wed, 22 Oct 2014 07:27:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.25.218.145 with HTTP; Wed, 22 Oct 2014 07:27:32 -0700 (PDT)
In-Reply-To: <1659862.HPNNz8lRhl@pintsize.usersys.redhat.com>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <544606E5.2070807@fussenegger.info> <CAA7UWsVmxAmBtdCvpE_+c2e7brJNkPrQ5_69FDXzy2csg6EsyA@mail.gmail.com> <1659862.HPNNz8lRhl@pintsize.usersys.redhat.com>
From: David Leon Gil <coruus@gmail.com>
Date: Wed, 22 Oct 2014 10:27:32 -0400
Message-ID: <CAA7UWsUbxDyh_yxn2t+tghHhLOhuBH+SqiLELJRFq9g=w=OAXw@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/lG2QyHDvLOvuV_NoRWS2WOYkvCA
Cc: tls@ietf.org
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Oct 2014 14:28:14 -0000

There are, obviously, two things a server should be able to use for a
unified session id/ticket:

 - An opaque identifier
 - Encrypted session state using a construction like RFC 5077's.

Right now, RFC 5077 recommends: AES-128 with a 128-bit key and
HMAC-SHA256 with a 256-bit key.

Or, uselessly high 256-bit security against active attackers, and
uselessly low 128-bit security strength against global passive
adversaries.

There should be a recommended session ticket construction at a 256 bit
security strength for privacy to replace RFC 5077 s.4's.

--

On Wed, Oct 22, 2014 at 8:56 AM, Hubert Kario <hkario@redhat.com> wrote:
> That assumes that you have the space to store all those communications,

I frankly don't understand this.

According to the newspapers, at least, the NSA *does* store *all*
encrypted communications pending eventual decryption. So evidently
they do, at least.

> then you need to have the ability to reference all those 2^50 keys in close to real time.

This is a few petabytes of data, or a few thousand 1 TB SSDs. This is
not a large amount of data.

> Yes, it doesn't require "hard" computation, but it does require massive
> amounts of relatively fast memory.

No. It doesn't. It requires less than one cipher block per key for
most of the computation. (The main expense is memory bandwidth.)

> It's a classic memory-time tradeoff, isn't it?

No. The gains are better than linear. See
http://cr.yp.to/snuffle/bruteforce-20050425.pdf, but for "circuit"
read "graphics card/SPU/MIC".

v2.23.0 | Report a Bug | By Email