IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 23 October 2014 18:36 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3061E1A1A38 for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 11:36:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xaxU0L8bF-Tj for <tls@ietfa.amsl.com>; Thu, 23 Oct 2014 11:36:39 -0700 (PDT)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 52D6D1A1A31 for <tls@ietf.org>; Thu, 23 Oct 2014 11:36:39 -0700 (PDT)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 950752AB2BB; Thu, 23 Oct 2014 18:36:37 +0000 (UTC)
Date: Thu, 23 Oct 2014 18:36:37 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <20141023183637.GX19158@mournblade.imrryr.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com> <CAK3OfOj9bZcSDdWhHGeGT0STg6XBkYaExW+rQFN-FFE4oaPLrw@mail.gmail.com> <54483C33.4000702@polarssl.org> <11886639.VyNDkQ3oKj@pintsize.usersys.redhat.com> <54493904.7010807@fussenegger.info> <20141023174537.GW19158@mournblade.imrryr.org> <5449463D.7080904@fussenegger.info>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <5449463D.7080904@fussenegger.info>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/mAD2jKBVXN6oj6h55Kwa5XM4884
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tls@ietf.org
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Oct 2014 18:36:41 -0000

On Thu, Oct 23, 2014 at 08:17:33PM +0200, Richard Fussenegger wrote:

> I like the wording 'key set' and it's actually what I was referring to too.
> The key sets that are generated in my script for nginx are simply 48 B of
> random data (key_name, iv, key, mac):

The iv should not be part of the persistent key set.  It is a new
random value for each client, returned to the server as part of
the ticket.  The key set is just (name, key, mac).  The in memory
version in Postfix also holds a timeout:

    typedef struct TLS_TICKET_KEY {
	unsigned char name[TLS_TICKET_NAMELEN];
	unsigned char bits[TLS_TICKET_KEYLEN];
	unsigned char hmac[TLS_TICKET_MACLEN];
	time_t  tout;
    } TLS_TICKET_KEY;

> I adopted the three key idea from Twitter[1] and yes two key sets are
> sufficient. I thought that Twitters rationale behind the three keys was to
> extend the lifetime of tickets on the client side (as in my drawing
> http://pastebin.com/1iAatbWm) without extending the lifetime of the
> encryption key. Of course I could be terribly wrong here but Jacob
> Hoffman-Andrews for sure had some idea behind this rationale.

There is no particular advantage to three keys,  it just means that
the range of session lifetimes is between 2T and 3T, rather than
between T and 2T, if that's compelling (less variance) go for it.

> If the upper limit is said to be two tickets, Twitter has to adopt there
> system. Since we already have a prominent example that uses three tickets,
> its imho a good idea to let them continue doing so. Note that your approach
> would still be perfectly valid because you're below the hard limit of three
> tickets.

I think you mean "key sets" not "tickets", and still I have no idea
what the above is talking about.  There is no "hard limit".  One
can use 24 keysets each good for encryption for 1 hour and decryption
for 23 after that.  It just means more data to shuffle in memory.
I used 2 key sets because it was simpler.

> That said, I have no problem with two keys especially if there is an
> argument against using three keys in regards to security. Maybe I should ask
> Jacob Hoffman-Andrews from Twitter why they are using three keys?

The number of key sets is irrelevant, all that matters is how long
each one is retained.  Postfix defaults to 2 hours (1 hour encrypt
and 1 hour decrypt).  With N keysets, you'd have (T encrypt, (N-1)*T
decrypt).

-- 
	Viktor.

v2.23.0 | Report a Bug | By Email