Re: [TLS] Session resumption ticket reuse considered harmful

Watson Ladd <watson@cloudflare.com> Thu, 05 March 2020 22:49 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mf4P0qUVhFBO3O8EWpZC6jYt6Ws>

On Thu, Mar 5, 2020 at 12:55 PM Nico Williams <nico@cryptonector.com> wrote:
>
> .... unless both parties agree.  It takes two to agree.

As far as I am aware, session tickets being single use isn't enforced
by any server right now: it's a desirable but theoretical property for
0-RTT.

My skepticism is entirely a function of this being a late-breaking
change to a relatively simple proposal, with not very much in the way
of quantifiable evidence to back up the concern that shared cache
contention is a big overhead. Is it 1%? .5? 10%? of the total time to
use a connection. At 10% we definitely need to do something, at .01%
we almost certainly don't.

>
> What are the problems with ticket reuse?  Well:
>
> 1) session linkage
>
> 2) early data doesn't get rekeyed, so you get key reuse and the early
>    data is replayable
>
> In the case of SMTP, however, (1) is not a problem for obvious reasons,
> and (2) is N/A.
>
> For SUBMIT, (1) is a problem, so don't allow it, and (2) is N/A.
>
> SMTP doesn't care about session linkage because it's MTA<->MTA traffic
> that is already aggregating multiple users' traffic, plus email is
> store-and-forward, so there is no real privacy loss for users.
>
> Nico
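
The trade-off discussed in this message, as an added example that is not part of the original thread: enforcing single-use tickets means recording every redeemed ticket until it expires, and that record only stops reuse if every frontend able to accept the ticket shares it. The class names, the 7200-second lifetime, the timestamps and the ticket bytes are constructed for illustration.

```python
import hashlib
import time


class StrikeRegister:
    """Remembers redeemed tickets until they would have expired anyway."""

    def __init__(self, ticket_lifetime_s):
        self.ticket_lifetime_s = ticket_lifetime_s
        self._seen = {}  # ticket digest -> expiry time of that ticket

    def redeem(self, ticket, issued_at, now=None):
        """Return True the first time a live ticket is presented, else False.

        issued_at is assumed to come from the server's own decrypted ticket
        state; here it is passed in directly to keep the example small.
        """
        now = time.time() if now is None else now
        # Entries for expired tickets no longer need to be remembered.
        self._seen = {d: exp for d, exp in self._seen.items() if exp > now}
        expires = issued_at + self.ticket_lifetime_s
        if now >= expires:
            return False  # expired: fall back to a full handshake
        digest = hashlib.sha256(ticket).digest()
        if digest in self._seen:
            return False  # reuse: refuse resumption and any early data
        self._seen[digest] = expires
        return True


class Frontend:
    """One TLS terminator; several may share a register or each own one."""

    def __init__(self, register):
        self.register = register

    def accept_resumption(self, ticket, issued_at, now):
        return self.register.redeem(ticket, issued_at, now)


def replay_across(frontends, ticket, issued_at, now):
    """Present the same ticket once to each frontend; list who accepted it."""
    return [f.accept_resumption(ticket, issued_at, now) for f in frontends]


def demo():
    ticket = b"constructed-opaque-ticket-bytes"
    per_node = [Frontend(StrikeRegister(7200)) for _ in range(3)]
    shared_register = StrikeRegister(7200)
    shared = [Frontend(shared_register) for _ in range(3)]
    return (replay_across(per_node, ticket, 1000, 1010),
            replay_across(shared, ticket, 1000, 1010))
```

With per-node registers the same ticket is accepted once by each frontend; only the shared register holds it to a single use, which is where the shared-cache cost questioned above comes from.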