IETF Logo Mail Archive

Re: [TLS] Unifying tickets and sessions

"Richard Fussenegger, BSc" <richard@fussenegger.info> Mon, 20 October 2014 20:58 UTC

Return-Path: <richard@fussenegger.info>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 672481ACE82 for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 13:58:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fxDvU2jxO3JN for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 13:58:33 -0700 (PDT)
Received: from mx204.easyname.com (mx204.easyname.com [212.232.28.125]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BE47A1ACE75 for <tls@ietf.org>; Mon, 20 Oct 2014 13:58:32 -0700 (PDT)
Received: from 89-26-76-175.goll.dyn.salzburg-online.at ([89.26.76.175] helo=[192.168.0.11]) by mx.easyname.eu with esmtpsa (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <richard@fussenegger.info>) id 1XgK26-0006fx-4N; Mon, 20 Oct 2014 22:58:28 +0200
Message-ID: <5445775E.3050108@fussenegger.info>
Date: Mon, 20 Oct 2014 22:58:06 +0200
From: "Richard Fussenegger, BSc" <richard@fussenegger.info>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: "Salz, Rich" <rsalz@akamai.com>, "TLS@ietf.org (tls@ietf.org)" <tls@ietf.org>
References: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com>
In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C71D3A8C48AF@USMBX1.msg.corp.akamai.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms030309040101020205020100"
X-ACL-Warn: X-DNSBL-v4bl
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/modYI7q0O1XQt-OUad9QY9H3MHY
Subject: Re: [TLS] Unifying tickets and sessions
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 20:58:36 -0000

Nice to see this merge and I directly +1 the token wording.

How about **MUST NOT** for more than 24 hours for the encryption key and 
**MUST NOT** for more than 3 x 24 hours for decryption keys? That should 
account for all possibilities and one can use three keys to achieve it 
that rotate at the same intervals.

The RFC should clarify that the negotiated cipher **MUST** be honored 
when encrypting the state that will be sent to the client. [1]

Regards
Richard

[1] https://media.blackhat.com/us-13/US-13-Daigniere-TLS-Secrets-WP.pdf

On 10/20/2014 10:11 PM, Salz, Rich wrote:
> It's proposed that we unify tickets and sessions at the protocol level.
>
> --------------------------------
>
> For 1.3 we bring in the extension definitions from 5077. For the wire format, it doesn't matter if the information is a session identifier (a short string, referring to state maintained on the server) or a ticket (the actual crypto state, stored on the client). Perhaps to be general, we call it session token.
>
> A TLS 1.3 client MUST send an empty session_id field. It may send a ticket extension. If the server is willing to accept the crypto state, it sends a "1" in the returned session_id field, otherwise it sends an empty session_id. This is the only use of session_id in TLS 1.3.
>
> The session token may either be an opaque identifier of local server state, or a serialization of the state the server needs, encrypted with some key. General security considerations require that this information not be kept on long-lived media, and that the identifier or encryption key be rotated periodically. These are server-side implementation details.
>
> The session token can be used to tie together multiple transactions with a loss of forward secrecy. Clients can always omit the session token. Servers SHOULD set the lifetime to an appropriate value (and MUST NOT be more than nn hours).  [Where nn is TBD; either 24 or 48.]
>
> "MUST NOT" for more than 24 hours seems to strict. If you rotate keys every 24 hours, session tickets end up being valid for up to 2 * 24 hours (+ fudge) unless you start to reject them while the server still has the key, which seems pointless. Depending on how you set up cron, that could be 49 hours+ in practice due to DST.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email