[TLS] Fate of resumption
Eric Rescorla <ekr@rtfm.com> Sat, 18 October 2014 16:17 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CCD5A1A19FD for <tls@ietfa.amsl.com>; Sat, 18 Oct 2014 09:17:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cp-qZhI4a0fc for <tls@ietfa.amsl.com>; Sat, 18 Oct 2014 09:17:09 -0700 (PDT)
Received: from mail-wg0-f44.google.com (mail-wg0-f44.google.com [74.125.82.44]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25CF31A19E9 for <tls@ietf.org>; Sat, 18 Oct 2014 09:17:09 -0700 (PDT)
Received: by mail-wg0-f44.google.com with SMTP id y10so2739321wgg.27 for <tls@ietf.org>; Sat, 18 Oct 2014 09:17:07 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to :content-type; bh=shFjR86MfoINM0sVIv+quJ037eFPg3eO+oIYinyVYoA=; b=kM1OuLuh5ZOz1MB1iY3I3jwo96FDxNu/kVBS7eI1NIsrCydZU40Gt8xC+NW0eoe9C1 Xlyq0+Bil/Kl5ZZqAyC3E7EVPnvsR7myXTjLb0Rne6/qVLWUtNmZVjOqaAWdU13AUFIy kWHTs9SKzxw9u4LvSecxqEGtWBisWvdlLbtuYLr1yxkXLpJAC9szMtewOt4UK0Af9VyD mgnjWWSJn/gUTHLVzZU9O27uJNVmgff7ZLZGH5HN195xZq4BIz4vHqgkZhdQiRZjyV+Y DKeXTCDcFT+DXoul7lKnjqvWXn0HNEo/O10Lftph+XlyHZmz1S4gCI5qHUqNBrCexjL6 96SQ==
X-Gm-Message-State: ALoCoQkFTSPchc8G6iinu+oYM91bRBbf4M8bHU9xguIZ0OW7NV2eAnrCCuJ0LbVu/o+Iu7Ja2laG
X-Received: by 10.180.206.173 with SMTP id lp13mr5851162wic.78.1413649027771; Sat, 18 Oct 2014 09:17:07 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.49.198 with HTTP; Sat, 18 Oct 2014 09:16:27 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Sat, 18 Oct 2014 17:16:27 +0100
Message-ID: <CABcZeBP4=aXbQSFAhh4EenwRiTrv2LP=r50VeULm4f_0RR4swA@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c38c7c2360d10505b4d067"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/oT2npNeY7R1OKokLsW-q8-T-buw
Subject: [TLS] Fate of resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Oct 2014 16:17:12 -0000
Folks, I wanted to get the discussion going on whether we need resumption [0] or not for TLS 1.3. This may be a quick discussion as I suspect the answer is yes, but I figure we should decide it rather than just assuming it. The argument for resumption seems pretty straightforward: it requires significantly less computation (in the form of asymmetric operations) than a full handshake. I suspect that this argument is less powerful than it used to be for two reasons: - Increased computational power. - Faster algorithms in the form of ECC. Nevertheless, we still have constrained devices, both in the form of low-power phones and IOT-type devices. OTOH, it's not clear to me how many of those devices actually (a) do public key cryptography as opposed to PSK and (b) do session resumption. Conversely, resumption adds complexity to the protocol both since you have to implement both the full and resumed state machines and because the client has uncertainty about whether a server will accept resumption. Another problem with resumption is that it is a threat to PFS. In the current TLS resumption design, if a session is resumable, then both the client and the server retain the MS in their session caches [1]. Thus, even if you use a PFS cipher suite and destroy the traffic keys and the asymmetric keys after the connection is over, an attacker who attacks the session cache can decrypt your connection. As noted in my previous message, it's not too difficult to separate the MS stored in the session cache from the MS used for the initial connection that initiated the session, but it's much harder to do so between multiple resumptions of the same session, though perhaps we could do figure out how to do so [2]. I'm hoping to get people's opinions on this (and we can discuss more next week). How important is resumption to you as a performance optimization? Is it still important when you can do all-ECC (which it seems likely we will require clients to do for TLS 1.3). -Ekr [0] For purposes of this discussion I'm using "resumption" to mean both ordinary resumption [RFC 5246; Figure 2] and session tickets [RFC 5077]. I tend to agree with the comments from others that if we retain resumption we should unify these mechanisms, but that seems like a question to be answered after we have decided whether to retain resumption at all. [1] Technical note: with RFC 5077 tickets the server retains the ticket master key (TMK) in its memory, but since the attacker is assumed to have the ticket, an attacker who successfully attacks the server and recovers the TMK key can recover the MS. It's true that you could store the TMK in secure storage, but you could also implement a session cache where the entries are encrypted under some kind of master key which is in secure storage, so I would argue that the security properties vis-a-vis PFS are similar. [2] For clarity, what I mean here is: Connection 1 does a full asymmetric exchange and establishes session X with MS key M, storing M in the session cache and using M to generate its keys. Connection 2 resumes session X and uses M to generate its keys. Connection 3 resumes session X and uses M to generate its keys. It's fairly straightforward to have connection 1 generate two keys, M and M' from its PMS, use M to generate its keys and store M' in the session cache. But this still leaves both connection 2 and 3 sharing M'.
- [TLS] Fate of resumption Eric Rescorla
- Re: [TLS] Fate of resumption Yoav Nir
- Re: [TLS] Fate of resumption Peter Gutmann
- Re: [TLS] Fate of resumption Erik Nygren
- Re: [TLS] Fate of resumption Martin Thomson
- Re: [TLS] Fate of resumption Joseph Salowey
- Re: [TLS] Fate of resumption Peter Gutmann
- Re: [TLS] Fate of resumption Martin Thomson
- Re: [TLS] Fate of resumption Peter Gutmann
- Re: [TLS] Fate of resumption Tom Ritter
- Re: [TLS] Fate of resumption Martin Thomson
- Re: [TLS] Fate of resumption Peter Gutmann
- Re: [TLS] Fate of resumption Alex Elsayed
- Re: [TLS] Fate of resumption Viktor Dukhovni
- Re: [TLS] Fate of resumption Eric Rescorla
- Re: [TLS] Fate of resumption Watson Ladd
- Re: [TLS] Fate of resumption Eric Rescorla