Re: [TLS] Fate of resumption
Alex Elsayed <eternaleye@gmail.com> Tue, 21 October 2014 05:26 UTC
Return-Path: <ietf-ietf-tls@m.gmane.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 306481AD052 for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 22:26:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.536
X-Spam-Level:
X-Spam-Status: No, score=-0.536 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, FREEMAIL_FROM=0.001, NML_ADSP_CUSTOM_MED=0.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_NUMERIC_HELO=1.164, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, T_FSL_HELO_BARE_IP_2=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NnsZDlJEJ-5e for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 22:26:51 -0700 (PDT)
Received: from plane.gmane.org (plane.gmane.org [80.91.229.3]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 420301AD051 for <tls@ietf.org>; Mon, 20 Oct 2014 22:26:50 -0700 (PDT)
Received: from list by plane.gmane.org with local (Exim 4.69) (envelope-from <ietf-ietf-tls@m.gmane.org>) id 1XgRy4-0002Yp-GK for tls@ietf.org; Tue, 21 Oct 2014 07:26:48 +0200
Received: from 66.87.138.59 ([66.87.138.59]) by main.gmane.org with esmtp (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <tls@ietf.org>; Tue, 21 Oct 2014 07:26:48 +0200
Received: from eternaleye by 66.87.138.59 with local (Gmexim 0.1 (Debian)) id 1AlnuQ-0007hv-00 for <tls@ietf.org>; Tue, 21 Oct 2014 07:26:48 +0200
X-Injected-Via-Gmane: http://gmane.org/
To: tls@ietf.org
From: Alex Elsayed <eternaleye@gmail.com>
Date: Mon, 20 Oct 2014 22:26:33 -0700
Lines: 52
Message-ID: <m24qqc$355$1@ger.gmane.org>
References: <CABcZeBP4=aXbQSFAhh4EenwRiTrv2LP=r50VeULm4f_0RR4swA@mail.gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
X-Complaints-To: usenet@ger.gmane.org
X-Gmane-NNTP-Posting-Host: 66.87.138.59
User-Agent: KNode/4.14
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/svYzugCqYPvBOAVbV9BVpZc2760
X-Mailman-Approved-At: Mon, 20 Oct 2014 22:31:43 -0700
Subject: Re: [TLS] Fate of resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 05:26:53 -0000
Eric Rescorla wrote:
<snip>
> Another problem with resumption is that it is a threat to PFS. In the
> current TLS resumption design, if a session is resumable, then both
> the client and the server retain the MS in their session caches [1].
> Thus, even if you use a PFS cipher suite and destroy the traffic keys
> and the asymmetric keys after the connection is over, an attacker who
> attacks the session cache can decrypt your connection. As noted in my
> previous message, it's not too difficult to separate the MS stored in
> the session cache from the MS used for the initial connection that
> initiated the session, but it's much harder to do so between multiple
> resumptions of the same session, though perhaps we could do figure out
> how to do so [2].
<snip>
>
> Connection 1 does a full asymmetric exchange and establishes
> session X with MS key M, storing M in the session cache and
> using M to generate its keys.
>
> Connection 2 resumes session X and uses M to generate its keys.
>
> Connection 3 resumes session X and uses M to generate its keys.
>
> It's fairly straightforward to have connection 1 generate two keys,
> M and M' from its PMS, use M to generate its keys and store M'
> in the session cache. But this still leaves both connection 2 and
> 3 sharing M'.
One thing I wonder - do we need to support multiple resumption of the same
state, or do we simply need to allow a session to die and revive?
The difference is that, in the latter case, we may be able to just evolve
the MS using some variety of one-way function between each reincarnation of
a session:
Connection 1 does a full asymmetric exchange and establishes
session X with MS key M, storing M' in the session cache and
using M to generate its keys.
Connection 2 resumes session X as session X' and uses M' to
generate its keys, storing M'' in the session cache.
M' is erased.
Connection 3 resumes session X' as session X'' and uses M''
to generate its keys, storing M''' in the session cache.
M'' is erased.
And so forth.
- [TLS] Fate of resumption Eric Rescorla
- Re: [TLS] Fate of resumption Yoav Nir
- Re: [TLS] Fate of resumption Peter Gutmann
- Re: [TLS] Fate of resumption Erik Nygren
- Re: [TLS] Fate of resumption Martin Thomson
- Re: [TLS] Fate of resumption Joseph Salowey
- Re: [TLS] Fate of resumption Peter Gutmann
- Re: [TLS] Fate of resumption Martin Thomson
- Re: [TLS] Fate of resumption Peter Gutmann
- Re: [TLS] Fate of resumption Tom Ritter
- Re: [TLS] Fate of resumption Martin Thomson
- Re: [TLS] Fate of resumption Peter Gutmann
- Re: [TLS] Fate of resumption Alex Elsayed
- Re: [TLS] Fate of resumption Viktor Dukhovni
- Re: [TLS] Fate of resumption Eric Rescorla
- Re: [TLS] Fate of resumption Watson Ladd
- Re: [TLS] Fate of resumption Eric Rescorla