IETF Logo Mail Archive

Re: [TLS] Fate of resumption

Watson Ladd <watsonbladd@gmail.com> Tue, 21 October 2014 06:05 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C63DB1AD065 for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 23:05:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id f-bej__XSCsh for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 23:05:23 -0700 (PDT)
Received: from mail-yh0-x236.google.com (mail-yh0-x236.google.com [IPv6:2607:f8b0:4002:c01::236]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72A991AD064 for <tls@ietf.org>; Mon, 20 Oct 2014 23:05:23 -0700 (PDT)
Received: by mail-yh0-f54.google.com with SMTP id 29so888841yhl.13 for <tls@ietf.org>; Mon, 20 Oct 2014 23:05:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=8/bL49P0Sv6w6v1BbXBjDqG3zciLKF/14ZvN4BCm+p4=; b=Jid9ldZ7HzCvnoodlEM0OLN85G1d9SPMaH3AHFcITJECfsHoQvRv/zc0VsqymWFoqi gIBFIY0U0AFHFf9OQMeBkPM++70ezLL7JaUF3ldVTYebSd07ElbJM2vErJECMv5oMIee 4/E1M+kk48jol4O/7+mpN85F/1/PwHih7p7u1CGQ9IEmhf3tGeFbpXJY6aVo2jlRqbzP F0knF492PtqY4az17w5VQ3PxbjBwfyAMFkik7jScAQBMOjqBRDrOz5BeA4dA6oQT2657 u2IbAKaYjtII+Qi5IHvOwB1CZTEqMG5Vk5U7DVhvfmPO8YeJUV4B9rSdr+Bnle+BEKh2 2niw==
MIME-Version: 1.0
X-Received: by 10.236.199.46 with SMTP id w34mr46666144yhn.20.1413871522762; Mon, 20 Oct 2014 23:05:22 -0700 (PDT)
Received: by 10.170.195.149 with HTTP; Mon, 20 Oct 2014 23:05:22 -0700 (PDT)
In-Reply-To: <20141021054118.GN19158@mournblade.imrryr.org>
References: <CABcZeBP4=aXbQSFAhh4EenwRiTrv2LP=r50VeULm4f_0RR4swA@mail.gmail.com> <m24qqc$355$1@ger.gmane.org> <20141021054118.GN19158@mournblade.imrryr.org>
Date: Mon, 20 Oct 2014 23:05:22 -0700
Message-ID: <CACsn0cnjRQELhmt5AqtVPU1OzpGcza4gbVpYfcj1CEBfWOnHaA@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/uLzd0lNkE3hLSjV7kM_Imm1yW7I
Subject: Re: [TLS] Fate of resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Oct 2014 06:05:26 -0000

On Mon, Oct 20, 2014 at 10:41 PM, Viktor Dukhovni
<ietf-dane@dukhovni.org> wrote:
> On Mon, Oct 20, 2014 at 10:26:33PM -0700, Alex Elsayed wrote:
>
>> > It's fairly straightforward to have connection 1 generate two keys,
>> > M and M' from its PMS, use M to generate its keys and store M'
>> > in the session cache. But this still leaves both connection 2 and
>> > 3 sharing M'.
>>
>> One thing I wonder - do we need to support multiple resumption of the same
>> state, or do we simply need to allow a session to die and revive?
>
> In terms of existing practice Postfix resumes cached sessions
> independently in parallel.  When a cached a resumed session completes,
> no new session replaces the original cache entry.  The code assumes
> that session resumption is non-destructive, and cached state can
> be re-used multiple times.  I imagine similar behaviour patterns
> apply to browsers, and other applications.
>
> If TLS 1.3 changes session re-use semantics, it will be substantially
> more difficult to deploy (changes will impact not just SSL library,
> but also application code).

In a little over an hour a meeting on this topic will be starting, so
let me put in my two cents. There is no reason a resumed session needs
to use the same keys as the record layer of the session that was
resumed. (Actually, there is, namely 0-RTT, but lets forget that for
the time being/solve it some other way). In particular having a
connection generate a resumption key, and deriving from the resumption
key new, distinct, keys for each direction of the new communication
solves the PFS problem, while still enabling multiple resumption.

Furthermore, resumption has always been optional. TLS 1.2 states that
a client does not know if a server will permit resumption. Likewise, a
server doesn't know if a client supports resumption. That said, adding
mutability to something that wasn't mutable is a major change in
multithreaded code, and should be avoided.

Sincerely,
Watson Ladd
>
> --
>         Viktor.
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin

v2.23.0 | Report a Bug | By Email