IETF Logo Mail Archive

Re: [TLS] Session resumption ticket reuse considered harmful

Nico Williams <nico@cryptonector.com> Thu, 05 March 2020 22:12 UTC

Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 176333A0D1E for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 14:12:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cryptonector.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PLad_cqSV6-8 for <tls@ietfa.amsl.com>; Thu, 5 Mar 2020 14:12:54 -0800 (PST)
Received: from dragonfly.birch.relay.mailchannels.net (dragonfly.birch.relay.mailchannels.net [23.83.209.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDA003A0D1D for <tls@ietf.org>; Thu, 5 Mar 2020 14:12:53 -0800 (PST)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 4BD076015F5; Thu, 5 Mar 2020 22:12:53 +0000 (UTC)
Received: from pdx1-sub0-mail-a85.g.dreamhost.com (100-96-219-30.trex.outbound.svc.cluster.local [100.96.219.30]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id A5FA4601636; Thu, 5 Mar 2020 22:12:52 +0000 (UTC)
X-Sender-Id: dreamhost|x-authsender|nico@cryptonector.com
Received: from pdx1-sub0-mail-a85.g.dreamhost.com ([TEMPUNAVAIL]. [64.90.62.162]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384) by 0.0.0.0:2500 (trex/5.18.5); Thu, 05 Mar 2020 22:12:53 +0000
X-MC-Relay: Neutral
X-MailChannels-SenderId: dreamhost|x-authsender|nico@cryptonector.com
X-MailChannels-Auth-Id: dreamhost
X-Thoughtful-Bottle: 61cec41b15f18e7a_1583446372982_94322306
X-MC-Loop-Signature: 1583446372982:2349358539
X-MC-Ingress-Time: 1583446372982
Received: from pdx1-sub0-mail-a85.g.dreamhost.com (localhost [127.0.0.1]) by pdx1-sub0-mail-a85.g.dreamhost.com (Postfix) with ESMTP id 6BA1A80A4B; Thu, 5 Mar 2020 14:12:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h=date :from:to:cc:subject:message-id:references:mime-version :content-type:in-reply-to; s=cryptonector.com; bh=vlj+RtOtzI4Toz g6ru13GGM9fXg=; b=TO5yilwbYGicLh9sDDvUxQyq7SD8nh1hhkmStQBYVQpGph GlOBCBCkOOf0V5VdTcm/e9xWO41w5f8oWznMAf18Pnd1tX4dlEFUox2zG0CqcIcz uRGtSOfTt7Q7rPH2FMcSRsz7KhSpl7QHhrl9ykKWJ8WwzK2AvQjlWzIQVR2BU=
Received: from localhost (unknown [24.28.108.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by pdx1-sub0-mail-a85.g.dreamhost.com (Postfix) with ESMTPSA id 6EBBB80A51; Thu, 5 Mar 2020 14:12:47 -0800 (PST)
Date: Thu, 05 Mar 2020 16:12:45 -0600
X-DH-BACKEND: pdx1-sub0-mail-a85
From: Nico Williams <nico@cryptonector.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Message-ID: <20200305221244.GS18021@localhost>
References: <20200305205524.GR18021@localhost> <78240ee1-20ea-45b2-bd0e-e967077c509e@www.fastmail.com> <6A4F6E0C-A1A5-44E8-8045-6D11CDBE939B@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <6A4F6E0C-A1A5-44E8-8045-6D11CDBE939B@akamai.com>
User-Agent: Mutt/1.9.4 (2018-02-28)
X-VR-OUT-STATUS: OK
X-VR-OUT-SCORE: -100
X-VR-OUT-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedugedruddutddgudeivdcutefuodetggdotefrodftvfcurfhrohhfihhlvgemucggtfgfnhhsuhgsshgtrhhisggvpdfftffgtefojffquffvnecuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpeffhffvuffkfhggtggujggfsehttdertddtredvnecuhfhrohhmpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqnecukfhppedvgedrvdekrddutdekrddukeefnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmohguvgepshhmthhppdhhvghloheplhhotggrlhhhohhsthdpihhnvghtpedvgedrvdekrddutdekrddukeefpdhrvghtuhhrnhdqphgrthhhpefpihgtohcuhghilhhlihgrmhhsuceonhhitghosegtrhihphhtohhnvggtthhorhdrtghomheqpdhmrghilhhfrhhomhepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomhdpnhhrtghpthhtohepnhhitghosegtrhihphhtohhnvggtthhorhdrtghomh
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uT8Ti-9gnrcOY8YIrmFyXmCJyTY>
Subject: Re: [TLS] Session resumption ticket reuse considered harmful
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Mar 2020 22:12:57 -0000

On Thu, Mar 05, 2020 at 09:40:24PM +0000, Salz, Rich wrote:
> I think several participants in these threads are taking SHOULD NOT
> re-use as a MUST NOT.  Servers in datacenters seem to fall outside
> that concern, no?

Indeed, RFC2119 defines SHOULD NOT:

   4. SHOULD NOT   This phrase, or the phrase "NOT RECOMMENDED" mean that
      there may exist valid reasons in particular circumstances when the
      particular behavior is acceptable or even useful, but the full
      implications should be understood and the case carefully weighed
      before implementing any behavior described with this label.

And SMTP and your use case have "valid reasons" because they are "in
particular circumstances when the particular behavior is acceptable or
even useful" and "the full implications" _are_ "understood" and "the
case" has been "carefully weighed".

Even if RFC8446 said MUST NOT, we could update it, but as it is we don't
need to because it does say SHOULD NOT:

   C.4.  Client Tracking Prevention

      Clients SHOULD NOT reuse a ticket for multiple connections.  Reuse of
      a ticket allows passive observers to correlate different connections.
      Servers that issue tickets SHOULD offer at least as many tickets as
      the number of connections that a client might use; for example, a web
      browser using HTTP/1.1 [RFC7230] might open six connections to a
      server.  Servers SHOULD issue new tickets with every connection.
      This ensures that clients are always able to use a new ticket when
      creating a new connection.

and that makes very clear that the SHOULD NOT is specifically about
"Client Tracking".  And it follows that if you have an application that
doesn't find have a client tracking concern, then this SHOULD NOT should
be inapplicable.

The onus might be on us to demonstrate that there are use cases where
client tracking is a non-issue.  But it should be quite clear that there
are cases where client tracking is indeed a non-issue.

Now, maybe one might want to say that this is like PFS: we want to
always require PFS (and we do!), so we should always require session
ticket non-reuse.  That would require an update to RFC8446.  Note that
the issues with RSA key transport and the client tracking issues are
vastly different, and that's almost certainly why PFS became a hard
requirement while ticket non-reuse was only made a SHOULD NOT.

Nico
--

v2.23.0 | Report a Bug | By Email