Re: [TLS] Resuming a session as part of a renegotiation.

Fabrice Gautier <fabrice.gautier@gmail.com> Thu, 19 September 2013 20:01 UTC

On Thu, Sep 19, 2013 at 11:50 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>
> On Sep 19, 2013, at 9:29 PM, Fabrice Gautier <fabrice.gautier@gmail.com> wrote:
>>> One possible use case: if you negotiated a block cipher with a
>>> small internal state and are sending large quantities of data,
>>> security might be improved by periodically renegotiating.
>>
>> That only benefits a full handshake renegotiation.
>>
>> The way I understand it, renegotiation allows you to have several
>> sessions in the same connection, and session resumption allows you to
>> have the same session across multiple connections.
>
> Renegotiation just means doing the handshake again. The end result is new keys. So if you believe that 3DES keys should not be used for more than 0.5GB of data, just doing a renegotiation gives you fresh keys (because they are mixed with the new nonces). If you resume the session, you don't get new client and/or server identities, you don't get re-authentication, and you don't get a new master key, so someone who has managed to get your old master key can figure out both your old and new encryption keys. But if the only reason you're renegotiating is that you need fresh keys, that's good enough.
>
> So renegotiation+resumption gives you the same session, but new keys. Sort of like "phase II" in IKE.

Oh I see... Same master secret but refreshed cipher keys.

Thanks

-- Fabrice
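
Added example, not part of the original thread: the key derivation behind "same master secret but refreshed cipher keys", assuming the TLS 1.2 PRF and key expansion from RFC 5246 and the 3DES_EDE_CBC_SHA key sizes. The random and pre-master values are constructed, and the helper names (prf, master_secret, key_block, rnd, demo) are illustrative.

```python
import hashlib
import hmac

MAC_LEN, KEY_LEN = 20, 24  # 3DES_EDE_CBC_SHA: HMAC-SHA1 key, 3DES key

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246, section 5): P_SHA256(secret, label + seed)."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    return prf(pre_master, b"master secret", client_random + server_random, 48)

def key_block(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Expand and split the key block; the seed order is server_random + client_random."""
    kb = prf(master, b"key expansion", server_random + client_random, 2 * (MAC_LEN + KEY_LEN))
    names = ("client_mac", "server_mac", "client_key", "server_key")
    sizes = (MAC_LEN, MAC_LEN, KEY_LEN, KEY_LEN)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys

def rnd(tag: str) -> bytes:
    """Constructed 32-byte stand-in for a hello random (real ones are unpredictable)."""
    return hashlib.sha256(tag.encode()).digest()

def demo() -> dict:
    pms1 = rnd("pms-1") + rnd("pms-1b")[:16]  # constructed 48-byte pre-master secrets
    pms2 = rnd("pms-2") + rnd("pms-2b")[:16]
    ms1 = master_secret(pms1, rnd("c1"), rnd("s1"))
    first = key_block(ms1, rnd("c1"), rnd("s1"))
    resumed = key_block(ms1, rnd("c2"), rnd("s2"))   # renegotiation + resumption
    ms2 = master_secret(pms2, rnd("c3"), rnd("s3"))
    full = key_block(ms2, rnd("c3"), rnd("s3"))      # renegotiation, full handshake
    return {
        "resumed_keys_fresh": all(first[k] != resumed[k] for k in first),
        # Whoever holds ms1 and sees the new randoms gets the resumed keys too.
        "resumed_keys_follow_from_old_master": key_block(ms1, rnd("c2"), rnd("s2")) == resumed,
        "full_handshake_new_master": ms2 != ms1,
        "full_keys_not_from_old_master": key_block(ms1, rnd("c3"), rnd("s3")) != full,
    }

if __name__ == "__main__":
    for claim, holds in demo().items():
        print(f"{claim}: {holds}")
```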