[Ach] TLS session tickets "break" PFS

Aaron Zauner azet at azet.org
Wed Sep 24 10:09:03 CEST 2014


Hi,

TBH: I neglected to send tons of cool research, attacks and projects
on TLS security to this list, but I've been quite busy and there's
zero (0) traffic left on this list although many people are
subscribed.

We totally missed this:
In the IETF TLS Working Group there is/was a discussion going on to
decide between TLS session tickets and session IDs for TLS 1.3 [0].

There are currently two extensions to improve performance in TLS
handshakes: session IDs (server side) and session tickets (client
side) [1]. Both are used to resume a previous TLS handshake. While
there is no problem with session IDs, there is a problem for forward
secure ciphersuites with session tickets. The way session tickets
work makes the forward secrecy of any forward secure ciphersuite
obsolete. This is because the master secret (key) is reused -
which wouldn't be the case without session tickets. A sort of fix for
this has been written by Emilia Kaesper of Google and will be available
in OpenSSL 1.1.0 [2]. But essentially that's a protocol issue - not an
implementation issue, and not all TLS stacks nor server daemons will
adopt a similar fix. So our question in this case has to be: how can
we avoid TLS session tickets in our configurations and get the
knowledge about the issue out to administrators and developers?
Everybody is talking about forward secrecy these days. I guess most
people do not know this. I'm confident that this will be fixed with
TLS 1.3, but that's still a long road to go.

Any feedback is welcome.

Aaron


[0] - Thread starts here: https://www.ietf.org/mail-archive/web/tls/current/msg13430.html
[1] - https://en.wikipedia.org/wiki/Transport_Layer_Security#Resumed_TLS_handshake
[2] - http://marc.info/?l=openssl-cvs&m=128283567020551
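
An added example, not part of the original message: one way to approach the configuration question above is to audit server configs for session tickets that are still enabled. It assumes nginx's `ssl_session_tickets` and Apache httpd's `SSLSessionTickets` directives (both default to on, and a server-level value overrides the enclosing level), one directive or brace per line, and constructed sample configs and hostnames.

```python
import re
# Constructed sample configs, not taken from the original post.
NGINX_SAMPLE = """
http {
    ssl_session_tickets off;      # inherited by the server blocks
    server {
        server_name a.example;
    }
    server {
        server_name b.example;
        ssl_session_tickets on;   # overrides the http-level setting
    }
}"""
APACHE_SAMPLE = """
SSLSessionTickets Off
<VirtualHost *:443>
    ServerName c.example
</VirtualHost>
<VirtualHost *:443>
    ServerName d.example
    SSLSessionTickets On
</VirtualHost>"""
DIALECTS = {  # dialect: (server-scope opener, name directive, ticket directive)
    "nginx": (r"server\s*\{", r"server_name\s+([^\s;]+)", r"ssl_session_tickets\s+(on|off)\s*;"),
    "apache": (r"<VirtualHost\b", r"ServerName\s+(\S+)", r"SSLSessionTickets\s+(on|off)\b"),
}

def effective_tickets(text, dialect):
    """Map each server scope to its effective ticket setting ('on' is the default)."""
    open_re, name_re, tick_re = DIALECTS[dialect]
    depth, scope_depth, global_val, scopes = 0, None, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # drop comments
        if line == "}" or line.startswith("</"):          # a block closes
            depth -= 1
            if scope_depth is not None and depth < scope_depth:
                scope_depth = None
        elif line.endswith("{") or line.startswith("<"):  # a block opens
            depth += 1
            if scope_depth is None and re.match(open_re, line, re.I):
                scope_depth = depth
                scopes.append({"name": f"#{len(scopes) + 1}", "val": None})
        elif (tick := re.match(tick_re, line, re.I)) and scope_depth is None:
            global_val = tick.group(1).lower()            # setting outside any server scope
        elif tick and depth == scope_depth:
            scopes[-1]["val"] = tick.group(1).lower()     # per-server override
        elif (name := re.match(name_re, line, re.I)) and depth == scope_depth:
            scopes[-1]["name"] = name.group(1)
    return {s["name"]: s["val"] or global_val or "on" for s in scopes}
```

Any scope reported as `on` still issues session tickets; a scope with no directive at any level is reported as `on` because that is the default in both servers.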

