[Ach] TLS session tickets "break" PFS

Hanno Böck hanno at hboeck.de
Wed Sep 24 10:42:09 CEST 2014


On Wed, 24 Sep 2014 10:09:03 +0200
Aaron Zauner <azet at azet.org> wrote:

> While
> there is no problem with session IDs, there is a problem for forward
> secure ciphersuites with session tickets. The way session tickets
> work makes the forward secrecy of any forward secure ciphersuite
> obsolete. This is because the master secret (key) is reused -
> which wouldn't be the case without session tickets.

I am not familiar with the exact details, but as far as I understand it
this statement is exaggerated.

The master secret is reused for a limited amount of time, however this
is usually in the range of minutes or hours. Afterwards it should be
destroyed. That means your forward secrecy property is weakened, but it
is still much more secure than an RSA handshake where the lifetime of a
key is years.

My apache's session ticket lifetime is 300 seconds. I haven't done any
special configuration on this, so I assume this is the default. That's 5
minutes. Nothing I worry too much about.

Hanno Böck

mail/jabber: hanno at hboeck.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.cert.at/pipermail/ach/attachments/20140924/c0356e7f/attachment.sig>

More information about the Ach mailing list