Re: Session Ticket Support in Openssl TLS 1.2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thanks Ben for all the replies and your comments. They are extremely useful for my study

On Mon, Jun 19, 2017 at 9:21 PM, Benjamin Kaduk <bkaduk@xxxxxxxxxx> wrote:
On 06/19/2017 04:12 PM, Neetish Pathak wrote:


On Mon, Jun 19, 2017 at 11:11 AM, Neetish Pathak <npathak2@xxxxxxxx> wrote:
Hi Matt,
Thanks
Could you help with following queries

1) On the blogpost for TLS1.3, you mentions the following in the session section
The specification recommends that applications only use a session once (although this is not enforced). For this reason some servers send multiple session messages to a client. To enforce the “use once” recommendation applications could use SSL_CTX_remove_session() to mark a session as non-resumable (and remove it from the cache) once it has been used.

I am a bit confused here as to why "use once" is recommended. How will resumption be ensured then ? I get a PSK in first connection and use it again for all the other connections.


"use once" is recommended in a limited circumstance, to prevent an attacker listening on the network from associating the (multiple) resumed sessions as being derived from the initial session.
This is a new possibility in TLS 1.3, since in TLS 1.2 the session ticket was given to the client in cleartext (and presented back to the server in cleartext), so all uses of the ticket were traceable back to the original connection and linkable to each other.

Using a given ticket more than once in TLS 1.3 just brings things back to basically the TLS 1.2 state in terms of linkability; it's not a catastrophic failure or anything like that.


On Mon, Jun 19, 2017 at 5:49 AM, Matt Caswell <matt@xxxxxxxxxxx> wrote:


Yes Matt, when I switch to remote machines and test my application programs, I see that TLS 1.3 is faster than TLS 1.2 in the first connection (around same time as resumption time in TLS 1.2) itself and there is marginal or no improvement in the subsequent connections even on using resumption. Does this mean that resumption in TLS 1.3 is bringing not much benefit in terms of latency. It makes sense because round trips count for resumption or no resumption is 1 in TLS 1.3. 

The only benefit with resumption is that the client can now send zero-RTT data. (early data). However, if we consider the overall latency in handshake, it is going to be the same equivalent to 1 round trip.
Is my understanding correct ?

Is there any way to enable early data or it gets activated by default once the pre-shared keys are available at both the client and server ends ?


No no no no no, many times no.
You really must not blindly enable early data without a proper protocol analysis to determine what would happen if an attacker replayed the early data millions of times, as is possible with the current TLS 1.3 draft specification.  There are a lot of ways to hurt yourself and your users with it, and I strongly recommend against trying to enable it just because it looks faster.
(There are separate APIs from the normal read/write APIs to use early data, to make you explicitly think about whether it's safe when adding support to an application.)



The comments give me much food for thought. I am still wondering on  on the possibility for replay attacks when early data is enabled. Sorry, I am new to OpenSSL or TLS and have so many doubts. So, I understood replay attacks are possible as in early data enabled mode, data will go in the cleartext form along with clientHello, so a middleman can look into the data and replay it later. I was thinking if we use some kind of sequence number/ timestamps (as possible solution) to avoid this or it has been implemented in OpenSSL ?
I am using the application for an internal project which is not going to be public. So, I am wondering if it can be used. Nevertheless, your recommendation is duly noted. 
 
I believe session resumption as a concept doesn't hold that much value from TLS 1.3 onwards since 1-RTT is directly achieved in TLS 1.3 first connection. Do you agree?


No.  Resumption saves on transferring (and validating!) certificates and can be done without incurring the cost of an additional diffie-hellman exchange, among other things.

-Ben

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux