[Cryptography] At what point should people not use TLS?

Jerry Leichter leichter at lrw.com
Tue Apr 12 17:35:17 EDT 2016


> Abbreviated handshake
> ---------------------------------
> TLS session resumption is based on caching the original session's
> master secret.  So forward secrecy and resistance to "key-compromise
> impersonation" is reduced: if the cached master secret is stolen from
> the client or server, older sessions can be decrypted and the server
> can be impersonated.
I haven't looked at the whole protocol so may well be missing something essential, but the forward secrecy part seems easy to fix:  Rather than caching the original session's master secret, cache its one-way hash.  Assuming both ends do this, any further communication continues exactly as before, for better or worse - as long as both ends do the same thing, they agree on the cached value and it's just as good a master secret as the original.  But compromise of the cached value now provides no information about previous messages.
                                                        -- Jerry
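The idea in Jerry's reply, as an added illustration that is not part of the thread: instead of caching the session's master secret, both endpoints cache a one-way hash of it and use that hash as the secret for the resumed session. The HMAC-based key derivation, the `ratchet` function and the `Endpoint` class below are assumptions made for the demonstration, not TLS's actual HKDF labels or any library's API; the master secret and session id are constructed sample values.

```python
import hashlib
import hmac


def derive_key(secret: bytes, label: str, length: int = 32) -> bytes:
    """Derive a traffic key from a secret (assumed HMAC-SHA256 construction,
    standing in for TLS's HKDF-Expand-Label)."""
    return hmac.new(secret, b"tls-demo " + label.encode(), hashlib.sha256).digest()[:length]


def ratchet(secret: bytes) -> bytes:
    """One-way hash of a secret. This is the value the post proposes caching in
    place of the master secret: it lets both ends agree on the next session's
    secret, but cannot be inverted to recover the secret that produced it."""
    return hashlib.sha256(b"resumption-ratchet" + secret).digest()


class Endpoint:
    """A toy client or server that keeps a resumption cache keyed by session id."""

    def __init__(self) -> None:
        self.cache: dict[bytes, bytes] = {}

    def full_handshake(self, session_id: bytes, master_secret: bytes) -> bytes:
        """Complete a full handshake: derive this session's traffic key from the
        master secret, then cache only the hash of the master secret."""
        traffic_key = derive_key(master_secret, "traffic")
        self.cache[session_id] = ratchet(master_secret)
        return traffic_key

    def resume(self, session_id: bytes) -> bytes:
        """Abbreviated handshake: the cached hash is the resumed session's secret.
        Ratchet again afterwards so a later theft of the cache reveals nothing
        about this resumed session either."""
        secret = self.cache[session_id]
        traffic_key = derive_key(secret, "traffic")
        self.cache[session_id] = ratchet(secret)
        return traffic_key


def run_demo() -> dict:
    """Walk a client and a server through one full handshake and two resumptions
    and report what an attacker who steals the cache afterwards can reconstruct."""
    # Constructed sample values: a real master secret comes from the key exchange.
    master_secret = bytes(range(48))
    session_id = b"session-0001"

    client, server = Endpoint(), Endpoint()
    key_full = (client.full_handshake(session_id, master_secret),
                server.full_handshake(session_id, master_secret))
    key_resume1 = (client.resume(session_id), server.resume(session_id))
    key_resume2 = (client.resume(session_id), server.resume(session_id))

    # What is left in the cache after the sessions above: only a hash that would
    # serve the *next* resumption. Re-deriving from it reproduces none of the keys
    # already used, which is the forward-secrecy property the post is after.
    stolen = server.cache[session_id]
    derivable_from_stolen = derive_key(stolen, "traffic")
    used_keys = {key_full[0], key_resume1[0], key_resume2[0]}

    return {
        "ends_agree": key_full[0] == key_full[1]
        and key_resume1[0] == key_resume1[1]
        and key_resume2[0] == key_resume2[1],
        "all_session_keys_distinct": len(used_keys) == 3,
        "cache_is_not_master_secret": stolen != master_secret,
        "stolen_cache_yields_past_key": derivable_from_stolen in used_keys,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Note what the ratchet does and does not buy: the stolen cache value cannot be run backwards to past master secrets or traffic keys, but it is still exactly the secret the next abbreviated handshake will use, so the impersonation concern raised in the quoted text is unchanged; only the exposure of older sessions goes away.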


