[Cryptography] At what point should people not use TLS?

Viktor Dukhovni cryptography at dukhovni.org
Sun Apr 17 03:02:46 EDT 2016


On Tue, Apr 12, 2016 at 05:35:17PM -0400, Jerry Leichter wrote:

> I haven't looked at the whole protocol so may well be missing something
> essential, but the forward secrecy part seems easy to fix:  Rather than
> caching the original session's master secret, cache its one-way hash.
> Assuming both ends do this, any further communication continues exactly
> as before, for better or worse - as long as both ends do the same thing,
> they agree on the cached value and it's just as good a master secret as
> the original.  But compromise of the cached value now provides no
> information about previous messages.

This fails to account for the fact that a single cached session is
generally used for multiple resumptions.

The solution, already widely practiced, is a reasonably short cap on
the lifetime of server session state.

Recommended server-side configuration in Postfix is no server-side
session cache, with all state stored on clients via session tickets.

The server instantiates a new session ticket key once an hour, and
discards a previous key an hour after that.  So server compromise
yields at most 2 hours of sessions.  If you can generally detect
and stop successful intrusion or long-term-key compromise in well
under two hours, and the additional disclosure window from extant
session keys is not acceptable, you probably need to build your
own silicon, and run a formally verified stack from the bare metal
on up.

For the rest of the world, session reuse is a non-problem that is
fashionable to get all worked up about.

-- 
	Viktor.
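The hourly ticket-key rotation described in the post, modelled as an added Python example (not Postfix's own code and not part of this thread): a key ring that keeps only the current and previous key, a toy encrypt-then-MAC ticket, and a check of which tickets stolen server keys would still unlock. The key-name scheme, the HMAC-based construction and the 32-byte master-secret size are assumptions for illustration.

```python
import os
import hmac
import hashlib

# Hypothetical model (not Postfix code): new ticket key hourly, old key kept one more hour.
ROTATE_SECS = 3600
RETIRE_SECS = 2 * ROTATE_SECS

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

class TicketKeyRing:
    def __init__(self, now):
        self.keys = []          # (created_at, 16-byte key name, 32-byte key), newest last
        self.rotate(now)

    def rotate(self, now):
        # Install a fresh key; drop anything created RETIRE_SECS or more ago (max two live keys).
        self.keys.append((now, os.urandom(16), os.urandom(32)))
        self.keys = [k for k in self.keys if now - k[0] < RETIRE_SECS]

    def issue(self, master_secret):
        """Encrypt a 32-byte master secret under the newest key (toy encrypt-then-MAC)."""
        _, name, key = self.keys[-1]
        nonce = os.urandom(16)
        pad = _prf(key, b"enc", nonce)
        ct = bytes(a ^ b for a, b in zip(master_secret, pad))
        tag = _prf(key, b"mac", name + nonce + ct)
        return name + nonce + ct + tag

    def resume(self, ticket):
        """Return the master secret if the ticket's key is still live, else None (full handshake)."""
        name, nonce, ct, tag = ticket[:16], ticket[16:32], ticket[32:64], ticket[64:]
        for _, kname, key in self.keys:
            if kname == name:
                if not hmac.compare_digest(tag, _prf(key, b"mac", name + nonce + ct)):
                    return None
                pad = _prf(key, b"enc", nonce)
                return bytes(a ^ b for a, b in zip(ct, pad))
        return None

def exposed_on_compromise(ring, issued):
    # Issue times of tickets an attacker holding the ring's current keys could open.
    return [t for t, tk in issued if ring.resume(tk) is not None]

def simulate():
    ring = TicketKeyRing(0)
    issued = [(0, ring.issue(os.urandom(32)))]
    for t in (3600, 7200):              # hourly rotation, one new client each hour
        ring.rotate(t)
        issued.append((t, ring.issue(os.urandom(32))))
    return exposed_on_compromise(ring, issued)  # keys stolen at t=7200 -> [3600, 7200]
```

The ticket issued at t=0 is no longer resumable once its key is retired at t=7200, so a server compromise at that point exposes at most the two most recent hours of sessions.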

