diff options
author | Simon Josefsson <simon@josefsson.org> | 2005-10-21 07:33:05 +0000 |
---|---|---|
committer | Simon Josefsson <simon@josefsson.org> | 2005-10-21 07:33:05 +0000 |
commit | 7960e7a82162bfd4f6cdf2ed62e5d61d971b9ee8 (patch) | |
tree | 8443c3564280bdca1c1672e983a9908e0ccbe680 /doc/protocol/draft-salowey-tls-ticket-05.txt | |
parent | a806a750ed633ab653ebf6c5cbf8bc21c5b1fbe1 (diff) | |
download | gnutls-7960e7a82162bfd4f6cdf2ed62e5d61d971b9ee8.tar.gz |
Add.
Diffstat (limited to 'doc/protocol/draft-salowey-tls-ticket-05.txt')
-rw-r--r-- | doc/protocol/draft-salowey-tls-ticket-05.txt | 728 |
1 files changed, 728 insertions, 0 deletions
diff --git a/doc/protocol/draft-salowey-tls-ticket-05.txt b/doc/protocol/draft-salowey-tls-ticket-05.txt new file mode 100644 index 0000000000..8e1c2d9d4d --- /dev/null +++ b/doc/protocol/draft-salowey-tls-ticket-05.txt @@ -0,0 +1,728 @@ + + + +Network Working Group J. Salowey +Internet-Draft H. Zhou +Expires: April 21, 2006 Cisco Systems + P. Eronen + Nokia + H. Tschofenig + Siemens + October 18, 2005 + + + Transport Layer Security Session Resumption without Server-Side State + draft-salowey-tls-ticket-05.txt + +Status of this Memo + + By submitting this Internet-Draft, each author represents that any + applicable patent or other IPR claims of which he or she is aware + have been or will be disclosed, and any of which he or she becomes + aware will be disclosed, in accordance with Section 6 of BCP 79. + + Internet-Drafts are working documents of the Internet Engineering + Task Force (IETF), its areas, and its working groups. Note that + other groups may also distribute working documents as Internet- + Drafts. + + Internet-Drafts are draft documents valid for a maximum of six months + and may be updated, replaced, or obsoleted by other documents at any + time. It is inappropriate to use Internet-Drafts as reference + material or to cite them other than as "work in progress." + + The list of current Internet-Drafts can be accessed at + http://www.ietf.org/ietf/1id-abstracts.txt. + + The list of Internet-Draft Shadow Directories can be accessed at + http://www.ietf.org/shadow.html. + + This Internet-Draft will expire on April 21, 2006. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + This document describes a mechanism which enables the Transport Layer + Security (TLS) server to resume sessions and avoid keeping per-client + session state. The TLS server encapsulates the session state into a + ticket and forwards it to the client. The client can subsequently + + + +Salowey, et al. Expires April 21, 2006 [Page 1] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + + resume a session using the obtained ticket. + +Table of Contents + + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 3. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 3 + 3.2 SessionTicket TLS extension . . . . . . . . . . . . . . . 5 + 3.3 SessionTicket handshake message . . . . . . . . . . . . . 5 + 3.4 Interaction with TLS session ID . . . . . . . . . . . . . 6 + 4. Recommended Ticket Construction . . . . . . . . . . . . . . . 7 + 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8 + 5.1 Invalidating Sessions . . . . . . . . . . . . . . . . . . 9 + 5.2 Stolen Tickets . . . . . . . . . . . . . . . . . . . . . . 9 + 5.3 Forged Tickets . . . . . . . . . . . . . . . . . . . . . . 9 + 5.4 Denial of Service Attacks . . . . . . . . . . . . . . . . 9 + 5.5 Ticket Protection Key Lifetime . . . . . . . . . . . . . . 9 + 5.6 Alternate Ticket Formats and Distribution Schemes . . . . 10 + 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10 + 7. IANA considerations . . . . . . . . . . . . . . . . . . . . . 10 + 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10 + 8.1 Normative References . . . . . . . . . . . . . . . . . . . 10 + 8.2 Informative References . . . . . . . . . . . . . . . . . . 11 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 12 + Intellectual Property and Copyright Statements . . . . . . . . 13 + + + + + + + + + + + + + + + + + + + + + + + + + +Salowey, et al. Expires April 21, 2006 [Page 2] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + +1. Introduction + + This document defines a way to resume a Transport Layer Security + (TLS) [RFC2246] session without requiring session-specific state at + the TLS server. This mechanism may be used with any TLS ciphersuite. + The mechanism makes use of TLS extensions defined in [I-D.ietf-tls- + rfc3546bis] and defines a new TLS message type. + + This mechanism is useful in the following types of situations + (1) servers that handle a large number of transactions from + different users + (2) servers that desire to cache sessions for a long time + (3) ability to load balance requests across servers + (4) embedded servers with little memory + +2. Terminology + + Within this document the term 'ticket' refers to a cryptographically + protected data structure which is created by the server and consumed + by the server to rebuild session specific state. + + The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", + "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this + document are to be interpreted as described in [RFC2119]. + +3. Protocol + + This specification describes a mechanism to distribute encrypted + session state information in a ticket from a TLS server to a TLS + client and for a TLS client to present a ticket to a TLS server to + resume a session. Implementations of this specification are expected + to support both mechanism. Other specifications can take advantage + of the session tickets, perhaps specifying alternative means for + distribution or selection. For example a separate specification may + describe an alternate way to distribute a ticket and use the TLS + extension in this document to resume the session. This behavior is + beyond the scope of the document and would need to be described in a + separate specification. + +3.1 Overview + + The client indicates that it supports this mechanism by including a + SessionTicket TLS extension in the ClientHello message. The + extension will be empty if the client does not already possess a + ticket for the server. The extension is described in Section 3.2 + + If the server wants to use this mechanism, it stores its session + state (such as ciphersuite and master secret) to a ticket that is + + + +Salowey, et al. Expires April 21, 2006 [Page 3] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + + encrypted and integrity-protected by a key known only to the server. + The ticket is distributed to the client using the SessionTicket TLS + handshake message described in Section 3.3. This message is sent + during the TLS handshake before the ChangeCipherSpec message after + the server has successfully verified the client's Finished message. + + + Client Server + + ClientHello --------> + (empty SessionTicket extension) + ServerHello + Certificate* + ServerKeyExchange* + CertificateRequest* + <-------- ServerHelloDone + Certificate* + ClientKeyExchange + CertificateVerify* + [ChangeCipherSpec] + Finished --------> + SessionTicket + [ChangeCipherSpec] + <-------- Finished + Application Data <-------> Application Data + + The client caches this ticket along with the master secret and other + parameters associated with the current session. When the client + wishes to resume the session, it includes the ticket in the + SessionTicket extension within ClientHello message. The server then + verifies that the ticket has not been tampered with, decrypts the + contents, retrieves the session state from the contents of the ticket + and uses this state to resume the session. The interaction with the + TLS Session ID is described in Section 3.4. If the server + successfully verifies the client's ticket then it may renew the + ticket by including a SessionTicket handshake message after the + ServerHello. + + + ClientHello + (SessionTicket extension) --------> + ServerHello + SessionTicket + [ChangeCipherSpec] + <-------- Finished + [ChangeCipherSpec] + Finished --------> + Application Data <-------> Application Data + + + +Salowey, et al. Expires April 21, 2006 [Page 4] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + + A recommended ticket format is given in Section 4. If the server + cannot or does not want to honor the ticket then it can initiate a + full handshake with the client. + +3.2 SessionTicket TLS extension + + The SessionTicket TLS extension is based on [I-D.ietf-tls- + rfc3546bis]. The format of the ticket is an opaque structure used to + carry session specific state information. This extension is sent in + the ClientHello. If the client posses a ticket that it wants to use + to resume a session then it includes it in the SessionTicket + extension in the ClientHello. If the client does not have a ticket + and it is prepared to receive one in the SessionTicket handshake + message then it MUST include a zero length ticket in the + SessionTicket extension. If the client is not prepared to receive a + ticket in the SessionTicket handshake message then it MUST NOT + include a zero length SessionTicket extension. + + If the server fails to verify the ticket then it falls back to + performing a full handshake. If the ticket is accepted by the server + but the handshake fails the client SHOULD delete the ticket. + + The SessionTicket extension has been assigned the number TBD1. The + format of the SessionTicket extension is given below. + + + struct { + opaque ticket<0..2^16-1>; + } SessionTicket; + + +3.3 SessionTicket handshake message + + This message is sent during the TLS handshake before the + ChangeCipherSpec message. This message MUST only be sent if either + the client included a SessionTicket extension with a zero length + ticket in the ClientHello or if the client included a ticket that was + previously issued in a SessionTicket handshake message. In the case + of a full handshake, the server MUST verify the client's Finished + message before sending the ticket. The client MUST NOT treat the + ticket as valid until it has verified the server's Finished message. + + If the server successfully verifies the client's ticket then it MAY + renew the ticket by including a SessionTicket handshake message after + the ServerHello in the abbreviated handshake. The client should + start using the new ticket as soon as possible after it verifies the + Server's finished message for new connections. Note that since the + updated ticket is issued before the handshake completes it is + + + +Salowey, et al. Expires April 21, 2006 [Page 5] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + + possible that the client may not put the new ticket into use before + it initiates new connections. The server MUST NOT assume the client + actually received the updated ticket until it successfully verifies + the client's finished message. + + The SessionTicket handshake message has been assigned the number + TBD2. The definition of the SessionTicket handshake message is given + below. + + + struct { + HandshakeType msg_type; + uint24 length; + select (HandshakeType) { + case hello_request: HelloRequest; + case client_hello: ClientHello; + case server_hello: ServerHello; + case certificate: Certificate; + case server_key_exchange: ServerKeyExchange; + case certificate_request: CertificateRequest; + case server_hello_done: ServerHelloDone; + case certificate_verify: CertificateVerify; + case client_key_exchange: ClientKeyExchange; + case finished: Finished; + case new_session_ticket: SessionTicket; /* NEW */ + } body; + } Handshake; + + + struct { + opaque ticket<0..2^16-1>; + } SessionTicket; + + +3.4 Interaction with TLS session ID + + If a server is planning on issuing a SessionTicket to a client that + does not present one it SHOULD include an empty Session ID in the + ServerHello. If the server includes a non-empty session ID then it + is indicating intent to use stateful session resume. If the client + receives a SessionTicket from the server then it discards any Session + ID that was sent in the ServerHello. + + When presenting a ticket the client MAY generate and include a + Session ID in the TLS ClientHello. If the server accepts the ticket + and the Session ID is not empty then it MUST respond with the same + Session ID present in the ClientHello. This allows the client to + easily differentiate when the server is resuming a session or falling + + + +Salowey, et al. Expires April 21, 2006 [Page 6] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + + back to a full handshake. Since the client generates a Session ID + the server MUST NOT rely upon the Session ID having a particular + value when validating the ticket. If a ticket is presented by the + client the server MUST NOT attempt to use the Session ID in the + ClientHello for stateful session resume. Alternatively, the client + MAY include an empty Session ID in the ClientHello. In this case the + client ignores the Session ID sent in the ServerHello and must + determine if the server is resuming a session by the subsequent + handshake messages. + +4. Recommended Ticket Construction + + This section describes a recommended format and protection for the + ticket. Note that the ticket is opaque to the client so the + structure is not subject to interoperability concerns, so + implementations may diverge from this format. If implementations do + diverge from this format they must take security concerns seriously. + Clients MUST NOT examine the ticket under the assumption that it + complies with this document. + + The server uses two different keys, one 128-bit key for AES + encryption and one 128-bit key for HMAC-SHA1. + + The ticket is structured as follows: + + struct { + uint32 key_version; + opaque iv[16] + opaque encrypted_state<0..2^16-1>; + opaque mac[20]; + } Ticket; + + Here key_version identifies a particular set of keys. One + possibility is to generate new random keys every time the server is + started, and use the timestamp as the key version. The same + mechanisms known from a number of other protocols can be reused for + this purpose. + + The actual state information in encrypted_state is encrypted using + 128-bit AES in CBC mode with the given IV. The MAC is calculated + using HMAC-SHA1 over key_version (4 octets)and IV (16 octets), + followed by the length of the encrypted_state field (2 octets) and + its contents (variable length). + + + + + + + + +Salowey, et al. Expires April 21, 2006 [Page 7] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + + struct { + ProtocolVersion protocol_version; + CipherSuite cipher_suite; + CompressionMethod compression_method; + opaque master_secret[48]; + ExampleClientIdentity client_identity; + uint32 timestamp; + } StatePlaintext; + + enum { + anonymous(0), + certificate_based(1), + psk(2) + } ClientAuthenticationType; + + struct { + ClientAuthenticationType client_authentication_type; + select (ClientAuthenticationType) { + case anonymous: struct {}; + case certificate_based: + ASN.1Cert certificate_list<0..2^24-1>; + case psk: + opaque psk_identity<0..2^16-1>; + + } + } ClientIdentity; + + The structure StatePlaintext stores the TLS session state including + the master_secret. The timestamp within this structure allows the + TLS server to expire tickets. To cover the authentication and key + exchange protocols provided by TLS the ClientIdentity structure + contains the authentication type of the client used in the initial + exchange (see ClientAuthenticationType). To offer the TLS server + with the same capabilities for authentication and authorization a + certificate list is included in case of public key based + authentication. The TLS server is therefore able to inspect a number + of different attributes within these certificates. A specific + implementation might choose to store a subset of this information or + additional information. Other authentication mechanism such as + Kerberos [RFC2712] would require different client identity data. + +5. Security Considerations + + This section addresses security issues related to the usage of a + ticket. Tickets must be sufficiently authenticated and encrypted to + prevent modification or eavesdropping by an attacker. Several + attacks described below will be possible if this is not carefully + done. + + + +Salowey, et al. Expires April 21, 2006 [Page 8] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + + Implementations should take care to ensure that the processing of + tickets does not increase the chance of denial of serve as described + below. + +5.1 Invalidating Sessions + + The TLS specification requires that TLS sessions be invalidated when + errors occur. [CSSC] discusses the security implications of this in + detail. In the analysis in this paper, failure to invalidate + sessions does not pose a security risk. This is because the TLS + handshake uses a non-reversible function to derive keys for a session + so information about one session does not provide an advantage to + attack the master secret or a different session. If a session + invalidation scheme is used the implementation should verify the + integrity of the ticket before using the contents to invalidate a + session to ensure an attacker cannot invalidate a chosen session. + +5.2 Stolen Tickets + + An eavesdropper or man-in-the-middle may obtain the ticket and + attempt to use the ticket to establish a session with the server, + however since the ticket is encrypted and the attacker does not know + the secret key a stolen key does not help an attacker resume a + session. A TLS server MUST use strong encryption and integrity + protection for the ticket to prevent an attacker from using a brute + force mechanism to obtain the tickets contents. + +5.3 Forged Tickets + + A malicious user could forge or alter a ticket in order to resume a + session, to extend its lifetime, to impersonate as another user or + gain additional privileges. This attack is not possible if the + ticket is protected using a strong integrity protection algorithm + such as a keyed HMAC. + +5.4 Denial of Service Attacks + + An adversary could store or forge a large number of tickets to send + to the TLS server for verification. To minimize the possibility of a + denial of service the verification of the ticket should be + lightweight (e.g., using efficient symmetric key cryptographic + algorithms). + +5.5 Ticket Protection Key Lifetime + + The management of the keys used to protect the ticket is beyond the + scope of this document. It is advisable to limit the lifetime of + these keys to ensure they are not overused. + + + +Salowey, et al. Expires April 21, 2006 [Page 9] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + +5.6 Alternate Ticket Formats and Distribution Schemes + + If a different ticket format or distribution scheme than the ones + defined in this document is used then great care must be taken in + analyzing the security of the solution. In particular if a secret is + transferred to the client it MUST be done using secure communication + so as to prevent attackers from obtaining or modifying the key. Also + the ticket MUST have its integrity and privacy protected with strong + cryptographic techniques to prevent a breach in the security of the + system. + +6. Acknowledgments + + The authors would like to thank the following people for their help + with preparing and reviewing this document: Eric Rescorla, Mohamad + Badra, Tim Dierks, Nelson Bolyard, Nancy Cam-Winget, David McGrew, + Rob Dugal and members of the TLS working group. + + [CSSC] describes a solution that is very similar to the one described + in this document and gives a detailed analysis of the security + considerations involved. [RFC2712] describes a mechanism for using + Kerberos ([RFC1510]) in TLS ciphersuites, which helped inspire the + use of tickets to avoid server state. [I-D.cam-winget-eap-fast] + makes use of a similar mechanism to avoid maintaining server state + for the cryptographic tunnel. [SC97] also investigates the concept + of stateless sessions. + +7. IANA considerations + + IANA has assigned a TLS extension number of TBD1 (the value 35 is + suggested) to the SessionTicket TLS extension from the TLS registry + of ExtensionType values defined in [I-D.ietf-tls-rfc3546bis]. + + IANA has assigned a TLS HandshakeType number TBD2 to the + SessionTicket handshake type from the TLS registry of HandshakeType + values defined in [I-D.ietf-tls-rfc2246-bis]. + +8. References + +8.1 Normative References + + [AES] National Institute of Standards and Technology, "Advanced + Encryption Standard (AES)", Federal Information + Processing Standards (FIPS) Publication 197, + November 2001. + + [CBC] National Institute of Standards and Technology, + "Recommendation for Block Cipher Modes of Operation - + + + +Salowey, et al. Expires April 21, 2006 [Page 10] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + + Methods and Techniques", NIST Special Publication 800-38A, + December 2001. + + [I-D.ietf-tls-rfc2246-bis] + Dierks, T. and E. Rescorla, "The TLS Protocol Version + 1.1", draft-ietf-tls-rfc2246-bis-13 (work in progress), + June 2005. + + [I-D.ietf-tls-rfc3546bis] + Blake-Wilson, S., "Transport Layer Security (TLS) + Extensions", draft-ietf-tls-rfc3546bis-02 (work in + progress), October 2005. + + [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed- + Hashing for Message Authentication", RFC 2104, + February 1997. + + [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate + Requirement Levels", BCP 14, RFC 2119, March 1997. + + [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0", + RFC 2246, January 1999. + + [SHA1] National Institute of Standards and Technology, "Secure + Hash Standard (SHS)", Federal Information Processing + Standards (FIPS) Publication 180-2, August 2002. + +8.2 Informative References + + [CSSC] Shacham, H., Boneh, D., and E. Rescorla, "Client-side + caching for TLS", Transactions on Information and + System Security (TISSEC) , Volume 7, Issue 4, + November 2004. + + [I-D.cam-winget-eap-fast] + Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou, "EAP + Flexible Authentication via Secure Tunneling (EAP-FAST)", + draft-cam-winget-eap-fast-02 (work in progress), + April 2005. + + [I-D.ietf-tls-psk] + Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites + for Transport Layer Security (TLS)", draft-ietf-tls-psk-09 + (work in progress), June 2005. + + [RFC1510] Kohl, J. and B. Neuman, "The Kerberos Network + Authentication Service (V5)", RFC 1510, September 1993. + + + + +Salowey, et al. Expires April 21, 2006 [Page 11] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + + [RFC2712] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher + Suites to Transport Layer Security (TLS)", RFC 2712, + October 1999. + + [SC97] Aura, T. and P. Nikander, "Stateless Connections", + Proceedings of the First International Conference on + Information and Communication Security (ICICS '97) , 1997. + + +Authors' Addresses + + Joseph Salowey + Cisco Systems + 2901 3rd Ave + Seattle, WA 98121 + US + + Email: jsalowey@cisco.com + + + Hao Zhou + Cisco Systems + 4125 Highlander Parkway + Richfield, OH 44286 + US + + Email: hzhou@cisco.com + + + Pasi Eronen + Nokia Research Center + P.O. Box 407 + FIN-00045 Nokia Group + Finland + + Email: pasi.eronen@nokia.com + + + Hannes Tschofenig + Siemens + Otto-Hahn-Ring 6 + Munich, Bayern 81739 + Germany + + Email: Hannes.Tschofenig@siemens.com + + + + + + +Salowey, et al. Expires April 21, 2006 [Page 12] + +Internet-Draft Stateless TLS Session Resumption October 2005 + + +Intellectual Property Statement + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at + ietf-ipr@ietf.org. + + +Disclaimer of Validity + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + + +Copyright Statement + + Copyright (C) The Internet Society (2005). This document is subject + to the rights, licenses and restrictions contained in BCP 78, and + except as set forth therein, the authors retain all their rights. + + +Acknowledgment + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + +Salowey, et al. Expires April 21, 2006 [Page 13] + |