Tls
This document was uploaded by user and they confirmed that they have the permission to share it. If you are author or own the copyright of this book, please report to us by using this DMCA report form. Report DMCA
Overview
Download & View Tls as PDF for free.
More details
- Words: 952
- Pages: 4
Transport Layer Security (TLS) Session Resumption without Server-Side State
Introduction Developing a mechanism which enables the transport layer security server to resume sessions and avoid keeping per client session state. The TLS server encapsulates the session state into a ticket which is forwarded to the client for it to resume the session. Here we would define a TLS session without requiring a session specific state at the TLS server. As it’s the establishment of connection a primary criteria, we make use of TLS cipher suites and we implement TLS connections with a TLS message type. Then mechanism which would be developed can be implemented in the following situations: • • •
Servers handling a large number of transactions from different users Servers that desire to cache sessions for a long time Embedded servers with little memory
Terminology- Ticket A ‘TICKET’ is defined as a cryptographically protected data structure that is created by a server and consumed by it to rebuild session-specific state. Protocol As the word suggests, it is the set of rules which would specify the mechanism of distribution of encrypted session state information in the form of a ticket (as defined above). The ticket is created by the TLS server and sent to the TLS client, when the TLS client wants to resume a session it presents the ticket to the TLS server. The ticket is distributed to the client using the “NewSessionTicket” TLS handshake message, this message is sent during the TLS handshake before the “ChangeCipherSpec” message, after the server has successfully verified the client's Finished message. Overview The client states that the mechanism implemented is supported by including a SessionTicket TLS extension in its messages (eg.
ClientHello). This extension will be empty if the client does not posses a ticket for the server. If the server wants to use this mechanism, it stores its session state (such as cipher suite and master secret) to a ticket that is encrypted and integrity-protected by a key known only to the server. When the client sends the ticket to the server it includes the SessionTicket extension with its message, then the server decrypts the received ticket and verifies the tickets validity, retrieves the current session state and resumes the client session. Now, if the server verifies the client’s ticket successfully then it may renew the ticket by the “NewSessionTicket” Handshake message. It may also be possible that the server does not want to issue a session ticket to the client at that point of time, in this case it just finishes the handshake without issuing a session ticket or a new session ticket. If the server rejects the ticket, it may still wish to give a new session ticket after performing the full handshake.
Session Ticket Extension If the client possesses a ticket that it wants to use to resume a session, then it includes the ticket in the SessionTicket extension in the ClientHello. If the client does not have a ticket and is prepared to receive one in the NewSessionTicket handshake message, then it MUST include a zero-length ticket in the SessionTicket extension. If the client is not prepared to receive a ticket in the NewSessionTicket handshake message then it MUST NOT include a SessionTicket extension unless it is sending a non-empty ticket it received through some other means from the server. If the server fails to verify the ticket, then it falls back to performing a full handshake. If the ticket is accepted by the server but the handshake fails, the client SHOULD delete the ticket. The “ticket_lifetime_hint” field contains a hint from the server about how long the ticket should be stored. The value indicates the lifetime in seconds as a 32-bit unsigned integer in network byte order. A value of zero is reserved to indicate that the lifetime of the ticket is unspecified. A client SHOULD delete the ticket and associated state when the time expires.
Security Considerations Failure to invalidate sessions does not pose a security risk. This is because the TLS handshake uses a non-reversible function to derive keys for a session so information about one session does not provide an advantage to attack the master secret or a different session. If a session invalidation scheme is used, the implementation should verify the integrity of the ticket before using the contents to invalidate a session to ensure that an attacker cannot invalidate a chosen session. 2. Stolen Tickets, Forged Tickets An eavesdropper or man-in-the-middle may obtain the ticket and attempt to use the ticket to establish a session with the server; however, since the ticket is encrypted and the attacker does not know the secret key, a stolen ticket does not help an attacker resume a session. A TLS server MUST use strong encryption and integrity protection for the ticket to prevent an attacker from using a brute force mechanism to obtain the ticket's contents. 1.
Ticket Protection Key Management A full description of the management of the keys used to protect the ticket is beyond the scope of this document. A list of RECOMMENDED practices is given below. • • •
• •
The keys should be generated securely following the randomness The keys and cryptographic protection algorithms should be at least 128 bits in strength. The keys should not be used for any other purpose than generating and verifying tickets. The keys should be changed regularly. The keys should be changed if the ticket format or cryptographic protection algorithms change.
Expected Execution It can be done using a single system where we can open multiple CHILDS (clients) and using the connection program we can restrict one of the child’s from accessing the server and then we can resume the connection using our mechanism.
Introduction Developing a mechanism which enables the transport layer security server to resume sessions and avoid keeping per client session state. The TLS server encapsulates the session state into a ticket which is forwarded to the client for it to resume the session. Here we would define a TLS session without requiring a session specific state at the TLS server. As it’s the establishment of connection a primary criteria, we make use of TLS cipher suites and we implement TLS connections with a TLS message type. Then mechanism which would be developed can be implemented in the following situations: • • •
Servers handling a large number of transactions from different users Servers that desire to cache sessions for a long time Embedded servers with little memory
Terminology- Ticket A ‘TICKET’ is defined as a cryptographically protected data structure that is created by a server and consumed by it to rebuild session-specific state. Protocol As the word suggests, it is the set of rules which would specify the mechanism of distribution of encrypted session state information in the form of a ticket (as defined above). The ticket is created by the TLS server and sent to the TLS client, when the TLS client wants to resume a session it presents the ticket to the TLS server. The ticket is distributed to the client using the “NewSessionTicket” TLS handshake message, this message is sent during the TLS handshake before the “ChangeCipherSpec” message, after the server has successfully verified the client's Finished message. Overview The client states that the mechanism implemented is supported by including a SessionTicket TLS extension in its messages (eg.
ClientHello). This extension will be empty if the client does not posses a ticket for the server. If the server wants to use this mechanism, it stores its session state (such as cipher suite and master secret) to a ticket that is encrypted and integrity-protected by a key known only to the server. When the client sends the ticket to the server it includes the SessionTicket extension with its message, then the server decrypts the received ticket and verifies the tickets validity, retrieves the current session state and resumes the client session. Now, if the server verifies the client’s ticket successfully then it may renew the ticket by the “NewSessionTicket” Handshake message. It may also be possible that the server does not want to issue a session ticket to the client at that point of time, in this case it just finishes the handshake without issuing a session ticket or a new session ticket. If the server rejects the ticket, it may still wish to give a new session ticket after performing the full handshake.
Session Ticket Extension If the client possesses a ticket that it wants to use to resume a session, then it includes the ticket in the SessionTicket extension in the ClientHello. If the client does not have a ticket and is prepared to receive one in the NewSessionTicket handshake message, then it MUST include a zero-length ticket in the SessionTicket extension. If the client is not prepared to receive a ticket in the NewSessionTicket handshake message then it MUST NOT include a SessionTicket extension unless it is sending a non-empty ticket it received through some other means from the server. If the server fails to verify the ticket, then it falls back to performing a full handshake. If the ticket is accepted by the server but the handshake fails, the client SHOULD delete the ticket. The “ticket_lifetime_hint” field contains a hint from the server about how long the ticket should be stored. The value indicates the lifetime in seconds as a 32-bit unsigned integer in network byte order. A value of zero is reserved to indicate that the lifetime of the ticket is unspecified. A client SHOULD delete the ticket and associated state when the time expires.
Security Considerations Failure to invalidate sessions does not pose a security risk. This is because the TLS handshake uses a non-reversible function to derive keys for a session so information about one session does not provide an advantage to attack the master secret or a different session. If a session invalidation scheme is used, the implementation should verify the integrity of the ticket before using the contents to invalidate a session to ensure that an attacker cannot invalidate a chosen session. 2. Stolen Tickets, Forged Tickets An eavesdropper or man-in-the-middle may obtain the ticket and attempt to use the ticket to establish a session with the server; however, since the ticket is encrypted and the attacker does not know the secret key, a stolen ticket does not help an attacker resume a session. A TLS server MUST use strong encryption and integrity protection for the ticket to prevent an attacker from using a brute force mechanism to obtain the ticket's contents. 1.
Ticket Protection Key Management A full description of the management of the keys used to protect the ticket is beyond the scope of this document. A list of RECOMMENDED practices is given below. • • •
• •
The keys should be generated securely following the randomness The keys and cryptographic protection algorithms should be at least 128 bits in strength. The keys should not be used for any other purpose than generating and verifying tickets. The keys should be changed regularly. The keys should be changed if the ticket format or cryptographic protection algorithms change.
Expected Execution It can be done using a single system where we can open multiple CHILDS (clients) and using the connection program we can restrict one of the child’s from accessing the server and then we can resume the connection using our mechanism.
Related Documents
Tls
November 2019 14
Contracts Outline - Tls
May 2020 3
Tls In Mail
June 2020 9
Report On Ssl & Tls
May 2020 5
