Is there any other difference except the session cache?

Will only Session ID based Session Resumption update the symmetric TLS session key?

Devang Kubavat
  • I recommend the ["Session Resumption" section](https://hpbn.co/transport-layer-security-tls/#tls-session-resumption) of the "High Performance Browser Networking" book by Ilya Grigorik. – StackzOfZtuff Jan 03 '17 at 08:16
  • Thanks @StackzOfZtuff. I want to know: will only session ID based session resumption update the symmetric TLS session key? The "High Performance Browser Networking" book didn't talk about that. – Devang Kubavat Jan 03 '17 at 08:21
  • I think NEITHER of the schemes will do that. (But I don't have a good source.) What makes you think otherwise? – StackzOfZtuff Jan 03 '17 at 08:56
  • Do you have sample code in which session ID based session resumption is used? I want a deep understanding of both methods, with respect to memory constraints as well as security parameters. @StackzOfZtuff – Devang Kubavat Jan 03 '17 at 09:13

1 Answer

Update: Warning: my understanding of this is botchy. See Dave Thompson’s comment.

——————————————

> Will only Session ID based Session Resumption update the symmetric TLS session key?

Neither method will do that.

To quote Adam Langley: (line breaks mine)

> TLS offers two session resumption mechanisms: session IDs (where the server and client each store their own secret state) and session tickets (where the client stores the server's state, encrypted by the server).
>
> If an attacker can obtain the session resumption information for a connection then they can decrypt the connection.
>
> (This needn't be completely true, but it is for TLS because of the way that TLS is designed.)

Source: How to botch TLS forward secrecy (27 Jun 2013) (Archived here.)

Further reading

StackzOfZtuff
  • Thanks. But I still have lots of questions regarding TLS Session Resumption. I will go through it first... Thanks for the support. @StackzOfZtuff – Devang Kubavat Jan 03 '17 at 12:41
  • @DevangKubavat: See also section 2.2 in this PDF: https://dl.acm.org/citation.cfm?id=2987480 – StackzOfZtuff Jan 04 '17 at 13:50
  • Yes, @StackzOfZtuff. After session resumption, the session key is not updated. The same previous session key is used in both methods, as per the paper. – Devang Kubavat Jan 05 '17 at 06:33
  • Posted a new question: http://security.stackexchange.com/questions/147322/session-ticket-based-session-resumption Can you give me an answer if you have an idea? @StackzOfZtuff – Devang Kubavat Jan 05 '17 at 09:45
  • @DevangKubavat: Sorry. I have never done openssl programming. – StackzOfZtuff Jan 05 '17 at 10:00
  • Okay... Thank you! @StackzOfZtuff. I have one conceptual question: what happens if an attacker gets the session ticket? The attacker can try to reconnect to the server. How will the server come to know that THIS IS NOT THE CORRECT CLIENT? – Devang Kubavat Jan 05 '17 at 10:32
  • @DevangKubavat: Not at all. – StackzOfZtuff Jan 05 '17 at 14:49
  • To be exact, the _master secret_ is reused; the actual keys, plural (at least 2, often 4) are re-derived with new nonces, which does help with things like sweet32 and RC4 bias (or did before 3DES and RC4 were obsoleted), but (as you describe) does not provide forward secrecy. – dave_thompson_085 Apr 05 '18 at 05:42
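
Added example, not part of the original thread: the TLS 1.2 key expansion (RFC 5246, sections 5 and 6.3) run twice over one master secret, illustrating the last comment's point that resumption re-derives the record keys from fresh hello randoms while the master secret stays the same. The cipher suite layout (AES-128-CBC with HMAC-SHA256, four keys) and every input value are constructed assumptions.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed                      # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def derive_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key expansion (RFC 5246 section 6.3) for an assumed AES-128-CBC / HMAC-SHA256 suite."""
    seed = b"key expansion" + server_random + client_random
    block = p_sha256(master_secret, seed, 2 * 32 + 2 * 16)
    layout = (("client_write_MAC_key", 32), ("server_write_MAC_key", 32),
              ("client_write_key", 16), ("server_write_key", 16))
    keys, offset = {}, 0
    for name, size in layout:
        keys[name] = block[offset:offset + size]
        offset += size
    return keys

def hello_random(tag: bytes) -> bytes:
    """Constructed 32-byte stand-in for a ClientHello/ServerHello random."""
    return hashlib.sha256(tag).digest()

def demo() -> dict:
    master_secret = bytes(range(48))        # constructed; 48 bytes as in TLS 1.2
    full = derive_keys(master_secret, hello_random(b"c1"), hello_random(b"s1"))
    # Resumption (session ID or ticket): same master secret, fresh hello randoms.
    c2, s2 = hello_random(b"c2"), hello_random(b"s2")
    resumed = derive_keys(master_secret, c2, s2)
    # Anyone holding the cached or ticket-wrapped master secret can repeat the
    # derivation, because both randoms travel in the clear in the hello messages.
    recomputed = derive_keys(master_secret, c2, s2)
    return {"full": full, "resumed": resumed, "recomputed": recomputed}

if __name__ == "__main__":
    r = demo()
    for name in r["full"]:
        print(name, "changed on resumption:", r["full"][name] != r["resumed"][name])
    print("recomputed from master secret alone:", r["recomputed"] == r["resumed"])
```

The per-connection keys differ, yet protecting them reduces to protecting the master secret held in the session cache or inside the ticket.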