[cryptography] SSL session resumption defective (Re: What project would you finance? [WAS: Potential funding for crypto-related projects])

Nico Williams nico at cryptonector.com
Wed Jul 3 13:13:41 EDT 2013

On Tue, Jul 2, 2013 at 10:07 AM, Adam Back <adam at cypherspace.org> wrote:
> On Tue, Jul 02, 2013 at 11:48:02AM +0100, Ben Laurie wrote:
>> On 2 July 2013 11:25, Adam Back <adam at cypherspace.org> wrote:
>>> does it provide forward secrecy (via k' = H(k)?).
>> Resumed [SSL] sessions do not give forward secrecy. Sessions should be
>> expired regularly, therefore.
> That seems like an SSL protocol bug no?  With the existence of forward
> secret ciphersuites, the session resumption cache mechanism itself MUST
> exhibit forward secrecy.

The whole point of session resumption is to make that fast.  It can't
be too fast if it implies public key cryptography.  Now, with ECC DH
it's probably fast enough anyways, so, yes, we should do this.

> Do you think anyone would be interested in fixing that?

It's already possible to resume then renegotiate with an anon ECC DH
cipher suite.  Oh, wait, no, anon ECC DH with AES cipher suites were
left out (by accident).  So the fix might just be to register the
missing cipher suites and always renego with one of those immediately
after resuming a session.  We could then work on a round-trip
optimized session resumption with PFS feature.

But first we'd have to get users to use cipher suites with PFS.  We're
not really there.
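To make the forward-secrecy point above concrete, here is an added simulation (not code from the thread or from any TLS implementation) of a session cache that re-derives connection keys from a cached master secret and the public client/server randoms, first with the secret kept unchanged and then with the k' = H(k) ratchet Adam asks about. The PRF is a simplified HMAC stand-in for the TLS PRF, and the names `resume`, `simulate` and `recovered_count` are my own.

```python
import hashlib
import hmac
import os

def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Simplified key derivation standing in for the TLS PRF (HMAC-SHA256)."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()

def resume(cache: dict, session_id: bytes, client_random: bytes,
           server_random: bytes, ratchet: bool) -> bytes:
    """Resume a cached session and return the connection key.

    ratchet=False keeps the same master secret in the cache forever
    (plain resumption). ratchet=True replaces the cached secret with
    H(k) after each use, so earlier secrets cannot be recovered from it."""
    k = cache[session_id]
    key = prf(k, b"key expansion", client_random + server_random)
    if ratchet:
        cache[session_id] = hashlib.sha256(b"ratchet" + k).digest()
    return key

def simulate(ratchet: bool, n_connections: int = 4):
    """Run n resumptions, then hand the current cache entry to an attacker
    who recorded every handshake's randoms. Returns (true_keys, recovered)."""
    sid = b"session-1"
    cache = {sid: os.urandom(32)}  # constructed: master secret of a PFS full handshake
    transcript, keys = [], []
    for _ in range(n_connections):
        cr, sr = os.urandom(32), os.urandom(32)  # sent in the clear, so recorded
        keys.append(resume(cache, sid, cr, sr, ratchet))
        transcript.append((cr, sr))
    # Later compromise: the attacker obtains the cache entry as it is now.
    leaked = cache[sid]
    # The attacker re-runs key derivation over every recorded handshake.
    # Note the ratchet only protects *past* connections: from the leaked
    # value an attacker could still ratchet forward to future keys.
    recovered = {prf(leaked, b"key expansion", cr + sr) for cr, sr in transcript}
    return keys, recovered

def recovered_count(ratchet: bool) -> int:
    """Number of past connection keys the attacker gets from the leaked cache."""
    keys, recovered = simulate(ratchet)
    return sum(k in recovered for k in keys)
```

Without the ratchet every past connection key falls out of the cached secret; with it, none of the earlier ones do.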