| blob | 8e1c2d9d4d1ce0fe2e4c3db61fcdc088e3669cee |
4 Network Working Group J. Salowey
5 Internet-Draft H. Zhou
6 Expires: April 21, 2006 Cisco Systems
7 P. Eronen
8 Nokia
9 H. Tschofenig
10 Siemens
11 October 18, 2005
14 Transport Layer Security Session Resumption without Server-Side State
15 draft-salowey-tls-ticket-05.txt
17 Status of this Memo
19 By submitting this Internet-Draft, each author represents that any
20 applicable patent or other IPR claims of which he or she is aware
21 have been or will be disclosed, and any of which he or she becomes
22 aware will be disclosed, in accordance with Section 6 of BCP 79.
24 Internet-Drafts are working documents of the Internet Engineering
25 Task Force (IETF), its areas, and its working groups. Note that
26 other groups may also distribute working documents as Internet-
27 Drafts.
29 Internet-Drafts are draft documents valid for a maximum of six months
30 and may be updated, replaced, or obsoleted by other documents at any
31 time. It is inappropriate to use Internet-Drafts as reference
32 material or to cite them other than as "work in progress."
34 The list of current Internet-Drafts can be accessed at
35 http://www.ietf.org/ietf/1id-abstracts.txt.
37 The list of Internet-Draft Shadow Directories can be accessed at
38 http://www.ietf.org/shadow.html.
40 This Internet-Draft will expire on April 21, 2006.
42 Copyright Notice
44 Copyright (C) The Internet Society (2005).
46 Abstract
48 This document describes a mechanism which enables the Transport Layer
49 Security (TLS) server to resume sessions and avoid keeping per-client
50 session state. The TLS server encapsulates the session state into a
51 ticket and forwards it to the client. The client can subsequently
55 Salowey, et al. Expires April 21, 2006 [Page 1]
56 \f
57 Internet-Draft Stateless TLS Session Resumption October 2005
60 resume a session using the obtained ticket.
62 Table of Contents
64 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
65 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
66 3. Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
67 3.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . 3
68 3.2 SessionTicket TLS extension . . . . . . . . . . . . . . . 5
69 3.3 SessionTicket handshake message . . . . . . . . . . . . . 5
70 3.4 Interaction with TLS session ID . . . . . . . . . . . . . 6
71 4. Recommended Ticket Construction . . . . . . . . . . . . . . . 7
72 5. Security Considerations . . . . . . . . . . . . . . . . . . . 8
73 5.1 Invalidating Sessions . . . . . . . . . . . . . . . . . . 9
74 5.2 Stolen Tickets . . . . . . . . . . . . . . . . . . . . . . 9
75 5.3 Forged Tickets . . . . . . . . . . . . . . . . . . . . . . 9
76 5.4 Denial of Service Attacks . . . . . . . . . . . . . . . . 9
77 5.5 Ticket Protection Key Lifetime . . . . . . . . . . . . . . 9
78 5.6 Alternate Ticket Formats and Distribution Schemes . . . . 10
79 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 10
80 7. IANA considerations . . . . . . . . . . . . . . . . . . . . . 10
81 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
82 8.1 Normative References . . . . . . . . . . . . . . . . . . . 10
83 8.2 Informative References . . . . . . . . . . . . . . . . . . 11
84 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 12
85 Intellectual Property and Copyright Statements . . . . . . . . 13
111 Salowey, et al. Expires April 21, 2006 [Page 2]
112 \f
113 Internet-Draft Stateless TLS Session Resumption October 2005
116 1. Introduction
118 This document defines a way to resume a Transport Layer Security
119 (TLS) [RFC2246] session without requiring session-specific state at
120 the TLS server. This mechanism may be used with any TLS ciphersuite.
121 The mechanism makes use of TLS extensions defined in [I-D.ietf-tls-
122 rfc3546bis] and defines a new TLS message type.
124 This mechanism is useful in the following types of situations
125 (1) servers that handle a large number of transactions from
126 different users
127 (2) servers that desire to cache sessions for a long time
128 (3) ability to load balance requests across servers
129 (4) embedded servers with little memory
131 2. Terminology
133 Within this document the term 'ticket' refers to a cryptographically
134 protected data structure which is created by the server and consumed
135 by the server to rebuild session specific state.
137 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
138 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
139 document are to be interpreted as described in [RFC2119].
141 3. Protocol
143 This specification describes a mechanism to distribute encrypted
144 session state information in a ticket from a TLS server to a TLS
145 client and for a TLS client to present a ticket to a TLS server to
146 resume a session. Implementations of this specification are expected
147 to support both mechanism. Other specifications can take advantage
148 of the session tickets, perhaps specifying alternative means for
149 distribution or selection. For example a separate specification may
150 describe an alternate way to distribute a ticket and use the TLS
151 extension in this document to resume the session. This behavior is
152 beyond the scope of the document and would need to be described in a
153 separate specification.
155 3.1 Overview
157 The client indicates that it supports this mechanism by including a
158 SessionTicket TLS extension in the ClientHello message. The
159 extension will be empty if the client does not already possess a
160 ticket for the server. The extension is described in Section 3.2
162 If the server wants to use this mechanism, it stores its session
163 state (such as ciphersuite and master secret) to a ticket that is
167 Salowey, et al. Expires April 21, 2006 [Page 3]
168 \f
169 Internet-Draft Stateless TLS Session Resumption October 2005
172 encrypted and integrity-protected by a key known only to the server.
173 The ticket is distributed to the client using the SessionTicket TLS
174 handshake message described in Section 3.3. This message is sent
175 during the TLS handshake before the ChangeCipherSpec message after
176 the server has successfully verified the client's Finished message.
179 Client Server
181 ClientHello -------->
182 (empty SessionTicket extension)
183 ServerHello
184 Certificate*
185 ServerKeyExchange*
186 CertificateRequest*
187 <-------- ServerHelloDone
188 Certificate*
189 ClientKeyExchange
190 CertificateVerify*
191 [ChangeCipherSpec]
192 Finished -------->
193 SessionTicket
194 [ChangeCipherSpec]
195 <-------- Finished
196 Application Data <-------> Application Data
198 The client caches this ticket along with the master secret and other
199 parameters associated with the current session. When the client
200 wishes to resume the session, it includes the ticket in the
201 SessionTicket extension within ClientHello message. The server then
202 verifies that the ticket has not been tampered with, decrypts the
203 contents, retrieves the session state from the contents of the ticket
204 and uses this state to resume the session. The interaction with the
205 TLS Session ID is described in Section 3.4. If the server
206 successfully verifies the client's ticket then it may renew the
207 ticket by including a SessionTicket handshake message after the
208 ServerHello.
211 ClientHello
212 (SessionTicket extension) -------->
213 ServerHello
214 SessionTicket
215 [ChangeCipherSpec]
216 <-------- Finished
217 [ChangeCipherSpec]
218 Finished -------->
219 Application Data <-------> Application Data
223 Salowey, et al. Expires April 21, 2006 [Page 4]
224 \f
225 Internet-Draft Stateless TLS Session Resumption October 2005
228 A recommended ticket format is given in Section 4. If the server
229 cannot or does not want to honor the ticket then it can initiate a
230 full handshake with the client.
232 3.2 SessionTicket TLS extension
234 The SessionTicket TLS extension is based on [I-D.ietf-tls-
235 rfc3546bis]. The format of the ticket is an opaque structure used to
236 carry session specific state information. This extension is sent in
237 the ClientHello. If the client posses a ticket that it wants to use
238 to resume a session then it includes it in the SessionTicket
239 extension in the ClientHello. If the client does not have a ticket
240 and it is prepared to receive one in the SessionTicket handshake
241 message then it MUST include a zero length ticket in the
242 SessionTicket extension. If the client is not prepared to receive a
243 ticket in the SessionTicket handshake message then it MUST NOT
244 include a zero length SessionTicket extension.
246 If the server fails to verify the ticket then it falls back to
247 performing a full handshake. If the ticket is accepted by the server
248 but the handshake fails the client SHOULD delete the ticket.
250 The SessionTicket extension has been assigned the number TBD1. The
251 format of the SessionTicket extension is given below.
254 struct {
255 opaque ticket<0..2^16-1>;
256 } SessionTicket;
259 3.3 SessionTicket handshake message
261 This message is sent during the TLS handshake before the
262 ChangeCipherSpec message. This message MUST only be sent if either
263 the client included a SessionTicket extension with a zero length
264 ticket in the ClientHello or if the client included a ticket that was
265 previously issued in a SessionTicket handshake message. In the case
266 of a full handshake, the server MUST verify the client's Finished
267 message before sending the ticket. The client MUST NOT treat the
268 ticket as valid until it has verified the server's Finished message.
270 If the server successfully verifies the client's ticket then it MAY
271 renew the ticket by including a SessionTicket handshake message after
272 the ServerHello in the abbreviated handshake. The client should
273 start using the new ticket as soon as possible after it verifies the
274 Server's finished message for new connections. Note that since the
275 updated ticket is issued before the handshake completes it is
279 Salowey, et al. Expires April 21, 2006 [Page 5]
280 \f
281 Internet-Draft Stateless TLS Session Resumption October 2005
284 possible that the client may not put the new ticket into use before
285 it initiates new connections. The server MUST NOT assume the client
286 actually received the updated ticket until it successfully verifies
287 the client's finished message.
289 The SessionTicket handshake message has been assigned the number
290 TBD2. The definition of the SessionTicket handshake message is given
291 below.
294 struct {
295 HandshakeType msg_type;
296 uint24 length;
297 select (HandshakeType) {
298 case hello_request: HelloRequest;
299 case client_hello: ClientHello;
300 case server_hello: ServerHello;
301 case certificate: Certificate;
302 case server_key_exchange: ServerKeyExchange;
303 case certificate_request: CertificateRequest;
304 case server_hello_done: ServerHelloDone;
305 case certificate_verify: CertificateVerify;
306 case client_key_exchange: ClientKeyExchange;
307 case finished: Finished;
308 case new_session_ticket: SessionTicket; /* NEW */
309 } body;
310 } Handshake;
313 struct {
314 opaque ticket<0..2^16-1>;
315 } SessionTicket;
318 3.4 Interaction with TLS session ID
320 If a server is planning on issuing a SessionTicket to a client that
321 does not present one it SHOULD include an empty Session ID in the
322 ServerHello. If the server includes a non-empty session ID then it
323 is indicating intent to use stateful session resume. If the client
324 receives a SessionTicket from the server then it discards any Session
325 ID that was sent in the ServerHello.
327 When presenting a ticket the client MAY generate and include a
328 Session ID in the TLS ClientHello. If the server accepts the ticket
329 and the Session ID is not empty then it MUST respond with the same
330 Session ID present in the ClientHello. This allows the client to
331 easily differentiate when the server is resuming a session or falling
335 Salowey, et al. Expires April 21, 2006 [Page 6]
336 \f
337 Internet-Draft Stateless TLS Session Resumption October 2005
340 back to a full handshake. Since the client generates a Session ID
341 the server MUST NOT rely upon the Session ID having a particular
342 value when validating the ticket. If a ticket is presented by the
343 client the server MUST NOT attempt to use the Session ID in the
344 ClientHello for stateful session resume. Alternatively, the client
345 MAY include an empty Session ID in the ClientHello. In this case the
346 client ignores the Session ID sent in the ServerHello and must
347 determine if the server is resuming a session by the subsequent
348 handshake messages.
350 4. Recommended Ticket Construction
352 This section describes a recommended format and protection for the
353 ticket. Note that the ticket is opaque to the client so the
354 structure is not subject to interoperability concerns, so
355 implementations may diverge from this format. If implementations do
356 diverge from this format they must take security concerns seriously.
357 Clients MUST NOT examine the ticket under the assumption that it
358 complies with this document.
360 The server uses two different keys, one 128-bit key for AES
361 encryption and one 128-bit key for HMAC-SHA1.
363 The ticket is structured as follows:
365 struct {
366 uint32 key_version;
367 opaque iv[16]
368 opaque encrypted_state<0..2^16-1>;
369 opaque mac[20];
370 } Ticket;
372 Here key_version identifies a particular set of keys. One
373 possibility is to generate new random keys every time the server is
374 started, and use the timestamp as the key version. The same
375 mechanisms known from a number of other protocols can be reused for
376 this purpose.
378 The actual state information in encrypted_state is encrypted using
379 128-bit AES in CBC mode with the given IV. The MAC is calculated
380 using HMAC-SHA1 over key_version (4 octets)and IV (16 octets),
381 followed by the length of the encrypted_state field (2 octets) and
382 its contents (variable length).
391 Salowey, et al. Expires April 21, 2006 [Page 7]
392 \f
393 Internet-Draft Stateless TLS Session Resumption October 2005
396 struct {
397 ProtocolVersion protocol_version;
398 CipherSuite cipher_suite;
399 CompressionMethod compression_method;
400 opaque master_secret[48];
401 ExampleClientIdentity client_identity;
402 uint32 timestamp;
403 } StatePlaintext;
405 enum {
406 anonymous(0),
407 certificate_based(1),
408 psk(2)
409 } ClientAuthenticationType;
411 struct {
412 ClientAuthenticationType client_authentication_type;
413 select (ClientAuthenticationType) {
414 case anonymous: struct {};
415 case certificate_based:
416 ASN.1Cert certificate_list<0..2^24-1>;
417 case psk:
418 opaque psk_identity<0..2^16-1>;
420 }
421 } ClientIdentity;
423 The structure StatePlaintext stores the TLS session state including
424 the master_secret. The timestamp within this structure allows the
425 TLS server to expire tickets. To cover the authentication and key
426 exchange protocols provided by TLS the ClientIdentity structure
427 contains the authentication type of the client used in the initial
428 exchange (see ClientAuthenticationType). To offer the TLS server
429 with the same capabilities for authentication and authorization a
430 certificate list is included in case of public key based
431 authentication. The TLS server is therefore able to inspect a number
432 of different attributes within these certificates. A specific
433 implementation might choose to store a subset of this information or
434 additional information. Other authentication mechanism such as
435 Kerberos [RFC2712] would require different client identity data.
437 5. Security Considerations
439 This section addresses security issues related to the usage of a
440 ticket. Tickets must be sufficiently authenticated and encrypted to
441 prevent modification or eavesdropping by an attacker. Several
442 attacks described below will be possible if this is not carefully
443 done.
447 Salowey, et al. Expires April 21, 2006 [Page 8]
448 \f
449 Internet-Draft Stateless TLS Session Resumption October 2005
452 Implementations should take care to ensure that the processing of
453 tickets does not increase the chance of denial of serve as described
454 below.
456 5.1 Invalidating Sessions
458 The TLS specification requires that TLS sessions be invalidated when
459 errors occur. [CSSC] discusses the security implications of this in
460 detail. In the analysis in this paper, failure to invalidate
461 sessions does not pose a security risk. This is because the TLS
462 handshake uses a non-reversible function to derive keys for a session
463 so information about one session does not provide an advantage to
464 attack the master secret or a different session. If a session
465 invalidation scheme is used the implementation should verify the
466 integrity of the ticket before using the contents to invalidate a
467 session to ensure an attacker cannot invalidate a chosen session.
469 5.2 Stolen Tickets
471 An eavesdropper or man-in-the-middle may obtain the ticket and
472 attempt to use the ticket to establish a session with the server,
473 however since the ticket is encrypted and the attacker does not know
474 the secret key a stolen key does not help an attacker resume a
475 session. A TLS server MUST use strong encryption and integrity
476 protection for the ticket to prevent an attacker from using a brute
477 force mechanism to obtain the tickets contents.
479 5.3 Forged Tickets
481 A malicious user could forge or alter a ticket in order to resume a
482 session, to extend its lifetime, to impersonate as another user or
483 gain additional privileges. This attack is not possible if the
484 ticket is protected using a strong integrity protection algorithm
485 such as a keyed HMAC.
487 5.4 Denial of Service Attacks
489 An adversary could store or forge a large number of tickets to send
490 to the TLS server for verification. To minimize the possibility of a
491 denial of service the verification of the ticket should be
492 lightweight (e.g., using efficient symmetric key cryptographic
493 algorithms).
495 5.5 Ticket Protection Key Lifetime
497 The management of the keys used to protect the ticket is beyond the
498 scope of this document. It is advisable to limit the lifetime of
499 these keys to ensure they are not overused.
503 Salowey, et al. Expires April 21, 2006 [Page 9]
504 \f
505 Internet-Draft Stateless TLS Session Resumption October 2005
508 5.6 Alternate Ticket Formats and Distribution Schemes
510 If a different ticket format or distribution scheme than the ones
511 defined in this document is used then great care must be taken in
512 analyzing the security of the solution. In particular if a secret is
513 transferred to the client it MUST be done using secure communication
514 so as to prevent attackers from obtaining or modifying the key. Also
515 the ticket MUST have its integrity and privacy protected with strong
516 cryptographic techniques to prevent a breach in the security of the
517 system.
519 6. Acknowledgments
521 The authors would like to thank the following people for their help
522 with preparing and reviewing this document: Eric Rescorla, Mohamad
523 Badra, Tim Dierks, Nelson Bolyard, Nancy Cam-Winget, David McGrew,
524 Rob Dugal and members of the TLS working group.
526 [CSSC] describes a solution that is very similar to the one described
527 in this document and gives a detailed analysis of the security
528 considerations involved. [RFC2712] describes a mechanism for using
529 Kerberos ([RFC1510]) in TLS ciphersuites, which helped inspire the
530 use of tickets to avoid server state. [I-D.cam-winget-eap-fast]
531 makes use of a similar mechanism to avoid maintaining server state
532 for the cryptographic tunnel. [SC97] also investigates the concept
533 of stateless sessions.
535 7. IANA considerations
537 IANA has assigned a TLS extension number of TBD1 (the value 35 is
538 suggested) to the SessionTicket TLS extension from the TLS registry
539 of ExtensionType values defined in [I-D.ietf-tls-rfc3546bis].
541 IANA has assigned a TLS HandshakeType number TBD2 to the
542 SessionTicket handshake type from the TLS registry of HandshakeType
543 values defined in [I-D.ietf-tls-rfc2246-bis].
545 8. References
547 8.1 Normative References
549 [AES] National Institute of Standards and Technology, "Advanced
550 Encryption Standard (AES)", Federal Information
551 Processing Standards (FIPS) Publication 197,
552 November 2001.
554 [CBC] National Institute of Standards and Technology,
555 "Recommendation for Block Cipher Modes of Operation -
559 Salowey, et al. Expires April 21, 2006 [Page 10]
560 \f
561 Internet-Draft Stateless TLS Session Resumption October 2005
564 Methods and Techniques", NIST Special Publication 800-38A,
565 December 2001.
567 [I-D.ietf-tls-rfc2246-bis]
568 Dierks, T. and E. Rescorla, "The TLS Protocol Version
569 1.1", draft-ietf-tls-rfc2246-bis-13 (work in progress),
570 June 2005.
572 [I-D.ietf-tls-rfc3546bis]
573 Blake-Wilson, S., "Transport Layer Security (TLS)
574 Extensions", draft-ietf-tls-rfc3546bis-02 (work in
575 progress), October 2005.
577 [RFC2104] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
578 Hashing for Message Authentication", RFC 2104,
579 February 1997.
581 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
582 Requirement Levels", BCP 14, RFC 2119, March 1997.
584 [RFC2246] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
585 RFC 2246, January 1999.
587 [SHA1] National Institute of Standards and Technology, "Secure
588 Hash Standard (SHS)", Federal Information Processing
589 Standards (FIPS) Publication 180-2, August 2002.
591 8.2 Informative References
593 [CSSC] Shacham, H., Boneh, D., and E. Rescorla, "Client-side
594 caching for TLS", Transactions on Information and
595 System Security (TISSEC) , Volume 7, Issue 4,
596 November 2004.
598 [I-D.cam-winget-eap-fast]
599 Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou, "EAP
600 Flexible Authentication via Secure Tunneling (EAP-FAST)",
601 draft-cam-winget-eap-fast-02 (work in progress),
602 April 2005.
604 [I-D.ietf-tls-psk]
605 Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites
606 for Transport Layer Security (TLS)", draft-ietf-tls-psk-09
607 (work in progress), June 2005.
609 [RFC1510] Kohl, J. and B. Neuman, "The Kerberos Network
610 Authentication Service (V5)", RFC 1510, September 1993.
615 Salowey, et al. Expires April 21, 2006 [Page 11]
616 \f
617 Internet-Draft Stateless TLS Session Resumption October 2005
620 [RFC2712] Medvinsky, A. and M. Hur, "Addition of Kerberos Cipher
621 Suites to Transport Layer Security (TLS)", RFC 2712,
622 October 1999.
624 [SC97] Aura, T. and P. Nikander, "Stateless Connections",
625 Proceedings of the First International Conference on
626 Information and Communication Security (ICICS '97) , 1997.
629 Authors' Addresses
631 Joseph Salowey
632 Cisco Systems
633 2901 3rd Ave
634 Seattle, WA 98121
635 US
637 Email: jsalowey@cisco.com
640 Hao Zhou
641 Cisco Systems
642 4125 Highlander Parkway
643 Richfield, OH 44286
644 US
646 Email: hzhou@cisco.com
649 Pasi Eronen
650 Nokia Research Center
651 P.O. Box 407
652 FIN-00045 Nokia Group
653 Finland
655 Email: pasi.eronen@nokia.com
658 Hannes Tschofenig
659 Siemens
660 Otto-Hahn-Ring 6
661 Munich, Bayern 81739
662 Germany
664 Email: Hannes.Tschofenig@siemens.com
671 Salowey, et al. Expires April 21, 2006 [Page 12]
672 \f
673 Internet-Draft Stateless TLS Session Resumption October 2005
676 Intellectual Property Statement
678 The IETF takes no position regarding the validity or scope of any
679 Intellectual Property Rights or other rights that might be claimed to
680 pertain to the implementation or use of the technology described in
681 this document or the extent to which any license under such rights
682 might or might not be available; nor does it represent that it has
683 made any independent effort to identify any such rights. Information
684 on the procedures with respect to rights in RFC documents can be
685 found in BCP 78 and BCP 79.
687 Copies of IPR disclosures made to the IETF Secretariat and any
688 assurances of licenses to be made available, or the result of an
689 attempt made to obtain a general license or permission for the use of
690 such proprietary rights by implementers or users of this
691 specification can be obtained from the IETF on-line IPR repository at
692 http://www.ietf.org/ipr.
694 The IETF invites any interested party to bring to its attention any
695 copyrights, patents or patent applications, or other proprietary
696 rights that may cover technology that may be required to implement
697 this standard. Please address the information to the IETF at
698 ietf-ipr@ietf.org.
701 Disclaimer of Validity
703 This document and the information contained herein are provided on an
704 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
705 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
706 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
707 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
708 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
709 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
712 Copyright Statement
714 Copyright (C) The Internet Society (2005). This document is subject
715 to the rights, licenses and restrictions contained in BCP 78, and
716 except as set forth therein, the authors retain all their rights.
719 Acknowledgment
721 Funding for the RFC Editor function is currently provided by the
722 Internet Society.
727 Salowey, et al. Expires April 21, 2006 [Page 13]
728 \f