[gnutls-devel] GnuTLS | Clarify documentation of session ticket keys (#1097)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat Oct 3 13:18:32 CEST 2020

Airtower created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1097

The [documentation on session
currently says this:

> Those will be the initial keys, but GnuTLS will rotate them
> regularly. [...] Every such interval, new keys will be generated
> from those initial keys. This is a necessary mechanism to prevent
> the keys from becoming long-term keys and as such preserve
> forward-secrecy in the issued session tickets.

However, there is no _rotation_, only key derivation. The initial key is never
wiped and does in fact become a long term key. Someone who is able to
steal it from server memory can derive TOTP keys for any round they
want, and decrypt the associated tickets.

I'm not sure how useful the rotation is at all with this limitation:
It doesn't protect against server memory compromise, but I don't know
if there could be any cryptanalysis attacks that would allow deriving
keys or other secrets after collecting many tickets encrypted with the
same key. In that case the TOTP key derivation would protect against
attackers on the network.

The limitation should be made clear in the documentation, so people
with forward secrecy requirements stronger than "keys wiped during
server restart" will know to either disable tickets altogether or
implement their own rotation.

Related to this, two functions are missing details in the API
documentation that are important when implementing a full rotation
that also replaces the initial key:

### `gnutls_session_ticket_key_generate()`

Looking at the code the size of the key in memory is strictly
fixed. There is however no mention of the size in the
documentation. Would it be acceptable to guarantee a fixed key size
during application runtime, that is, create one key, and it'll be safe
to assume that keys generated by the same process have the same size?
This would be helpful in cases like mod_gnutls, where the Apache HTTPD
is made up of multiple processes, which would have to use a common key
e.g. using shared memory.

### `gnutls_session_ticket_enable_server()`

When replacing the initial key it's obviously important to wipe and
`free()` the previous one as soon as possible. The current code copies
the initial key into the session structure during
`gnutls_session_ticket_enable_server()`. This should be documented as
API, so applications can wipe old keys as soon as all calls to
`gnutls_session_ticket_enable_server()` that may have referenced the
old key have completed.

I'd be happy to update the documentation if those things can be relied
on as API.

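The distinction the issue draws between deriving per-round keys from a resident initial key and actually rotating the key, as an added model that is not GnuTLS code: the HMAC-SHA256-over-a-round-counter derivation and the 3-hour round are assumptions standing in for the real mechanism, and the "attacker" is simply a memory snapshot taken in a later round.

```python
import hashlib, hmac, os

ROUND_SECONDS = 3 * 3600  # model value only; the real GnuTLS interval is not given in the issue

def round_index(now):
    """Map a time in seconds to the ticket-key round it falls in."""
    return now // ROUND_SECONDS

def derive_round_key(initial_key, rnd):
    """TOTP-style derivation: a pure function of the initial key and the round
    counter, so anyone holding initial_key can recompute any round's key."""
    return hmac.new(initial_key, rnd.to_bytes(8, "big"), hashlib.sha256).digest()

class DerivedKeys:
    """Behaviour described in the issue: one initial key kept for the whole
    process lifetime, per-round keys derived from it."""
    def __init__(self, initial_key):
        self.initial_key = initial_key  # never wiped
    def key_for(self, now):
        return derive_round_key(self.initial_key, round_index(now))
    def memory_snapshot(self):
        return bytes(self.initial_key)
    def recover_from_snapshot(self, snapshot, past_now):
        return derive_round_key(snapshot, round_index(past_now))  # any round, past or future

class RotatedKeys:
    """Full rotation: an independent random key per round; the previous key is
    overwritten in place before its reference is dropped."""
    def __init__(self):
        self.rnd, self.key = None, bytearray()
    def key_for(self, now):
        rnd = round_index(now)
        if rnd != self.rnd:
            self.key[:] = bytes(len(self.key))  # zero the old key material
            self.key, self.rnd = bytearray(os.urandom(32)), rnd
        return bytes(self.key)
    def memory_snapshot(self):
        return bytes(self.key)
    def recover_from_snapshot(self, snapshot, past_now):
        return snapshot  # only the current key exists; nothing derives from it

def forward_secret(scheme, ticket_time=0, compromise_time=5 * ROUND_SECONDS):
    """True if memory read at compromise_time cannot recover the key that
    protected a ticket issued in an earlier round at ticket_time."""
    past_key = scheme.key_for(ticket_time)
    scheme.key_for(compromise_time)  # server keeps running into a later round
    snapshot = scheme.memory_snapshot()
    return scheme.recover_from_snapshot(snapshot, ticket_time) != past_key
```

`forward_secret(DerivedKeys(...))` is False because the snapshot contains the initial key, while `forward_secret(RotatedKeys())` is True because the earlier round's key was zeroed; the first is the property the issue says the current documentation overstates.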

