Cryptology ePrint Archive: Report 2021/987

A Formal Security Analysis of Session Resumption Across Hostnames

Kai Gellert and Tobias Handirk

Abstract: The TLS 1.3 session resumption handshake enables a client and a server to resume a previous connection via a shared secret that was established during a previous session. In practice, this is often done via session tickets, where the server provides a "self-encrypted" ticket containing the shared secret to its clients. A client may resume its session by sending the ticket to the server, which allows the server to retrieve the shared secret stored within the ticket. Usually, a ticket is only accepted by the server that issued it. However, in practice, servers that share the same hostname often share the same key material for ticket encryption. The concept of a server accepting a ticket that was issued by a different server is known as session resumption across hostnames (SRAH). In 2020, Sy et al. showed in an empirical analysis that, by using SRAH, the time to load a webpage can be reduced by up to 31% when visiting the page for the very first time. Despite its performance advantages, the TLS 1.3 specification currently discourages the use of SRAH. In this work, we formally investigate which security guarantees can be achieved when using SRAH. To this end, we provide the first formalization of SRAH and analyze its security in the multi-stage key exchange model (Dowling et al.; JoC 2021), which proved useful in previous analyses of TLS handshakes. We find that an adversary can break authentication if clients do not specify the intended receiver of their first protocol message. However, if the intended receiver is specified by the client, we prove that SRAH is secure in the multi-stage key exchange model.
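The following toy model is an added illustration, not code from the paper, of the abstract's central finding: when a group of servers shares ticket key material, a resumption message that does not name its intended receiver is accepted by every server in the group, whereas binding the intended hostname into the client's first message lets a non-intended server reject it. The hostnames, the MAC-based "self-encrypted" ticket and the simplified binder are constructed assumptions that stand in for the real TLS 1.3 ticket and PSK binder.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed assumption: one ticket key shared by all servers under a hostname group (SRAH).
TICKET_KEY = os.urandom(32)
GROUP = ("a.example", "b.example")


def issue_ticket(resumption_secret: bytes, issuer: str) -> bytes:
    """Simplified 'self-encrypted' ticket: MAC-protected body carrying the resumption secret."""
    body = json.dumps({"secret": resumption_secret.hex(), "issuer": issuer}).encode()
    return body + hmac.new(TICKET_KEY, body, hashlib.sha256).digest()


def open_ticket(ticket: bytes):
    body, tag = ticket[:-32], ticket[-32:]
    if not hmac.compare_digest(hmac.new(TICKET_KEY, body, hashlib.sha256).digest(), tag):
        return None
    fields = json.loads(body)
    return bytes.fromhex(fields["secret"]), fields["issuer"]


def client_hello(ticket: bytes, secret: bytes, intended: Optional[str]) -> dict:
    """Client's first message; the binder covers the ticket and the intended receiver (if any)."""
    msg = {"ticket": ticket.hex(), "intended": intended}
    transcript = json.dumps(msg, sort_keys=True).encode()
    msg["binder"] = hmac.new(secret, transcript, hashlib.sha256).hexdigest()
    return msg


def server_accepts(hostname: str, hello: dict) -> bool:
    """Any server in the group can open the ticket; acceptance then depends on the binder
    and on whether the client named an intended receiver other than this server."""
    if hostname not in GROUP:
        return False
    opened = open_ticket(bytes.fromhex(hello["ticket"]))
    if opened is None:
        return False
    secret, _issuer = opened
    unbound = {k: v for k, v in hello.items() if k != "binder"}
    expected = hmac.new(secret, json.dumps(unbound, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, hello["binder"]):
        return False
    return hello["intended"] is None or hello["intended"] == hostname


def resume_across_group(intended: Optional[str]) -> dict:
    """Ticket issued by a.example, resumption attempted at every server in the group."""
    secret = os.urandom(32)
    hello = client_hello(issue_ticket(secret, "a.example"), secret, intended)
    return {host: server_accepts(host, hello) for host in GROUP}
```

With `intended=None` both servers accept the same first message, so a redirected message is indistinguishable to the client from a connection to its intended peer; with `intended="a.example"` only a.example accepts, and an adversary cannot rewrite the field without invalidating the binder.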

Category / Keywords: cryptographic protocols

Original Publication (with minor differences): ESORICS 2021

Date: received 23 Jul 2021

Contact author: kai gellert at uni-wuppertal de, tobias handirk at uni-wuppertal de


Version: 20210727:203910

Short URL: ia.cr/2021/987
