0 votes
Scenario: Server uses session tickets with TLS.
If the client sends the session ticket to the server with the ClientHello, what happens if this message is captured? Is it not possible that you can perform MITM attacks like this? Or even worse, impersonate the client? This should be possible because the ClientHello with the session ticket is not encrypted. Or am I getting something wrong?

1 Answer

0 votes
Best answer
If an attacker captures a ticket (i.e., by intercepting the CH), that is not an issue.

The ticket is encrypted with the server's STEK, so an attacker cannot decrypt it. This prevents the attacker from recovering the server's state and impersonating either the server or the client. Recall that the client and server immediately send finished messages using the secrets from the previous session, which the attacker does not have (even when replaying a captured ticket).

One security guarantee disappears, though: Forward Secrecy.

An attacker that gains access to the potentially long-lived STEK of the server can decrypt all session tickets encrypted under that STEK. Hence, STEK rotation is highly recommended!

If you are interested in Session Ticket Security, you can check out Sven's paper on it: https://www.usenix.org/system/files/usenixsecurity23-hebrok.pdf

Best,
Niklas
Thank you. Yes, I forgot the finished messages.
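
The mechanism from the answer as an added example, not code from the original thread or from any TLS library: a ticket sealed under the STEK, and a resumption that succeeds only when the peer's Finished value proves knowledge of the secret inside it. Assumptions: AES-256-GCM stands in for the server's ticket format, Finished is reduced to a single HMAC over the transcript, and all function names and sample values are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewSTEK returns AES-256-GCM under a fresh random key (stand-in ticket format).
func NewSTEK() cipher.AEAD {
	key := make([]byte, 32)
	rand.Read(key)
	block, _ := aes.NewCipher(key) // cannot fail: key length is valid
	stek, _ := cipher.NewGCM(block)
	return stek
}

func IssueTicket(stek cipher.AEAD, secret []byte) []byte {
	nonce := make([]byte, stek.NonceSize())
	rand.Read(nonce)
	return stek.Seal(nonce, nonce, secret, nil) // ticket = nonce || ciphertext || tag
}

func OpenTicket(stek cipher.AEAD, ticket []byte) ([]byte, error) {
	if n := stek.NonceSize(); len(ticket) >= n {
		return stek.Open(nil, ticket[:n], ticket[n:], nil) // fails for another STEK or a modified ticket
	}
	return nil, fmt.Errorf("ticket too short")
}

func Finished(secret, transcript []byte) []byte {
	m := hmac.New(sha256.New, secret) // simplified Finished: HMAC over the transcript
	m.Write(transcript)
	return m.Sum(nil)
}

// ServerAccepts resumes only if the peer proves it knows the ticket's secret.
func ServerAccepts(stek cipher.AEAD, ticket, transcript, fin []byte) bool {
	secret, err := OpenTicket(stek, ticket)
	return err == nil && hmac.Equal(fin, Finished(secret, transcript))
}

func main() {
	stek, secret, tr := NewSTEK(), []byte("constructed secret"), []byte("constructed transcript")
	ticket := IssueTicket(stek, secret)
	fmt.Println(ServerAccepts(stek, ticket, tr, Finished(secret, tr)), ServerAccepts(stek, ticket, tr, Finished(ticket, tr)))
}
```

`OpenTicket` with the issuing STEK returns the secret of any ticket sealed under it, which is the forward-secrecy loss the answer describes; a freshly generated STEK cannot open tickets sealed under the old one.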