<b>Can TLS session resumption silently break the forward secrecy your ephemeral key exchange just bought you?</b>
TLS 1.3 mandates ephemeral (EC)DHE key exchange so that compromising a server's long-term key cannot retroactively decrypt past sessions — that is forward secrecy. But session resumption via tickets reintroduces a long-lived secret, and a careless deployment quietly undoes the guarantee.
The mechanism: when a server issues a session ticket (NewSessionTicket, RFC 8446 §4.6.1), it typically encrypts the session's resumption secret under a Session Ticket Encryption Key (STEK) and hands the ciphertext to the client to hold. The STEK is a long-term server-side secret. If it is compromised, an attacker who recorded past traffic can decrypt every ticket ever issued under it, recover the resumption PSKs, and unravel the resumed sessions — defeating forward secrecy for exactly those connections.
The magnitude depends entirely on STEK rotation. A server that never rotates its STEK has a single key whose compromise exposes months of resumed sessions; a server rotating hourly bounds the exposure to an hour. This is the under-appreciated cost of the resumption-rate optimization: each cached STEK is a window of non-forward-secret history.
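The following is an added model, not code from the post or from any TLS stack: it wraps resumption secrets under a STEK, rotates the STEK at a configurable interval, and counts how many recorded tickets a single leaked STEK unwraps. The ticket layout and the HMAC-based toy cipher are constructed for the model and are not RFC 8446 wire formats.

```python
import hashlib, hmac, os, struct

# Toy counter-mode keystream from HMAC-SHA256; a stand-in for the AEAD a
# real server uses, constructed here so the model runs with stdlib only.
def _keystream_xor(stek, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hmac.new(stek, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)

def issue_ticket(steks, key_id, resumption_secret):
    """Wrap a resumption secret under steks[key_id].
    Ticket = key_id(4) || nonce(16) || ct || tag(32) (constructed format)."""
    hdr = struct.pack(">I", key_id) + os.urandom(16)
    ct = _keystream_xor(steks[key_id], hdr[4:], resumption_secret)
    tag = hmac.new(steks[key_id], hdr + ct, hashlib.sha256).digest()
    return hdr + ct + tag

def open_ticket(stek, ticket):
    """Return the wrapped secret if `stek` wrapped `ticket`, else None.
    The same routine serves the server and anyone holding a leaked STEK."""
    hdr, ct, tag = ticket[:20], ticket[20:-32], ticket[-32:]
    expect = hmac.new(stek, hdr + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return _keystream_xor(stek, hdr[4:], ct)

def exposed_by_leak(leaked_stek, recorded_tickets):
    """Sessions whose resumption secret one leaked STEK recovers from a
    passive capture of past tickets: the non-forward-secret window."""
    return sum(open_ticket(leaked_stek, t) is not None for t in recorded_tickets)

def simulate(sessions, rotate_every):
    """Issue `sessions` tickets, rotating the STEK every `rotate_every`
    sessions (0 = never rotate), then leak the current STEK."""
    steks = {0: os.urandom(32)}
    tickets = []
    for i in range(sessions):
        if rotate_every and i and i % rotate_every == 0:
            steks[max(steks) + 1] = os.urandom(32)
        tickets.append(issue_ticket(steks, max(steks), os.urandom(32)))
    return exposed_by_leak(steks[max(steks)], tickets)

if __name__ == "__main__":
    print("never rotated:", simulate(1000, 0))     # 1000 sessions exposed
    print("rotate per 100:", simulate(1000, 100))  # 100 sessions exposed
```

The exposure count is exactly the number of tickets issued under the leaked key, which is the rotation interval expressed in sessions; a real deployment measures it in wall-clock time.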
Worse, multi-server deployments often share a static STEK across a fleet so that any node can resume any session, turning one extracted key into a fleet-wide, long-horizon decryption capability. The Cloudflare "Keyless" and STEK-rotation discussions documented this tension explicitly.
Evidence vs. speculation: the STEK-compromise risk is inherent to ticket-based resumption (RFC 8446 §8.1 and Appendix C.4 advise frequent rotation); the fleet-wide static-STEK anti-pattern is a documented operational mistake, not a hypothetical.
<b>Further reading:</b> RFC 8446 §4.6.1, §8.1, Appendix C.4; RFC 5077 (legacy tickets).
<b>Bottom line:</b> Resumption tickets reintroduce a long-term secret behind your ephemeral handshake — forward secrecy survives only if STEKs are rotated aggressively and never shared statically fleet-wide, because an unrotated STEK is a master key over all the sessions it ever wrapped.
Handshake Papers
@HandshakePapers
This post was published in the Telegram channel Handshake Papers. Subscribe via the link: @HandshakePapers.