MA: Partitioning Oracle Attacks against TLS Session Tickets

Abstract:

Transport Layer Security (TLS) is pivotal in ensuring secure communication. Session tickets accelerate connection setup by allowing a client to resume a session with previously negotiated parameters, including key material. Servers encrypt session tickets with a Session Ticket Encryption Key (STEK) to protect the ticket contents. If this key is compromised, the session state inside every ticket it protected is exposed, enabling attackers to decrypt or manipulate captured connections. In 2021, a new kind of chosen-ciphertext attack called the Partitioning Oracle Attack was introduced. It exploits the fact that the Carter-Wegman MACs used in AEAD schemes such as AES-GCM and ChaCha20-Poly1305 are not key-committing: a single crafted ciphertext can pass authentication under many candidate keys at once, so each decryption query to an oracle that reveals success or failure tests an entire partition of the candidate key set rather than a single guess, allowing recovery of a low-entropy key in far fewer queries than one guess per query. We test six TLS implementations that use these schemes to encrypt session tickets to determine whether they are susceptible to Partitioning Oracle Attacks. We identify three libraries that provide an oracle and one that provides a limited oracle. Because the crafted ticket grows by one block for every key it targets, we investigate the practical limitations of sending unusually long session tickets, and we use large-scale scans to determine the market share of the affected libraries, which is low. Through our analysis, we conclude that the proposed attack does not provide an advantage over simple brute-force decryption because of the format requirements of session tickets.
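The key-multicollision step that the attack relies on, and the partition search built on top of it, as an added example that is not code from the thesis or from any of the tested libraries. It substitutes a toy Poly1305-style polynomial MAC over a prime field for AES-GCM's GHASH or Poly1305, derives keys from candidate passwords with plain SHA-256, uses a constructed candidate list of 128 passwords, and models the server as an oracle class that simply reports whether a tag verifies; all of these are assumptions for illustration.

```python
"""Toy partitioning-oracle attack against a Carter-Wegman (polynomial) MAC.

Added example, not code from the thesis. The MAC is a simplified
Poly1305-style polynomial hash over the prime field GF(p), p = 2**61 - 1
(an assumption chosen for readability; GHASH works over GF(2^128) and
Poly1305 over GF(2^130 - 5)). What carries over is the property the attack
needs: the tag is an affine function of the message blocks, so a k-block
message can be solved for that authenticates under k chosen keys at once.
"""
import hashlib

P = 2**61 - 1  # toy field modulus (assumption)


def derive_key(password: str):
    """Derive a toy MAC key (r, s) from a low-entropy secret.
    Assumption: plain SHA-256; a real deployment would use a KDF."""
    d = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(d[:8], "big") % P, int.from_bytes(d[8:16], "big") % P


def poly_mac(key, blocks):
    """tag = s + sum_j m_j * r^(k-j) mod p, computed in Horner form."""
    r, s = key
    acc = 0
    for m in blocks:
        acc = (acc + m) * r % P
    return (acc + s) % P


def solve_mod_p(A, b):
    """Solve A x = b over GF(p) by Gauss-Jordan elimination (A is square)."""
    n = len(A)
    M = [row[:] + [b[i]] for i, row in enumerate(A)]
    for col in range(n):
        piv = next((i for i in range(col, n) if M[i][col]), None)
        if piv is None:
            raise ValueError("singular system: two candidate keys share r")
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], P - 2, P)
        M[col] = [v * inv % P for v in M[col]]
        for i in range(n):
            if i != col and M[i][col]:
                f = M[i][col]
                M[i] = [(vi - f * vc) % P for vi, vc in zip(M[i], M[col])]
    return [M[i][n] for i in range(n)]


def key_multicollision(keys, tag):
    """Return k blocks such that poly_mac(key_i, blocks) == tag for all k keys.

    Row i of the linear system is sum_j m_j * r_i^(k-j) = tag - s_i; the
    matrix is Vandermonde in the r_i, so it is invertible whenever the r_i
    are distinct and non-zero. One block per targeted key is the cost that
    makes crafted session tickets unusually long.
    """
    k = len(keys)
    A = [[pow(r, k - j, P) for j in range(k)] for r, _ in keys]
    b = [(tag - s) % P for _, s in keys]
    return solve_mod_p(A, b)


class TicketOracle:
    """Stand-in for a server whose response reveals whether a ticket's tag
    verifies under its secret key (the behaviour the thesis tests for)."""

    def __init__(self, secret_password):
        self.key = derive_key(secret_password)
        self.queries = 0

    def accepts(self, blocks, tag):
        self.queries += 1
        return poly_mac(self.key, blocks) == tag


def partitioning_attack(oracle, candidates, tag=0x50A1):
    """Recover the secret from a candidate list with about log2(N) queries.

    Each query submits one multi-collision covering half of the remaining
    candidates; it is accepted with certainty if the true key is among them,
    so every answer halves the candidate set.
    """
    remaining = list(candidates)
    while len(remaining) > 1:
        half = remaining[: len(remaining) // 2]
        blocks = key_multicollision([derive_key(c) for c in half], tag)
        remaining = half if oracle.accepts(blocks, tag) else remaining[len(half):]
    return remaining[0]


def brute_force_attack(oracle, candidates):
    """Baseline: one candidate key per query, each with a short valid ticket."""
    blocks = [1]
    for c in candidates:
        if oracle.accepts(blocks, poly_mac(derive_key(c), blocks)):
            return c
    return None


# Constructed candidate space: 128 low-entropy "passwords", one of which is real.
CANDIDATES = [f"hunter{i}" for i in range(128)]
SECRET = "hunter42"

if __name__ == "__main__":
    o = TicketOracle(SECRET)
    print("partitioning:", partitioning_attack(o, CANDIDATES), "queries:", o.queries)
    o = TicketOracle(SECRET)
    print("brute force: ", brute_force_attack(o, CANDIDATES), "queries:", o.queries)
```

The first query already carries a 64-block message, one block per candidate it covers; in AES-GCM that is one 16-byte block per targeted key, which is where the need for unusually long session tickets comes from. Partitioning oracles only pay off when the candidate key set is small enough to enumerate, for example password-derived keys, which is what the constructed candidate list assumes.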