[radext] Re: Selfie Attack on TLS-PSK
Fabian Mauchle <fabian.mauchle@switch.ch> Thu, 25 July 2024 09:19 UTC
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/SE3OkVPC7EHPHYR6FvbHK7Y9kis>

On 25.07.2024 00:00, Alan DeKok wrote:
> On Jul 24, 2024, at 1:37 PM, Margaret Cullen <mrcullen42@gmail.com> wrote:
>>
>> On a separate but related note….
>>
>> I came across this attack while reading about TLS mutual authentication:
>>
>> https://eprint.iacr.org/2019/347.pdf
>>
> Nice! And :(
>
>> Is this something we should consider before we recommend the use of TLS-PSK with TLS 1.3? Or has this issue already been addressed?
>
> This is discussed in RFC 9527:
>
> https://datatracker.ietf.org/doc/html/rfc9257#section-8
>
> I'll have to do a deeper dive to see how this affects the TLS-PSK document.

Unless I missed something... In TLS-PSK the server identifies (and authorizes) the client based on the PSK identity, and authenticates it by the PSK key. The client authenticates the server by the PSK key, and authorizes it by the sole fact that it knew the key.

So what we want to avoid is servers accepting connections from clients that 'impersonate' the server's identity (which it would itself use for outgoing connections).

Maybe we should add something to section 4.3. 'PSK and PSK Identity Sharing' like:
"Nodes that act both as client and server at the same time MUST NOT share or reuse PSK identities between incoming and outgoing connections."

This might also have implications on radiusdtls-bis, since current proposals allow skipping the identity check and authorize e.g. based on policy OID. Such a scenario might also be susceptible to Selfie.

-- 
Fabian Mauchle
Network
NOC: +41 44 268 15 30
Direct: +41 44 268 15 39
Switch
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
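
The rule proposed in the message above, sketched as a configuration check plus a server-side lookup. This is an added example, not part of the original message and not code from any RADIUS or TLS implementation; the `PskStore` class, its fields and the sample identities are hypothetical.

```python
from dataclasses import dataclass, field


class PskPolicyError(Exception):
    """Raised when a PSK identity is shared between directions."""


@dataclass
class PskStore:
    # identity -> key for connections this node ACCEPTS (server role)
    inbound: dict = field(default_factory=dict)
    # peer name -> (identity, key) for connections this node OPENS (client role)
    outbound: dict = field(default_factory=dict)

    def outbound_identities(self):
        return {identity for identity, _key in self.outbound.values()}

    def shared_identities(self):
        """Identities configured in both directions; must be empty."""
        return sorted(set(self.inbound) & self.outbound_identities())

    def validate(self):
        """Run at configuration load; refuse to start on a violation."""
        shared = self.shared_identities()
        if shared:
            raise PskPolicyError(f"identity reused in both directions: {shared}")

    def key_for_incoming(self, offered_identity):
        """Server-side lookup during the handshake.

        Returns the key, or None so the handshake fails. An identity this
        node itself presents on outgoing connections is never accepted,
        even if a stale inbound entry for it exists.
        """
        if offered_identity in self.outbound_identities():
            return None
        return self.inbound.get(offered_identity)


# Constructed sample configurations (not taken from the thread).
GOOD = PskStore(
    inbound={b"nas1@example.org": b"\x01" * 32},
    outbound={"upstream": (b"proxy-out@example.org", b"\x02" * 32)},
)
BAD = PskStore(
    inbound={b"proxy@example.org": b"\x03" * 32},
    outbound={"upstream": (b"proxy@example.org", b"\x03" * 32)},
)
```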