IETF Logo Mail Archive

Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 20 September 2023 08:11 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B06E0C14CE4D for <radext@ietfa.amsl.com>; Wed, 20 Sep 2023 01:11:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aOlyRrkM6OQ2 for <radext@ietfa.amsl.com>; Wed, 20 Sep 2023 01:11:55 -0700 (PDT)
Received: from mail-wm1-x32a.google.com (mail-wm1-x32a.google.com [IPv6:2a00:1450:4864:20::32a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 49B13C14CEED for <radext@ietf.org>; Wed, 20 Sep 2023 01:11:55 -0700 (PDT)
Received: by mail-wm1-x32a.google.com with SMTP id 5b1f17b1804b1-40472c3faadso65726035e9.2 for <radext@ietf.org>; Wed, 20 Sep 2023 01:11:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695197513; x=1695802313; darn=ietf.org; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=0Z5Cq/EqBXU7xGQKxNib4T0rYzgWKR5P2QTo8eKmErs=; b=DLDqDDsG42I7OGF2jnw+MWSQr2xVk2U0guBJAXCKp46I9Zi62BJ01lXppzpNHXIJI9 S/yN5/jb4S+Um8qUIWiXZ0l57jenqIEfEOfqQyL9skWfUpqEPTB0d+mQelsfkUVvMNh+ I/Z1ct4D6nMRBX3mQmSowlJAQP94RHb3rW/ZHR8lWfDcQAiijOxXlzZ0Gkhj5oWFLz/j B/yQ3jpEs8ly2uYSXIkiDU67kYCLlNhw9PeGL6Zse0pHaOZ5WKiTHnIrC8RXOrtT+s6X VRy6biTKy2ucc03oQ75VNZ0AbT0MTp0zPW8RwlK3yLjWLV4iCrY3Onl2opQ86e6kqMYJ L+kw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695197513; x=1695802313; h=content-language:thread-index:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=0Z5Cq/EqBXU7xGQKxNib4T0rYzgWKR5P2QTo8eKmErs=; b=FfPhTcb75dHXLA6qbVUQfVxKgJ/tZaXs9Or3XbtrqqWZnabs8iLxc+bGMMj+CjPasK QP6oqQs1EFDcq5NS3YkeSAWN8CjUNkCGQ4lNXu5P2TrNiHxYhiyjrPD3kpexDs7BJ7pu xYBCgEdL+KIk0e01YVTnuUo4fblaZIzisxhCM7VoKfjxoDlndK/SrBu6DHnseIYu6GaR WqC14lNtrU+SyaRyvhZdMgEb2iozf4K09P8ZJHDx38zfjl74UibaW4GkNJuJTn7tnI9j UfWvkxQJJ+f4/PopuR4yQ12FxmMXaTtIwA1Ie+atgYgCPlZjuGLVIwCa0Y/i9h7saFbf NkMA==
X-Gm-Message-State: AOJu0Yy4HrxeWP3p+UHvHMBCLyqsuWM0agW+jBQQB1g+2RFUbJIak4yx HrB4DdKy5h+Oab7ZvSvvT4c=
X-Google-Smtp-Source: AGHT+IH2JyqdDdtBtOX1D5a7QAnETSjw9aY7As855a2/cJt1Nhjwcro5irvX9pNgVykL0Q3ybYMNQQ==
X-Received: by 2002:a05:600c:230c:b0:3fc:dd9:91fd with SMTP id 12-20020a05600c230c00b003fc0dd991fdmr1686053wmo.40.1695197513404; Wed, 20 Sep 2023 01:11:53 -0700 (PDT)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id l18-20020a1c7912000000b003fef3180e7asm1235129wme.44.2023.09.20.01.11.52 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Sep 2023 01:11:52 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Alan DeKok' <aland@deployingradius.com>, 'Heikki Vatiainen' <hvn@radiatorsoftware.com>
Cc: radext@ietf.org
References: <169290062850.51444.4789101133837195921@ietfa.amsl.com> <EFF9D14C-6714-4168-8C2D-A03DCB9ADFFB@deployingradius.com> <B88BB843-C4C3-418F-A6CA-4F360EB67C95@deployingradius.com> <CAA7Lko_oL5Oy9T52JnwUiaZDvUhwed8hivysoSuqY1jhXF=Ziw@mail.gmail.com> <8081E8F9-3818-43ED-8C82-3EBB093BCDBB@deployingradius.com>
In-Reply-To: <8081E8F9-3818-43ED-8C82-3EBB093BCDBB@deployingradius.com>
Date: Wed, 20 Sep 2023 11:11:54 +0300
Message-ID: <02aa01d9eb9a$1e9f5630$5bde0290$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJa5tJv5PII/yta85rxmkIHJQMYewGOEzf7ASCoHswBhBAcwwLVSuy8rukb5pA=
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/Tg31XjypXnAzzuX2iZwfyGgc_IM>
Subject: Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2023 08:11:59 -0000

[speaking as individual]

Hi Alan, Heikki,

one minor point.

> > OpenSSL 3.0 supports PSKs up to 512 octets (not bits)  which gives the possibility to have strong PSKs.
> The current text in the draft would at least require some justification if it is to be kept.
> 
>    Perhaps "Where TLS-PSK is used across the Internet, PSKs MUST contain at least 256 octets of
> entropy.".

I don't think that requiring the PSK to have 256 octets or more of entropy makes it stronger, at least for TLS 1.3.

The way PSK is used in TLS 1.3 always limits its entropy to the 
value of HKDF-Extract output size (*), it's 256 or 512 bits depending on the used hash function.
All the rest of PSK entropy (if any) is immediately lost.

That said, it may make sense having longer PSKs, because the method they are generated
may be imperfect, so the entropy may be far less than their length.

Regards,
Valery.

(*) I remember when Hugo Krawczyk explained this fact with regard to IKEv2 design - 
no matter how longer keys are used, the output of prf (HKDF-Extract in case of TLS 1.3)
limits the value of entropy in the protocol.

>   Alan DeKok.
> 
> _______________________________________________
> radext mailing list
> radext@ietf.org
> https://www.ietf.org/mailman/listinfo/radext

v2.23.0 | Report a Bug | By Email