IETF Logo Mail Archive

Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt

Heikki Vatiainen <hvn@radiatorsoftware.com> Wed, 20 September 2023 11:10 UTC

Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 34AA0C151536 for <radext@ietfa.amsl.com>; Wed, 20 Sep 2023 04:10:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.908
X-Spam-Level:
X-Spam-Status: No, score=-6.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BAAnC_Yh_yPx for <radext@ietfa.amsl.com>; Wed, 20 Sep 2023 04:10:50 -0700 (PDT)
Received: from mail-lf1-x129.google.com (mail-lf1-x129.google.com [IPv6:2a00:1450:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 343DEC14CE33 for <radext@ietf.org>; Wed, 20 Sep 2023 04:10:49 -0700 (PDT)
Received: by mail-lf1-x129.google.com with SMTP id 2adb3069b0e04-5041cc983f9so625568e87.3 for <radext@ietf.org>; Wed, 20 Sep 2023 04:10:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20230601.gappssmtp.com; s=20230601; t=1695208248; x=1695813048; darn=ietf.org; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=j1yxYWYhjR2fA1kwnsuFYNkf9lUm1CVCTJMOFeZIaXQ=; b=FtLeQYb4nsv9wm3+S22WSiWMI6VrVzOc62fSts58cU+xUp7lU7Bl9J2dh8By4Cc+ia yROP3WxnD1JqipZ2UeLG/SEmw6K74FNL8E+k0Eq4T+ddU2HU8W9q9IgaLjf/6agpJF0h gA1HKQ81n0EY1kfit0aEgq+enTz9+rPyGCQhFeDsguj2P55dbDXvweJ+S+da5IjoJ/W/ HTH7XwEqkwXB6NJ7RgvTUjj17u8ECkCDEb0z0U3/mjJK8MemUaG5g5uRF3NV4ZJQ0f0e 2QzzlTgRT6ixSes9HT4DGvoKe1wJvAP9zCmtfLIujKI2a8Jcj8b+foAtUxgoi7vWncyg gQDw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695208248; x=1695813048; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=j1yxYWYhjR2fA1kwnsuFYNkf9lUm1CVCTJMOFeZIaXQ=; b=KKdyJ5DOkjB/grFBeTYpU8vk5wPETLpKzFN0+AdY5aUdj9Iatbn+/iSHFfwVHXcHFQ crT5zv5hUBWu5ZL259vPg3nHGjfuDcWMKYVBxswdnZlwAs4Asc59vISoSQWFEZMUQdYl VEwitdGPxuxwZLHODVgV7kyyDZ2sewhvXq7XDjka4Vxjzmp4bXcoIj4axLHq1i3EaAtI rafJODayffJtdPujvRTTMntBPi5dNJYjScHgQyloI7g4brIprGkJbIJzCSoX8WiVn1Qw wkCXb/uXY88s3/8Oh16O3o6zTdZK9XKhkRVYo7PVuYSzB/+7GKL41joLOjYUx4xCsTU9 v5TQ==
X-Gm-Message-State: AOJu0YxnHPz02ruBbSCpqMJsZ2L2HOZSak6N8dWjTv595QPmwtI5iuWJ F//75RGAnT8jXApEtlr77TmWF9bDi9QNyGL0/QR9+zXXNQOdeqLcY4s=
X-Google-Smtp-Source: AGHT+IE4/zCt/QRzfFBszWpKcbcP6hasTCRjQ716IZqGBhAJAqaRpxT22+KMBypa19GKqgwQ07GPE7Xz9D8VYY+g18E=
X-Received: by 2002:a05:6512:4002:b0:4fe:25bc:71f5 with SMTP id br2-20020a056512400200b004fe25bc71f5mr2349040lfb.11.1695208247911; Wed, 20 Sep 2023 04:10:47 -0700 (PDT)
MIME-Version: 1.0
References: <169290062850.51444.4789101133837195921@ietfa.amsl.com> <EFF9D14C-6714-4168-8C2D-A03DCB9ADFFB@deployingradius.com> <B88BB843-C4C3-418F-A6CA-4F360EB67C95@deployingradius.com> <CAA7Lko_oL5Oy9T52JnwUiaZDvUhwed8hivysoSuqY1jhXF=Ziw@mail.gmail.com> <8081E8F9-3818-43ED-8C82-3EBB093BCDBB@deployingradius.com> <02aa01d9eb9a$1e9f5630$5bde0290$@gmail.com>
In-Reply-To: <02aa01d9eb9a$1e9f5630$5bde0290$@gmail.com>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Wed, 20 Sep 2023 14:10:31 +0300
Message-ID: <CAA7Lko--Db0vf-kObf_021aHh7WzVv6yF-0gPq8uh82MhP2CQA@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="0000000000007001320605c86d8c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/WgMDxetUkAkh5T_1EATIjpP47qg>
Subject: Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2023 11:10:53 -0000

On Wed, 20 Sept 2023 at 11:11, Valery Smyslov <smyslov.ietf@gmail.com>
wrote:


> > > OpenSSL 3.0 supports PSKs up to 512 octets (not bits)  which gives the
> possibility to have strong PSKs.
> > The current text in the draft would at least require some justification
> if it is to be kept.
> >
> >    Perhaps "Where TLS-PSK is used across the Internet, PSKs MUST contain
> at least 256 octets of
> > entropy.".
>
> I don't think that requiring the PSK to have 256 octets or more of entropy
> makes it stronger, at least for TLS 1.3.
>
> The way PSK is used in TLS 1.3 always limits its entropy to the
> value of HKDF-Extract output size (*), it's 256 or 512 bits depending on
> the used hash function.
>

Is it 384 bits TLS_AES_256_GCM_SHA384 cipher suite, when considering cipher
suites defined in RFC 8446? In other words, since the rest in the RFC use
SHA256, they are limited to 256 bits. And if there were cipher suites with
SHA512, then those would be limited to 512 bits? I'm just curious to
understand how these things go, I don't think it matters for the draft.


> All the rest of PSK entropy (if any) is immediately lost.
>
> That said, it may make sense having longer PSKs, because the method they
> are generated
> may be imperfect, so the entropy may be far less than their length.
>

Here's the reason why OpenSSL 3.0 started supporting PSKs up to 512 octets:
    https://github.com/openssl/openssl/pull/12777
There seem to be devices that only accept 512 octet long PSKs.

Related to PSKs, OpenSSL 3.0 also increased PSK identity maximum length to
256 octets:
    https://github.com/openssl/openssl/pull/12771
The pull request has a pointer to a specification that uses very long PSK
identity values. A web search finds a slideset with an example that uses
120 octet long identity.

(*) I remember when Hugo Krawczyk explained this fact with regard to IKEv2
> design -
> no matter how longer keys are used, the output of prf (HKDF-Extract in
> case of TLS 1.3)
> limits the value of entropy in the protocol.
>

Thanks for this information. Sounds like it's worth recommending long PSKs
but it's not useful to aim for 256 octets of entropy. RFC 9257 says 128
bits (not octets) is required.

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com

v2.23.0 | Report a Bug | By Email