IETF Logo Mail Archive

Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt

Valery Smyslov <smyslov.ietf@gmail.com> Wed, 20 September 2023 11:18 UTC

Return-Path: <smyslov.ietf@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D76E1C153CBB for <radext@ietfa.amsl.com>; Wed, 20 Sep 2023 04:18:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4mjiXa0ArGNX for <radext@ietfa.amsl.com>; Wed, 20 Sep 2023 04:18:43 -0700 (PDT)
Received: from mail-lf1-x132.google.com (mail-lf1-x132.google.com [IPv6:2a00:1450:4864:20::132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8934BC1527A0 for <radext@ietf.org>; Wed, 20 Sep 2023 04:18:43 -0700 (PDT)
Received: by mail-lf1-x132.google.com with SMTP id 2adb3069b0e04-5041cc983f9so638436e87.3 for <radext@ietf.org>; Wed, 20 Sep 2023 04:18:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1695208721; x=1695813521; darn=ietf.org; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:to:from:from:to:cc:subject:date:message-id :reply-to; bh=Apvnj8EyqCnxZ3Cyapj+BOUxhOFhZxvw7g7Fwh2FwL4=; b=afSEY8NXEPrsLBn3j3Q/lbN6r2lP9W3XXFe72rqiqPR6Ru77lNxiAu8zLNKBeaT2zH TwBpHYgPea+/zDKz9MFeqYQEPJnABIBg7rl8Y9PXvEmgOA7Wie4Yjifk1g/Zn/psL1wE Em4MczM9xEhNoqfM69wmmPj/o3Hs6ySue2csL89A/8Vx20MUg322FRlTtb6Lb5Vpyn7u dvmNUu4DG12QBB1r8uEWKnV16Ce7JFYm8ylMqZ4CFQExkDiAfhtmgwv0VacSuAIR1QiA 0MWN4NXqkGT9xIU9HFmrHe7w1y03Y7Yut2IeBB6gSOu+ldVWSBhB58i/f1pzFCSwuvtw E6Zg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695208721; x=1695813521; h=content-language:thread-index:mime-version:message-id:date:subject :in-reply-to:references:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Apvnj8EyqCnxZ3Cyapj+BOUxhOFhZxvw7g7Fwh2FwL4=; b=Hck4ZiLW6YwMhpxREni2J9asVcP1takz99j0pC7yEnc6eOshEOrBZYnoGDFnb71/Lj hXuARSHvkhsjIeaHQUTgBwdnh1omvK9Og9crE/9O+1y0IlaGVm/NRMtmBezPppl2x+d6 2DdPlW3bkwkJL46AJm8tcG0mj8vqhHKiIaEeIKAWROtYWDdSCG8KBgvsDkB4NP75usDu QHgfapyLALCEIYKRZNVxiMqkMU2fXz+dwNHkBm5nujGAHbNjvWsFsjH3Yxlg3sR8Ujs+ 6RacukdqEry0mtvfE/f8pcATOfj0TG0eGM18mTkotapVcfWulI4RXX6jRaRhoV9AO3ei NgCw==
X-Gm-Message-State: AOJu0YxNN19SA8tokiRwQ8u9fvS4zbqq46dYoth6hkdS1wWIFxrLfxeP vlUfZyWnCEInMUC2WTdU/zY=
X-Google-Smtp-Source: AGHT+IHu8eTAfvz3u1Kl3+wJrU3/n6Pgh1CDustgimal1Q0am4y2PNZ89AOsqyW8B6VYwxfh3nHdsg==
X-Received: by 2002:a05:6512:234d:b0:500:b9f3:1dc4 with SMTP id p13-20020a056512234d00b00500b9f31dc4mr2614884lfu.68.1695208720781; Wed, 20 Sep 2023 04:18:40 -0700 (PDT)
Received: from buildpc ([93.188.44.204]) by smtp.gmail.com with ESMTPSA id br38-20020a056512402600b0050318721b62sm1229943lfb.6.2023.09.20.04.18.40 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 20 Sep 2023 04:18:40 -0700 (PDT)
From: Valery Smyslov <smyslov.ietf@gmail.com>
To: 'Heikki Vatiainen' <hvn@radiatorsoftware.com>, radext@ietf.org
References: <169290062850.51444.4789101133837195921@ietfa.amsl.com> <EFF9D14C-6714-4168-8C2D-A03DCB9ADFFB@deployingradius.com> <B88BB843-C4C3-418F-A6CA-4F360EB67C95@deployingradius.com> <CAA7Lko_oL5Oy9T52JnwUiaZDvUhwed8hivysoSuqY1jhXF=Ziw@mail.gmail.com> <8081E8F9-3818-43ED-8C82-3EBB093BCDBB@deployingradius.com> <02aa01d9eb9a$1e9f5630$5bde0290$@gmail.com> <CAA7Lko--Db0vf-kObf_021aHh7WzVv6yF-0gPq8uh82MhP2CQA@mail.gmail.com>
In-Reply-To: <CAA7Lko--Db0vf-kObf_021aHh7WzVv6yF-0gPq8uh82MhP2CQA@mail.gmail.com>
Date: Wed, 20 Sep 2023 14:18:42 +0300
Message-ID: <02bd01d9ebb4$36cd38c0$a467aa40$@gmail.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_02BE_01D9EBCD.5C1C6C90"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AQJa5tJv5PII/yta85rxmkIHJQMYewGOEzf7ASCoHswBhBAcwwLVSuy8AThxCeMCt+/Ct67J1W2w
Content-Language: ru
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/dcNN-exHqzj-M5Nnm166UliQPpw>
Subject: Re: [radext] I-D Action: draft-ietf-radext-tls-psk-03.txt
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 20 Sep 2023 11:18:45 -0000

Hi Heikki,

 

On Wed, 20 Sept 2023 at 11:11, Valery Smyslov < <mailto:smyslov.ietf@gmail.com> smyslov.ietf@gmail.com> wrote:

 

> > OpenSSL 3.0 supports PSKs up to 512 octets (not bits)  which gives the possibility to have strong PSKs.
> The current text in the draft would at least require some justification if it is to be kept.
> 
>    Perhaps "Where TLS-PSK is used across the Internet, PSKs MUST contain at least 256 octets of
> entropy.".

I don't think that requiring the PSK to have 256 octets or more of entropy makes it stronger, at least for TLS 1.3.

The way PSK is used in TLS 1.3 always limits its entropy to the 
value of HKDF-Extract output size (*), it's 256 or 512 bits depending on the used hash function.

 

Is it 384 bits TLS_AES_256_GCM_SHA384 cipher suite, when considering cipher suites defined in RFC 8446? 

 

          Yes.

 

In other words, since the rest in the RFC use SHA256, they are limited to 256 bits. And if there were cipher suites with SHA512, then those would be limited to 512 bits? 

 

          Yes, that’s what I meant (I should have written “from 256 to 512” :-))

 

I'm just curious to understand how these things go, I don't think it matters for the draft.

 

          No problem :-)

 

All the rest of PSK entropy (if any) is immediately lost.

That said, it may make sense having longer PSKs, because the method they are generated
may be imperfect, so the entropy may be far less than their length.

 

Here's the reason why OpenSSL 3.0 started supporting PSKs up to 512 octets:

    https://github.com/openssl/openssl/pull/12777

There seem to be devices that only accept 512 octet long PSKs.

 

Related to PSKs, OpenSSL 3.0 also increased PSK identity maximum length to 256 octets:

    https://github.com/openssl/openssl/pull/12771

The pull request has a pointer to a specification that uses very long PSK identity values. A web search finds a slideset with an example that uses 120 octet long identity.

 

(*) I remember when Hugo Krawczyk explained this fact with regard to IKEv2 design - 
no matter how longer keys are used, the output of prf (HKDF-Extract in case of TLS 1.3)
limits the value of entropy in the protocol.

 

Thanks for this information. Sounds like it's worth recommending long PSKs but it's not useful to aim for 256 octets of entropy. RFC 9257 says 128 bits (not octets) is required.

 

          Yes.

 

          Regards,

          Valery.

 

-- 

Heikki Vatiainen
hvn@radiatorsoftware.com

v2.23.0 | Report a Bug | By Email