[skex] Re: Updates
Eric Rescorla <ekr@rtfm.com> Tue, 07 May 2024 16:55 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: skex@ietfa.amsl.com
Delivered-To: skex@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56EA4C14CE3B for <skex@ietfa.amsl.com>; Tue, 7 May 2024 09:55:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.894
X-Spam-Level:
X-Spam-Status: No, score=-6.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UjwQMVsQTUie for <skex@ietfa.amsl.com>; Tue, 7 May 2024 09:55:31 -0700 (PDT)
Received: from mail-yw1-x112e.google.com (mail-yw1-x112e.google.com [IPv6:2607:f8b0:4864:20::112e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED783C151077 for <skex@ietf.org>; Tue, 7 May 2024 09:55:30 -0700 (PDT)
Received: by mail-yw1-x112e.google.com with SMTP id 00721157ae682-61df496df01so26024537b3.3 for <skex@ietf.org>; Tue, 07 May 2024 09:55:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20230601.gappssmtp.com; s=20230601; t=1715100930; x=1715705730; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=FAgyL1mgGF3ugnZq5os9h8oo2pjaosexLHwez35JwQM=; b=0We1PS13OONTIKRO0rBnmGQkdmHut74ti5daaAMYQz+Uyz42/QzWpr/Knzw7OsPd5k 39pgVk+Dldaq5r3Y2s1XHheMMFuemuB1YBZlq/UpQci9k5PkajioTPrhKtLTL/efWGvZ W1g3YqGdS3wuMGzRYoqsv8D2iGIQNUARX/AdYelJrSRGADCozlXuLwH+wMwEglOa7qOz V15iAE5g9WpDMKChbcghxVaFR943W+kHuAHL3MNwSHbTdFGEnA8cD1XybqlMwR0U7AEF 3Ckndr2A57EIZaUNoDAgGiXOZC0Fje8sjLHOX1xjJVXY07OneaFBcy68k8ZmAS9fiYty OFMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1715100930; x=1715705730; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=FAgyL1mgGF3ugnZq5os9h8oo2pjaosexLHwez35JwQM=; b=vYGHTM9AFT5lvdVuuNaHDA6u1VO9qXCe0lRa1C23XFFglWXET+fwm2sLRc5azAAAcU cXlRekEOAd6xTkh7ZWdTNaYECUH98VBpUkA16cjKUja0+aSXhYT57ZhRCddxp2xN/RbJ t4SXaEScsxsrF+7/MMwFQIP5yCqCD0w9ZelAmr6BfK7O7Not4jbOEoheSbXHmT+lMorg oXSo1UcXKjL7nYTop6IBd0l60Y6lHX+1Vmj81WO4TbvRfsPhaujnAdhIVZUIb2C74Z30 Bh3B28xU4RCq0/J2ptju6zFUzOeIBkhSXMTnHv1+Du8pvPvqCtutYsl5du08jcbHN+pm 2+uA==
X-Forwarded-Encrypted: i=1; AJvYcCWL6Xbkxdqe//+v57FPWgof+tg4URiGNcKFQwA3qbPj1yNuXhEdrVHyer3FJU/zIKxCbXgLSxIimd/stujL
X-Gm-Message-State: AOJu0YyltEPkkQP3hb9Lq0nkWJx82AdlI2XSA/ZBXchFUpc8H0K44leh eDn8+Y/TAWpVb9L56luqcMOjVkRUYFkZ6UMOeXDby+IIbuivO8I0JJ2RXUyfJKFP8AQ3LnVbEYN IKSLeYSItLaUj+d11R2g+Nex7XNA8c6hrXZ41DXQ2wmyw9uj3
X-Google-Smtp-Source: AGHT+IFeaGVCp7pDKUiVvCG75iQBbsPFpgyaRdn9rebx65ROBs8UKu5P6ofSIJbgALCb1ySb2yhCILBJ0yImBFgn7Gk=
X-Received: by 2002:a81:a1d5:0:b0:61a:cf94:97a6 with SMTP id 00721157ae682-62085d1f4f3mr4400737b3.8.1715100929725; Tue, 07 May 2024 09:55:29 -0700 (PDT)
MIME-Version: 1.0
References: <CAL96d54YVBVT-EmEWM91koEo+3peH4Bd7sR6tn+6ANx52UE1iQ@mail.gmail.com> <a8f08ac6ec5444328e1791ff6118b368@huawei.com> <CABcZeBMOQe1oW3Z4R1YXU9x1yS3KhA5zoLDzo9me3TrFFFh6xA@mail.gmail.com> <CAL96d57DKxRShCas6AfR2dApFP4htcmpJuBk0j41+FAmAy8Q_A@mail.gmail.com> <CABcZeBNqApLgewOPFO00k7yUpii13VcOYRQKz7S3vzqNedr1wA@mail.gmail.com> <YT4P288MB0279D24AA090FE8FA532ECF48DE42@YT4P288MB0279.CANP288.PROD.OUTLOOK.COM>
In-Reply-To: <YT4P288MB0279D24AA090FE8FA532ECF48DE42@YT4P288MB0279.CANP288.PROD.OUTLOOK.COM>
From: Eric Rescorla <ekr@rtfm.com>
Message-ID: <CABcZeBOYUJ2XYVzjhdd_M1QKgA7nh1eNughyBQx8k2=ckG3P5A@mail.gmail.com>
To: Tony Rosati <tony.rosati@evolutionq.com>
Content-Type: multipart/alternative; boundary="000000000000abb2a90617e00df6"
Message-ID-Hash: H4ZEEG6IOHMD5IUJLOTL3GKTLTMOBG3M
X-Message-ID-Hash: H4ZEEG6IOHMD5IUJLOTL3GKTLTMOBG3M
X-MailFrom: ekr@rtfm.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Manfred von Willich <manfred.vonwillich@quantumbridge.io>, "skex@ietf.org" <skex@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [skex] Re: Updates
List-Id: Symmetric Key Exchange <skex.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/skex/bLbgSfMAo2ztQIVJkTXowZmzP2o>
List-Archive: <https://mailarchive.ietf.org/arch/browse/skex>
List-Help: <mailto:skex-request@ietf.org?subject=help>
List-Owner: <mailto:skex-owner@ietf.org>
List-Post: <mailto:skex@ietf.org>
List-Subscribe: <mailto:skex-join@ietf.org>
List-Unsubscribe: <mailto:skex-leave@ietf.org>
Date: Tue, 21 May 2024 17:26:42 -0000
X-Original-Date: Tue, 7 May 2024 09:54:52 -0700
On Tue, May 7, 2024 at 7:00 AM Tony Rosati <tony.rosati@evolutionq.com> wrote: > Hi guys, > > > > To clarify, in RFC 8446, TLS-PSK only offers no FS. > Unfortunately, the situation is slightly more complicated than this. If you use a long-term PSK then knowledge of the PSK allows you to decrypt traffic. However, one of the main uses of PSK is for resumption, in which you establish a key in connection A using ECDHE and then use it in connection B. In TLS 1.2, these keys were the same, but in TLS 1.3 they are instead derived from the same original secret, but are otherwise independent, with the key needed for B being called the "Resumption Main (Master) Secret (RMS)". An attacker who learns the RMS is not able to decrypt connection A but could decrypt connection B, so you have FS for A. However, if the client and server delete the RMS after connection B is complete, then an attacker who compromises the client or server will not be able to decrypt B. So, in this case you do get FS for B. However, many TLS implementations do not have a database of the PSK/RMS pairs but instead have a single static key K_ticket, which they use to encrypt the RMS to form the PSK label. I.e., PSK-label = E(K_ticket, RMS). In this case, compromise of K_ticket leads to recovery of the RMS and so you don't get FS for B (though you still do for A,) But there is a PSK with ECDHE mode that does provide FS, correct? > Yes, though any 0-RTT data has the properties I mentioned above. -Ekr > > > Thanks > > Tony > > > > *From: *skex <skex-bounces@ietf.org> on behalf of Eric Rescorla < > ekr@rtfm.com> > *Date: *Monday, May 6, 2024 at 10:23 AM > *To: *Manfred von Willich <manfred.vonwillich@quantumbridge.io> > *Cc: *skex@ietf.org <skex@ietf.org> > *Subject: *Re: [skex] Updates > > > > > > On Mon, May 6, 2024 at 6:07 AM Manfred von Willich < > manfred.vonwillich@quantumbridge.io> wrote: > > > > On Mon, May 6, 2024 at 8:42 AM Eric Rescorla <ekr@rtfm.com> wrote: > > > > On Mon, May 6, 2024 at 5:34 AM Yanlei(Ray) <ray.yanlei= > 40huawei.com@dmarc.ietf.org> wrote: > > 1. In the new version of use cases, the use cases are divided into "PSK > for use in tandem with asymmetric key agreement" and "Standalone and other > key establishment". TLS belongs to the first kind of use cases. However, I > think TLS 1.3 also supports PSK-only key exchange mode and also belongs to > the second category. > > > > TLS 1.3 does in fact support a PSK-only mode, though it is not in wide use > because it does not provide PFS. > > > > Surely that is not quite true? As I understand it, TLS PSK-only allows > negotiation of which PSK to use with each session, providing PFS given a > suitable key establishment. Seen this way, the PFS limitation is not in > the PSK-only version of TLS, but in the mindset of the implementer. > > > > Yes, under the hypothesis that the PSK itself was created with some > mechanism that provides PFS, then TLS-PSK provides PFS. > > > > However, as a practical matter, TLS-PSK tends to get used in two modes: > > > > 1. A pre-arranged mostly static key. > > 2. TLS session resumption > > > > The first mode obviously doesn't offer PFS. The second mode has some > somewhat complicated properties depending on exactly how the Resumption > Main Secret is handled and whether you are using tickets or storing the > PSKs in a database, how you delete them, etc. (see > https://www.rfc-editor.org/rfc/rfc8446#section-8.1) > > > > As a practical matter, the implementor consensus seems to be to just use > PSK with a public key exchange. > > > > -Ekr > > > > > > Thanks for the reminder. I have now added the TLS PSK-only into my fork > of the use cases repo (still not merged to original). > > > > Manfred > > -- > skex mailing list > skex@ietf.org > https://www.ietf.org/mailman/listinfo/skex > >
- [skex] Updates Manfred von Willich
- Re: [skex] Updates Eric Rescorla
- Re: [skex] Updates Yanlei(Ray)
- Re: [skex] Updates Manfred von Willich
- Re: [skex] Updates Eric Rescorla
- [skex] Re: Updates RJ A
- [skex] Re: Updates Tony Rosati
- [skex] Re: Updates Eric Rescorla
- [skex] Re: Updates Christian Huitema
- [skex] Re: Updates Eric Rescorla
- [skex] Re: Updates Russ Housley