IETF Logo Mail Archive

Re: [TLS] The future of external PSK in TLS 1.3

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sun, 20 September 2020 11:19 UTC

Return-Path: <Hannes.Tschofenig@arm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CAC743A127E for <tls@ietfa.amsl.com>; Sun, 20 Sep 2020 04:19:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=eFtUeP/d; dkim=pass (1024-bit key) header.d=armh.onmicrosoft.com header.b=eFtUeP/d
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Es5fVTUW9veW for <tls@ietfa.amsl.com>; Sun, 20 Sep 2020 04:19:01 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2076.outbound.protection.outlook.com [40.107.22.76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CEF43A127D for <TLS@ietf.org>; Sun, 20 Sep 2020 04:19:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iY7xRXnwRMdt5xkd1IpxTupJyGQxCb03PYpJqjRJbJw=; b=eFtUeP/dAnnzZ++rLk7SC476nvg79MAzJeyxbLrb0LbjDX0AFZOmUcorERwTo6JkhBrcjaDMa0/v0MYb5QZpraJX03Lnq32mU5JWXMYTz+6PjHo2TQ5KbrE9MMK9OF7iZKkTkvgLouvHyQJoCLgJtt8jwBDeTkuhahu5zOlyQ9w=
Received: from DB6PR0202CA0030.eurprd02.prod.outlook.com (2603:10a6:4:a5::16) by VE1PR08MB5725.eurprd08.prod.outlook.com (2603:10a6:800:1b0::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.14; Sun, 20 Sep 2020 11:18:58 +0000
Received: from DB5EUR03FT022.eop-EUR03.prod.protection.outlook.com (2603:10a6:4:a5:cafe::b8) by DB6PR0202CA0030.outlook.office365.com (2603:10a6:4:a5::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.13 via Frontend Transport; Sun, 20 Sep 2020 11:18:58 +0000
X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 63.35.35.123) smtp.mailfrom=arm.com; ietf.org; dkim=pass (signature was verified) header.d=armh.onmicrosoft.com;ietf.org; dmarc=bestguesspass action=none header.from=arm.com;
Received-SPF: Pass (protection.outlook.com: domain of arm.com designates 63.35.35.123 as permitted sender) receiver=protection.outlook.com; client-ip=63.35.35.123; helo=64aa7808-outbound-1.mta.getcheckrecipient.com;
Received: from 64aa7808-outbound-1.mta.getcheckrecipient.com (63.35.35.123) by DB5EUR03FT022.mail.protection.outlook.com (10.152.20.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.15 via Frontend Transport; Sun, 20 Sep 2020 11:18:57 +0000
Received: ("Tessian outbound 195a290eb161:v64"); Sun, 20 Sep 2020 11:18:57 +0000
X-CR-MTA-TID: 64aa7808
Received: from f68fe8b1d347.1 by 64aa7808-outbound-1.mta.getcheckrecipient.com id D3D764D4-573F-4D80-8692-CBF0223A93B9.1; Sun, 20 Sep 2020 11:18:52 +0000
Received: from EUR03-DB5-obe.outbound.protection.outlook.com by 64aa7808-outbound-1.mta.getcheckrecipient.com with ESMTPS id f68fe8b1d347.1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384); Sun, 20 Sep 2020 11:18:52 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bglAtoloo8wRDc2nncn2O5GT8pJ2CgtSTNu4DULlGCLYnCCzou7jjAZW0dE87CoTpxPNkoV2szHITV9IWwKcVOXWgPDg7iqpWRD2DvYgg4hdppNDdOMdoMFJA3pCl5h4edLQWwExY58f0fUDrVu6qNkIHI0TV99zCdc8sKtlRTg94Kjc5r0HSELBAK+20e9S7gmHWVh2nHe47qG/9ZFB5yCkoxShpC6gkdin2OzxWL/KZQsSKB0HKIXRF63eLiwvWd4KPZMZnEHYZOys4gt9zFMFAWKt08vFFfuJ6DcnwUKKsBxVBaiYwrE1z5h3O3kcqOdh5lwnNfGyM5pi/BVR/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iY7xRXnwRMdt5xkd1IpxTupJyGQxCb03PYpJqjRJbJw=; b=QPV3CMfkmGGjFNmhN5oDKujZYzsP939IMrxf4YiKtMiJma+KhmwK+4juRXw8EVSrvzfAK/xNmXw2Mb3nGbMZE7pP1AXi2l9sMYYKi2yhVUoVjIAUvx93N8aavPDMHcqBgUdp+XB6UGUvKEdm+RxhslpZbAyG8aGCiQhBp8wqcS4WYt9cg1iaWaeLs3SP6BgJQ4aJZmdabOPXm0FwuneBXwOew/wRT7OOB8E3/E28r+bKxrgWeJGE5WOpa5QopgOXvUNcweGcGSDhDtxsVpNnbqhonATsogc4Sb8Hzo4pyrszLpkJyYWZrw6m33Yce/9gN3uGkA3GeGHdG7p9cwFEzw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=arm.com; dmarc=pass action=none header.from=arm.com; dkim=pass header.d=arm.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=armh.onmicrosoft.com; s=selector2-armh-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iY7xRXnwRMdt5xkd1IpxTupJyGQxCb03PYpJqjRJbJw=; b=eFtUeP/dAnnzZ++rLk7SC476nvg79MAzJeyxbLrb0LbjDX0AFZOmUcorERwTo6JkhBrcjaDMa0/v0MYb5QZpraJX03Lnq32mU5JWXMYTz+6PjHo2TQ5KbrE9MMK9OF7iZKkTkvgLouvHyQJoCLgJtt8jwBDeTkuhahu5zOlyQ9w=
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com (2603:10a6:208:106::13) by AM0PR08MB4289.eurprd08.prod.outlook.com (2603:10a6:208:148::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.15; Sun, 20 Sep 2020 11:18:51 +0000
Received: from AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::900e:c64d:a006:4860]) by AM0PR08MB3716.eurprd08.prod.outlook.com ([fe80::900e:c64d:a006:4860%6]) with mapi id 15.20.3391.015; Sun, 20 Sep 2020 11:18:51 +0000
From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: The future of external PSK in TLS 1.3
Thread-Index: AQHWjng9Pwzr8fTsOkSjvpJZy/djPKlxXIkg
Date: Sun, 20 Sep 2020 11:18:51 +0000
Message-ID: <AM0PR08MB3716290E5BA677DA88625042FA3D0@AM0PR08MB3716.eurprd08.prod.outlook.com>
References: <77039F11-188E-4408-8B39-57B908DDCB80@ericsson.com>
In-Reply-To: <77039F11-188E-4408-8B39-57B908DDCB80@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ts-tracking-id: ACC4CE55C046084AADB9977B72187342.0
x-checkrecipientchecked: true
Authentication-Results-Original: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=arm.com;
x-originating-ip: [80.92.122.149]
x-ms-publictraffictype: Email
X-MS-Office365-Filtering-HT: Tenant
X-MS-Office365-Filtering-Correlation-Id: 4d4fb824-fe2a-47f6-1c7c-08d85d56f7dc
x-ms-traffictypediagnostic: AM0PR08MB4289:|VE1PR08MB5725:
X-Microsoft-Antispam-PRVS: <VE1PR08MB57256A614ED4D228191006E4FA3D0@VE1PR08MB5725.eurprd08.prod.outlook.com>
x-checkrecipientrouted: true
nodisclaimer: true
x-ms-oob-tlc-oobclassifiers: OLM:9508;OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam-Untrusted: BCL:0;
X-Microsoft-Antispam-Message-Info-Original: WYWKl+7bKZWlDA7zq0GLM3shpokNs6JIBFfqPE8wPOUWynf/E1BA7AI+Pix9rbOq8X23FKakCM6Zlk6vL5p350gUZiop3QUN8iyMSuQvzmPdyTD8vmsgMNc+O54WdPNPqXs30ZFieMl8YPIF9kR24ugA9ran1e2OVZ5hzHxUuEWdaJePZ8aVL4TY3vJUNAP2IdB3li2mptmfpfEEe9g58tYoLMnDb4/xbsjAZjWKYSQlX7Jj1eCPBWtDjCaS68YxsQDLuabEYWp805td9v03fFLOIDa5e+vye/jvLBSC06g4cFCzDiv5XmQHefbUMCPWy8JKxBHA5zzGz7geX5qfOkrRH8sLehsw2WbBly/jvETzrA59L47m254T8A+yAPTxHbvcEPdATzuxFvn+BUG29w==
X-Forefront-Antispam-Report-Untrusted: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0PR08MB3716.eurprd08.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(136003)(39850400004)(396003)(366004)(71200400001)(33656002)(478600001)(5660300002)(6506007)(86362001)(83380400001)(8936002)(52536014)(186003)(26005)(2906002)(110136005)(7696005)(53546011)(316002)(66446008)(66946007)(76116006)(8676002)(64756008)(66556008)(66476007)(966005)(55016002)(9686003); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: F6KEuVgH4yEF3rLcgcd5CN4/SZtCP5p/T92+nI4HbVuC3DNLJKWGpseV+f9dur7lm1kYnCcDHhRLNu+/Gt2/5rN75GCOGu6vpn0B647Yw22jXmztb7tKnYBYFLZuBY8FYucxchfVKJOnxHMCo1RTigkEOb6Lj6h7r8TmqTNVPljbv5e+JggTu0wXGZAJudRufHifrF0R5ijBoI1F54TOC5l++gPaH9+vR9jckWBlvzNAoMIlrAsGhvpOcOlS1QbeG2TD18wHKR3+6MpUhmpznmC5NCxrZ1GxeAzF+TsPPdYqAw5+s6fZ/QSJ/ytsDwuL3AtsalbDMX1Y6ncanLzxuTADhwO7ENYYo7AzWy62Qkwx1FcVW4nG41BdeWo/Z07pO5ZTgP6sApVV/2SKqmgw191GBjaptjMcVhkuDo2L804kWsIKQlUfi/LIwyQSmq02aU/KzWBqLElQT+Wx86R47l2SQiVEyDij84LH/12SCuE35CUVj0TIZVYEfLDABw+oKDexZdBcAAIt2+ND5pJd+PVWf27wGVcUTn4cTr6WXWd0oPWQI6pVYHzJmekzYoiYJ9p5KO2eK/QxcIcWvNRVHwKsD3Pkb0y985kny2ONBHKeYcK8eai+V3CjIgJEPpadEmRftqb8XIF9E93eMep20Q==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0PR08MB4289
Original-Authentication-Results: dmarc.ietf.org; dkim=none (message not signed) header.d=none; dmarc.ietf.org; dmarc=none action=none header.from=arm.com;
X-EOPAttributedMessage: 0
X-MS-Exchange-Transport-CrossTenantHeadersStripped: DB5EUR03FT022.eop-EUR03.prod.protection.outlook.com
X-MS-Office365-Filtering-Correlation-Id-Prvs: e9417ca3-c3d8-447d-1394-08d85d56f416
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: qjMUvREB6+s/sfy0Gl1AYSd4vXb56dLAP6KYiJVVllxuZ+5bQwsdQ25CrmamHWy/Z/XK55WYuO9+uhA1l7VrBEDauXQvH27DuKptBf1Usph6EBXvytkLNjfOhMgKEeckYfzz2LDHkpdHarduom7UO7Zb3yMa9kYDOz+HhNyLpfVb1tTd8nC5eQv8DKH4AsC+P7sPC5puCp+T9Tv0AIRQo/MWZwdQ7A7KDG2bfcF23mgY7chtNUjDzx38iASL5CmmHwUHJHLo+OIyc+u4UKC8SfSc/69hQUk7XS+zlzEHDXqvJcb9uW9+5AjXXyAoGMUzTk/w9ksO9IMbMBMJ1Cb+tvYCayoc37HcS+ghcnrTJN6H8RA4rHfNUTlT5hlpTZ9zAxky5JBxkWVwv+WHe/C0LB7s46WuU6Pr6vqJMD5iMf4uEcptVcPgYHQJOLrRmiu4cdxNq3a6J7lXu/jX7DrT4Io0dLMnbb2PSPI1p58z7S/nlC9XDhYSOD4pTLNDvkp5fxYMXWBMXNyrY6xGcbGPsA==
X-Forefront-Antispam-Report: CIP:63.35.35.123; CTRY:IE; LANG:en; SCL:1; SRV:; IPV:CAL; SFV:NSPM; H:64aa7808-outbound-1.mta.getcheckrecipient.com; PTR:ec2-63-35-35-123.eu-west-1.compute.amazonaws.com; CAT:NONE; SFS:(4636009)(39850400004)(396003)(376002)(346002)(136003)(46966005)(70586007)(33656002)(6506007)(53546011)(2906002)(8676002)(8936002)(7696005)(70206006)(47076004)(5660300002)(82310400003)(316002)(52536014)(86362001)(966005)(186003)(478600001)(336012)(26005)(9686003)(356005)(81166007)(55016002)(110136005)(83380400001)(82740400003); DIR:OUT; SFP:1101;
X-OriginatorOrg: arm.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 20 Sep 2020 11:18:57.9763 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id: 4d4fb824-fe2a-47f6-1c7c-08d85d56f7dc
X-MS-Exchange-CrossTenant-Id: f34e5979-57d9-4aaa-ad4d-b122a662184d
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=f34e5979-57d9-4aaa-ad4d-b122a662184d; Ip=[63.35.35.123]; Helo=[64aa7808-outbound-1.mta.getcheckrecipient.com]
X-MS-Exchange-CrossTenant-AuthSource: DB5EUR03FT022.eop-EUR03.prod.protection.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VE1PR08MB5725
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jslvU7osPWUOUJFwqe5EXWJdoWk>
Subject: Re: [TLS] The future of external PSK in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 20 Sep 2020 11:19:04 -0000

John,

The use of plain PSK makes a lot of sense because it provides the lowest footprint solution for really constrained systems. Given that the LAKE group wanted to focus on constrained IoT devices makes the decision by the group questionable.

As you know, TLS 1.3 merged the handling of PSKs previously found in three different RFCs, namely session resumption, ciphersuites with PSK, and session resumption without server-side state into one solution. As such, there is not even extra cost associated with external PSKs.

I have been arguing that a solution that uses PSKs with ECDHE, as you proposed in RFC 8442, is less useful because very constrained are not going to use the asymmetric crypto needed for the ECDHE. Those deployments could instead go directly to a raw public key solution instead.

Ciao
Hannes

-----Original Message-----
From: TLS <tls-bounces@ietf.org> On Behalf Of John Mattsson
Sent: Saturday, September 19, 2020 1:30 PM
To: TLS@ietf.org
Subject: [TLS] The future of external PSK in TLS 1.3

Hi,

Recent discussions in 3GPP, ACE, and LAKE about the use of symmetric keys for authentication and key exchange made me think about the future role of external PSK in TLS.

https://mailarchive.ietf.org/arch/msg/ace/A60CFIvUohBwAXi_JuMKkQanZak/

I authored RFC 8442 because I believe PSK+ECDHE is needed for legacy systems. Due to the major privacy, security, and deployment limitations with PSK, I see little need to use PSK (besides resumption) in new systems, except for the use case in RFC 8773.

LAKE recently removed PSK authentication completely as it does not produce smaller messages and comes with severe privacy and deployments problems. Increasing code size (a few kB) and slightly increased computation/latency was not seen as a big problems.

Looking at the IANA TLS registry, I am surprised to see that psk_dhe_ke and especially psk_ke are both marked as RECOMMENDED. If used in the initial handshake, both modes have severe privacy problems, and psk_ke does not give PFS, thus making pervasive monitoring much easier. If groups keys are used, additional security problems arise. All TLS 1.2 cipher suites without (EC)DHE has for good reasons been marked as NOT RECOMMENDED.

I have recently seen several people arguing that the inclusion of PSK in TLS 1.3 means that the use external PSKs are now recommended. I don't think that was the intension of the TLS WG.

I strongly think psk_ke should be NOT RECOMMENDED, except for resumption. Irrespectively of what ‘Y’ in the recommended column actually means, people are and will read it as recommended to use.

Cheers,
John

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

v2.23.0 | Report a Bug | By Email