Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
Eric Rescorla <ekr@rtfm.com> Thu, 26 July 2018 18:48 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3E6413115B for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 11:48:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id p-jT7ePQBROf for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 11:48:09 -0700 (PDT)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 499AF130F3B for <tls@ietf.org>; Thu, 26 Jul 2018 11:48:08 -0700 (PDT)
Received: by mail-lf1-x133.google.com with SMTP id a4-v6so1894466lff.5 for <tls@ietf.org>; Thu, 26 Jul 2018 11:48:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=eX6bPgS4Y+VfzaAkB69AgczHLKJJkU1oAb/+1xsnhR0=; b=duDhxfCEkIHiuE+j8Ysko6IGYqhp6dsacHaBnavzaU0dBfx7GSzrrG5MHgQ8IuniHQ HIF7PKSigrRiBbOOaHcMOv25GNrCuKi1p12Y9JekajwqJcERgZZ+ozTtLhfxT9KB7v3T ++3JjPHliZyTcfNiDFgeL0tjVUTAdWeBB53R4qTKytwGhFIUpm2s4Tn6Bu7qDcbzPIPE D9PhfsmUhVF/jTfFuGV1U5naG93LGKytBgZo5h0cvJ9577fjWDLXlvN0jE1LKiqME2Q0 L2iCgjf0C7Lm5k7I/uV+QYLfUDDkvMo28iUMyZtiJ4IXRK9ZZRWfdVZZHsKCS+NkMfJt HTbQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=eX6bPgS4Y+VfzaAkB69AgczHLKJJkU1oAb/+1xsnhR0=; b=mBm6UTHN7Wi36166CgfUqFEtbb1MfsqwY5ybLqjpi3pAaNdd4RHBw31U9p1ojbvARX YwRkVWr/h0oUa2aaDxTH6dxwhsx2LCLhwYmgrIZMUVjExSOwj+TMXDk5MHBbYejqCuDH 1edSeZVeYs5+lz8tz9IfqxxRnj3FqDZqbsPt44U7wG2u/QDFJfmoGreCqcKMaD6frIg+ eTp0KmWhqG1vDTRzlLmQ6JDn/4EMCZUqv0dx12//tFBcF6EU3Dz7nfGSghVQutjDeSwA VL5DdFymhrah3xgfk4fLYubv45v38wAAv+sgDYGi04NZfg/KwX1IA1Ecs2lWukH2KGy0 sbsA==
X-Gm-Message-State: AOUpUlFgDUVLnUy4vt6+zmItmOylacFia9Z1Zqq4ezCYf7lyIjHf5RuM rId1314fDp7mwhvv1yL10/vrAQ74ullAJ18RL0YfDA==
X-Google-Smtp-Source: AAOMgpcgg2L6pApP1y9ovKkxpMQeHXvgcpHOf0ydaN2YK/qyLJWvuZQsf6oIl5vJhRangx+NPioPpXR2IWLA2JUyitU=
X-Received: by 2002:a19:1460:: with SMTP id k93-v6mr2035614lfi.15.1532630886044; Thu, 26 Jul 2018 11:48:06 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Thu, 26 Jul 2018 11:47:25 -0700 (PDT)
In-Reply-To: <20180726183835.GQ14551@akamai.com>
References: <20180719230009.GD14551@akamai.com> <CABcZeBO=LnxybFq2uog3UYoGgnb0KiE3oG=hGY5UWYauOtwMBw@mail.gmail.com> <20180726183835.GQ14551@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 26 Jul 2018 11:47:25 -0700
Message-ID: <CABcZeBNJUU0VKYeXrtjG6tOGKjG-u_Q+nVAmzx0r_=SvQGZG2A@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000088ecfd0571eb6f1f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2ABrvjsNmc5EJaNkUb4Es4-35jQ>
Subject: Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 18:48:20 -0000
On Thu, Jul 26, 2018 at 11:38 AM, Benjamin Kaduk <bkaduk@akamai.com> wrote: > On Thu, Jul 26, 2018 at 10:58:05AM -0700, Eric Rescorla wrote: > > Ben, > > > > Thanks for focusing on this issue. > > Just trying to make sure loose ends get wrapped up before TLS 1.3 goes > final... > > > Chris and I have been discussing an alternative design which we think > > is more consistent with the existing structure, which we call PSK > > Importers. As with your design, we have an input universal PSK, but > > (I think you mean David Benjamin's design?) > Oh, yeah. I originally meant to be responding to davidben and then forgot to edit the msg. > > > instead of using explicitly as part of the connection, we just use it > > as the base key to import a set of new PSKs into TLS. > > > > As with Universal PSKs (UPSKs), each input key is a triplet of > > (BaseIdentity, BaseKey, KDF), where a BaseIdentity is a PSK identity > > as used today. To use a UPSK, an implementation takes the set of KDF > > hashes it knows about H_i and derives a set of PSKs: > > > > Hash_i: H_i > > Identity_i: BaseIdentity || H_i > > Key_i: Derived from BaseKey and Identity_i > > > > This gives you a set of keys which you can offer simultaneously on the > > TLS connection in independent psk_identity blocks. (Note that the hash > > algorithm is what differentiates each derived key.) This is a bit > > ugly, but with the current TLS 1.3 ciphers, this basically just means > > SHA-256, but even in the worst case it’s probably only 2-3. > > > > The nice thing about this design is that if you know the set of hash > > functions, you can just compute all the imported PSKs in advance, and > > there’s no need to touch the internals of the TLS stack. This also > > means that if you have decided you don’t like old hash X, you don’t > > need to use it to compute PSK binders, you just use it do the KDF, > > which seems like it has weakersecurity requirements. > > > > Here’s a specific construction, but we’re flexible about the details: > > > > struct { > > opaque base_identity<1...2^16-1>; > > HashAlgorithm hash; > > } imported_psk_identity; > > > > UPSKx = HKDF-Extract(0, UPSK) // UPSK is the input universal PSK > > PSK = HKDF-Expand-Label(UPSKx, "derived psk", BaseKDF(psk_identity), > > TargetHash.length) // Might need to shorten label > > > > These functions would be executed with the KDF associated with the UPSK, > > but produce > > a key the size of the desired hash. > > > > This brings us to the question of TLS 1.2. I found Ilari’s analyis > > pretty persuasive, so I would suggest we add the following text to the > > TLS 1.3 spec: > > > > TLS 1.3 takes a conservative approach to PSKs by binding them to a > > specific KDF. TLS 1.2 allows PSKs to be used with any hash function > > (I know it's awkward to write about, but we don't really get away with > pretending that 1.2 1.3 are the only versions in the rest of the document.) > Fair enough. > > and the TLS 1.2 PRF. The constructions in TLS 1.2 and TLS 1.3, > > although both based on HMAC, are very different and there is no known > > way in which reuse of the same PSK in TLS 1.3 and TLS 1.2 would > > produce related output, although only limited formal analysis has > been > > done. Implementations MAY wish to avoid reuse of keys between TLS 1.3 > > and TLS 1.2, or use a key derivation proposal such as [Informative > ref > > to this email or a draft]. > > I might add "to avoid the risk of using under-analyzed cryptographic > constructions" > (or similar), but implicit might be good enough. > I like that. -Ekr > > > > Other than this, we wouldn’t make any changes to the document. > > > > What do people think? > > This seems like a good sort of approach to take (that is, make the key > derivation > for hash specificity something that happens outside of the TLS mechanics > itself), > given the context in which we're thinking about it. > > It might be worth going even farther, and including the target TLS version > in the > (derived) identities and keys. Though maybe the negotiation process means > that > doesn't actually protect against an attack; I haven't thought it through > enough. > > Thanks for putting this together, > > Ben (no hats) >
- [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3 Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… David Benjamin
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Jonathan Hoyland
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla