Re: [TLS] Selfie attack

John Mattsson <john.mattsson@ericsson.com> Fri, 11 October 2019 07:38 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>, Christian Huitema <huitema@huitema.net>, Christopher Wood <caw@heapingbits.net>, Mohit Sethi M <mohit.m.sethi@ericsson.com>, "TLS@ietf.org" <tls@ietf.org>
Date: Fri, 11 Oct 2019 07:38:49 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/2xdM1c6ApbwQKlZ7sJZt1vQGdiM>

Thanks Mohit,

Re-reading the Selfie paper I see that the authors define Client Alice and Server Alice as different members of the group. That makes things clearer. I think there are three cases:

  1.  Use cases where only Client Alice and Server Bob share the PSK are not vulnerable to the Selfie attack.

  2.  Cases where Alice, Bob, and Caesar share an external PSK seem like misconfiguration, I assume TLS 1.3 just forgot to explicitly forbid them.

  3.  The interesting use case is where Client Alice, Server Alice, Client Bob, and Server Bob share a PSK. That is a very valid use case and one that is currently deployed in several systems.

To do as the Selfie authors suggest “A PSK MUST NOT be shared between more than one client and one server” seems way too drastic as it forbids 3 above. For 3 I think the Selfie attack can be very easily mitigated by forcing clients to check incoming ServerHello.random.

I think something like the following updates for RFC 8446 would be enough:

“A PSK MUST NOT be shared between more than two endpoints”

“An endpoint receiving a ClientHello with PSK authentication MUST check that the ClientHello.random is not equal to a ClientHello.random that the endpoint previously sent and has not received a ServerHello.”

Cheers,

John

From: TLS <tls-bounces@ietf.org> on behalf of Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>
Date: Tuesday, 8 October 2019 at 21:08
To: Christian Huitema <huitema@huitema.net>, Christopher Wood <caw@heapingbits.net>, Mohit Sethi M <mohit.m.sethi@ericsson.com>, "TLS@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Selfie attack


Hi Christian,

It was my poor attempt at explaining the attack. The attack can happen as long as a node sends outbound connections (as a TLS client) and accepts inbound connections (as a TLS server) with the same external PSK and identity. This is likely to happen in some form of group communication but not necessarily.

In such a scenario, a malicious node Eve can fool Alice to open a connection to herself (hence the name Selfie).

Admittedly, UKS/misbinding/selfie are somewhat hard to comprehend sometimes (at least for me).

--Mohit
On 10/8/19 9:51 PM, Christian Huitema wrote:

On 10/8/2019 9:46 AM, Christopher Wood wrote:

On Tue, Oct 8, 2019, at 2:55 AM, Mohit Sethi M wrote:

Hi Chris,

For the benefit of the list, let me summarize that the selfie attack is only relevant where multiple parties share the same PSK and use the same PSK for outgoing and incoming connections. These situations are rather rare, but I accept that TLS is widely used (and sometimes misused) in many places.



I may be getting old but the way Mohit writes it, it seems that the attack happens when the security of a group relies on a secret shared by all members of the group, and can then be compromised when one of the group members misbehaves. How is that a new threat? If groups are defined by a shared secret, then corruption of a group member reveals that shared secret to the attacker and opens the path for all kinds of exploitation. In what sense is the "selfie" attack different from that generic threat?

-- Christian Huitema
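
The ClientHello.random check proposed at the top of this thread, as an added example that is not part of any message in the thread: a simplified model of one endpoint that uses the same external PSK as TLS client and as TLS server. The `Endpoint` class, the `mac` helper and `run` are hypothetical names, and the HMAC calls stand in for the TLS 1.3 binder and Finished computations rather than the real key schedule.

```python
import hashlib, hmac, os

def mac(psk, label, *parts):
    # Stand-in for the TLS 1.3 binder/Finished MACs (assumption: no real key schedule).
    return hmac.new(psk, label + b"".join(parts), hashlib.sha256).digest()

class ReflectedClientHello(Exception):
    pass

class Endpoint:
    """Acts as TLS client and server with one external PSK (hypothetical model)."""
    def __init__(self, psk, check_reflection):
        self.psk = psk
        self.check_reflection = check_reflection
        self.pending = set()  # ClientHello.random sent, ServerHello not yet received

    def send_client_hello(self):
        rnd = os.urandom(32)
        self.pending.add(rnd)
        return {"random": rnd, "binder": mac(self.psk, b"binder", rnd)}

    def on_client_hello(self, ch):
        if not hmac.compare_digest(ch["binder"], mac(self.psk, b"binder", ch["random"])):
            raise ValueError("PSK binder mismatch")
        # Proposed check: refuse a ClientHello.random we sent and that is still unanswered.
        if self.check_reflection and ch["random"] in self.pending:
            raise ReflectedClientHello("our own ClientHello came back")
        srv = os.urandom(32)
        return {"random": srv, "finished": mac(self.psk, b"finished", ch["random"], srv)}

    def on_server_hello(self, ch, sh):
        expected = mac(self.psk, b"finished", ch["random"], sh["random"])
        if not hmac.compare_digest(sh["finished"], expected):
            raise ValueError("Finished mismatch")
        self.pending.discard(ch["random"])
        return True  # the client now believes its peer is the other PSK holder

def run(check_reflection, reflected):
    psk = os.urandom(32)  # constructed sample key shared by Alice and Bob
    alice, bob = Endpoint(psk, check_reflection), Endpoint(psk, check_reflection)
    ch = alice.send_client_hello()
    responder = alice if reflected else bob  # the network decides where the message lands
    try:
        return alice.on_server_hello(ch, responder.on_client_hello(ch))
    except ReflectedClientHello:
        return False
```

`run(check_reflection, reflected)` returns whether Alice's client completes the handshake: without the check the reflected handshake completes against Alice's own server side, and with it only the reflected case is refused while the Alice-to-Bob handshake still succeeds.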


