IETF Logo Mail Archive

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Thu, 26 July 2018 16:22 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 83C2D1311E6 for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 09:22:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mz_tSaSFq-jr for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 09:22:09 -0700 (PDT)
Received: from mail-qt0-x236.google.com (mail-qt0-x236.google.com [IPv6:2607:f8b0:400d:c0d::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E30D0131129 for <tls@ietf.org>; Thu, 26 Jul 2018 09:22:08 -0700 (PDT)
Received: by mail-qt0-x236.google.com with SMTP id e19-v6so2123836qtp.8 for <tls@ietf.org>; Thu, 26 Jul 2018 09:22:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=4qpksDxbEAgpi7qCzJbQh0HpJfqEUuM7orDaRMyv0o4=; b=e+M5wYm0JpnvupKI2ypKM08HTPwBo0UCNPac+7BhxHsF2arBM/g22DcMhEjnwFOKdp zMuxAeePVogPvsZzlzt4UtTHMLOCSGh4SueKKXli9feMMM1gGIYdR8gZ1HrHMUscSO6O D9Z1Le4sTr2R3P1TzCdUwfBAceiOeFmgvpVVkJqMw1i+59WNawitw0x7Nqz2MhnjjPnN 1C6jNpU+ZUgQQTHydxb4cMqw/niszFpG8PAoc2hZZTgGrmNe++QxLwYalGa+QkQokbqm g+B2YKoSIl5lBIy1gWXf9+Nx4RtFGqDDtV12fRqIA2Ihl/tVlMgJIPoUvPQZc4hygz1p hmLA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=4qpksDxbEAgpi7qCzJbQh0HpJfqEUuM7orDaRMyv0o4=; b=A2/6L5bLDwGD+RKt3C3PTQAizSxKwQjvZAgj2NYkCgKuser1FZc8w7TIcpHKFNnWxv UL4Zc/De4G9LmplXbUB8QCaQVg4hhVH6R6eUfSbfn0JB+NRqJRucqNNyO6PPaAE0wvCa mfH/pVk1FNP/bK/+mqd0TPmXe3owAaiG45oBvlriFgyXwETHJ5Io/xZX4sJnSrRmMxdn vDY5AJsRLFaI5sd0NrZnkilPiDvf0tjte2IUJ9lGZz+BB3y30sRRCho+16eutlEDK5ay JrITKOVsH7OMP4xGGt06FD0qcpSdCImmdm6doclfZG91ESFgjWzSJjTqqsoQTS29NKQV Nsrw==
X-Gm-Message-State: AOUpUlFpdkWJp3kw4RqTWcX7QmDBJe7ev79k9ri3dMke/7c2Sn9L8S/V O/wLOZCLKWsmZ7Yy1P4J5zg=
X-Google-Smtp-Source: AAOMgpe8FEMxULR7t1vSNor+lJhMsiDvvbL+V4Hm1vSWBURVeSe2ELyNQxtJ9euD3L8rciw0YsO8gA==
X-Received: by 2002:ac8:1834:: with SMTP id q49-v6mr2574908qtj.223.1532622128021; Thu, 26 Jul 2018 09:22:08 -0700 (PDT)
Received: from [192.168.0.101] (pool-71-241-128-60.burl.east.myfairpoint.net. [71.241.128.60]) by smtp.gmail.com with ESMTPSA id g39-v6sm1236587qtb.47.2018.07.26.09.22.05 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 26 Jul 2018 09:22:07 -0700 (PDT)
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Message-Id: <DA04D974-EAA4-4166-BC01-49558D518BE5@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C7702972-9C40-45D4-AE03-D4CB302ED930"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Thu, 26 Jul 2018 12:21:59 -0400
In-Reply-To: <CABcZeBMyiNVX8abMd5OTwr6SrHWmTBnS2mV6U9=cPdbkgYxEWg@mail.gmail.com>
Cc: Nikos Mavrogiannopoulos <nmav@redhat.com>, "<tls@ietf.org>" <tls@ietf.org>, Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>
To: Eric Rescorla <ekr@rtfm.com>
References: <20180719230009.GD14551@akamai.com> <ce4cb23be8939e57574062e17c4f204f7145d020.camel@redhat.com> <CABcZeBN4tdHZ_fzqqEJNR46BP5bxiy6gWa17xxhfj9YXVAR0rw@mail.gmail.com> <86b69d7d0534d7c711d13182c18774cf484e6431.camel@redhat.com> <CABcZeBMyiNVX8abMd5OTwr6SrHWmTBnS2mV6U9=cPdbkgYxEWg@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/40kzGhIgFnrKYqDMj_wXxaMmimE>
Subject: Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 16:22:13 -0000

I can speak a little to how the reuse of keys will affect existing TLS 1.3 proofs and analyses.

First it is worth noting that most TLS 1.3 proofs do not consider hash function agility, and say nothing about deploying TLS 1.3 in parallel to TLS 1.2 (with some exceptions like [1], [2])
So, the good news is that these proofs do not care much about how PSKs or signature keys are used in TLS 1.2.
The bad news is that this means that, in general, reusing the same keys in 1.2 and 1.3 is insecure.
Even just within TLS 1.3, if we use the same PSK with two versions of HKDF that use different hash algorithms, we would need a strong “joint” assumption on both these hash functions.
Assuming that the HKDF hash algorithm is fixed (either by the standard or for each key), we can then use the Universal PSK trick to specialize the PSK for other parameters (such as hash algorithm used for the TLS transcript).
But from what I understand the HKDF hash algorithm is itself determined by the cipher suite hash algorithm, so I need to think whether the specialisation provides any formal guarantees.

Secondly, TLS 1.3 analyses that account for downgrade attack (like [1],[2]) show that the downgrade countermeasures in TLS 1.3 are sufficient to protect TLS 1.3 sessions, but only under some conditions.
In particular, [2] shows that it is only safe for an endpoint to reuse keys between TLS 1.2 and TLS 1.3 if
(1) even in TLS 1.2, the endpoint only supports PSK-based or signature-based ciphersuites (i.e. no RSA encryption)
(2) even in TLS 1.2, the endpoint only supports “strong” hash functions 
(3) in TLS 1.2 and 1.3, all the hash functions used within signatures and MACs are *jointly* collision resistant (i.e. you cannot easily find b such that H2(b) == H1(a), for different supported hash functions H1 and H2)

In summary, the security proofs for TLS 1.3 require fairly strong conditions on what modes and algorithms of TLS 1.2 can be safely supported by the same client/server.
It is probably worth writing these down as security considerations, and we can quickly discuss this with the academics who did the various proofs.

-Karthik

[1] Downgrade Resilience in Key-Exchange Protocols (IEEE S&P 2016) https://eprint.iacr.org/2016/072
[2] Verified Models and Reference Implementations for the TLS 1.3 Standard Candidate (IEEE S&P 2017)  https://hal.inria.fr/hal-01528752v2/


> On 20 juil. 2018, at 08:08, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> Karthik

v2.23.0 | Report a Bug | By Email