Re: [TLS] The future of external PSK in TLS 1.3
David Benjamin <davidben@chromium.org> Wed, 23 September 2020 15:47 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32BF03A11AA for <tls@ietfa.amsl.com>; Wed, 23 Sep 2020 08:47:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.944
X-Spam-Level:
X-Spam-Status: No, score=-10.944 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WqbxBIBOyEkp for <tls@ietfa.amsl.com>; Wed, 23 Sep 2020 08:47:44 -0700 (PDT)
Received: from mail-pl1-x631.google.com (mail-pl1-x631.google.com [IPv6:2607:f8b0:4864:20::631]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 979243A11A6 for <tls@ietf.org>; Wed, 23 Sep 2020 08:47:44 -0700 (PDT)
Received: by mail-pl1-x631.google.com with SMTP id m15so7062269pls.8 for <tls@ietf.org>; Wed, 23 Sep 2020 08:47:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=XnvlggdocXw1zMvP0ablzmHV3hZ4Ch3KnAzlCS6flhM=; b=IHygD/u7zJvz/lZ53P1F2aHb5yRc+/iNNEJegsXYuJQDUnBDzJ+SEl/E4Kp8o4u4c/ QiCrMTiY9ht3U3zMAjahT/wsSrqjCkK0I/vstJSKOox5m7ST5G+qxjonIFjo15RXBire ihkYLgHpHIEDBakbb7cjZiHD1tJCxhuvFaHrM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=XnvlggdocXw1zMvP0ablzmHV3hZ4Ch3KnAzlCS6flhM=; b=hJ2+Fm4uwSF1BtAsx9U+DhI9Ai+lqvDamjD892EOXyQ7dNfwcPZtv3qSjbwwiOXVqi DhVhHd2TLOAY4Ss2St2FvAo/3wCtkm/OOUkZKTohnlxJTICzcb92XR3GbmNEcBolE8G/ QYFtCi7w9Qr2RVhNOKXgcQWskgwYTMM6a1WwknWNf1UAyEKH4ZQDeUb+c8yW73BxWjTA qdAP9hsg+3ObIGTs+3EO+g+XQGE3Br60zFe62XeKKIsp6/rIT+t5ZAu8RMttIcPxherP mphwPOv6tqjwaaQunA4RylUtj4ocZpjfZwhbR/GkIVkNJ1dSRTENx/X/1yRpr5BHwsZ+ T7YQ==
X-Gm-Message-State: AOAM531NVHPrK6dZDTY4QBZxbnxY+rTsoOnh08jZ6YSV03PuyDweSPy1 ccJ6/gnVHDRqiHmaS3YddClhlhnjuYJFpUJCSnKL
X-Google-Smtp-Source: ABdhPJy/7wlis3eSmubUNGyvsp0Yb/sLtfsPXzEx8wDrP8mxU23OGUoppI6o0X4xs2aeJwu1/IsJqEFAijRL+o3FL5s=
X-Received: by 2002:a17:90a:67c7:: with SMTP id g7mr77473pjm.42.1600876063840; Wed, 23 Sep 2020 08:47:43 -0700 (PDT)
MIME-Version: 1.0
References: <77039F11-188E-4408-8B39-57B908DDCB80@ericsson.com> <1600516093048.75181@cs.auckland.ac.nz> <2f2ecb30-bef5-414a-8ff7-d707d773c7ea@www.fastmail.com> <FDD012C2-9B37-461D-BC81-854135EE994E@icloud.com> <AM0PR08MB3716861B782527DAB3C1EA1BFA3A0@AM0PR08MB3716.eurprd08.prod.outlook.com> <DF3B268F-2E80-4444-B643-D33BC0C7151E@icloud.com> <AM0PR08MB371678103D9EEB89C9AA44C1FA380@AM0PR08MB3716.eurprd08.prod.outlook.com> <ff5f77a9-ea45-4a72-b075-65c2d5e8ab45@www.fastmail.com> <AM0PR08MB37168140C95EB4620ED0FE92FA380@AM0PR08MB3716.eurprd08.prod.outlook.com> <809E2772-DFA1-4E4F-AAD7-8CBF97F5C9AC@akamai.com>
In-Reply-To: <809E2772-DFA1-4E4F-AAD7-8CBF97F5C9AC@akamai.com>
From: David Benjamin <davidben@chromium.org>
Date: Wed, 23 Sep 2020 11:47:27 -0400
Message-ID: <CAF8qwaDvBWrCedJK9qPnmq8bdc54tht3G=LKWMinUhabY=RVZg@mail.gmail.com>
To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Filippo Valsorda <filippo@ml.filippo.io>, Carrick Bartle <cbartle891@icloud.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001dd8e505affd0107"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/5yT475lL2DZtTh16uDvzvgE4kyk>
Subject: Re: [TLS] The future of external PSK in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 15:47:46 -0000
There are two different code points involved in TLS 1.3 PSK, and I think there may be some mixup here: 1. Whether TLS 1.3 psk_ke should be marked N 2. Whether TLS 1.3. psk_dhe_ke should be marked N Avoiding psk_ke does not remove compatibility with any authentication method. psk_ke and psk_dhe_ke use the same PSKs. The difference is whether the handshake mixes an additional (EC)DH exchange into the key schedule. We've *already* marked TLS_PSK_WITH_AES_128_GCM_SHA256 with an N, so it seems to me psk_ke with an external PSK should be similar. Handshakes using psk_ke with an external PSK incorporate no secrets in the key exchange apart from a (often long-lived) external symmetric secret. Compromise that secret, and all traffic ever authenticated with that PSK is compromised. Resumption PSKs use short-lived keys, so psk_ke is less immediately disastrous but given the equivalent construction in TLS 1.2 has forward secrecy issues <https://www.imperialviolet.org/2013/06/27/botchingpfs.html>, marking it as N across the board seems a good idea to me. (BoringSSL does not implement psk_ke for this reason. Looks like Go and NSS do not implement it either.) psk_dhe_ke I suppose depends on how one interprets "specific use case", so I don't feel very strongly here. David On Wed, Sep 23, 2020 at 11:37 AM Salz, Rich <rsalz= 40akamai.com@dmarc.ietf.org> wrote: > I agree with Hannes’s reasoning. > > > > I am also concerned about devolving TLS to be just Web browser/server. > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] The future of external PSK in TLS 1.3 Peter Gutmann
- [TLS] The future of external PSK in TLS 1.3 John Mattsson
- Re: [TLS] The future of external PSK in TLS 1.3 Filippo Valsorda
- Re: [TLS] The future of external PSK in TLS 1.3 Viktor Dukhovni
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Carrick Bartle
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Pascal Urien
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Pascal Urien
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Pascal Urien
- Re: [TLS] The future of external PSK in TLS 1.3 Pascal Urien
- Re: [TLS] The future of external PSK in TLS 1.3 Carrick Bartle
- Re: [TLS] The future of external PSK in TLS 1.3 Achim Kraus
- Re: [TLS] The future of external PSK in TLS 1.3 Achim Kraus
- Re: [TLS] The future of external PSK in TLS 1.3 Pascal Urien
- Re: [TLS] The future of external PSK in TLS 1.3 Achim Kraus
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] The future of external PSK in TLS 1.3 Filippo Valsorda
- Re: [TLS] The future of external PSK in TLS 1.3 David Woodhouse
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Salz, Rich
- Re: [TLS] The future of external PSK in TLS 1.3 David Benjamin
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 David Benjamin
- Re: [TLS] The future of external PSK in TLS 1.3 Carrick Bartle
- Re: [TLS] The future of external PSK in TLS 1.3 Lanlan Pan
- Re: [TLS] The future of external PSK in TLS 1.3 Peter Gutmann
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Filippo Valsorda
- Re: [TLS] The future of external PSK in TLS 1.3 Pascal Urien
- Re: [TLS] The future of external PSK in TLS 1.3 Salz, Rich
- Re: [TLS] The future of external PSK in TLS 1.3 Pascal Urien
- Re: [TLS] The future of external PSK in TLS 1.3 Achim Kraus
- Re: [TLS] The future of external PSK in TLS 1.3 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] The future of external PSK in TLS 1.3 Watson Ladd
- Re: [TLS] The future of external PSK in TLS 1.3 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] The future of external PSK in TLS 1.3 Carrick Bartle
- Re: [TLS] The future of external PSK in TLS 1.3 Achim Kraus
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Rob Sayre
- Re: [TLS] The future of external PSK in TLS 1.3 Achim Kraus
- Re: [TLS] The future of external PSK in TLS 1.3 Hannes Tschofenig
- Re: [TLS] The future of external PSK in TLS 1.3 Watson Ladd
- Re: [TLS] The future of external PSK in TLS 1.3 Blumenthal, Uri - 0553 - MITLL
- Re: [TLS] The future of external PSK in TLS 1.3 Salz, Rich
- Re: [TLS] The future of external PSK in TLS 1.3 Rob Sayre