Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
Hubert Kario <hkario@redhat.com> Wed, 21 February 2018 14:26 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D1F1126D05; Wed, 21 Feb 2018 06:26:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rjSOPRFbkoqf; Wed, 21 Feb 2018 06:26:45 -0800 (PST)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D2DB81241F3; Wed, 21 Feb 2018 06:26:44 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 3623FFB640; Wed, 21 Feb 2018 14:26:44 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTP id 77BFC213AEE2; Wed, 21 Feb 2018 14:26:43 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: draft-ietf-tls-tls13@ietf.org, "<tls@ietf.org>" <tls@ietf.org>, ietf@ietf.org
Date: Wed, 21 Feb 2018 15:26:42 +0100
Message-ID: <21708133.DmTAOkxbDk@pintsize.usersys.redhat.com>
In-Reply-To: <CABcZeBOXzXf32JZkOw51JkXz6e_RG5Y+n+XG-9Y=Fb=a-as-CQ@mail.gmail.com>
References: <151880080195.1349.14035524657942875385.idtracker@ietfa.amsl.com> <1545738.SpB3f87gQo@pintsize.usersys.redhat.com> <CABcZeBOXzXf32JZkOw51JkXz6e_RG5Y+n+XG-9Y=Fb=a-as-CQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart1850902.Jp56FTomI8"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Wed, 21 Feb 2018 14:26:44 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.1]); Wed, 21 Feb 2018 14:26:44 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/6b4X-SvVqKfCv_CYfkiPErIWsOg>
Subject: Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 14:26:46 -0000
On Wednesday, 21 February 2018 15:21:58 CET Eric Rescorla wrote: > On Wed, Feb 21, 2018 at 6:13 AM, Hubert Kario <hkario@redhat.com> wrote: > > On Friday, 16 February 2018 18:06:41 CET The IESG wrote: > > > The IESG has received a request from the Transport Layer Security WG > > > > (tls) > > > > > to consider the following document: - 'The Transport Layer Security > > > (TLS) > > > Protocol Version 1.3' > > > > > > <draft-ietf-tls-tls13-24.txt> as Proposed Standard > > > > The current draft states that if the server recognises an identity but is > > unable to verify corresponding binder, it "MUST abort the handshake" > > Which text are you referring to here? Section 4.2.11: Prior to accepting PSK key establishment, the server MUST validate the corresponding binder value (see Section 4.2.11.2 below). If this value is not present or does not validate, the server MUST abort the handshake. Servers SHOULD NOT attempt to validate multiple binders; rather they SHOULD select a single PSK and validate solely the binder that corresponds to that PSK. > -Ekr > > at the same time, they "SHOULD select as single PSK and validate solely the > > > binder that corresponds to that PSK" > > (Page 60, draft-ietf-tls-tls13-24). > > > > That allows for trivial enumeration of externally established identities - > > the > > attacker just needs to send to the server a list of identity guesses, with > > random data as binders, if the server recognises any identity it will > > abort > > connection, if it doesn't, it will continue to a non-PSK handshake. > > > > Behaviour like this is generally considered a vulnerability: > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190 > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229 > > > > I was wondering if the document shouldn't recommend ignoring any and all > > identities for which binders do not verify to prevent this kind of attack. > > -- > > Regards, > > Hubert Kario > > Senior Quality Engineer, QE BaseOS Security team > > Web: www.cz.redhat.com > > Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic > > _______________________________________________ > > TLS mailing list > > TLS@ietf.org > > https://www.ietf.org/mailman/listinfo/tls -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
- [TLS] UPDATED Last Call: <draft-ietf-tls-tls13-24… The IESG
- Re: [TLS] UPDATED Last Call: <draft-ietf-tls-tls1… Sean Turner
- [TLS] Future interoperability issues for HRR for … Hubert Kario
- Re: [TLS] Future interoperability issues for HRR … Benjamin Kaduk
- [TLS] external PSK identity enumeration Re: UPDAT… Hubert Kario
- Re: [TLS] Future interoperability issues for HRR … Eric Rescorla
- Re: [TLS] external PSK identity enumeration Re: U… Eric Rescorla
- Re: [TLS] external PSK identity enumeration Re: U… Hubert Kario
- Re: [TLS] external PSK identity enumeration Re: U… Eric Rescorla
- Re: [TLS] external PSK identity enumeration Re: U… Martin Thomson
- Re: [TLS] external PSK identity enumeration Re: U… Tony Putman
- Re: [TLS] external PSK identity enumeration Re: U… Hubert Kario
- Re: [TLS] external PSK identity enumeration Re: U… Hubert Kario