Re: [TLS] The future of external PSK in TLS 1.3

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Wed, 23 September 2020 16:03 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AL6pyjiq58prDpvksTJA1VfkWTA>

Hi David,

my problem is that the IANA registry only says “not recommended” but it does not say for what environments these ciphersuites are not recommended. Worse, it also wants to indicate whether the specification has gone through the IETF process.

Ciao
Hannes

From: David Benjamin <davidben@chromium.org>
Sent: Wednesday, September 23, 2020 5:47 PM
To: Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org>
Cc: Hannes Tschofenig <Hannes.Tschofenig@arm.com>; Filippo Valsorda <filippo@ml.filippo.io>; Carrick Bartle <cbartle891@icloud.com>; tls@ietf.org
Subject: Re: [TLS] The future of external PSK in TLS 1.3

There are two different code points involved in TLS 1.3 PSK, and I think there may be some mixup here:
1. Whether TLS 1.3 psk_ke should be marked N
2. Whether TLS 1.3 psk_dhe_ke should be marked N

Avoiding psk_ke does not remove compatibility with any authentication method. psk_ke and psk_dhe_ke use the same PSKs. The difference is whether the handshake mixes an additional (EC)DH exchange into the key schedule. We've already marked TLS_PSK_WITH_AES_128_GCM_SHA256 with an N, so it seems to me psk_ke with an external PSK should be similar. Handshakes using psk_ke with an external PSK incorporate no secrets in the key exchange apart from an (often long-lived) external symmetric secret. Compromise that secret, and all traffic ever authenticated with that PSK is compromised. Resumption PSKs use short-lived keys, so psk_ke is less immediately disastrous but given the equivalent construction in TLS 1.2 has forward secrecy issues <https://www.imperialviolet.org/2013/06/27/botchingpfs.html>, marking it as N across the board seems a good idea to me. (BoringSSL does not implement psk_ke for this reason. Looks like Go and NSS do not implement it either.)

psk_dhe_ke I suppose depends on how one interprets "specific use case", so I don't feel very strongly here.

David

On Wed, Sep 23, 2020 at 11:37 AM Salz, Rich <rsalz=40akamai.com@dmarc.ietf.org> wrote:
I agree with Hannes’s reasoning.

I am also concerned about devolving TLS to be just Web browser/server.
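
Added example (not part of the original messages, and not code from BoringSSL, Go or NSS): a sketch of the RFC 8446 key schedule up to the client handshake traffic secret, illustrating the point in David Benjamin's message that psk_ke mixes no (EC)DH secret into the key schedule while psk_dhe_ke does. The PSK, the transcript bytes and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HLEN = HASH().digest_size
ZEROS = b"\x00" * HLEN

def hkdf_extract(salt, ikm):
    return hmac.new(salt, ikm, HASH).digest()

def hkdf_expand_label(secret, label, context, length):
    # HkdfLabel from RFC 8446 section 7.1: uint16 length, then label and context,
    # each with a one-byte length prefix; the label carries the "tls13 " prefix.
    full = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    out, block, counter = b"", b"", 1
    while len(out) < length:  # HKDF-Expand (RFC 5869)
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def client_hs_traffic_secret(psk, transcript_hash, ecdhe=None):
    """ecdhe=None models psk_ke, where the (EC)DHE input is all zeros."""
    early = hkdf_extract(ZEROS, psk)
    derived = hkdf_expand_label(early, b"derived", HASH(b"").digest(), HLEN)
    handshake = hkdf_extract(derived, ZEROS if ecdhe is None else ecdhe)
    return hkdf_expand_label(handshake, b"c hs traffic", transcript_hash, HLEN)

def derivable_from_psk_alone(session_secret, psk, transcript_hash):
    """True if the PSK plus the plaintext hello transcript reproduce the secret."""
    guess = client_hs_traffic_secret(psk, transcript_hash)
    return hmac.compare_digest(guess, session_secret)

# Constructed sample values; the same transcript is reused for both modes to
# isolate the effect of the (EC)DHE input.
PSK = bytes.fromhex("aa" * 32)
TRANSCRIPT_HASH = HASH(b"constructed ClientHello..ServerHello").digest()

def demo():
    ecdhe = os.urandom(HLEN)  # stand-in for the ephemeral shared secret
    psk_ke = client_hs_traffic_secret(PSK, TRANSCRIPT_HASH)
    psk_dhe_ke = client_hs_traffic_secret(PSK, TRANSCRIPT_HASH, ecdhe)
    return (derivable_from_psk_alone(psk_ke, PSK, TRANSCRIPT_HASH),
            derivable_from_psk_alone(psk_dhe_ke, PSK, TRANSCRIPT_HASH))

if __name__ == "__main__":
    print(demo())
```

In the psk_ke case every input to the derivation is either the PSK or data sent in the clear, which is why the secret is reproducible once the PSK is known; in the psk_dhe_ke case the ephemeral value is also required.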
