Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

Sean Turner <sean@sn3rd.com> Tue, 20 March 2018 12:55 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7BB75127078 for <tls@ietfa.amsl.com>; Tue, 20 Mar 2018 05:55:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EEUQYDFHdxUJ for <tls@ietfa.amsl.com>; Tue, 20 Mar 2018 05:55:40 -0700 (PDT)
Received: from mail-pl0-x22d.google.com (mail-pl0-x22d.google.com [IPv6:2607:f8b0:400e:c01::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 634B81271FD for <tls@ietf.org>; Tue, 20 Mar 2018 05:55:40 -0700 (PDT)
Received: by mail-pl0-x22d.google.com with SMTP id 9-v6so893555ple.11 for <tls@ietf.org>; Tue, 20 Mar 2018 05:55:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Fh/TP2GxcR8FDwWVGPUaWqlf1lwTujtAzsUdEFVoIc4=; b=UW1ou5kyNrdU9s6oZmtOj118L8A/KU1eZMUorEj7yAZAzSqKZLFd7iA7ffgmFebeSU VL0SRB+y7yNGi6oql72+qIqXMHc61OIZf6pOf6JUlel8iC1Hkp2oHP5nIWAbDXWEFPuY R22EOh2BpyYtSHNhjzXrYGVOxZoXP5SCZAtOo=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=Fh/TP2GxcR8FDwWVGPUaWqlf1lwTujtAzsUdEFVoIc4=; b=iMbTwqduucwka5+Y8DWswMUTRmgI9lKkUZk7CebfgOjHN3hY4fKPK58UixAgvdeGYw 5AUr8etVSh26wTEIeme2oL2nhwFEipxzcAs5hIGTCd6wTwS29qTuxSWh6J8gRt2GyFwW rNI9QkLEWUqWWZ8im7Bk+8zZeUPMwrIynh88VDve0FfbVnB8xNr0cdGeljdhBB62v5La qMdStRlKtaTo88FzLWuhXpQxEL6SaIjyXPXg8gjgeK4d9DnMEisW9qAO3ZgopTS0N2Vi BPk6PSRLSsl6xHbnxJdxWXAZ2M1+l885S8/6ppLu1Wn5MQJwEZm5aHsyM7vJfTO0/mhZ pbtQ==
X-Gm-Message-State: AElRT7GUC8KnRSO9+WPuVVEopGrMKuRqPx5S88QfYOwY79IcW5JSg+bv hfVxk50o6gtXnikiZAcYpcyK+w==
X-Google-Smtp-Source: AG47ELuLodqlg9b0ngTBtch1FMB5zGRKJfjVqEppsh9B37U07vM2iWBfyrBd+zJi4epCnDEblqyCPw==
X-Received: by 2002:a17:902:760e:: with SMTP id k14-v6mr5667391pll.292.1521550539947; Tue, 20 Mar 2018 05:55:39 -0700 (PDT)
Received: from [5.5.33.96] (vpn.snozzages.com. [204.42.252.17]) by smtp.gmail.com with ESMTPSA id i11sm2877863pgq.34.2018.03.20.05.55.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 20 Mar 2018 05:55:39 -0700 (PDT)
Content-Type: text/plain; charset=us-ascii
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <7981509.2MgGW89sdW@pintsize.usersys.redhat.com>
Date: Tue, 20 Mar 2018 12:55:31 +0000
Cc: Benjamin Kaduk <kaduk@mit.edu>, Eric Rescorla <ekr@rtfm.com>, tls-chairs <tls-chairs@ietf.org>, TLS WG <tls@ietf.org>, The IESG <iesg@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <640F00C7-F652-4500-A0FB-E9C98886EDFD@sn3rd.com>
References: <6112806.hxzZ6NivhB@pintsize.usersys.redhat.com> <6535335.hpFIu7S1IC@pintsize.usersys.redhat.com> <20180319225316.GP55745@kduck.kaduk.org> <7981509.2MgGW89sdW@pintsize.usersys.redhat.com>
To: Hubert Kario <hkario@redhat.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8Y4TP953nt3hhmyGal7wjnUaPZA>
Subject: Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Mar 2018 12:55:42 -0000

> On Mar 20, 2018, at 12:52, Hubert Kario <hkario@redhat.com>; wrote:
> 
> On Monday, 19 March 2018 23:53:16 CET Benjamin Kaduk wrote:
>> On Mon, Mar 19, 2018 at 05:00:51PM +0100, Hubert Kario wrote:
>>> On Sunday, 18 March 2018 16:27:34 CET Eric Rescorla wrote:
>>>> After discussion with the chairs and the AD, I have opted to just add a
>>>> section
>>>> that explains the attack. I just merged that (but managed not to get it
>>>> into -27
>>>> due to fumble fingering).
>>> 
>>> If there is no consensus on the recommended fix for the issue, I wonder if
>>> we shouldn't then soften the language in the section about PSK binder
>>> handling, from SHOULD to MAY.
>> 
>> I think on the balance I am happier retaining SHOULD.
>> 
>>> Though, I'd say that the reference to that newly added section is
>>> definitely missing.
>> 
>> I expect that can be done as an RFC Editor note or during AUTH48.
>> 
>> -Benjamin
> 
> https://github.com/tlswg/tls13-spec/pull/1189 filed as a reminder

Thanks!

spt