Re: [TLS] PSK in 1.3?
"Dan Harkins" <dharkins@lounge.org> Mon, 20 October 2014 12:13 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC391A7D84 for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 05:13:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.968
X-Spam-Level:
X-Spam-Status: No, score=-1.968 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RaiDE3Ir0K0r for <tls@ietfa.amsl.com>; Mon, 20 Oct 2014 05:13:10 -0700 (PDT)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by ietfa.amsl.com (Postfix) with ESMTP id E68411A7035 for <tls@ietf.org>; Mon, 20 Oct 2014 05:13:09 -0700 (PDT)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 35CA910224008; Mon, 20 Oct 2014 05:13:09 -0700 (PDT)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Mon, 20 Oct 2014 05:13:09 -0700 (PDT)
Message-ID: <5e587b4474939cad09c12cbf3625dd98.squirrel@www.trepanning.net>
In-Reply-To: <1D875BD8-2727-4895-842A-FC4FAA482E15@gmail.com>
References: <544384C7.9030002@polarssl.org> <78795A6D-3DFA-41C6-A380-C63DDF4C0285@gmail.com> <5443BF11.3090505@polarssl.org> <1D875BD8-2727-4895-842A-FC4FAA482E15@gmail.com>
Date: Mon, 20 Oct 2014 05:13:09 -0700
From: Dan Harkins <dharkins@lounge.org>
To: Yoav Nir <ynir.ietf@gmail.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/8lEx7TuttykIy5uyZCm6G9zeZfk
Cc: Manuel Pégourié-Gonnard <mpg@polarssl.org>, tls@ietf.org
Subject: Re: [TLS] PSK in 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Oct 2014 12:13:12 -0000
On Sun, October 19, 2014 7:35 am, Yoav Nir wrote: > > I also understand that in practice, PSK ciphersuites are used only by > small devices, whereas the web and SMTP and other things never went for > it. But the standards donât say that. They donât say that PSK > ciphersuites are especially for constrained devices. So if we insist that > the same TLS 1.3 be used for both, and we donât want to say that PSK is > for weak security, then we should have a good story of why PFS is not > needed for PSK uses, whereas itâs essential for all RSA uses. If I > understand the mechanism correctly, PSKs tend to be long-lived, and a > subsequent compromise of a PSK (even if it is expired at the time of > compromise) allows an attacker to decrypt the content of a TLS session. The non-PFS PSK ciphersuites are no different than the widely discredited, and easily cracked, WPA-PSK mode of WiFi security. It would be a really bad idea to continue with these ciphersuites in TLS 1.3. But the issue is not just PFS (or the lack of it), it's that PSK ciphersuites are susceptible to dictionary attack. > So either we believe that PSK compromise is unlikely, or we believe that > the data in a connection with a PSK ciphersuite is not future-sensitive. > If we donât, weâre saying that weâre just piling on security > nice-to-haves because we think the users can handle them. There's no way that the protocol can be defined to justify that belief. What you're talking about is how people end up using the protocol and that is entirely out of the power of this WG. What we can do is to make TLS be as _misuse resistant_ as possible. And to do that we should not allow PSKs in TLS 1.3 unless they are used in a PAKE. By the way, I'm surprised that no one is expressing outrageous outrage at the lack of a security proof for PSK ciphersuites. regards, Dan.
- Re: [TLS] PSK in 1.3? Yoav Nir
- [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Hauke Mehrtens
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Jeffrey Walton
- Re: [TLS] PSK in 1.3? Paul Bakker
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Eric Rescorla
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Watson Ladd
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Manuel Pégourié-Gonnard
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Mohamad Badra
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Peter Gutmann
- Re: [TLS] PSK in 1.3? Yoav Nir
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Ilari Liusvaara
- Re: [TLS] PSK in 1.3? Sven Schäge
- Re: [TLS] PSK in 1.3? Christian Kahlo
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? John Mattsson
- Re: [TLS] PSK in 1.3? Alex Elsayed
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Dan Harkins
- Re: [TLS] PSK in 1.3? Stephen Checkoway
- Re: [TLS] PSK in 1.3? Viktor Dukhovni
- Re: [TLS] PSK in 1.3? Watson Ladd