Re: [TLS] PSK in 1.3?

["Dan Harkins" <dharkins@lounge.org>]

On Sun, October 19, 2014 7:35 am, Yoav Nir wrote:
>
> I also understand that in practice, PSK ciphersuites are used only by
> small devices, whereas the web and SMTP and other things never went for
> it. But the standards don’t say that. They don’t say that PSK
> ciphersuites are especially for constrained devices. So if we insist that
> the same TLS 1.3 be used for both, and we don’t want to say that PSK is
> for weak security, then we should have a good story of why PFS is not
> needed for PSK uses, whereas it’s essential for all RSA uses.  If I
> understand the mechanism correctly, PSKs tend to be long-lived, and a
> subsequent compromise of a PSK (even if it is expired at the time of
> compromise) allows an attacker to decrypt the content of a TLS session.

  The non-PFS PSK ciphersuites are no different than the widely
discredited, and easily cracked, WPA-PSK mode of WiFi security. It would
be a really bad idea to continue with these ciphersuites in TLS 1.3. But the
issue is not just PFS (or the lack of it), it's that PSK ciphersuites are
susceptible to dictionary attack.

> So either we believe that PSK compromise is unlikely, or we believe that
> the data in a connection with a PSK ciphersuite is not future-sensitive.
> If we don’t, we’re saying that we’re just piling on security
> nice-to-haves because we think the users can handle them.

  There's no way that the protocol can be defined to justify that belief.
What you're talking about is how people end up using the protocol and
that is entirely out of the power of this WG. What we can do is to make
TLS be as _misuse resistant_ as possible. And to do that we should not
allow PSKs in TLS 1.3 unless they are used in a PAKE.

  By the way, I'm surprised that no one is expressing outrageous outrage
at the lack of a security proof for PSK ciphersuites.

  regards,

  Dan.