Re: [TLS] Distinguishing between external/resumption PSKs

"Owen Friel (ofriel)" <ofriel@cisco.com> Thu, 19 September 2019 14:04 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 161CB120108 for <tls@ietfa.amsl.com>; Thu, 19 Sep 2019 07:04:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=Ydb6KDQ5; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=JpyGnJb1
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a0nzinh1QUL6 for <tls@ietfa.amsl.com>; Thu, 19 Sep 2019 07:04:57 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD9AF120090 for <tls@ietf.org>; Thu, 19 Sep 2019 07:04:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4230; q=dns/txt; s=iport; t=1568901896; x=1570111496; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=NvSW1IdIjxsXURkDU3c55tWN8Remd9O+fZ7OxY7bdO0=; b=Ydb6KDQ57r+5iB6zhnzo+Tcl8GsQvdeWf225XDG3MdOUvRijLWtShGdJ kLOHZ14vbTuRlMznm7f4213+ggmiUm8jtar/H4EOlIqRC+o9inzmst44Z atU00mskjlDDE1JaQ5IJFLeQGqER3U6wzHAHlcil7rVFXpDcCkeAFQy6g E=;
IronPort-PHdr: 9a23:S08wgRGPuq+32homOrwIWp1GYnJ96bzpIg4Y7IYmgLtSc6Oluo7vJ1Hb+e4w3Q3SRYuO7fVChqKWqK3mVWEaqbe5+HEZON0pNVcejNkO2QkpAcqLE0r+efnkdS03GOxJVURu+DewNk0GUMs=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AUAAB3ioNd/4sNJK1cCRoBAQEBAQIBAQEBBwIBAQEBgVUDAQEBAQsBgURQA21WIAQLKoQig0cDinyCXIlmjg2BLoEkA1QJAQEBDAEBGAsKAgEBhD8CF4JsIzYHDgIDCQEBBAEBAQIBBQRthS0MhUoBAQEDAQEBEBERDAEBLAsBCwQCAQgRBAEBAQICIwMCAgIfBgsUAQgIAQEEDgUIGoMBgWoDDg8BDqJUAoE4iGFzgTKCfQEBBYUIDQuCFwMGgQwoAYwIGIFAP4FXgkw+ghpHAQEDgTQUBhKDCTKCJo9YnHFBCoIihwWFFIRvhBuZI5YnggiOeAIEAgQFAg4BAQWBWQIvgVhwFTuCbFAQFIFOg3KFFIU/c4Epj00BAQ
X-IronPort-AV: E=Sophos;i="5.64,523,1559520000"; d="scan'208";a="546273541"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 19 Sep 2019 14:04:53 +0000
Received: from XCH-RCD-017.cisco.com (xch-rcd-017.cisco.com [173.37.102.27]) by alln-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id x8JE4qXE025574 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 19 Sep 2019 14:04:53 GMT
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by XCH-RCD-017.cisco.com (173.37.102.27) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 19 Sep 2019 09:04:52 -0500
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 19 Sep 2019 09:04:52 -0500
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 19 Sep 2019 10:04:52 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=aWwraa5LFJiguI87dlvs6G+wMukpTuZ/7IDFt9edSwK4JCsGa8Z7kkSY2ny4OhwfksEZKVVlBibw9DUK3pikxHnjaRBKlSyZZYkBQ2sUcDZVL4LpdrSb2PsBE7lteZKcecuSm0VWStEulrJEPUI52JXH4JDHRp/qS3xFSzDEiQl7lO9aUwcuDUoabuxnzApnx1sHCcbjoJc0pXT2IMfIbt4WkXsK6VqybcHFLO7d6jeGogFZ66hT34iizydwC+KzdII51Rb6d8yVN5RDqYUlhMePyY/EEGpLO2qZTApkQMv55PcEaTN3CljDpqE4QHYL5v6YJXkA+zffqbVXuYTaTg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NvSW1IdIjxsXURkDU3c55tWN8Remd9O+fZ7OxY7bdO0=; b=lVJymWiaAmZGE74MEpiPBO5GHc1tyWQ0IjkMcdDOQuRqtTu/RCpfjs+3ju7hKtW61nOFaqpWyALlLo/xLrKaBXFn7cceMoXL+98PAcQgnfqcEKOyxnUysApzPtcPM5paceAgxckdVj++CQC/zFFuAV9dg7TwpV7fzuxfFd0payIEXBTWaOGLjTXAqBqsWdugHZGHiJSJ5rGJpsPEn9cK6i6EzeCgkLnKYFrl4MSnpPwwAzbFgWu76tdrD60SQPS7V1KVmQnyzy6hCBfmv6BGZdiJVgc8G5AAzUZIxRysLXZmyyCXfwjwNvgBkHJpfJQ7LwNfueOOKkT932QPD2Q6Nw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=NvSW1IdIjxsXURkDU3c55tWN8Remd9O+fZ7OxY7bdO0=; b=JpyGnJb1DxFWtU8Yh+XTCKeypmjEESk6JBcLjiezF04314Xmp0XJQRyIRntpYsmkkD3FQ0Pg+77m6ONCzeRXYZyYFy2IifwSqX6Fqe0su57v/RSZr5o3IY675NDcf6qEx24h/FLFMZHkwdsOeScy8fA/GJhqKp0jFNuozU0UNVM=
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com (10.172.76.13) by CY4PR1101MB2262.namprd11.prod.outlook.com (10.172.76.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.18; Thu, 19 Sep 2019 14:04:51 +0000
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::686a:2f6e:32c2:5127]) by CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::686a:2f6e:32c2:5127%9]) with mapi id 15.20.2263.028; Thu, 19 Sep 2019 14:04:50 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
CC: Martin Thomson <mt@lowentropy.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Distinguishing between external/resumption PSKs
Thread-Index: AdVu2EcOhu/1f/3HRzaHS0CqIUTzpgAFkgUAAADU1nA=
Date: Thu, 19 Sep 2019 14:04:50 +0000
Message-ID: <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com>
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com>
In-Reply-To: <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [2001:420:4041:1300:4507:b8e9:a4cb:1dc0]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 79968965-c249-4e32-c996-08d73d0a56a6
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600167)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:CY4PR1101MB2262;
x-ms-traffictypediagnostic: CY4PR1101MB2262:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <CY4PR1101MB22624E4743FB9EC4312A10A7DB890@CY4PR1101MB2262.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 016572D96D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(376002)(346002)(366004)(39860400002)(136003)(13464003)(189003)(199004)(25786009)(966005)(14454004)(14444005)(256004)(478600001)(9686003)(4326008)(6246003)(76116006)(2906002)(66946007)(66446008)(64756008)(316002)(66556008)(66476007)(6436002)(55016002)(6116002)(99286004)(54906003)(6306002)(6916009)(52536014)(76176011)(229853002)(7696005)(5660300002)(33656002)(446003)(11346002)(46003)(476003)(486006)(7736002)(305945005)(102836004)(74316002)(53546011)(6506007)(186003)(81156014)(8676002)(71200400001)(71190400001)(86362001)(8936002)(81166006); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1101MB2262; H:CY4PR1101MB2278.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: rvAMTJYiBwJSEMtCmgy+9j62d08T6EQj4t3YTUpAcJZO0fwjq6KbXWDAqWL/QNySb4s4Yd6oLwySZhgD6nbMDN+jtwvtGkh4TM//CN+08j1ERr+ln+KCWJZ1IXjU94kY4pD3qdX4NNtDHxR5KPf39/G/w7DtlDMOw3djHWbwKzILwJ6J3O/F7esQfAnQ3c/TEnwFuDpwr9qTN0ZxdiyNuQRo9Q8rB2WqS9djWz0DsyU0NKykjWE28DNnKeuoQ9kJ8CvUhCP2xUJpw6vriUn5PSj0cDPJBvxuzE9cz75ef6e2SilHodEVZEV+4+4jqkKiKcB8iOFLVubE2S9YQK2Q3314Ja+0/e4vdFy7U4N5Emdk3EYd/KkSMTy5G6QnTaUa41qn7c2oqYSCzT4WNa3I4ZvYMvtYaEYhiowkg72pATw=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 79968965-c249-4e32-c996-08d73d0a56a6
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Sep 2019 14:04:50.6274 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 7hC29MqVxZGzHPooyZvGd2JVbyM0k7mStj0njQ1sh21VSCnSipD0kFeJN68V+oNQcn+k6xpN3y/SXjWcmx0f9w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1101MB2262
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.27, xch-rcd-017.cisco.com
X-Outbound-Node: alln-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/8qF49TUt9K02Hte52pQNbTuwDok>
Subject: Re: [TLS] Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2019 14:04:59 -0000


> -----Original Message-----
> From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
> Sent: 19 September 2019 14:32
> To: Owen Friel (ofriel) <ofriel@cisco.com>
> Cc: Martin Thomson <mt@lowentropy.net>; tls@ietf.org
> Subject: Re: [TLS] Distinguishing between external/resumption PSKs
> 
> Hi Owen,
> 
> If I understand your question correctly the distinguishing is done implicitly
> (not explicitly) through the key schedule.
> If the client and server do not agree on whether the PSK is a resumption or
> an OOB PSK then the `binder_key` will not match, and the handshake will fail.
> 
> See pp. 93-94 of the spec.

And we only even get that far on the off chance that an ext PskIdentity.identity is exactly the same as a res PskIdentity.identity. e.g. a client presents an ext PskIdentity.identity, the server somehow thinks it’s a res PskIdentity.identity, and then handshaking will fail, not only because the actual raw PSK is likely different but the binders will not match due to different labels.

But my question was before we even get that far - its an internal server implementation decision how it determines whether the presented PskIdentity.identity is ext or res, or whether e.g. to try lookup an ext DB table vs. a res cache first to find a PskIdentity.identity match. And say it fails to find an ext match then it tries to find a res match, and if it finds a match, then it knows what binder label to use.


> 
> Does that answer your question?
> 
> Regards,
> 
> Jonathan
> 
> On Thu, 19 Sep 2019 at 11:52, Owen Friel (ofriel) <mailto:ofriel@cisco.com>
> wrote:
> 
> > -----Original Message-----
> > From: TLS <mailto:tls-bounces@ietf.org> On Behalf Of Martin Thomson
> > Sent: 04 September 2019 02:46
> > To: mailto:tls@ietf.org
> > Subject: Re: [TLS] Binder key labels for imported PSKs
> >
> >
> > When we built the ext/res distinction, there was a clear problem
> expressed.
> > We had the potential for both to be used by the same servers at the same
> > time (though not for the same connection) and distinguishing between
> them
> > was important
> 
> Martin, maybe I am missing something in the threads on this. Is there
> anything explicit planned in ClientHello PreSharedKeyExtension or
> PskKeyExchangeModes to explicitly distinguish between ext/res PSKs? Or is
> it up to server implementation and how the server handles the opaque
> PskIdentity.identity? e.g. ImportedIdentity.external_identity fields could be
> stored in one DB table, and (ignoring https://tools.ietf.org/html/draft-ietf-
> tls-external-psk-importer-00#section-9 for now) the server on receipt of a
> ClientHello searches for PskIdentity.identity in its
> ImportedIdentity.external_identity  table and if that lookup fails, then try to
> parse PskIdentity.identity  as a NewSessionTicket.ticket? And the order of
> those two operations is of course implementation specific too.
> 
> 
> _______________________________________________
> TLS mailing list
> mailto:TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls