Re: [TLS] Comments on draft-dt-tls-external-psk-guidance-01
"Hollenbeck, Scott" <shollenbeck@verisign.com> Thu, 23 April 2020 15:16 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 563BA3A0A12 for <tls@ietfa.amsl.com>; Thu, 23 Apr 2020 08:16:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qlUKDW0oUAmS for <tls@ietfa.amsl.com>; Thu, 23 Apr 2020 08:16:02 -0700 (PDT)
Received: from mail6.verisign.com (mail6.verisign.com [69.58.187.32]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0D3023A0A10 for <tls@ietf.org>; Thu, 23 Apr 2020 08:16:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=7563; q=dns/txt; s=VRSN; t=1587654962; h=from:to:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=rZarEefj5GvWLJxKcv+6R63M600IiUZVbEYLfP9wE5s=; b=I67+9IGZlDbbLocZAE2+1B3NOROhDbqXJIyv8/zaIk8w94/2dsZCq+Cy 6Kd6odgIOco21QV+MxItbSJceHtvldurZBZ0+82pAA05n5dZ6VL9RHRVs ge75kgwT/62PNr/eQ/+ZM4e6HNKlyhxuHGZmXakPXq3DXajmyYgTb0tPE DtL7U143dcSCGJ24uU1pZbVofxnYP7Sq1WYOdllDg8RD6sRjPw7Dnrfs+ ChoJPDKv1Rq+kWz/GQPk5m95H1Oat7dVBpN956yTynzjGDkaKuuyO8eao vNwrU+EsSkTXFY6BzzTywxvcZ4eCGbRp73SjFCd3rsUBO1JJi0i6qHvBK w==;
IronPort-SDR: xmwqORC7JYkzcXHjqAvmhjppNTrwKDrrBLUd6lBz4Toi2Uks3rs6oLmyF5LqPNoAG1l2EI3WvY kp8axzCFDpeI4lphDWawS7rL25tQkn2idGvJ3o8f35FjfW2M8qHyLj3bN5pLypHM7moUtsf+4I saPrI+EhJ+dPsehkThllJIoMQW/yqF28Hj6jW2FRTVqd7X6L73KfXbs2ZXuAW3d3Mm1dre56GJ iKY7BLm2h6xDCghVtLrNkY0kIt02TjoGwzvUT7ERFMYrB3lrXetGKg1G3kYCFB+BAE6BxJlDE0 beo=
X-IronPort-AV: E=Sophos;i="5.73,307,1583211600"; d="scan'208";a="1217037"
IronPort-PHdr: 9a23:WGqPeR2EyYOk0irEsmDT+DRfVm0co7zxezQtwd8ZseMWKPad9pjvdHbS+e9qxAeQG9mCtrQY2qGI4ujJYi8p2d65qncMcZhBBVcuqP49uEgeOvODElDxN/XwbiY3T4xoXV5h+GynYwAOQJ6tL1LdrWev4jEMBx7xKRR6JvjvGo7Vks+7y/2+94fcbglVhDexe7x/IRG5oQjQssQdnJdvJLs2xhbVuHVDZv5YxXlvJVKdnhb84tm/8Zt++ClOuPwv6tBNX7zic6s3UbJXAjImM3so5MLwrhnMURGP5noHXWoIlBdDHhXI4wv7Xpf1tSv6q/Z91SyHNsD4Ubw4RTKv5LptRRT1iikIKiQ5/XnXhMJukaxbvByvqR9xw4HWYYGaKPVwcazGcNMGXGpBXNpdWzBdDo+iaYYEEuoPPfxfr4n4v1YCoxmwBQ6oBOPr1DBIgGT50rMm3OQiCQ3NwREuEM4JsHTIsNX5OroZXOeuzKnIyjXDa/dW1in76IfTbB8uvfKMUKluccXP00kvFhjFjlSfqYzjJT+ayuMNs22C4udmSOmhiHYnphlsrjSz3Msgl4vEi4wPxlzZ9Sh0zpw5KNK7RUJjfNKoDIFcuzyYOodqWM8uXm5ltSUgxrEbupO2ejUBxo49yB7FcfOHdpCF4hfkVOmMPzh1nGlleLejhxaq9kig1/H8WtG00FlUqipFlcHBu20R2RLL98SISuNz8Eig1jqTygzf8P9ELlwzlarBM54t2KQ/mYcJvUTdBC/2g0P2gLWKeUUj/+ik8+XnYrP4qZ+AL4J4lx3yPr4zlsG9D+k0KBUCUmiV9Oim27Du/lX1QLBQgf03lqnZvoraJcMepqOhGA9V0oEj6xK7Dzi41tQXhmcII05GeB+ckYjmJUvOIPHjDfe+jFSsli1nyOzBPr3kGpnNNGTMkK/9fbZh7E5R0BY8wspR5p9PCrEOPuj8WlfwtNzeAR82KA20w/r8CNln0IMRR36PCLeDMKzOqV+I+v4vI+6UaY8JvDb9MOMo5//wgn8ll18RZ66p3YEYaCPwIvMzaU6QflLsj94ZEGEFtAsiV6rshUHIGWpYbmmaX681/jA9B4inEZyFQI2x1vjJlju/BbVXa3xITFeWHj2gI5mAQN8NZT6cZMh7nWpXe6KmTtpr9RaqsAL8wbdsLa6cwSYfqY6pnIxu5+rXkRw0/zF/DOyD3nuMVGB7mCUDQDpgj/M3mlB01lrWifswuPdfD9EGv/4=
X-IPAS-Result: A2HOAgAesKFe/zCZrQpmHAEBAQEBBwEBEQEEBAEBgXuERwqVLJtZCgEBAQEBAQEBAQcBLwQBAYREAoJKOBMCAwEBCwEBAQUBAQEBAQUDAQEBAoYTCDCCOyKDaQEBAQECATpLBAIBCBEBAwEBARgGEDIXBggBAQQBEgiFe7B+gieFT4R5gTiJbYJmgUI+gRGDED6EJRFnhSIEjh0/iQ6KOI59fAMHgkWXbyWCWYhUkT6PdZx5AgQCBAUCFYFpgXlwUIJpUBgNjhyRYXSMfSaBD4EQAQE
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Thu, 23 Apr 2020 11:15:59 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde]) by BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde%4]) with mapi id 15.01.1913.005; Thu, 23 Apr 2020 11:15:59 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "caw@heapingbits.net" <caw@heapingbits.net>, "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [EXTERNAL] Re: [TLS] Comments on draft-dt-tls-external-psk-guidance-01
Thread-Index: AdYXH6KSBS1BAI8XTwWXm/Rvqwo8MQByrvgAACXMJHA=
Date: Thu, 23 Apr 2020 15:15:59 +0000
Message-ID: <16d1dd1b028e4428868a61e3c891e43e@verisign.com>
References: <5baf193953c94e3093fda66c8e3baa4d@verisign.com> <9074c915-2482-46a2-be99-cdf72939ec7b@www.fastmail.com>
In-Reply-To: <9074c915-2482-46a2-be99-cdf72939ec7b@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9HFdko79Zsb62UjQVHReu1Xpt-o>
Subject: Re: [TLS] Comments on draft-dt-tls-external-psk-guidance-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Apr 2020 15:16:07 -0000
> -----Original Message----- > From: TLS <tls-bounces@ietf.org> On Behalf Of Christopher Wood > Sent: Wednesday, April 22, 2020 1:10 PM > To: TLS@ietf.org > Subject: [EXTERNAL] Re: [TLS] Comments on draft-dt-tls-external-psk- > guidance-01 > > Thanks for the feedback, Scott. Please see inline below. > > On Mon, Apr 20, 2020, at 7:26 AM, Hollenbeck, Scott wrote: > > Here are a few comments gathered from Verisign Labs on > > draft-dt-tls-external-psk-guidance-01: > > > > 1. Sec. 6, requirement 1 states "Low entropy keys are only secure > > against active attack if a Password Authenticated Key Exchange (PAKE) > > is used with TLS." "only secure ... if" may be too strong a > > statement, because there could be other mechanisms for increasing the > > entropy of a pre-shared key that do not meet the formal definition of a > PAKE. > > Moreover, as defined in draft-barnes-tls-pake, a PAKE repurposes the > > DH key share to carry a transformed version of the EPSK, so it > > involves a different architecture than the ordinary process for > > incorporating EPSKs into the TLS key schedule that is assumed in most > > of the present draft. > > > > If the goal of the present draft is to encompass PAKEs as well as the > > ordinary process, then the scope of the draft should be broadened to > > something like "handshakes based on EPSKs, whether through the > > ordinary process of incorporating them into the key schedule, or > > through alternate mechanisms such as PAKE where the DH key share is > > based on the EPSK." > > > > Alternatively, the statement in requirement 1 could be rephrased as > follows: > > > > "If only low-entropy keys are available, then key establishment > > mechanisms such as Password Authenticated Key Exchange (PAKE) that > > mitigate the risk of offline dictionary attacks MUST be employed. > > Note that these mechanisms do not necessarily follow the same > > architecture as the ordinary process for incorporating EPSKs described > > in this draft." > > This seems like a reasonable proposal to me. Specifying integration with > PAKEs is (or was intended to be) out of scope, and this clarifies the > requirement without widening the scope. Agreed. > > 2. Sec. 6, requirement 2 states, "Each PSK MUST NOT be shared between > > with more than two logical nodes." This "MUST NOT" is stronger than > > the "NOT RECOMMENDED to share the same PSK between more than one > > client and server" > > In Sec. 7 and would exclude group PSK use cases that are acknowledged > > in that section. The requirement is also inconsistent with this > > statement in Appendix B of draft-ietf-tls-external-psk-importer: > > > > "Applications which require authenticating finer-grained roles while > > still configuring a single shared PSK across all nodes can resolve > > this mismatch either by exchanging roles over the TLS connection after > > the handshake or by incorporating the roles of both the client and > > server into the IPSK context string." > > > > If the intent is to restrict use to at most two nodes, then > > requirement > > 2 should go even further and restrict use to one node in a TLS client > > role, and one in a TLS server role. > > > > We would therefore suggest that requirement 2 be changed to something > > like the following: > > > > "Unless other accommodations are made, each PSK MUST be restricted in > > its use to at most two logical nodes: one logical node in a TLS > > client role and one logical node in a TLS server role. (The two > > logical nodes MAY be the same, in different roles.) Two acceptable > > accommodations are described in > > [draft-ietf-tls-external-psk-importer]: exchanging client and server > > identifiers over the TLS connection after the handshake; and > > incorporating identifiers for both the client and the server into the context > string for an EPSK importer." > > > > (Note that we've changed "roles" to "identifiers" to align with Sec. > > 7) > > This is a *great* suggestion! Thank you for clarifying in ways we could not. I'll > take it. Glad to be able to add clarity here. > > Related to this, "logical node" should be defined somewhere, e.g., > > "For purposes of this document, a logical node is a computing presence > > that other parties can interact with via the TLS protocol. A logical > > node could potentially be realized with multiple physical instances > > operating under common administrative control, e.g., a server farm." > > Alternatively, the term "endpoint," which is used elsewhere in this > > document, could be used here as well (perhaps also avoiding the single > > use of "agent"). > > Yep, defining "logical node" would be great. We should probably have a > separate definition section up front to consolidate these terms in one place. > We can work with your suggestions and make that happen. OK. > > 3. Sec. 7 recommends that that each node selects one globally unique > > identifier for all PSK handshakes, but without giving rationale why > > this approach is preferred for mitigating the attacks mentioned > > earlier in the section. This may be limiting, because a logical node > > may legitimately be known to different endpoints by different identifiers: > > a domain name in some cases, an IPv4 address in other cases, and an > > IPv6 address in still other cases. We would therefore recommend > > relaxing this recommendation. > > Since it's merely a recommendation, I think we ought to keep it. It's a simple > deployment model that solves issues. > > We could list your use case as a counter example as to when this > recommendation may not be appropriate. Would that work? Yes. > > 4. General. The draft makes no mention of certificate-based > > authentication in connection with EPSKs, for instance as described in > > in RFC 8773, "TLS 1.3 Extension for Certificate-based Authentication > > with an External Pre-Shared Key." We understand that use of external > > PSKs with certificates is out of scope for the design team. > > Certificate-based authentication, potentially in combination with a DH > > exchange, can improve the security properties of TLS handshakes based > > on EPSKs and help protect against both rerouting attacks and > > impersonation attacks. Is there any interest in adding some guiding > > text to the document before it's adopted by the WG? We're willing to > > provide text for consideration. > > Sure, we're absolutely open to contributions! You're right that it's out of > scope, though it could be useful in an appendix, or wherever else you think > it's appropriate. We'd recommend adding a sentence to the introduction that certificate-based authentication is out of scope, with a reference to RFC 8773 for details. This could be combined with a statement that PAKE is also outside of scope. Suggestion: "The design team effort that produced this document was limited in scope to the PSK techniques specified in TLS 1.3 when using high-entropy PSKs. Other approaches can also be beneficial in certain situations, but were out of scope. For example, Password Authenticated Key Exchange (PAKE) techniques [[ref]] can be used to establish a TLS session with low-entropy PSKs, and certificate-based authentication can be combined with PSKs (and possibly with a Diffie-Hellman exchange) to help protect against both rerouting attacks and impersonation attacks [RFC 8773]." Scott
- [TLS] Comments on draft-dt-tls-external-psk-guida… Hollenbeck, Scott
- Re: [TLS] Comments on draft-dt-tls-external-psk-g… Christopher Wood
- Re: [TLS] Comments on draft-dt-tls-external-psk-g… Hollenbeck, Scott