Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

Benjamin Kaduk <kaduk@mit.edu> Mon, 19 March 2018 00:40 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15B34126BFD for <tls@ietfa.amsl.com>; Sun, 18 Mar 2018 17:40:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7WAADBPnYmjx for <tls@ietfa.amsl.com>; Sun, 18 Mar 2018 17:40:37 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F2381267BB for <tls@ietf.org>; Sun, 18 Mar 2018 17:40:36 -0700 (PDT)
X-AuditID: 12074422-7fbff700000027e0-a8-5aaf0700ecaa
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP id DC.D4.10208.2070FAA5; Sun, 18 Mar 2018 20:40:34 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id w2J0eTbj029173; Sun, 18 Mar 2018 20:40:30 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2J0eP6j020345 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Sun, 18 Mar 2018 20:40:28 -0400
Date: Sun, 18 Mar 2018 19:40:25 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Lanlan Pan <abbypan@gmail.com>
Cc: Hubert Kario <hkario@redhat.com>, TLS WG <tls@ietf.org>
Message-ID: <20180319004025.GE55745@kduck.kaduk.org>
References: <6112806.hxzZ6NivhB@pintsize.usersys.redhat.com> <20180313151848.GA26250@LK-Perkele-VII> <3060420.fu6fxUo7fv@pintsize.usersys.redhat.com> <20180314020207.GY55987@kduck.kaduk.org> <CANLjSvVbrJLVX8L2jx2KVAygeZiWzQtQO4Njeq6chr_EtKD9UQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CANLjSvVbrJLVX8L2jx2KVAygeZiWzQtQO4Njeq6chr_EtKD9UQ@mail.gmail.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFlrCKsWRmVeSWpSXmKPExsUixG6nrsvEvj7KYOllbYuL/3axW9z6dpjV 4tP5LkYHZo+ds+6yeyxZ8pPJ4/2+q2wBzFFcNimpOZllqUX6dglcGfdXHGQqOMFesf/CHdYG xia2LkZODgkBE4k5C7uZuhi5OIQEFjNJzO1awAzhbGSUmPFgC1TmKpPE05XXmUBaWARUJaZ2 nmQGsdkEVCQaui+D2SICShJHT/SA1TALWEucvdTLCmILC6RK7D27GSjOwcELtG7Z9FCImd1M Er2THzCC1PAKCEqcnPmEBaJXXeLPvEvMIPXMAtISy/9xQITlJZq3zgYLcwoESjzrigYJiwoo S+ztO8Q+gVFwFpJBs5AMmoUwaBaSQQsYWVYxyqbkVunmJmbmFKcm6xYnJ+blpRbpmurlZpbo paaUbmIEB7qL0g7Gif+8DjEKcDAq8fBq/F4XJcSaWFZcmXuIUZKDSUmU9+7mNVFCfEn5KZUZ icUZ8UWlOanFhxglOJiVRHifXgEq501JrKxKLcqHSUlzsCiJ83qYaEcJCaQnlqRmp6YWpBbB ZGU4OJQkeL+zro8SEixKTU+tSMvMKUFIM3FwggznARq+ggWohre4IDG3ODMdIn+K0ZLj2d4H bcwcbSufAMkbL163MQux5OXnpUqJ894EGSoA0pBRmgc3E5S4JLL317xiFAd6UZjXD6SKB5j0 4Ka+AlrIBLTQZ+kakIUliQgpqQbGvp/3WXcd2Lz0pEXA1Ic/jH2W7zwk4RSTFzfFz87tDHem PXOfek9lMUOBYPkFn9BvS+Jl3AWkD9Q9eWrIc03g5oXJzNa7eX7/yK1cUXsxf5p+eNlP7zNn xH9k3Ql56vng2uRLj1rPKDY21s7Yd3qH2c9d0/ablBxJTKq+UbziTdvkXQ3yT7M2K7EUZyQa ajEXFScCAHOf5c03AwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9XIR1H7YFASx-4J9KZRtOWLs29U>
Subject: Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2018 00:40:39 -0000

On Sun, Mar 18, 2018 at 03:24:02PM +0000, Lanlan Pan wrote:
> Benjamin Kaduk <kaduk@mit.edu>于2018年3月14日周三 上午10:02写道:
> 
> > It seems like we get ourselves in trouble by allowing multiple
> > external PSKs to be present.  If we allowed at most one external
> > PSK in a given ClientHello, then aborting the handshake on binder
> > failure would be the correct choice, as discovering a valid identity
> > would require discovering a valid key/password as well.
> >
> > Disallowing multiple external PSKs would make migration scenarios a
> > little more annoying, but perhaps not fatally so.
> >
> 
> what about each external PSK's survival time ?
> 
> It seems should be updated in period.

It should, but that has always been the case and nothing has changed
in that regard in TLS 1.3 vs TLS 1.2.  (In practice, they are not,
and nothing we say in the document is likely to produce substantial
change in that regard.)

-Ben