Re: [TLS] psk_key_exchange_mode question
Eric Rescorla <ekr@rtfm.com> Thu, 03 May 2018 11:22 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A23612D947 for <tls@ietfa.amsl.com>; Thu, 3 May 2018 04:22:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.608
X-Spam-Level:
X-Spam-Status: No, score=-2.608 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gc7cYMY2jQdY for <tls@ietfa.amsl.com>; Thu, 3 May 2018 04:22:55 -0700 (PDT)
Received: from mail-oi0-x236.google.com (mail-oi0-x236.google.com [IPv6:2607:f8b0:4003:c06::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A96412D959 for <tls@ietf.org>; Thu, 3 May 2018 04:22:55 -0700 (PDT)
Received: by mail-oi0-x236.google.com with SMTP id b130-v6so15718136oif.12 for <tls@ietf.org>; Thu, 03 May 2018 04:22:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=zjEA27Eg6XF3eKGeHuHUg4Y9VCQuoz9AH6MD+L6AeIk=; b=xEi0BYYbf6Mzl3FvtvbIUuPYajzftGkx1BUWWGROD3hJFFAUo8fcm3Lsh0lDV4AK5n eFGNIRo/mGQj5+GfhlYHnRUEb9vrPrEvxknHn4/OnC+BaroGEOyHge2kunAwqGLNXr4A y3Dns+5szSc3pMZkVP8540bEKRBD+ZNnOgWNB2xYOb+lBVT6bYWzVmQxcsSBlEL9ITUT BQXsNfByonnhAu/SYifBg0E6TfM4M13bmQBEGcMf9cahd0SzhrFwMqPGv60Zy3qr9Tc6 /XTi+JbvGnGnbHUSXcBgrKE/dfY8/Kjeg4vR587iDA2JI/lZCZfWxW3k5xL3nH1SKwjh w6qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=zjEA27Eg6XF3eKGeHuHUg4Y9VCQuoz9AH6MD+L6AeIk=; b=lt6YQcrJILnT+ZU2nMHDw+x+6GGwE56LkPxUbbcrFxT9tkx3oxvtJ6S/yNdAEDUFqE ILD6ZQ8GnNwOWepyjzDNQ8qihxzfq20hJ1UXbJggkyQfdWhs7htstCMtuLjz3jBV/rAa b5XO1XYYLk9RLmZMrDzheXBTFKFDSwMdz8W59DGRUvMg/MBAYOflfbuKU+GGLheNU39b eSDLeW03kkztGMDMDhQ308waWMHwWFHWTpjDisJDqb+wmdoilV6BZpsCAc9Z9K1nRO7S 9UdC+3T184iNMDpb3kNTtC4CzQzDI4ieBk2Yt7Wp3riQncaYH7OIbh1OeG58jMm31Cfx 3s0g==
X-Gm-Message-State: ALQs6tBqS21NuC4LPggVYZvV3c4NAuohUGvCfNXfLEzVoHiliSj9YBk/ Dxtc4AatYfUCaTuWRtSpHbq4MLp3z2LLSZ/YXGtPZQ==
X-Google-Smtp-Source: AB8JxZoQPDD/nmtmxyDeX8U/VfTSjsua6Z8zI8PVluvtm5quqKWingAc2go/4nJocrQ/ZjcuKyrL42cMe3NOoVMDxn8=
X-Received: by 2002:aca:3cc1:: with SMTP id j184-v6mr14973684oia.91.1525346574595; Thu, 03 May 2018 04:22:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.201.118.130 with HTTP; Thu, 3 May 2018 04:22:14 -0700 (PDT)
In-Reply-To: <20180502235705.GJ5742@akamai.com>
References: <od14lk2b0yp.fsf-dueno@redhat.com> <20180502235705.GJ5742@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 03 May 2018 04:22:14 -0700
Message-ID: <CABcZeBPm3p3dkkYb81-6dcqqpWpe3-cjhUjv3n4vswaY2vZYvg@mail.gmail.com>
To: Benjamin Kaduk <bkaduk@akamai.com>
Cc: Daiki Ueno <dueno@redhat.com>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bd136b056b4b6c17"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ACqre4e9-CWiwJrvdOCIDw0rdl4>
Subject: Re: [TLS] psk_key_exchange_mode question
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2018 11:22:58 -0000
On Wed, May 2, 2018 at 4:57 PM, Benjamin Kaduk <bkaduk@akamai.com> wrote: > On Mon, Apr 23, 2018 at 01:45:34PM +0200, Daiki Ueno wrote: > > Hello, > > > > I have a question about handling the psk_key_exchange_mode extension. > > > > 4.2.9. Pre-Shared Key Exchange Modes says: > > > > This extension also restricts the modes for use with PSK resumption; > > servers SHOULD NOT send NewSessionTicket with tickets that are not > > compatible with the advertised modes > > > > Is this compatibility defined externally to the protocol, or does it > > depend on the initial handshake? > > > > To take an example, suppose the server uses the ticket construction > > mechanism described in RFC 5077. > > > > If the former is the case, the server requires PSK with (EC)DHE when the > > ticket encryption key is required to be forward secret. From the > > implementation point of view, that would be provided as an option in the > > server configuration. > > > > On the other hand, if the latter is the case, the server requires PSK > > with (EC)DHE when the initial handshake chose (EC)DHE key exchange, > > because the ticket is tied to resumption_master_secret derived from the > > (EC)DHE secret. > > > > Since the above paragraph is followed by: > > > > however, if a server does so, the impact will just be that the > > client’s attempts at resumption fail. > > > > I thought the latter is more plausible; however, in that case psk_ke > > would only be meaningful when the initial handshake is PSK-only. > > It looks like this came in with https://github.com/tlswg/ > tls13-spec/pull/672 which doesn't > provide much commentary on the motivation for it. > > I believe the latter is the case, in that the issued ticket contains > information > about the psk_key_exchange_modes sent in the initial handshake, but I > disagree with > your interpretation that it is only meaningful when the initial handshake > is PSK-only. > (To be fair, the existing text is not very clear about what it should > mean, so > confusion is understandable.) > > In particular, I think "also restricts the modes for use with PSK > resumption" > means that the psk_key_exchange_modes value(s) sent in the ClientHello is > supposed > to be retained by both parties and associated with the session ticket, and > the > saved value(s) then restrict what mode can be used for resumption, along > with > what values are sent in the resumption handshake itself. This would be > useful if, > for example, a client sends psk_key_exchange_modes of just psk_dhe_ke in > an initial > (non-resumption) handshake, so the server can store state in the session > ticket that > indicates the session ticket must not be used for a psk_ke resumption flow. > The text about "SHOULD NOT send NewSessionTicket with tickets that are not > compatible > with the advertised modes" is then pretty devoid of content, since any > given PSK > (considered as a string of bits) could be used for either psk_ke or > psk_dhe_ke -- > the math doesn't care. It perhaps means that if the server gets this > psk_dhe_ke > initial handshake and then stores a session ticket which only references > psk_ke, > the resumption would fail, but the server has no reason to do that, so we > probably > didn't even need to say it. > What this text is supposed to mean is that the server shouldn't send tickets if it doesn't like the client's psk_ke modes. So, say that the client only supports psk_dhe_ke and the server only supports psk_ke, then the server shouldn't advertise tickets, because future resumption will be useless. -Ekr _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] psk_key_exchange_mode question Daiki Ueno
- Re: [TLS] psk_key_exchange_mode question Benjamin Kaduk
- Re: [TLS] psk_key_exchange_mode question Eric Rescorla