[TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
Benjamin Kaduk <bkaduk@akamai.com> Thu, 19 July 2018 23:00 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7ADE130DD2 for <tls@ietfa.amsl.com>; Thu, 19 Jul 2018 16:00:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YZQTkIEe29wk for <tls@ietfa.amsl.com>; Thu, 19 Jul 2018 16:00:12 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 935C4130EE8 for <tls@ietf.org>; Thu, 19 Jul 2018 16:00:12 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w6JMvPXx018135 for <tls@ietf.org>; Fri, 20 Jul 2018 00:00:12 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : subject : message-id : mime-version : content-type; s=jan2016.eng; bh=6tabot/lQBi4542QzNY1tVK4ChsMKoqXSlkG0N2qSsE=; b=YtWGEI3i3Gvf4uGMXRcq4RpygoPRCn7nP/cSoaUu8ufl5MKyuQUsK/kiEbjdOBDsh5Fp q4RUZBvC9XGXiCYoZDonDmuzF26qEFmfWx/JAwO2kaw92zaFwMFNhRwL1cxXJe4NaCb7 ELq4FrhfY0I8vKxFr31M7Kxcs4LqB82MTvo+D4zghAl8ZEY1XBZEPBpwkM4CV0d9DrOx CwRZDIKKGMdvfuSGPLXEOsAtp5ufYJtIrDH37h5JOXFM4UYpzpHK04PAdYKvUL1FGZ7g ytIOpDHg/4i7NvzNQ22Skh3H7jB7K6m7fDwMxWCHHMgIpZHuHj8R73pxCFys0xcIFtHc bg==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18]) by mx0a-00190b01.pphosted.com with ESMTP id 2kadm2k3rp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Fri, 20 Jul 2018 00:00:12 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w6JMnwvr008978 for <tls@ietf.org>; Thu, 19 Jul 2018 19:00:10 -0400
Received: from prod-mail-relay10.akamai.com ([172.27.118.251]) by prod-mail-ppoint1.akamai.com with ESMTP id 2k7cgura4q-1 for <tls@ietf.org>; Thu, 19 Jul 2018 19:00:10 -0400
Received: from bos-lpczi.kendall.corp.akamai.com (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 6A29C225C1 for <tls@ietf.org>; Thu, 19 Jul 2018 23:00:10 +0000 (GMT)
Received: from bkaduk by bos-lpczi.kendall.corp.akamai.com with local (Exim 4.86_2) (envelope-from <bkaduk@akamai.com>) id 1fgHu5-0003Ts-U5 for tls@ietf.org; Thu, 19 Jul 2018 18:00:09 -0500
Date: Thu, 19 Jul 2018 18:00:09 -0500
From: Benjamin Kaduk <bkaduk@akamai.com>
To: tls@ietf.org
Message-ID: <20180719230009.GD14551@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-19_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=1 mlxscore=1 mlxlogscore=190 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807190237
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-19_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=1 clxscore=1015 lowpriorityscore=0 mlxscore=1 impostorscore=0 mlxlogscore=189 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807190239
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BXsHBsoSHv31ysf6ocITiuTx7fg>
Subject: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 23:00:15 -0000
Hi all, As I mentioned at the mic today, there is a question that has been raised about whether it's wise to reuse an existing (TLS 1.2) PSK directly in the TLS 1.3 key ladder. At a high level, the reason why one might want to restrict this is that the security proofs for TLS 1.3 rely on the pre-shared key being only used with a single key-derivation function (our HKDF-using Derive-Secret), and TLS 1.2 uses a different key-derivation function, so formally the proofs do not hold. We don't currently know of a specifc attack against such reuse, of course, but perhaps it is prudent to restrict our usage to adhere to the verified scenarios. This is somewhat timely, as if we do want to introduce a restriction, it would ideally be in the form of some text in the TLS 1.3 specification, which is very nearly done. It would be good to hear more opinions on this question, particularly from those who have worked on the formal verification directly. If I can attempt to summarize some discussion that occurred in the mic line today, Hannes was surprised that we would care, likening this case to the regular version negotiation, where we are happy to use the same certificate to sign messages for both TLS 1.2 and 1.3. David Benjamin points out that we explicitly go to the trouble of putting 64 bytes of 0x20 padding at the front of the content that gets signed for CertificateVerify, to enforce separation between the TLS versions. My own personal opinion is that we should enforce a domain separation between TLS 1.2 PSKs and TLS 1.3 PSKs; David Benjamin's "Universal PSKs" proposal seems like a potential mechanism by which to do so without doubling the provisioning needs. -Ben (with no hat)
- [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3 Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… David Benjamin
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Jonathan Hoyland
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla