IETF Logo Mail Archive

[TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

Benjamin Kaduk <bkaduk@akamai.com> Thu, 19 July 2018 23:00 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A7ADE130DD2 for <tls@ietfa.amsl.com>; Thu, 19 Jul 2018 16:00:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YZQTkIEe29wk for <tls@ietfa.amsl.com>; Thu, 19 Jul 2018 16:00:12 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 935C4130EE8 for <tls@ietf.org>; Thu, 19 Jul 2018 16:00:12 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w6JMvPXx018135 for <tls@ietf.org>; Fri, 20 Jul 2018 00:00:12 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : subject : message-id : mime-version : content-type; s=jan2016.eng; bh=6tabot/lQBi4542QzNY1tVK4ChsMKoqXSlkG0N2qSsE=; b=YtWGEI3i3Gvf4uGMXRcq4RpygoPRCn7nP/cSoaUu8ufl5MKyuQUsK/kiEbjdOBDsh5Fp q4RUZBvC9XGXiCYoZDonDmuzF26qEFmfWx/JAwO2kaw92zaFwMFNhRwL1cxXJe4NaCb7 ELq4FrhfY0I8vKxFr31M7Kxcs4LqB82MTvo+D4zghAl8ZEY1XBZEPBpwkM4CV0d9DrOx CwRZDIKKGMdvfuSGPLXEOsAtp5ufYJtIrDH37h5JOXFM4UYpzpHK04PAdYKvUL1FGZ7g ytIOpDHg/4i7NvzNQ22Skh3H7jB7K6m7fDwMxWCHHMgIpZHuHj8R73pxCFys0xcIFtHc bg==
Received: from prod-mail-ppoint1 (prod-mail-ppoint1.akamai.com [184.51.33.18]) by mx0a-00190b01.pphosted.com with ESMTP id 2kadm2k3rp-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <tls@ietf.org>; Fri, 20 Jul 2018 00:00:12 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w6JMnwvr008978 for <tls@ietf.org>; Thu, 19 Jul 2018 19:00:10 -0400
Received: from prod-mail-relay10.akamai.com ([172.27.118.251]) by prod-mail-ppoint1.akamai.com with ESMTP id 2k7cgura4q-1 for <tls@ietf.org>; Thu, 19 Jul 2018 19:00:10 -0400
Received: from bos-lpczi.kendall.corp.akamai.com (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 6A29C225C1 for <tls@ietf.org>; Thu, 19 Jul 2018 23:00:10 +0000 (GMT)
Received: from bkaduk by bos-lpczi.kendall.corp.akamai.com with local (Exim 4.86_2) (envelope-from <bkaduk@akamai.com>) id 1fgHu5-0003Ts-U5 for tls@ietf.org; Thu, 19 Jul 2018 18:00:09 -0500
Date: Thu, 19 Jul 2018 18:00:09 -0500
From: Benjamin Kaduk <bkaduk@akamai.com>
To: tls@ietf.org
Message-ID: <20180719230009.GD14551@akamai.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-19_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 suspectscore=1 malwarescore=0 phishscore=0 bulkscore=0 spamscore=1 mlxscore=1 mlxlogscore=190 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807190237
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-07-19_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=1 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=1 clxscore=1015 lowpriorityscore=0 mlxscore=1 impostorscore=0 mlxlogscore=189 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1806210000 definitions=main-1807190239
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BXsHBsoSHv31ysf6ocITiuTx7fg>
Subject: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Jul 2018 23:00:15 -0000

Hi all,

As I mentioned at the mic today, there is a question that has been
raised about whether it's wise to reuse an existing (TLS 1.2) PSK
directly in the TLS 1.3 key ladder.  At a high level, the reason why one
might want to restrict this is that the security proofs for TLS 1.3 rely
on the pre-shared key being only used with a single key-derivation
function (our HKDF-using Derive-Secret), and TLS 1.2 uses a different
key-derivation function, so formally the proofs do not hold.  We don't
currently know of a specifc attack against such reuse, of course, but
perhaps it is prudent to restrict our usage to adhere to the verified
scenarios.

This is somewhat timely, as if we do want to introduce a restriction, it
would ideally be in the form of some text in the TLS 1.3 specification,
which is very nearly done.

It would be good to hear more opinions on this question, particularly
from those who have worked on the formal verification directly.

If I can attempt to summarize some discussion that occurred in the mic
line today, Hannes was surprised that we would care, likening this case
to the regular version negotiation, where we are happy to use the same
certificate to sign messages for both TLS 1.2 and 1.3.  David Benjamin
points out that we explicitly go to the trouble of putting 64 bytes of
0x20 padding at the front of the content that gets signed for
CertificateVerify, to enforce separation between the TLS versions.

My own personal opinion is that we should enforce a domain separation
between TLS 1.2 PSKs and TLS 1.3 PSKs; David Benjamin's "Universal PSKs"
proposal seems like a potential mechanism by which to do so without
doubling the provisioning needs.

-Ben (with no hat)

v2.23.0 | Report a Bug | By Email