Re: [TLS] Revision 10: possible attack if client authentication is allowed during PSK
Ilari Liusvaara <ilariliusvaara@welho.com> Sun, 01 November 2015 09:01 UTC
Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B86CF1B7500 for <tls@ietfa.amsl.com>; Sun, 1 Nov 2015 01:01:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9sbaZ8SIr3_h for <tls@ietfa.amsl.com>; Sun, 1 Nov 2015 01:01:16 -0800 (PST)
Received: from filtteri5.pp.htv.fi (filtteri5.pp.htv.fi [213.243.153.188]) by ietfa.amsl.com (Postfix) with ESMTP id 7153E1B7456 for <tls@ietf.org>; Sun, 1 Nov 2015 01:01:16 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by filtteri5.pp.htv.fi (Postfix) with ESMTP id 19EAF5A79DD; Sun, 1 Nov 2015 11:00:58 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from smtp4.welho.com ([213.243.153.38]) by localhost (filtteri5.pp.htv.fi [213.243.153.188]) (amavisd-new, port 10024) with ESMTP id GFuHciRta0vW; Sun, 1 Nov 2015 11:00:57 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-35-116.bb.dnainternet.fi [87.92.35.116]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp4.welho.com (Postfix) with ESMTPSA id C0B6F5BC019; Sun, 1 Nov 2015 11:01:14 +0200 (EET)
Date: Sun, 01 Nov 2015 11:01:11 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Eric Rescorla <ekr@rtfm.com>
Message-ID: <20151101090111.GA13377@LK-Perkele-V2.elisa-laajakaista.fi>
References: <5634A3B8.7070701@gmail.com> <CABcZeBPNHPzywr89wLgV4zWKjKXXk_kyxoV75pYOuuuK=QO9=A@mail.gmail.com> <20151031142945.GA12815@LK-Perkele-V2.elisa-laajakaista.fi> <CABcZeBPspSzExeDwOTz91LuhPxVyPNsu8F-5NP+3FVLc8ZceOQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CABcZeBPspSzExeDwOTz91LuhPxVyPNsu8F-5NP+3FVLc8ZceOQ@mail.gmail.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
Sender: ilariliusvaara@welho.com
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/BY7czWPe_Covhiz0_OsHjJqHmus>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Revision 10: possible attack if client authentication is allowed during PSK
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Nov 2015 09:01:18 -0000
On Sun, Nov 01, 2015 at 04:36:43AM +0900, Eric Rescorla wrote: > > I've been planning to do a big rewrite of the security "analysis" sections > and while I don't think it's worth having a real analysis in the protocol > (the literature is going to do a much better job here than we can), this > seems like exactly the kind of thing that we do want to capture to > explain the design and for future extensions. What I think is also very important with regards to security is explaining the properties of interfaces to applications. E.g. I want to be able to find answer to "Can I authenticate a client by reading value off TLS-EXTRACTOR and signing it?"[1][2] in the final RFC. Or "Can I key something non-TLS off TLS-Extractor" (yes). And with regards to protocol analysis, the thing that nails you with highest probability (after known bad ideas) is some oddball feature that nobody really analyzes (or analyzes in non-realistic ways, for this documenting assumptions at external interface is VERY useful). These often allow taking cracks in one part of the protocol and then amplifying those to actual attacks. [1] The answer being: Yes, but: - You also need ciphersuite if you need cross-collision resistance (TLS certificate auth would be vulernable to CC if another PRF- hash with 256 or 384 bit output was added). - In versions previous to TLS 1.3, you need extended_master_secret negotiated (because otherwise TLS-Extractor outputs aren't nonces). [2] While TLS does have built-in client certificate authentication, application-layer certificate authentication can be much more flexible, doing things that are just plain infeasible to do in TLS layer (like fine-grained authentication). -Ilari
- [TLS] Revision 10: possible attack if client auth… Sam Scott
- Re: [TLS] Revision 10: possible attack if client … Ilari Liusvaara
- Re: [TLS] Revision 10: possible attack if client … Eric Rescorla
- Re: [TLS] Revision 10: possible attack if client … Ilari Liusvaara
- Re: [TLS] Revision 10: possible attack if client … Eric Rescorla
- Re: [TLS] Revision 10: possible attack if client … Stephen Farrell
- Re: [TLS] Revision 10: possible attack if client … Ilari Liusvaara
- Re: [TLS] Revision 10: possible attack if client … Karthikeyan Bhargavan