Re: [TLS] TLS 1.3 and RFC 4279, Pre-Shared Key Ciphersuites
Jayaraghavendran k <jayaraghavendran.k@huawei.com> Mon, 30 November 2015 06:33 UTC
Return-Path: <jayaraghavendran.k@huawei.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 828FA1A885C for <tls@ietfa.amsl.com>; Sun, 29 Nov 2015 22:33:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.785
X-Spam-Level:
X-Spam-Status: No, score=-4.785 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DI52KXIgcwey for <tls@ietfa.amsl.com>; Sun, 29 Nov 2015 22:33:11 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0438E1A885B for <tls@ietf.org>; Sun, 29 Nov 2015 22:33:09 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml406-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CEU32587; Mon, 30 Nov 2015 06:33:06 +0000 (GMT)
Received: from SZXEMI401-HUB.china.huawei.com (10.82.75.33) by lhreml406-hub.china.huawei.com (10.201.5.243) with Microsoft SMTP Server (TLS) id 14.3.235.1; Mon, 30 Nov 2015 06:33:05 +0000
Received: from SZXEMI501-MBX.china.huawei.com ([169.254.1.253]) by SZXEMI401-HUB.china.huawei.com ([10.82.75.33]) with mapi id 14.03.0235.001; Mon, 30 Nov 2015 14:32:54 +0800
From: Jayaraghavendran k <jayaraghavendran.k@huawei.com>
To: Xuelei Fan <xuelei.fan@vimino.com>
Thread-Topic: [TLS] TLS 1.3 and RFC 4279, Pre-Shared Key Ciphersuites
Thread-Index: AQHRKSTQR81q0xKmjECWMANvrDN0uZ60HO7g
Date: Mon, 30 Nov 2015 06:32:54 +0000
Message-ID: <8D925D4C0B78EE41857D407022ECD163BFF02DD7@SZXEMI501-MBX.china.huawei.com>
References: <CAAgBOhtGnaf12xBnmSph4p1Akrndu=SX37cdDCPjkKPub3RO8w@mail.gmail.com> <8D925D4C0B78EE41857D407022ECD163BFF02A60@SZXEMI501-MBX.china.huawei.com> <CAAgBOhvfs86QGyS-JPjUs6ddyY=YQMceT3NVKQtRFwkFQPxZGA@mail.gmail.com>
In-Reply-To: <CAAgBOhvfs86QGyS-JPjUs6ddyY=YQMceT3NVKQtRFwkFQPxZGA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.213.218]
Content-Type: multipart/alternative; boundary="_000_8D925D4C0B78EE41857D407022ECD163BFF02DD7SZXEMI501MBXchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020202.565BEDA3.007E, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.1.253, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: faa7962a42ad686fb6768c315cc2e638
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/C6Rgwesqv2cB-sj4DhBxdXgRemg>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] TLS 1.3 and RFC 4279, Pre-Shared Key Ciphersuites
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Nov 2015 06:33:14 -0000
Yes. Theoretically, you do seem to have a point. But, I have so far not come across implementations making an effective usage of Identity Hint. So, I guess this should not be such a big problem. Regards, Jay *************************************************************************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! *************************************************************************************** From: Xuelei Fan [mailto:xuelei.fan@vimino.com] Sent: 27 November 2015 20:34 To: Jayaraghavendran k Cc: tls@ietf.org Subject: Re: [TLS] TLS 1.3 and RFC 4279, Pre-Shared Key Ciphersuites It is a great idea to use PSK for session resumption. However, as the ServerKeyExchange.psk_identity_hint disappears in TLS 1.3, I was wondering, it may be not easy to make an upgrade for those PSK implementation that relies on ServerKeyExchange.psk_identity_hint. Considering the following initial handshaking example in TLS 1.2. 1. client requests a PSK cipher suite negotiation; 2. server responses with a hint in ServerKeyExchange.psk_identity_hint 3. client looks for the shared key with the hint in the local database/cache/remote service, etc. 4. client provides the shared key in ClientKeyExchange.psk_identity. Here ServerKeyExchange.psk_identity_hint is used as an index to find the shared key in client side. If moving to TLS 1.3, as there is no hint any more, application may need to reconstruct the scenarios above in order to follow the spec of TLS 1.3 and find a new approach to get the shared key. If the client and server are supposed to have a short set of known “Identity – key” pair on either sides between them, the reconstruction can be minimal. If the shared keys are unknown previously before the hint get known, the reconstruction would get complicated. Just guessing theoretically, I have no practical evidence for the case. Hopefully, no one use the case in practice. Regards, Xuelei On Fri, Nov 27, 2015 at 10:00 PM, Jayaraghavendran k <jayaraghavendran.k@huawei.com<mailto:jayaraghavendran.k@huawei.com>> wrote: Hi Xuelei, As per RFC 4279 also, both the client and server are supposed to have a set of “Identity – key” pair on either sides. The “ServerKeyExchange.psk_identity_hint” only helps the client in choosing an “identity-key” pair from a list of several “identity-key pairs” the client may have. In TLS 1.3, instead of the ServerKeyExchange.psk_identity_hint, client sends its list of identities in the client hello itself through PreSharedKey Extension and server chooses one from it and replies in the PreSharedKey Extension. Now, instead of traditional session resumption, this logic will be used which basically has the same abbreviated handshake. So, essentially, TLS 1.2 to TLS 1.3 transition for the above scenario should be viewed as below: (a) In case of PSK, instead of Client guessing and using an Identity based on PSK Identity Hint, both client and server negotiate which identity to use in the hello messages itself. (b) ServerKeyExchange.psk_identity_hint can be obsoleted removed when you transition from 1.2 to 1.3. In my opinion, this makes the PSK based handshake a lot more simpler and easier to use. Could you elaborate on your scenario based on which you say the transition from TLS 1.2 to TLS 1.3 for PSK will be difficult? Regards, Jay *************************************************************************************** This e-mail and attachments contain confidential information from HUAWEI, which is intended only for the person or entity whose address is listed above. Any use of the information contained herein in any way (including, but not limited to, total or partial disclosure, reproduction, or dissemination) by persons other than the intended recipient's) is prohibited. If you receive this e-mail in error, please notify the sender by phone or email immediately and delete it! *************************************************************************************** From: TLS [mailto:tls-bounces@ietf.org<mailto:tls-bounces@ietf.org>] On Behalf Of Xuelei Fan Sent: 27 November 2015 17:29 To: tls@ietf.org<mailto:tls@ietf.org> Subject: [TLS] TLS 1.3 and RFC 4279, Pre-Shared Key Ciphersuites Hi, In the draft spec of TLS 1.3, ServerKeyExchange and ClientKeyExchange get removed, and key_share extension applies to non-PSK cipher suites only. As RFC 4279 need ServerKeyExchange and ClientKeyExchange messages, I think TLS 1.3 updates or obsoletes RFC 4279. Per the draft spec of TLS 1.3, if no suitable identity is provided in pre-shared key extension, the server MUST NOT negotiate a PSK cipher suite. The question comes to me: where the suitable identity comes from? The identity can be acquired by out-of-band approach, or the server NewSessionTicket message. If no out-of-band approach in some circumstances, the server NewSessionTicket message would be the only way to create the identity. The scenarios of using pre-shared key may look like: 1. establish a fresh connection, server sends the NewSessionTicket to indicate it supports session resumption and provide the psk_identity. 2. if client wants a session resumption, subsequent handshaking will use pre_shared key extension with the server provided psk_identity. Looks like PSK applies to session resume only in TLS 1.3, and cannot be used for fresh (initial) handshaking any more, unless out-of-band approach is used to define the identities. I have no experience on PSK, but looks like that it is not A minimal effort for PSK deployments to upgrade from TLS 1.2 to TLS 1.3, if ServerKeyExchange.psk_identity_hint is used previously. It would be nice to consider and specify the impact on RFC 4279 in TLS 1.3 protocols. Regards, Xuelei
- [TLS] TLS 1.3 and RFC 4279, Pre-Shared Key Cipher… Xuelei Fan
- Re: [TLS] TLS 1.3 and RFC 4279, Pre-Shared Key Ci… Jayaraghavendran k
- Re: [TLS] TLS 1.3 and RFC 4279, Pre-Shared Key Ci… Xuelei Fan
- Re: [TLS] TLS 1.3 and RFC 4279, Pre-Shared Key Ci… Jayaraghavendran k