IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer

"Christopher Wood" <caw@heapingbits.net> Fri, 28 February 2020 04:49 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C2993A0F5C for <tls@ietfa.amsl.com>; Thu, 27 Feb 2020 20:49:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=E3H0hrGD; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=onsALUde
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WCdJi_dtoiNI for <tls@ietfa.amsl.com>; Thu, 27 Feb 2020 20:49:48 -0800 (PST)
Received: from out3-smtp.messagingengine.com (out3-smtp.messagingengine.com [66.111.4.27]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DFEC3A0F32 for <tls@ietf.org>; Thu, 27 Feb 2020 20:49:48 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id ADE7D21F57; Thu, 27 Feb 2020 23:49:46 -0500 (EST)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Thu, 27 Feb 2020 23:49:46 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm3; bh=xBASIH5kSFjddj2DnpXBdbVv7TF0 nxXO0kAdA4knIzo=; b=E3H0hrGDAt6CJtCOsU3api2j588iwuIaz/GckhxLb8u9 MyKTfH6myvhw9KBK+Ql5h8y0qf3F/FIrXXZnmktaR3DLinMziR2pJYgu/MTIG7Nl mJhRfuLO8GM+gcNkyLU/K9Rr1HZWe6/5J7GRJz+1lt5brhDqjWsvjs1jHbdX55Tf 8cTA+LIe8wBvY9+Z2MTyDGBYs39nbL9WZ9ruH5fRG8plgEekx7cfz5Nrx9U/GOds EcuEXzs7OBLq4Dui4Q2Nu5+fCUj9f/6ZoLvQumbLvnqpRDGPNCLNA010dwkXVBut 5aUh7xh7sW9ouIBAJXUWxLR3bRa1Ltat+TtpAocokQ==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=xBASIH 5kSFjddj2DnpXBdbVv7TF0nxXO0kAdA4knIzo=; b=onsALUdedi4XeHhgQoKrfQ IqF9o2gJnTK9CzPHl0sIexn7zJJrWyO0cc9Bfy9YxehU1nmRF3AjrKVQqZDAf4xb /ftublcXQxgFErUStABf6E8SgkxQibTI+72X/LtlXQwSNpbfTxqkeo9s9NMDadCv zDpIAjUHS3CsF6fnTi+E0cPtiu4E4q3tKGqAIq0Ps4JlWIJUdTNLAbm4MPW/Hn0E VwTTZZ52JsqDhTuUmat7hdI8byAg5Gp4qyVVoONQ+o7/n6xTAgLaxzQ9+GowFjUY xHMm5JeVgS9CSgv3etYKtgOpiZ18DTeLymGdUalO3Vs/SgEFOtrY36RHwiSV90bw ==
X-ME-Sender: <xms:6ptYXrJJKM-ny1cmnGoBuhpko2gz4vV4gbix4y6cgUDaibcbO4W2Zw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrleejgdejjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfvehhrhhi shhtohhphhgvrhcuhghoohgufdcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucffohhmrghinhepihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfr rghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:6ptYXqrfh1V0K-MQlCi0lEudGwmxkfc-NsNNV0G2iLvBpGNmxZiCZA> <xmx:6ptYXqIhJqCphoKAwDBbc6kDj52QC4EDU1gTq5spyntXL6lp_4ezlA> <xmx:6ptYXvSa4SSbLwQcTuiMmNe-R3tlLIZSoPYiVWlTCaTt5JgPjAWZ1A> <xmx:6ptYXtkkuWR0LENQkWeKIWFcLqHtUHEEMbnyTRpDOOQZ_A6VnxAkzg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 1E88A3C00A1; Thu, 27 Feb 2020 23:49:46 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-967-g014f925-fmstable-20200226v1
Mime-Version: 1.0
Message-Id: <75b70352-9cc5-4aa1-9cca-42f37fe615d2@www.fastmail.com>
In-Reply-To: <CAF8qwaCPQ1JwKKwbM9THnhiO=1F1V5Z_Wj5LYMjZkyf0W-zygg@mail.gmail.com>
References: <CAOgPGoBnSsDDaWWRHjkdjVRWw_DtxFYSQS7G-NyeSUfTzmYbAw@mail.gmail.com> <CAChr6SyA05VTB1n5Dcc2WNP6rrpsvDGXuPQxDxM9-=3JiYYPLQ@mail.gmail.com> <CABcZeBOPaGZ1ZKWpXkhC05v3HcbSLNuXYD_Lzw0S6iaBQY0a9A@mail.gmail.com> <CAChr6Sz7EqMbHNzcvbwdXkWB1JbQQig3RXCrzG6zascJL__t2Q@mail.gmail.com> <8887946c-8509-483c-9c62-de5393fb9eaf@www.fastmail.com> <CACykbs3LjPXPyvXGthCxYPK_Kv_+3TCV8VmkYab6gkfOfNmYuA@mail.gmail.com> <CAF8qwaCPbQfXWvTm7VgS7G6XAfzEY_=rTfD2CzRWsSod+MpC2Q@mail.gmail.com> <CACykbs08ico3WVDK-E=sqTSVPD=gYQdJ8eiQzyxhKqY=q_EPUQ@mail.gmail.com> <CAF8qwaCPQ1JwKKwbM9THnhiO=1F1V5Z_Wj5LYMjZkyf0W-zygg@mail.gmail.com>
Date: Thu, 27 Feb 2020 20:49:23 -0800
From: Christopher Wood <caw@heapingbits.net>
To: David Benjamin <davidben@chromium.org>, Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/D8Gv4d7PI1EcN7Rdz4e8jnrAhQw>
Subject: Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2020 04:49:50 -0000


On Thu, Feb 27, 2020, at 1:31 PM, David Benjamin wrote:
> On Mon, Feb 24, 2020 at 5:58 PM Jonathan Hoyland 
> <jonathan.hoyland@gmail.com> wrote:
> > This would be for cases where we want to inject extra context into a resumption. 
> > That would be anything that changes an authentication property, so for example if you wanted to include some agreement on the status of a post-handshake auth or Exported Authenticator.
> > 
> > So for example imagine I had a session during which I received an EA and when I came to resume that session I wished to indicate that I was still willing to accept the EA.
> > I would offer a special PSK and inject some extra material into the handshake*, and if the server was able / willing to agree to this it would select the PSK. 
> > I could also offer a PSK with no extra injected material, as a fallback, and request the EA again. 
> > 
> > * This would only affect the binder for the PSK in the ClientHello. 
> 
> I'm still not following. If you're resuming, this is a PSK issued from 
> a NewSessionTicket, in which case this isn't an imported PSK at all. 
> It's a resumption PSK and uses "res binder". If we needed to negotiate 
> variations on a resumption, this importer mechanism wouldn't give us a 
> way to express that anyway. I expect we'd instead lean on some 
> combination of multiple tickets, NewSessionTicket extensions, and plain 
> ClientHello extensions. But maybe I'm still not understanding the 
> scenario.
> > Another potential use would be the binding for ECHO, although I don't have a clear enough picture of the precise mechanics of that to know if it would be helpful.
> 
> Chris is probably more up-to-date here, but I don't believe the current 
> ECHO design looks like a funny PSK.

That's right -- it's just another extension in the outer CH. 

Best,
Chriss

> > Something that would allow for a consistent naming in the future would be my preference, because just as "imp binder" doesn't preclude "imp r binder", using "imp e binder" doesn't preclude us never adopting "imp r binder".
> > I vaguely remember discussing whether the longer name would tip us into an extra hash invocation at the last IETF, and concluding that it didn't, although I'd have to double check that. 
> 
> Of course. Yeah, I think the more pertinent question is whether "imp r 
> binder" is actually a thing.
> > Regards,
> > 
> > Jonathan 
> > 
> > On Mon, 24 Feb 2020, 22:23 David Benjamin, <davidben@chromium.org> wrote:
> >> On Mon, Feb 24, 2020 at 4:33 PM Jonathan Hoyland <jonathan.hoyland@gmail.com> wrote:
> >>> Just looking at this again, it might be better to make a slightly different tweak to the key schedule.
> >>> Instead of:
> >>>                 0
>                 |
>                 v
>       PSK ->  HKDF-Extract = Early Secret
>                 |
>                 +-----> Derive-Secret(., "ext binder"
>                 |                      | "res binder"
>                 |                      | "imp binder", "")
>                 |                     = binder_key                v
> >>> 
> >>> We should do:
> >>> 
> >>>                 0
>                 |
>                 v
>       PSK ->  HKDF-Extract = Early Secret
>                 |
>                 +-----> Derive-Secret(., "ext binder"
>                 |                      | "res binder"
>                 |                      | "imp e binder"                
> |                      | "imp r binder", "")
>                 |                     = binder_key                v
> >>> or at least:
> >>>                 0
>                 |
>                 v
>       PSK ->  HKDF-Extract = Early Secret
>                 |
>                 +-----> Derive-Secret(., "ext binder"
>                 |                      | "res binder"
>                 |                      | "imp e binder", "")
>                 |                     = binder_key                v
> >>> 
> >>> 
> >>> Just so that we can distinguish between external imported binders and resumed imported binders, should we at some point decide to do both. 
> >> 
> >> I may just be confused, but what would a resumed imported binder mean? I see this mechanism as largely a bugfix for TLS 1.3 external PSKs, rather than a new kind of adjective describing PSKs.
> >> 
> >> ("imp binder" also doesn't preclude "imp r binder" later if we later define something which needs it, but I'm confused what the concept even would be.)
> >> 
> >> David
> >>> On Mon, 24 Feb 2020 at 20:50, Christopher Wood <caw@heapingbits.net> wrote:
> >>>> On Fri, Feb 21, 2020, at 1:15 PM, Rob Sayre wrote:
> >>>>  > 
> >>>>  > 
> >>>>  > On Fri, Feb 21, 2020 at 8:35 AM Eric Rescorla <ekr@rtfm.com> wrote:
> >>>>  > > 
> >>>>  > > 
> >>>>  > > On Thu, Feb 20, 2020 at 7:08 PM Rob Sayre <sayrer@gmail.com> wrote:
> >>>>  > >> Hi,
> >>>>  > >> 
> >>>>  > >> I'm not sure how violations of these requirements would result in poor interoperability:
> >>>>  > >> 
> >>>>  > >> Clients which import external keys TLS MUST NOT use these keys for
> >>>>  > >> any other purpose. Moreover, each external PSK MUST be associated
> >>>>  > >> with at most one hash function.
> >>>>  > >> 
> >>>>  > >> These seem like aspirational security goals. It would be better to describe the consequences of violating these conditions.
> >>>>  > > 
> >>>>  > > I don't agree. They are requirements in order to be able to make the assertions we want to make about the security of the protocol.
> >>>>  > > 
> >>>>  > > This is consistent with the following text of RFC 2119 S 6
> >>>>  > > ".. or to limit behavior which has potential for causing harm (e.g., limiting retransmisssions) "
> >>>>  > > 
> >>>>  > > I don't think it would be unreasonable.to explain the reason for these, though this is already a requirement of 8446 S 4.2.11 (though without justification).
> >>>>  > 
> >>>>  > I think that interpretation of 2119 is a stretch, but your idea to add 
> >>>>  > an explanation while keeping the 2119 terms addresses my concern. At 
> >>>>  > the very least, the draft should note this is already a requirement of 
> >>>>  > 8446.
> >>>> 
> >>>>  That seems perfectly reasonable! We can point to the security considerations to clarify the "single hash function" requirement, and we can note cross protocol attack deterrence for the other claim. Would that suffice? If not, can you please recommend text?
> >>>> 
> >>>>  Thanks,
> >>>>  Chris
> >>>> 
> >>>>  _______________________________________________
> >>>>  TLS mailing list
> >>>> TLS@ietf.org
> >>>> https://www.ietf.org/mailman/listinfo/tls
> >>>  _______________________________________________
> >>>  TLS mailing list
> >>> TLS@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email