Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard

Hubert Kario <hkario@redhat.com> Thu, 22 February 2018 10:49 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 125BE126B72; Thu, 22 Feb 2018 02:49:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVYlaQ8kWa5U; Thu, 22 Feb 2018 02:49:45 -0800 (PST)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9F981242F5; Thu, 22 Feb 2018 02:49:44 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 22D287C81F; Thu, 22 Feb 2018 10:49:44 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTP id 403BE2026E04; Thu, 22 Feb 2018 10:49:39 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, draft-ietf-tls-tls13@ietf.org, "<tls@ietf.org>" <tls@ietf.org>, IETF discussion list <ietf@ietf.org>
Date: Thu, 22 Feb 2018 11:49:33 +0100
Message-ID: <1539403.0ddWoG7Tox@pintsize.usersys.redhat.com>
In-Reply-To: <CABkgnnWvXi_wchOBQhj+KFKcvd17YQJO_NV2xLn6SZScVQynsg@mail.gmail.com>
References: <151880080195.1349.14035524657942875385.idtracker@ietfa.amsl.com> <CABcZeBOpPW_0=2qfCL4Uc8y8=o8Toj8cVec0=hLUCucUJNwO-w@mail.gmail.com> <CABkgnnWvXi_wchOBQhj+KFKcvd17YQJO_NV2xLn6SZScVQynsg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart12560930.LqIdlgQPAG"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 22 Feb 2018 10:49:44 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 22 Feb 2018 10:49:44 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Dk4D1CHALPvp5v0YLHgvAH_uFoY>
Subject: Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2018 10:49:47 -0000

On Thursday, 22 February 2018 00:22:35 CET Martin Thomson wrote:
> I think that the current behavior is fine, but we might add text to
> suggest that identities be self-authenticating to avoid this sort of
> enumeration.  Note that in common practice, this sort of enumeration
> would be over an infeasibly large space, it's only where identities
> are more easily enumerable that it becomes an issue (e.g., "ted" as an
> identity, rather than a self-encrypted session ticket)

that's why the subject is saying "external PSK", and those can be as simple as 
"ted", "admin", "mary"...

yes, session tickets ("resumption PSK") SHOULD be self-authenticating, if only 
because non authenticated ciphertext is malleable

> On Thu, Feb 22, 2018 at 1:31 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> > i think your general point is sound here, but I'll nitpick the statement
> > that
> > "if the server recognises an identity but is unable to verify
> > corresponding
> > binder".
> > 
> > 1. The server only picks one identity so you if you send A, B, and C and
> > you get an abort, you don't know if it recognized one or all.
> > 2. The server can *recognize* the identity but ignore it (say it's a
> > ticket
> > that's
> > too old)
> > 
> > With that said, I think it would probably be safe to say you must ignore
> > an
> > identity
> > where the binder doesn't validate, but I'd like to hear from
> > cryptographers
> > on this
> > one.
> > 
> > Thanks,
> > -Ekr
> > 
> > On Wed, Feb 21, 2018 at 6:26 AM, Hubert Kario <hkario@redhat.com> wrote:
> >> On Wednesday, 21 February 2018 15:21:58 CET Eric Rescorla wrote:
> >> > On Wed, Feb 21, 2018 at 6:13 AM, Hubert Kario <hkario@redhat.com> 
wrote:
> >> > > On Friday, 16 February 2018 18:06:41 CET The IESG wrote:
> >> > > > The IESG has received a request from the Transport Layer Security
> >> > > > WG
> >> > > 
> >> > > (tls)
> >> > > 
> >> > > > to consider the following document: - 'The Transport Layer Security
> >> > > > (TLS)
> >> > > > Protocol Version 1.3'
> >> > > > 
> >> > > >   <draft-ietf-tls-tls13-24.txt> as Proposed Standard
> >> > > 
> >> > > The current draft states that if the server recognises an identity
> >> > > but
> >> > > is
> >> > > unable to verify corresponding binder, it "MUST abort the handshake"
> >> > 
> >> > Which text are you referring to here?
> >> 
> >> Section 4.2.11:
> >>    Prior to accepting PSK key establishment, the server MUST validate
> >>    the corresponding binder value (see Section 4.2.11.2 below).  If this
> >>    value is not present or does not validate, the server MUST abort the
> >>    handshake.  Servers SHOULD NOT attempt to validate multiple binders;
> >>    rather they SHOULD select a single PSK and validate solely the binder
> >>    that corresponds to that PSK.
> >> > 
> >> > -Ekr
> >> > 
> >> > at the same time, they "SHOULD select as single PSK and validate solely
> >> > the
> >> > 
> >> > > binder that corresponds to that PSK"
> >> > > (Page 60, draft-ietf-tls-tls13-24).
> >> > > 
> >> > > That allows for trivial enumeration of externally established
> >> > > identities -
> >> > > the
> >> > > attacker just needs to send to the server a list of identity guesses,
> >> > > with
> >> > > random data as binders, if the server recognises any identity it will
> >> > > abort
> >> > > connection, if it doesn't, it will continue to a non-PSK handshake.
> >> > > 
> >> > > Behaviour like this is generally considered a vulnerability:
> >> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
> >> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
> >> > > 
> >> > > I was wondering if the document shouldn't recommend ignoring any and
> >> > > all
> >> > > identities for which binders do not verify to prevent this kind of
> >> > > attack.
> >> > > --
> >> > > Regards,
> >> > > Hubert Kario
> >> > > Senior Quality Engineer, QE BaseOS Security team
> >> > > Web: www.cz.redhat.com
> >> > > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
> >> > > _______________________________________________
> >> > > TLS mailing list
> >> > > TLS@ietf.org
> >> > > https://www.ietf.org/mailman/listinfo/tls
> >> 
> >> --
> >> Regards,
> >> Hubert Kario
> >> Senior Quality Engineer, QE BaseOS Security team
> >> Web: www.cz.redhat.com
> >> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic