Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
Hubert Kario <hkario@redhat.com> Thu, 22 February 2018 10:49 UTC
Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 125BE126B72; Thu, 22 Feb 2018 02:49:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MVYlaQ8kWa5U; Thu, 22 Feb 2018 02:49:45 -0800 (PST)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9F981242F5; Thu, 22 Feb 2018 02:49:44 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 22D287C81F; Thu, 22 Feb 2018 10:49:44 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTP id 403BE2026E04; Thu, 22 Feb 2018 10:49:39 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Eric Rescorla <ekr@rtfm.com>, draft-ietf-tls-tls13@ietf.org, "<tls@ietf.org>" <tls@ietf.org>, IETF discussion list <ietf@ietf.org>
Date: Thu, 22 Feb 2018 11:49:33 +0100
Message-ID: <1539403.0ddWoG7Tox@pintsize.usersys.redhat.com>
In-Reply-To: <CABkgnnWvXi_wchOBQhj+KFKcvd17YQJO_NV2xLn6SZScVQynsg@mail.gmail.com>
References: <151880080195.1349.14035524657942875385.idtracker@ietfa.amsl.com> <CABcZeBOpPW_0=2qfCL4Uc8y8=o8Toj8cVec0=hLUCucUJNwO-w@mail.gmail.com> <CABkgnnWvXi_wchOBQhj+KFKcvd17YQJO_NV2xLn6SZScVQynsg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart12560930.LqIdlgQPAG"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 22 Feb 2018 10:49:44 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.2]); Thu, 22 Feb 2018 10:49:44 +0000 (UTC) for IP:'10.11.54.4' DOMAIN:'int-mx04.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Dk4D1CHALPvp5v0YLHgvAH_uFoY>
Subject: Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2018 10:49:47 -0000
On Thursday, 22 February 2018 00:22:35 CET Martin Thomson wrote: > I think that the current behavior is fine, but we might add text to > suggest that identities be self-authenticating to avoid this sort of > enumeration. Note that in common practice, this sort of enumeration > would be over an infeasibly large space, it's only where identities > are more easily enumerable that it becomes an issue (e.g., "ted" as an > identity, rather than a self-encrypted session ticket) that's why the subject is saying "external PSK", and those can be as simple as "ted", "admin", "mary"... yes, session tickets ("resumption PSK") SHOULD be self-authenticating, if only because non authenticated ciphertext is malleable > On Thu, Feb 22, 2018 at 1:31 AM, Eric Rescorla <ekr@rtfm.com> wrote: > > i think your general point is sound here, but I'll nitpick the statement > > that > > "if the server recognises an identity but is unable to verify > > corresponding > > binder". > > > > 1. The server only picks one identity so you if you send A, B, and C and > > you get an abort, you don't know if it recognized one or all. > > 2. The server can *recognize* the identity but ignore it (say it's a > > ticket > > that's > > too old) > > > > With that said, I think it would probably be safe to say you must ignore > > an > > identity > > where the binder doesn't validate, but I'd like to hear from > > cryptographers > > on this > > one. > > > > Thanks, > > -Ekr > > > > On Wed, Feb 21, 2018 at 6:26 AM, Hubert Kario <hkario@redhat.com> wrote: > >> On Wednesday, 21 February 2018 15:21:58 CET Eric Rescorla wrote: > >> > On Wed, Feb 21, 2018 at 6:13 AM, Hubert Kario <hkario@redhat.com> wrote: > >> > > On Friday, 16 February 2018 18:06:41 CET The IESG wrote: > >> > > > The IESG has received a request from the Transport Layer Security > >> > > > WG > >> > > > >> > > (tls) > >> > > > >> > > > to consider the following document: - 'The Transport Layer Security > >> > > > (TLS) > >> > > > Protocol Version 1.3' > >> > > > > >> > > > <draft-ietf-tls-tls13-24.txt> as Proposed Standard > >> > > > >> > > The current draft states that if the server recognises an identity > >> > > but > >> > > is > >> > > unable to verify corresponding binder, it "MUST abort the handshake" > >> > > >> > Which text are you referring to here? > >> > >> Section 4.2.11: > >> Prior to accepting PSK key establishment, the server MUST validate > >> the corresponding binder value (see Section 4.2.11.2 below). If this > >> value is not present or does not validate, the server MUST abort the > >> handshake. Servers SHOULD NOT attempt to validate multiple binders; > >> rather they SHOULD select a single PSK and validate solely the binder > >> that corresponds to that PSK. > >> > > >> > -Ekr > >> > > >> > at the same time, they "SHOULD select as single PSK and validate solely > >> > the > >> > > >> > > binder that corresponds to that PSK" > >> > > (Page 60, draft-ietf-tls-tls13-24). > >> > > > >> > > That allows for trivial enumeration of externally established > >> > > identities - > >> > > the > >> > > attacker just needs to send to the server a list of identity guesses, > >> > > with > >> > > random data as binders, if the server recognises any identity it will > >> > > abort > >> > > connection, if it doesn't, it will continue to a non-PSK handshake. > >> > > > >> > > Behaviour like this is generally considered a vulnerability: > >> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190 > >> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229 > >> > > > >> > > I was wondering if the document shouldn't recommend ignoring any and > >> > > all > >> > > identities for which binders do not verify to prevent this kind of > >> > > attack. > >> > > -- > >> > > Regards, > >> > > Hubert Kario > >> > > Senior Quality Engineer, QE BaseOS Security team > >> > > Web: www.cz.redhat.com > >> > > Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic > >> > > _______________________________________________ > >> > > TLS mailing list > >> > > TLS@ietf.org > >> > > https://www.ietf.org/mailman/listinfo/tls > >> > >> -- > >> Regards, > >> Hubert Kario > >> Senior Quality Engineer, QE BaseOS Security team > >> Web: www.cz.redhat.com > >> Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic -- Regards, Hubert Kario Senior Quality Engineer, QE BaseOS Security team Web: www.cz.redhat.com Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
- [TLS] UPDATED Last Call: <draft-ietf-tls-tls13-24… The IESG
- Re: [TLS] UPDATED Last Call: <draft-ietf-tls-tls1… Sean Turner
- [TLS] Future interoperability issues for HRR for … Hubert Kario
- Re: [TLS] Future interoperability issues for HRR … Benjamin Kaduk
- [TLS] external PSK identity enumeration Re: UPDAT… Hubert Kario
- Re: [TLS] Future interoperability issues for HRR … Eric Rescorla
- Re: [TLS] external PSK identity enumeration Re: U… Eric Rescorla
- Re: [TLS] external PSK identity enumeration Re: U… Hubert Kario
- Re: [TLS] external PSK identity enumeration Re: U… Eric Rescorla
- Re: [TLS] external PSK identity enumeration Re: U… Martin Thomson
- Re: [TLS] external PSK identity enumeration Re: U… Tony Putman
- Re: [TLS] external PSK identity enumeration Re: U… Hubert Kario
- Re: [TLS] external PSK identity enumeration Re: U… Hubert Kario