Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Wed, 09 October 2019 08:34 UTC

Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52B4412008D for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 01:34:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vFh1UdIKuwCY for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 01:34:51 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70049.outbound.protection.outlook.com [40.107.7.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D907512000F for <tls@ietf.org>; Wed, 9 Oct 2019 01:34:50 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=gwI6pODhMST5DkiC+Nau0mBoM0yxNYJleCxi4NFIqiv73I7V2lsRapfoQuYpCgvjoWySO+/AWGazWZcu+1vaalUkltKLm9ZoA7WYBAt9kBEzBQLhLuASrgRhIqchx6AyFEVHe/5SER9hxnFUssh/2kR344FZlJ1lfHpjyXUbuDY2mMbA/e7j/wMaDVjvo3JOUTzHOk5MQIMeTcjOZEJVo+mksiXp5z+rKRBGYifo34PhgRQB3mkrJSomLb7tgFy8paowJfmq7+CmiN6M+LRu87eSRRK7IO9RoQqUJoFZOjFK6oTgm8YuBQTBWoflqV3wn+YbfGKW5EoJgWnMXBVhiw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=L1DpeJfU4oLMx5jT1XYOucCUd/O4JI/pvomaCY/EJxM=; b=W5yKHlol2qFlM3B64ITl6MJLPZ3nxN/DOBXpYH1h5jWTB6QNPTl7rz+fFbXo9QhOpOyFoYkuGITwkisXkNivk+IZZPbBus3SYKcmmJDfpagLasK6PvhNdpQYR8yEpfGfVJ+KDqJdtrx2KOxbhobelHfPQtZMsaf/3jCEDb46QbP7vh03qcraEYdjHHczL5Bah7n7YNTGHe2lzdUkQROnWO/6dbSm6X9c8WjDe0wjICWhn4oAOMbFAVJYQ0Mjfhq9/MDWDP0kpi6BzwehBWAJEuQEqoKJ2EV1JYL9UASzYpItbNVdqa9F6YFwHglZJXoyyBL9s1qyt7AaEkttiGcFgw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com (20.178.104.28) by DB7PR01MB4154.eurprd01.prod.exchangelabs.com (52.135.133.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.23; Wed, 9 Oct 2019 08:34:48 +0000
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::64bb:99b3:3e20:83ea]) by DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::64bb:99b3:3e20:83ea%7]) with mapi id 15.20.2327.026; Wed, 9 Oct 2019 08:34:48 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Christopher Wood <caw@heapingbits.net>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
Thread-Index: AQHVe3H9CjIT5rIIxkyi892bPekIVadSEqoA
Date: Wed, 9 Oct 2019 08:34:48 +0000
Message-ID: <D9C3572C.489C7%u1775114@live.warwick.ac.uk>
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <964aab95-1a42-df82-e8e4-cf7ee15ba0f8@ericsson.com> <AE2F1D6C-39AD-4C2F-BE03-FA2F189BBF4B@live.warwick.ac.uk> <896F89B2-37D0-4674-881D-FB9FE4874978@ericsson.com> <FE583332-1915-4B5A-AAAB-AD854CF336B8@live.warwick.ac.uk> <bb410c2a-6836-48a8-ac3d-de395f4c57d8@www.fastmail.com>
In-Reply-To: <bb410c2a-6836-48a8-ac3d-de395f4c57d8@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.7.7.170905
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Feng.Hao@warwick.ac.uk;
x-originating-ip: [217.114.50.58]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d0d6d50a-c2a1-46a0-ce68-08d74c938b93
x-ms-traffictypediagnostic: DB7PR01MB4154:
x-ms-exchange-purlcount: 7
x-microsoft-antispam-prvs: <DB7PR01MB4154B1545A624E910B7ADBEED6950@DB7PR01MB4154.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 018577E36E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(39860400002)(136003)(346002)(366004)(376002)(199004)(189003)(13464003)(53754006)(51914003)(6246003)(476003)(81166006)(786003)(305945005)(7736002)(6486002)(966005)(58126008)(478600001)(486006)(316002)(86362001)(91956017)(186003)(6306002)(14454004)(81156014)(446003)(8676002)(11346002)(26005)(66066001)(14444005)(6512007)(71200400001)(3846002)(66946007)(66446008)(102836004)(6436002)(2906002)(99286004)(25786009)(4326008)(66476007)(76116006)(53546011)(66556008)(6506007)(64756008)(6916009)(76176011)(229853002)(8936002)(6116002)(256004)(5660300002)(71190400001); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7PR01MB4154; H:DB7PR01MB5435.eurprd01.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: warwick.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: zzuTpQpzlExkTrBJEHVtyWT1GfAgkE8X31PFLctEhQL8SyFfqMBcbyPKKXBd3oguRiPtltmhAYq4QhT3XPVyZbkd0y0PuP6v2tMQA7pXFFoNX8Po/740w9+Glx4eWDSBGPWjQcExqwc+Z8vwYyr2KV3UqabSvxRuQ8U04x2G9YjUax1aqaf4QKASdeVrykkP1Z0TTNbJQy9ZS7Hk/y3gcJ9WvgKXuRNuvzYaSjrHfybV82093U7y/nUz+9At32QxGDNxCXmmpBZbXN62DB3WNKUI8Ovz0Nw/FY+fLaAZI6L5ksr+lkNeq60wI9sPUYllLqDBA48Hv+eM54Zy24EEo6z1UjqzerXHfcRrZGymwzV/iuyvWiyTdEpcGXJ3elmp87UUeAIRx05o3hvQ1V/j9g9JOgx7dF7+utzQphSV+VYp/kSpBe9KdaWbO3Zh4EV/ZvQ1pxQR3aM+zgPblcINIQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <F51D2B1725125B4A91D6E0258DB2AD8C@eurprd01.prod.exchangelabs.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: d0d6d50a-c2a1-46a0-ce68-08d74c938b93
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Oct 2019 08:34:48.0588 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Ms/LBNov8Z9r/abUH0+OrK8CEvBKtG2F5xPEkQttkgSeshMkc8zZNSZ/bxDUIP7iLvo/j6DOU2uD/rVY7wKYBkkuRy/Lcq+h5t2EscrAbWw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR01MB4154
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/F7kpGoIR7Ykkqsbt3WbmuIfr4hI>
Subject: Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2019 08:34:54 -0000

Hi Chris,

Thanks for the link. The use of a ³context² field is reasonable. As long
as the client and server check the two MAC identities and ensure they are
different, this specific selfie attack should be presented. I¹m not sure
how TLS PSK deals with the case of having parallel key exchange sessions
between two nodes. If that¹s allowed, and the same ³context field² is used
in the parallel sessions, there might still be a possible UKS attack.
Either the parallel sessions are disabled, or if they are allowed,
additional context should be added to ensure the identities of the two
nodes remain unique even within parallel sessions.

Cheers,
Feng

On 05/10/2019, 12:41, "TLS on behalf of Christopher Wood"
<tls-bounces@ietf.org on behalf of caw@heapingbits.net>; wrote:

>Hi Feng,
>
>For what it's worth, the latest version of the PSK importers draft
>includes a "context" field into which identity information can be fed:
>
>   
>https://tools.ietf.org/html/draft-ietf-tls-external-psk-importer-01#append
>ix-B
>
>Best,
>Chris
>
>On Tue, Sep 24, 2019, at 9:19 AM, Hao, Feng wrote:
>> Hi John,
>> 
>> Reflection attacks are indeed older, but the selfie attack is a bit
>> different. It's actually a variant of the unknown key share attack. A
>> typical example of the UKS attack is the one reported on MQV by Kaliski
>> in 2001 (see "An unknown key-share attack on the MQV key agreement
>> protocol" in ACM TISSEC 2001). In that example, the adversary plays
>> message between two users to cause confusion in the identity, but in
>> Selfie, the adversary plays message with only one user and uses another
>> instance of the user to cause confusion in the identity. When we
>> reported this variant of UKS in [3], we were not aware of anything like
>> that in the literature.
>> 
>> Cheers,
>> Feng
>> 
>> On 24/09/2019, 16:17, "John Mattsson" <john.mattsson@ericsson.com>;
>>wrote:
>> 
>>     Hi,
>>     
>>     I think these reflection attacks are much older than this. I quick
>> search for reflection attack security protocol gives a lot of old
>> results, The description of reflection attack in the following lecture
>> material from 2009 looks just like the "selfie attack" on TLS 1.3
>>     http://www.cs.bham.ac.uk/~tpc/cwi/Teaching/Files/Lecture4_6up.pdf
>>     
>>     With multiple sections there are other things that change as well.
>> If two nodes unintentionally initiate simultaneous ClientHello to each
>> other, even if they only want a single secure connection (I have seen
>> live systems where this happens in practice), an attacker can select
>> which ClientHello to block (e.g. the one with the strongest
>> cryptographic parameters). The following security property would then
>> no longer hold :
>>     
>>       "Downgrade protection:  The cryptographic parameters should be the
>>           same on both sides and should be the same as if the peers had
>>been
>>           communicating in the absence of an attack"
>>     
>>     (I have not looked at what the definitions in [BBFGKZ16] say).
>>     
>>     Cheers,
>>     John
>>     
>>     -----Original Message-----
>>     From: TLS <tls-bounces@ietf.org>; on behalf of "Hao, Feng"
>> <Feng.Hao@warwick.ac.uk>;
>>     Date: Tuesday, 24 September 2019 at 16:09
>>     To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>;,
>> "Owen Friel (ofriel)" <ofriel@cisco.com>;, Jonathan Hoyland
>> <jonathan.hoyland@gmail.com>;
>>     Cc: "TLS@ietf.org"; <tls@ietf.org>;
>>     Subject: Re: [TLS] Selfie attack was Re: Distinguishing between
>> external/resumption PSKs
>>     
>>         
>>         On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M"
>> <tls-bounces@ietf.org on behalf of
>> mohit.m.sethi=40ericsson.com@dmarc.ietf.org>; wrote:
>>         
>>             Hi all,
>>             
>>             On the topic of external PSKs in TLS 1.3, I found a
>> publication on the
>>             Selfie attack:
>> 
>>https://protect2.fireeye.com/url?k=dd432f13-81c9e5ad-dd436f88-869a17b5b21
>>b-dc6c6f0a5dd21faf&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2019%2F347
>>             
>>             Perhaps this was already discussed on the list. I thought
>> that sharing 
>>             it again wouldn't hurt while we discuss how servers
>> distinguish between
>>             external and resumption PSKs.
>>             
>>         I just read the paper with interest. It occurs to me that the
>> selfie attack is consistent with the "impersonation attack" that we
>> reported on SPEKE in 2014; see Sec 4.1 [1] and the updated version with
>> details on how SPEKE is revised in ISO/IEC 11770-4 [2]. The same attack
>> can be traced back to 2010 in [3] where a "worm-hole attack" (Fig. 5,
>> [3]) is reported on the self-communication mode of HMQV. The essence of
>> these attacks is the same: Bob tricks Alice into thinking that she is
>> talking to authenticated Bob, but she is actually talking to herself.
>> In [3], we explained that the attack was missed from the "security
>> proofs" as the proofs didn't consider multiple sessions.
>>         
>>         The countermeasure we proposed in [1-3] was to ensure the user
>> identity is unique in key exchange processes: in case of multiple
>> sessions that may cause confusion in the user identity, an extension
>> should be added to the user identity to distinguish the instances. The
>> underlying intuition is that one should know "unambiguously" whom they
>> are communicating with, and perform authentication based on that. The
>> discovery of this type of attacks and the proposed solution are
>> inspired by the "explicitness principle" (Ross Anderson and Roger
>> Needham, Crypto'95), which states the importance of being explicit on
>> user identities and other attributes in a public key protocol; also see
>> [3]. I hope it might be useful to people who work on TLS PSK.
>>         
>>         [1] 
>> 
>>https://protect2.fireeye.com/url?k=5a822513-0608efad-5a826588-869a17b5b21
>>b-eb260151f78b0718&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2014%2F585.pdf
>>         [2] https://arxiv.org/abs/1802.04900
>>         [3] 
>> 
>>https://protect2.fireeye.com/url?k=d5bf88ff-89354241-d5bfc864-869a17b5b21
>>b-0e9b3bf58e104f32&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2010%2F136.pdf
>>         
>>         
>>         _______________________________________________
>>         TLS mailing list
>>         TLS@ietf.org
>>         https://www.ietf.org/mailman/listinfo/tls
>>         
>>     
>>     
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
>
>_______________________________________________
>TLS mailing list
>TLS@ietf.org
>https://www.ietf.org/mailman/listinfo/tls