IETF Logo Mail Archive

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

Eric Rescorla <ekr@rtfm.com> Thu, 26 July 2018 17:58 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8446B130E83 for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 10:58:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x3r2MsAf8_T4 for <tls@ietfa.amsl.com>; Thu, 26 Jul 2018 10:58:48 -0700 (PDT)
Received: from mail-lj1-x231.google.com (mail-lj1-x231.google.com [IPv6:2a00:1450:4864:20::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D117124D68 for <tls@ietf.org>; Thu, 26 Jul 2018 10:58:47 -0700 (PDT)
Received: by mail-lj1-x231.google.com with SMTP id p6-v6so2246965ljc.5 for <tls@ietf.org>; Thu, 26 Jul 2018 10:58:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=/bWKJKIl0g2HCijCi/SRXWupOwITDycujDqVv1iiKqI=; b=jGbVELmFRpVota9FUGfQuJxR15ElOPsHEW+wj3jSIHQjyC7+q4lZ6hWsvyMX4pnC1N osl/T6iNMtuS3j4rgsXorFE8DgGbDghJ3tEwWgdqvHZtuEKOZzuWIcd6xtsN07V8cH6z jjCqJRyQIA9MSX31Te/gvnQ76Od28UJ3Ws8o4MxvwtKiN0QEbQm7Gu4ZLRgQ/jeGMDGf R0iLdUuJmvNIT2M3dAXjF26cTfhCgJsgQ4x9wKOG2yf0lepEr3xS/pj1hCKKQuosODGe tIpPHAP/Pjsa67P1tV9+4DH+0iwLbiOLliEDmOaXHGQm0QjklG1Eab8eXseR9WzY53Sr x0Lg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=/bWKJKIl0g2HCijCi/SRXWupOwITDycujDqVv1iiKqI=; b=axBXOzBN5P5FKHFo5TYghnfExlIpSLvjaBuZhz83ChetlzXrN/uW22MXsMLiHcg6pc TeWOMaGyBHhOEQrca6luX/B2/8EIegaKj4YKQ+IC7kCRK9rTfNK+7MUyD/7QJvVGYE+N iqQvQMrfmrIg6D8ylC8zy91kPsutV7KHTF+n43UgnKIri07mX2PwAOrZwsRS3aA3SPdP FAvKj4K2FZKR+N8IACNu1tCGScxjXdIkUBW/UdD5JGyLofOO87dlrg/4H1KYlifJsGVr 8sXBeZH/bET9q5gamnm1uVK80QBsIRDWDqsr9UsDhHXE4IOUrH3Pe/xivi2d1Rlrc+EE bNzQ==
X-Gm-Message-State: AOUpUlFbQ/gdueA4ywTZ+5tVLD/B1AjC3sVPYB60PDn5KRoy5yw3jfOD UBrfPDy582Phbu/8u4aldrBFK0Igq0umR3V5bGbCwOaw
X-Google-Smtp-Source: AAOMgpfwrzeRBwFTnhZTTVvQN7Ly4BBgcTap7NVVZ6TRFoUE1J47X+lz/Adnh69+QE+mYwbUa8g6JXax5D6t8g/ZHPE=
X-Received: by 2002:a2e:7014:: with SMTP id l20-v6mr2535297ljc.141.1532627925799; Thu, 26 Jul 2018 10:58:45 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Thu, 26 Jul 2018 10:58:05 -0700 (PDT)
In-Reply-To: <20180719230009.GD14551@akamai.com>
References: <20180719230009.GD14551@akamai.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 26 Jul 2018 10:58:05 -0700
Message-ID: <CABcZeBO=LnxybFq2uog3UYoGgnb0KiE3oG=hGY5UWYauOtwMBw@mail.gmail.com>
To: Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000017267c0571eabf2c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/FKB5oNxTVoIh59I3q9epHk6Q1Uw>
Subject: Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jul 2018 17:58:50 -0000

Ben,

Thanks for focusing on this issue.

Chris and I have been discussing an alternative design which we think
is more consistent with the existing structure, which we call PSK
Importers. As with your design, we have an input universal PSK, but
instead of using explicitly as part of the connection, we just use it
as the base key to import a set of new PSKs into TLS.

As with Universal PSKs (UPSKs), each input key is a triplet of
(BaseIdentity, BaseKey, KDF), where a BaseIdentity is a PSK identity
as used today. To use a UPSK, an implementation takes the set of KDF
hashes it knows about H_i and derives a set of PSKs:

  Hash_i: H_i
  Identity_i: BaseIdentity || H_i
  Key_i: Derived from BaseKey and Identity_i

This gives you a set of keys which you can offer simultaneously on the
TLS connection in independent psk_identity blocks. (Note that the hash
algorithm is what differentiates each derived key.) This is a bit
ugly, but with the current TLS 1.3 ciphers, this basically just means
SHA-256, but even in the worst case it’s probably only 2-3.

The nice thing about this design is that if you know the set of hash
functions, you can just compute all the imported PSKs in advance, and
there’s no need to touch the internals of the TLS stack. This also
means that if you have decided you don’t like old hash X, you don’t
need to use it to compute PSK binders, you just use it do the KDF,
which seems like it has weakersecurity requirements.

Here’s a specific construction, but we’re flexible about the details:

   struct {
       opaque base_identity<1...2^16-1>;
       HashAlgorithm hash;
   } imported_psk_identity;

   UPSKx = HKDF-Extract(0, UPSK)  // UPSK is the input universal PSK
   PSK = HKDF-Expand-Label(UPSKx, "derived psk", BaseKDF(psk_identity),
TargetHash.length) // Might need to shorten label

These functions would be executed with the KDF associated with the UPSK,
but produce
a key the size of the desired hash.

This brings us to the question of TLS 1.2. I found Ilari’s analyis
pretty persuasive, so I would suggest we add the following text to the
TLS 1.3 spec:

    TLS 1.3 takes a conservative approach to PSKs by binding them to a
    specific KDF. TLS 1.2 allows PSKs to be used with any hash function
    and the TLS 1.2 PRF. The constructions in TLS 1.2 and TLS 1.3,
    although both based on HMAC, are very different and there is no known
    way in which reuse of the same PSK in TLS 1.3 and TLS 1.2 would
    produce related output, although only limited formal analysis has been
    done. Implementations MAY wish to avoid reuse of keys between TLS 1.3
    and TLS 1.2, or use a key derivation proposal such as [Informative ref
    to this email or a draft].

Other than this, we wouldn’t make any changes to the document.

What do people think?

-Ekr





On Thu, Jul 19, 2018 at 4:00 PM, Benjamin Kaduk <bkaduk=40akamai.com@dmarc.
ietf.org> wrote:

> Hi all,
>
> As I mentioned at the mic today, there is a question that has been
> raised about whether it's wise to reuse an existing (TLS 1.2) PSK
> directly in the TLS 1.3 key ladder.  At a high level, the reason why one
> might want to restrict this is that the security proofs for TLS 1.3 rely
> on the pre-shared key being only used with a single key-derivation
> function (our HKDF-using Derive-Secret), and TLS 1.2 uses a different
> key-derivation function, so formally the proofs do not hold.  We don't
> currently know of a specifc attack against such reuse, of course, but
> perhaps it is prudent to restrict our usage to adhere to the verified
> scenarios.
>
> This is somewhat timely, as if we do want to introduce a restriction, it
> would ideally be in the form of some text in the TLS 1.3 specification,
> which is very nearly done.
>
> It would be good to hear more opinions on this question, particularly
> from those who have worked on the formal verification directly.
>
> If I can attempt to summarize some discussion that occurred in the mic
> line today, Hannes was surprised that we would care, likening this case
> to the regular version negotiation, where we are happy to use the same
> certificate to sign messages for both TLS 1.2 and 1.3.  David Benjamin
> points out that we explicitly go to the trouble of putting 64 bytes of
> 0x20 padding at the front of the content that gets signed for
> CertificateVerify, to enforce separation between the TLS versions.
>
> My own personal opinion is that we should enforce a domain separation
> between TLS 1.2 PSKs and TLS 1.3 PSKs; David Benjamin's "Universal PSKs"
> proposal seems like a potential mechanism by which to do so without
> doubling the provisioning needs.
>
> -Ben (with no hat)
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

v2.23.0 | Report a Bug | By Email