Re: [TLS] Review of draft-ietf-tls-external-psk-guidance-00

Christopher Wood <caw@heapingbits.net> Tue, 18 August 2020 15:27 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7D89F3A0CF3 for <tls@ietfa.amsl.com>; Tue, 18 Aug 2020 08:27:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=YrKRDTxI; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=uYZqFGcy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6EggrrMpBEy9 for <tls@ietfa.amsl.com>; Tue, 18 Aug 2020 08:27:02 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73BA53A0CF6 for <tls@ietf.org>; Tue, 18 Aug 2020 08:27:02 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id B3FBC5C01B2 for <tls@ietf.org>; Tue, 18 Aug 2020 11:27:01 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Tue, 18 Aug 2020 11:27:01 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm2; bh=TXUao xelloqvQ8uQclhJU8lgYDq/+c6TQEClxAKvMhQ=; b=YrKRDTxICIBsZ3sl7xkse 4ajl6xPjlj73VVeuIVFjTQix+klxcZejJrq+LoenNJsPOk/4bHmM7iiUh4morKz+ KXGAdLchN0GeHRoLc9MVo9wWtowp7QFgwI1e/mEIn4OjsHKo5UJyzN7890ecD7h7 B+H6acRkBwfEsqzep+JXUFKdUVWo2dPHMoKLY4VnGVKfk75o0Y9dNlbqQBG1yQVj MZPjbaKnAaA0rgt5UKXCGrlWYLIgrOkLahLF2qRM7nPcG9FXNN0pt8Zx1g+fcqX1 hYMC/tWFb+31sYsNHROFAeZsPChV6RwU5AArJ5UeuZHTaIXIPOunpJ+E4IK5eg/z Q==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=TXUaoxelloqvQ8uQclhJU8lgYDq/+c6TQEClxAKvM hQ=; b=uYZqFGcyHoltXaVPcRZEQzOUP2RV23TXYytNz8vxjn4M+/iOj+d0eFmGb LMLnFfLCkpnvdXMF29NQX/14tefliueebR8LlYhNt7rF7/4HO+oUIsSctKBezzML sGud5g7wRMv8PlrBB/+TPpAmn8a3I0sEGEVlUimBCr22NKRwIYywXJuVRBWj9iG7 gcwPFw3DBrub61NqjIT/RR7fXxVhe9WFoWE4p1rJ2QxO+cZ7HnjVUyl/djFxO1wD hQZZcQXP5V0fqtG6Ba4feFAKkReZvX6rvf1aqZFfvheGtI4z9mVlK1mUD4jCL8PX 4VHXDmYDoLHKai3n7AjXtd1zTehfA==
X-ME-Sender: <xms:RfM7X8V8-U2qACT-VuRrg3NlGkyVKkcEhT9hJTNpqsvh45jG8A3iig>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduiedruddtiedgjeefucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtgfesth hqredtreerjeenucfhrhhomhepfdevhhhrihhsthhophhhvghrucghohhougdfuceotggr fieshhgvrghpihhnghgsihhtshdrnhgvtheqnecuggftrfgrthhtvghrnhepkeekieelue euueeuhfeugeeujeeuhedutddujeekheevtdekheelleetudfgueeunecuffhomhgrihhn pehgihhthhhusgdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmh grihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:RfM7Xwk65XxpmiaFIDJJfaE6nPMMrKscnCWN9z8J3Ss-PRDNm5Xk6Q> <xmx:RfM7XwYkamWBLiAI3ibXK5d8Kpcz3vzRT0rTp7sIKMFtLCZTHwrg5Q> <xmx:RfM7X7Um-jh95t25pBMRYS5cVjd6gUyDo_O5WfISGWWQ8EUEgh9DqQ> <xmx:RfM7X8lnQnJK3RSoDx1L2I1bxrUITlUnKxLmqU0H7X8BiYK_qNP2DA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 7C82D3C00A1; Tue, 18 Aug 2020 11:27:01 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-191-gef79d59-fm-20200818.001-gef79d590
Mime-Version: 1.0
Message-Id: <841bd643-d7bf-4211-a40c-9121967b67b6@www.fastmail.com>
In-Reply-To: <3359D367-16E3-4C30-B434-A8043B1F253A@icloud.com>
References: <3359D367-16E3-4C30-B434-A8043B1F253A@icloud.com>
Date: Tue, 18 Aug 2020 08:26:41 -0700
From: "Christopher Wood" <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Fq7qoFOiTDdni5mXmDMpfM5T0FA>
Subject: Re: [TLS] Review of draft-ietf-tls-external-psk-guidance-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Aug 2020 15:27:06 -0000

Hi Carrick,

Sorry for the delay. Please see inline below!

On Thu, Jul 9, 2020, at 10:09 PM, Carrick Bartle wrote:
> Isn’t the rerouting attack described in Section 4 not possible if "A" 
> uses the SNI extension and "C" aborts the connection on mismatch? If 
> so, it might be worth mentioning that as a potential mitigation (as the 
> Selfie paper does).

Indeed. That seems like a fine thing to mention.

> > "C" has completed the handshake, ostensibly with "A".
> "C" did in fact complete the handshake with "A." (Without mistaking it 
> for some other endpoint or something.)

+1, I'm fine with dropping that bit.

> > Low entropy keys are only secure against active attack if a PAKE is 
> used with TLS.
> Maybe cite a document that contains a recommended way of using PAKEs 
> with TLS (e.g. draft-sullivan-tls-opaque-00)?

I'd rather not cite one (now), especially since that document is expired. Perhaps we can file an issue to add a citation later on?

> >  Applications should take precautions when using external PSKs to mitigate these risks.
> What sort of precautions should they take?

Filed: https://github.com/tlswg/external-psk-design-team/issues/36

> > Preventing this type of linkability is out of scope, as PSKs are 
> explicitly designed to support mutual authentication.
> Isn't mutual authentication, in general, orthogonal to linkability? 
> Certificates, for example, are encrypted in TLS 1.3, and so cannot be 
> linked across connections.

This section speaks of linkability by the endpoints, not the network. Any sort of identifier that's reused across connections can be linkable, be it an external PSK ID or a certificate. 

> > Below, we list some example use-cases where pair-wise external PSKs 
> with TLS have been used for authentication.
> I assume "pair-wise" here means a PSK is shared between only one server 
> and one client, but this the term "pair-wise" hasn't been associated 
> with that concept in this document, it's not completely clear. Since 
> "pair-wise" is used twice in the document, maybe define it when the 
> concept is first introduced.

Yep, I agree.

> > primarily for the purposes of supporting TLS connections with fast 
> open (0-RTT data)
> I've only ever heard "fast open" used in the context of TFO, which is 
> distinct from (albeit similar to) 0-RTT. Using "fast open" to refer to 
> 0-RTT sounds like it's conflating terms. Shouldn't "early data" be used 
> here instead of "fast open"?

I think the two phrases are basically equivalent, but if using "early data" is more clear, let's go with that. 

> > In this use-case, resource-constrained IoT devices act as TLS clients 
> and share the same PSK.  The devices use this PSK for quickly 
> establishing connections with a central server.  Such a scheme ensures 
> that the client IoT devices are legitimate members of the system.
> If the IoT devices only talk to a central server and not each other, 
> why do they all need the same PSK?
> 
> > To perform rare system specific operations that require a higher 
> security level, the central server can request resource-intensive 
> client authentication with the usage of a certificate after 
> successfully establishing the connection with a PSK.
> If you're going to authenticate with a cert, why bother preceding that 
> with an authentication with a PSK?

Good question. I'll let Mohit answer this, but my impression was that, unlike the PSKs, each node has its own private key, which seemingly allows the server to authenticate a specific client.

> > 6.1.  Provisioning Examples
> This section contains a list of ways to provision PSKs, but mostly 
> without any commentary or discussion. Are these methods good? Bad? Are 
> there any pitfalls? If so, how can one guard against them?

It's meant to be informational without any comment on the pros and cons of each. 

> > Moreover, PSK production lacks guidance unlike user passwords.
> Isn't that precisely the point of this draft? Seems unnecessary to 
> mention. (Or it might be better to move this point to the intro as a 
> motivating factor of this document.)

Great suggestion!

> > PSK provisioning systems are often constrained in application-specific ways.  For example, although one goal of provisioning is to ensure that each pair of nodes has a unique key pair, some systems do not want to distribute pair-wise shared keys to achieve this.
> Why not? What application-specific constraint would warrant that?

Pointing again to Mohit for the IoT case. :-)

(We might just replace "do not want to" with "might not want to", and leave it at that.)
 
> > some systems require the provisioning process to embed 
> application-specific information in either PSKs or their identities.
> Is it really a good idea to embed data in the PSK itself? Does that not 
> diminish the entropy of the PSK? Why is it not sufficient to put that 
> sort of information in the identity?

It is probably desirable to use the identity for this purpose since, well, its application-specific identifying information. This is just commenting on the state of affairs, I think. 

> > Identities may sometimes need to be routable, as is currently under 
> discussion for EAP-TLS-PSK.
> What does it mean for an identity to be "routable"? Also, EAP-TLS-PSK 
> needs a citation link. I'm not sure which document it's referring to.

It might be, for example, a FQDN. Mohit understands the EAP-TLS-PSK use case better than I do, though, so I'll let him answer. 

> > Applications MUST use external PSKs that adhere to the following 
> requirements:
> I think you mean "If an application uses external PSKs, the PSKs MUST 
> adhere to the following requirements." Otherwise it sounds like you're 
> saying every application must use an external PSK.

Yep, that would be more clear.

> > Each PSK SHOULD be derived from at least 128 bits of entropy
> Recommend a particular method for doing that?

I don't think that's necessary. Any suitable method will suffice.

> > Note that these mechanisms do not necessarily follow the same 
> architecture as the ordinary process for incorporating EPSKs described 
> in this draft.
> Where was the ordinary process for incorporating EPSKs described? Is 
> "incorporating" a PSK the same as "provisioning" one? If so, several 
> ways were described. What's the problem with these mechanisms (e.g. 
> PAKE) having a different architecture from these ordinary processes? 
> Are they not compatible?

I'm not seeing this text in the editor's copy, so I'm not sure what the context is.

> >    3.  Nodes SHOULD use external PSK importers [I-D.ietf-tls-external-psk-importer] when configuring PSKs for a pair of TLS client and server.
> Why?

Because that interface exists to enable external PSKs for TLS 1.3 and beyond. 

> > OpenSSL and BoringSSL: Applications specify support for external PSKs 
> via distinct ciphersuites.
> This is not true of BoringSSL for TLS 1.3. Although the paragraph goes 
> on to mention "new callback functions added specifically to OpenSSL for 
> TLS 1.3 [RFC8446] PSK support," this doesn't preclude 1.3 PSK support 
> in BoringSSL.

We didn't want to go into version-specific details here, but yes, that's right. 

> > PSK identities MAY have a domain name suffix for roaming and federation.
> What do roaming and federation mean here? Is there a source that discusses this?

Hmm, probably? Mohit, can you please drop in a reference?

> > Deployments should take care that the length of the PSK identity is sufficient to avoid obvious collisions.
> What's the difference between a "collision" and an "obvious collision"?

Nothing. We can drop "obivous."

> > This means that if a PSK identity collision occurs, the application will be given precedence over how to handle the PSK.
> How should the application handle the collision?

That's an application-specific decision, so we don't specify it. 

> I'm happy to make the suggested changes in a PR if they look ok.

Yes, please!

Best,
Chris