IETF Logo Mail Archive

Re: [TLS] PSK in 1.3?

Yoav Nir <ynir.ietf@gmail.com> Sun, 19 October 2014 14:35 UTC

Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84B401A1A18 for <tls@ietfa.amsl.com>; Sun, 19 Oct 2014 07:35:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.7
X-Spam-Level:
X-Spam-Status: No, score=-1.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VS4rmYrKXBSz for <tls@ietfa.amsl.com>; Sun, 19 Oct 2014 07:35:06 -0700 (PDT)
Received: from mail-wi0-x233.google.com (mail-wi0-x233.google.com [IPv6:2a00:1450:400c:c05::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E2BA1A1A12 for <tls@ietf.org>; Sun, 19 Oct 2014 07:35:05 -0700 (PDT)
Received: by mail-wi0-f179.google.com with SMTP id d1so4416695wiv.12 for <tls@ietf.org>; Sun, 19 Oct 2014 07:35:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=IbKPWKIrP2j+wD44pgj5GbPzOaRx9KFUy9Glodl07Zs=; b=PfKw/yI14ozzB9nXO1HK9spK2wUpjVlTJ+1i1plyZTGqSaGe4fApicLPIN5mRWhNYE QNrYix3MJnfTd6Yb80EfQ2jF6aHgSH/TAorGSWZ5s5SGytvxpVVjlUIF2XNPYH2jTqgd uaPfBuHr0+TDcWDFA2tjBdNFtS2RHvgavkYuY5WjV3DuTqX1ClA7N3p4TKG1mixe+O22 MDChj9emp2ieFjdlKzUIwmLss0UZSUvL/Ea0JNaxTC/PtQ7rmLSmjAUufup8o+WJSl1t SsTy5qNaZlOsIT6MAryvqJZXAXjIix6yDBrK9q4kbkimJmjjznJwRNESWyhUsVOJFLzT /ETg==
X-Received: by 10.180.72.228 with SMTP id g4mr12786337wiv.81.1413729304757; Sun, 19 Oct 2014 07:35:04 -0700 (PDT)
Received: from [172.24.248.215] (dyn32-131.checkpoint.com. [194.29.32.131]) by mx.google.com with ESMTPSA id wk5sm8570291wjb.12.2014.10.19.07.35.03 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 19 Oct 2014 07:35:04 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 8.0 \(1990.1\))
From: Yoav Nir <ynir.ietf@gmail.com>
In-Reply-To: <5443BF11.3090505@polarssl.org>
Date: Sun, 19 Oct 2014 17:35:02 +0300
Content-Transfer-Encoding: quoted-printable
Message-Id: <1D875BD8-2727-4895-842A-FC4FAA482E15@gmail.com>
References: <544384C7.9030002@polarssl.org> <78795A6D-3DFA-41C6-A380-C63DDF4C0285@gmail.com> <5443BF11.3090505@polarssl.org>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
X-Mailer: Apple Mail (2.1990.1)
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/FsrnHU8BStoqhbNsMyL7-wSjdZI
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] PSK in 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Oct 2014 14:35:07 -0000

> On Oct 19, 2014, at 4:39 PM, Manuel Pégourié-Gonnard <mpg@polarssl.org> wrote:
> 
> On 19/10/2014 15:03, Yoav Nir wrote:
>> I don’t see what the rationale can be to allow non-PFS for PSK
>> authentication, but prohibit it for certificate authentication.  That would
>> imply that we can make a blanket statement that the data passed in
>> PSK-authenticated sessions is inherently low-value or non-private.  I don’t
>> think we can make that statement.
>> 
> I think the point is that a non-FS PSK key exchange is orders of magnitude
> cheaper in terms of computation time/power usage, RAM usage, and ROM footprint
> which makes it a practical option in much more scenarios than the FS variants.
> 
> For non-PSK key exchanges however, there is some asymetric crypto going on
> regardless of whether the exchange is FS or not. So while the non-FS version
> might be cheaper, the cost difference is nowhere near as big as ECDHE-PSK vs PSK.
> 
> Also, while it would of course be simpler to be able to state that "TLS 1.3
> offers FS" rather than "TLS 1.3 offers FS *except* for PSK", it should be noted
> that there is almost no risk for PSK to be negotiated "by mistake" since the
> keys need to be provisioned.

I understand. It’s just weird that we’re treating non-PFS like it was made from asbestos, laced with arsenic and painted with lead paint, while this is proposing to allow asbestos/arsenic/lead combo as long as it’s much cheaper.

I also understand that in practice, PSK ciphersuites are used only by small devices, whereas the web and SMTP and other things never went for it. But the standards don’t say that. They don’t say that PSK ciphersuites are especially for constrained devices. So if we insist that the same TLS 1.3 be used for both, and we don’t want to say that PSK is for weak security, then we should have a good story of why PFS is not needed for PSK uses, whereas it’s essential for all RSA uses.  If I understand the mechanism correctly, PSKs tend to be long-lived, and a subsequent compromise of a PSK (even if it is expired at the time of compromise) allows an attacker to decrypt the content of a TLS session. 

So either we believe that PSK compromise is unlikely, or we believe that the data in a connection with a PSK ciphersuite is not future-sensitive. If we don’t, we’re saying that we’re just piling on security nice-to-haves because we think the users can handle them.

Yoav

v2.23.0 | Report a Bug | By Email