[TLS] Finished stuffing/PSK Binders
Eric Rescorla <ekr@rtfm.com> Fri, 07 October 2016 15:02 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 397FB1295F0 for <tls@ietfa.amsl.com>; Fri, 7 Oct 2016 08:02:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fBnLwkUT8kHW for <tls@ietfa.amsl.com>; Fri, 7 Oct 2016 08:02:25 -0700 (PDT)
Received: from mail-yb0-x22c.google.com (mail-yb0-x22c.google.com [IPv6:2607:f8b0:4002:c09::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 928E5129426 for <tls@ietf.org>; Fri, 7 Oct 2016 08:02:25 -0700 (PDT)
Received: by mail-yb0-x22c.google.com with SMTP id e2so17129460ybi.1 for <tls@ietf.org>; Fri, 07 Oct 2016 08:02:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:from:date:message-id:subject:to; bh=S6my0EkbGT5Eby0qeZtjQ4FDBwNq/JnlJGn3RlukSGA=; b=oyTxActuAARLQ/jnFl0yzzvepLKNyTdLMFZWxvX3bUzQebahqWgh3mwR0Jd8JFIBna YdZ5hru3kach/AacHyE8ai7ul9CTxPzm+ig3anh+6BmWHQyh8z5oMFdBKdm//29ba06G hSxSuk5gvZXJmeoIYqgaD2LAaplWppsE5UT/mISZ9cjDIMiasPv7ypwF6sgym7QK2RK1 Rw6n775TVsMpLbzIenKHolCZYQTDM12wxbek8p51P3ceOqJtWQeA9c4m6T9zKglC45rR ZbXcyWC+vonRawteRMUoZLX3w+v0AnPrRAy75CP1hJqsbiRNwGp3EHKkgb1umeRkVZ0b 4jNg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=S6my0EkbGT5Eby0qeZtjQ4FDBwNq/JnlJGn3RlukSGA=; b=PONH/TXg6ml3w/1hzBiKqB1/GJtm7gy5eIr5O/bQ05q3Eze7b8S2QioVwb9271rIQU 5WrS1jSOr0uY7yzLvk3ZEJlcZP8vKSmqbVGd08J3H9eupR8D3RlaweCYG4olmo8ecWL6 Pr+hHcc4YintWUfW81pawjn1MoWVX13+J9Rk37SXOjPhYpxtFXE96Ev2y6ArX99QCV7i q5DXFiwtCwhiyVuf4ME7cB0XD7t3239y7sgYVpkiYrFam1HgyDeOw3DefyfanQoxea+K +ggTRMdRI77uzpKpKt4I+PEKG6GNfbeOueSahwxS0tUIo4RLJiYBILj+oKaGOlAQjxUQ kJ8A==
X-Gm-Message-State: AA6/9RlMk0fqdQimuiEMXeFzszZpUg/AhS9fAkBoacZ9/6yX5R0VKIp0oMtVBJ+cy0pRNITMm8bjkab+yCSMpQ==
X-Received: by 10.37.174.11 with SMTP id a11mr4221283ybj.180.1475852544541; Fri, 07 Oct 2016 08:02:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.75.212 with HTTP; Fri, 7 Oct 2016 08:01:43 -0700 (PDT)
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 07 Oct 2016 08:01:43 -0700
Message-ID: <CABcZeBOJPz8DY92LE6531xbRYLU-Wvkqeb-vTX59gU5rYcp+Ww@mail.gmail.com>
To: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="f403045db83ea8d580053e47b211"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ICWPHD60ryGfsYL8QxbnNZxIxOs>
Subject: [TLS] Finished stuffing/PSK Binders
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 07 Oct 2016 15:02:28 -0000
After the discussion on PR #615, I took another pass at this with some help from the research community. Please see: https://github.com/tlswg/tls13-spec/pull/672 Key changes in this PR: 1. I have merged the HMAC into the PreSharedKey message, where it is now called "PSK Binder" to make very clear what the purpose of the HMAC it is (this suggestion due to Karthik Bhargavan) This also makes implementation somewhat easier and avoids creating another extension. 2. It is now possible to have >1 PSK, each with its own binder. 3. The binder is now computed over the ClientHello prefix rather than filling the MAC with zeroes. 4. I've taken a suggestion from David Benjamin to move the negotiation of the PSK key exchange parameters out of the PSK itself and into a separate message. This cleans things up and also lets us drop the currently non-useful auth_mode parameter. This text is still a bit rough but I think shows the right direction. As usual, comments welcome, but I think the key question we need to resolve is whether we really need multiple PSKs. It's clearly simpler not to support them but it seems like we need to worry about the case where we are resuming a session created with a PSK. I've come to the conclusion that if we want to have multiple concurrent PSKs at all, then this is the right structure, rather than having one PSK and using HRR to fix it. ISTM that the other major alternatives are to say: 1. You can't resume sessions created with a PSK. 2. Tickets created in sessions created with a PSK have a hard lifetime value and it's a failure if the server forgets during the lifetime (this seems like it's going to interact badly with clock skew). Note that if we decide that we only want one PSK, I'll just revise the PreSharedKey section to have one, not a list [0]. Thanks, -Ekr [0] In fairness, it's also worth noting that if we decide to only have one, it's possible in the future to replace the PreSharedKey extension with a MultiplePreSharedKey extension.
- [TLS] Finished stuffing/PSK Binders Eric Rescorla
- Re: [TLS] Finished stuffing/PSK Binders Ilari Liusvaara
- Re: [TLS] Finished stuffing/PSK Binders Eric Rescorla
- Re: [TLS] Finished stuffing/PSK Binders Ilari Liusvaara
- Re: [TLS] Finished stuffing/PSK Binders Eric Rescorla
- Re: [TLS] Finished stuffing/PSK Binders Benjamin Kaduk
- Re: [TLS] Finished stuffing/PSK Binders Eric Rescorla
- Re: [TLS] Finished stuffing/PSK Binders Ilari Liusvaara
- Re: [TLS] Finished stuffing/PSK Binders Ilari Liusvaara
- Re: [TLS] Finished stuffing/PSK Binders Eric Rescorla
- Re: [TLS] Finished stuffing/PSK Binders Ilari Liusvaara
- Re: [TLS] Finished stuffing/PSK Binders Eric Rescorla
- Re: [TLS] Finished stuffing/PSK Binders Hugo Krawczyk
- Re: [TLS] Finished stuffing/PSK Binders Eric Rescorla
- Re: [TLS] Finished stuffing/PSK Binders Martin Thomson
- Re: [TLS] Finished stuffing/PSK Binders Eric Rescorla
- Re: [TLS] Finished stuffing/PSK Binders Ilari Liusvaara
- Re: [TLS] Finished stuffing/PSK Binders Martin Thomson
- Re: [TLS] Finished stuffing/PSK Binders Ilari Liusvaara
- Re: [TLS] Finished stuffing/PSK Binders Benjamin Kaduk
- Re: [TLS] Finished stuffing/PSK Binders Ilari Liusvaara