Re: [TLS] Comments on draft-dt-tls-external-psk-guidance-01
Christopher Wood <caw@heapingbits.net> Wed, 22 April 2020 17:10 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D6E843A1080 for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 10:10:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=CiJMH0zk; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=YK9wNb74
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JV8-BdppApgJ for <tls@ietfa.amsl.com>; Wed, 22 Apr 2020 10:10:16 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C20E3A1077 for <tls@ietf.org>; Wed, 22 Apr 2020 10:10:16 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 7FE205C0284 for <tls@ietf.org>; Wed, 22 Apr 2020 13:10:15 -0400 (EDT)
Received: from imap7 ([10.202.2.57]) by compute1.internal (MEProxy); Wed, 22 Apr 2020 13:10:15 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=8Pz/c00i30KzE3byOeM07ro6pZLut1z shZ3mZYvgB5Q=; b=CiJMH0zkLf0L9Cs3xG+GRIEeg7o4vjck0sUCS9iI5m8l4Om BPPSFjsrEnAvKBUX2w6tl9Py7igyO4x2e3MTpoODkIDz2DRs6Fe8HOoMi5sTW6tz AobZjEa5PPJr+vg6nRXNmJy5CsR2U9mo1FL9DDzENHL1e9mjb666hQNbCABv6u34 rNmxFtxjaEvsgxGYNwPEx7y9SPSxk7RueNtls9L5uRY6FOCL3ECwR9qJusIziknX 6qRzbEtu2nthPyzh8eOmBnS4LcxCtYrgcw+96ryyZWCOVGwLFK0vrunmzg7QbmIM Pw4HHs/rvkinFXpD90GQ4VXFFGlv1JlPx1v7SOg==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=8Pz/c0 0i30KzE3byOeM07ro6pZLut1zshZ3mZYvgB5Q=; b=YK9wNb74a/0Bit3rRwQlt7 SC/E8Tm+zYq2+OGPKcX89bRXEZh7ouqbNWwEwU5f5u5c0XUpoRRXN1R4BWoUxK3r 7ZdCLRPIEvhRwxo78eCsjBuyRPZzEHor3M3RF8kW+Dh+oRW+F3gA55oy3SxgT+YE nFCqIO/e9jOaUkcKs8szKJEQ1rVmVFJjteBOyIrnL5DPWZhUtRnzT2TVWb6K2bty iFjZCbnagF6st21vVKlgBqahwoi07X6tEmXwXkrkcV0IGbu4D/pu69GPc5ZIYQxF Vt8eucjNepkPaPoUeBtLtvh+t5UAHhkmxyjBJrCYKCz5izki0mnJFrkT3sCDlatA ==
X-ME-Sender: <xms:dnqgXiQCJZrhjVYvkrvL9zSjdCcJ_2ZSiRhi4nAKX2KaYoGDYCwkfw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrgeejgddutdduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpefofgggkfgjfhffhffvufgtsehttd ertderredtnecuhfhrohhmpedfvehhrhhishhtohhphhgvrhcuhghoohgufdcuoegtrgif sehhvggrphhinhhgsghithhsrdhnvghtqeenucevlhhushhtvghrufhiiigvpedtnecurf grrhgrmhepmhgrihhlfhhrohhmpegtrgifsehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:dnqgXoevjaFsjK9FK3ikKiiDBOAn2xKnbsL3r52gnej_Gd7ApwxVUw> <xmx:dnqgXuDaLz_-QGD-qBcKh11xdHOOLIF1TRKr8BG01rWFYSqQkl2grQ> <xmx:dnqgXinR0j6RysjUsoE9stpLSS8ypYt6JtIKS3v5WBrutMnMPlnezw> <xmx:d3qgXnfN_Pu20qNtOj909xhLpOts8qj_cTq_ckVo8C5OYkIJRAEtLw>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id C3553180091; Wed, 22 Apr 2020 13:10:14 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-351-g9981f4f-fmstable-20200421v1
Mime-Version: 1.0
Message-Id: <9074c915-2482-46a2-be99-cdf72939ec7b@www.fastmail.com>
In-Reply-To: <5baf193953c94e3093fda66c8e3baa4d@verisign.com>
References: <5baf193953c94e3093fda66c8e3baa4d@verisign.com>
Date: Wed, 22 Apr 2020 10:09:54 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IMNW7BA7yYQz4EgzqE1_Ix0onvs>
Subject: Re: [TLS] Comments on draft-dt-tls-external-psk-guidance-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Apr 2020 17:10:18 -0000
Thanks for the feedback, Scott. Please see inline below. On Mon, Apr 20, 2020, at 7:26 AM, Hollenbeck, Scott wrote: > Here are a few comments gathered from Verisign Labs on > draft-dt-tls-external-psk-guidance-01: > > 1. Sec. 6, requirement 1 states "Low entropy keys are only secure > against active attack if a Password Authenticated Key Exchange (PAKE) > is used with TLS." "only secure ... if" may be too strong a statement, > because there could be other mechanisms for increasing the entropy of a > pre-shared key that do not meet the formal definition of a PAKE. > Moreover, as defined in draft-barnes-tls-pake, a PAKE repurposes the DH > key share to carry a transformed version of the EPSK, so it involves a > different architecture than the ordinary process for incorporating > EPSKs into the TLS key schedule that is assumed in most of the present > draft. > > If the goal of the present draft is to encompass PAKEs as well as the > ordinary process, then the scope of the draft should be broadened to > something like "handshakes based on EPSKs, whether through the ordinary > process of incorporating them into the key schedule, or through > alternate mechanisms such as PAKE where the DH key share is based on > the EPSK." > > Alternatively, the statement in requirement 1 could be rephrased as follows: > > "If only low-entropy keys are available, then key establishment > mechanisms such as Password Authenticated Key Exchange (PAKE) that > mitigate the risk of offline dictionary attacks MUST be employed. Note > that these mechanisms do not necessarily follow the same architecture > as the ordinary process for incorporating EPSKs described in this > draft." This seems like a reasonable proposal to me. Specifying integration with PAKEs is (or was intended to be) out of scope, and this clarifies the requirement without widening the scope. > 2. Sec. 6, requirement 2 states, "Each PSK MUST NOT be shared between > with more than two logical nodes." This "MUST NOT" is stronger than > the "NOT RECOMMENDED to share the same PSK between more than one client > and server" > In Sec. 7 and would exclude group PSK use cases that are acknowledged > in that section. The requirement is also inconsistent with this > statement in Appendix B of draft-ietf-tls-external-psk-importer: > > "Applications which require authenticating finer-grained roles while > still configuring a single shared PSK across all nodes can resolve this > mismatch either by exchanging roles over the TLS connection after the > handshake or by incorporating the roles of both the client and server > into the IPSK context string." > > If the intent is to restrict use to at most two nodes, then requirement > 2 should go even further and restrict use to one node in a TLS client > role, and one in a TLS server role. > > We would therefore suggest that requirement 2 be changed to something > like the following: > > "Unless other accommodations are made, each PSK MUST be restricted in > its use to at most two logical nodes: one logical node in a TLS client > role and one logical node in a TLS server role. (The two logical nodes > MAY be the same, in different roles.) Two acceptable accommodations > are described in [draft-ietf-tls-external-psk-importer]: exchanging > client and server identifiers over the TLS connection after the > handshake; and incorporating identifiers for both the client and the > server into the context string for an EPSK importer." > > (Note that we've changed "roles" to "identifiers" to align with Sec. 7) This is a *great* suggestion! Thank you for clarifying in ways we could not. I'll take it. > > Related to this, "logical node" should be defined somewhere, e.g., "For > purposes of this document, a logical node is a computing presence that > other parties can interact with via the TLS protocol. A logical node > could potentially be realized with multiple physical instances > operating under common administrative control, e.g., a server farm." > Alternatively, the term "endpoint," which is used elsewhere in this > document, could be used here as well (perhaps also avoiding the single > use of "agent"). Yep, defining "logical node" would be great. We should probably have a separate definition section up front to consolidate these terms in one place. We can work with your suggestions and make that happen. > 3. Sec. 7 recommends that that each node selects one globally unique > identifier for all PSK handshakes, but without giving rationale why > this approach is preferred for mitigating the attacks mentioned earlier > in the section. This may be limiting, because a logical node may > legitimately be known to different endpoints by different identifiers: > a domain name in some cases, an IPv4 address in other cases, and an > IPv6 address in still other cases. We would therefore recommend > relaxing this recommendation. Since it's merely a recommendation, I think we ought to keep it. It's a simple deployment model that solves issues. We could list your use case as a counter example as to when this recommendation may not be appropriate. Would that work? > 4. General. The draft makes no mention of certificate-based > authentication in connection with EPSKs, for instance as described in > in RFC 8773, "TLS 1.3 Extension for Certificate-based Authentication > with an External Pre-Shared Key." We understand that use of external > PSKs with certificates is out of scope for the design team. > Certificate-based authentication, potentially in combination with a DH > exchange, can improve the security properties of TLS handshakes based > on EPSKs and help protect against both rerouting attacks and > impersonation attacks. Is there any interest in adding some guiding > text to the document before it's adopted by the WG? We're willing to > provide text for consideration. Sure, we're absolutely open to contributions! You're right that it's out of scope, though it could be useful in an appendix, or wherever else you think it's appropriate. Best, Chris
- [TLS] Comments on draft-dt-tls-external-psk-guida… Hollenbeck, Scott
- Re: [TLS] Comments on draft-dt-tls-external-psk-g… Christopher Wood
- Re: [TLS] Comments on draft-dt-tls-external-psk-g… Hollenbeck, Scott