[TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard

Hubert Kario <hkario@redhat.com> Wed, 21 February 2018 14:23 UTC

(fixing missed ietf@ietf.org)

On Friday, 16 February 2018 18:06:41 CET The IESG wrote:
> The IESG has received a request from the Transport Layer Security WG (tls)
> to consider the following document: - 'The Transport Layer Security (TLS)
> Protocol Version 1.3'
>   <draft-ietf-tls-tls13-24.txt> as Proposed Standard

The current draft states that if the server recognises an identity but is 
unable to verify the corresponding binder, it "MUST abort the handshake"; 
at the same time, they "SHOULD select a single PSK and validate solely the 
binder that corresponds to that PSK"
(Page 60, draft-ietf-tls-tls13-24).

That allows for trivial enumeration of externally established identities: the 
attacker just needs to send the server a list of identity guesses, with 
random data as binders; if the server recognises any identity it will abort 
the connection, and if it doesn't, it will continue to a non-PSK handshake.

Behaviour like this is generally considered a vulnerability:

I was wondering if the document shouldn't recommend ignoring any and all 
identities for which binders do not verify to prevent this kind of attack.


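A model of the server-side PSK selection discussed in the message above, as an added example that is not part of the original post or of any TLS implementation: the binder derivation follows the TLS 1.3 key schedule for external PSKs (RFC 8446 section 7.1), while the PSK table, identities and ClientHello bytes are constructed, and `ignore_unverified` is a hypothetical switch between the draft-24 rule and the proposed one.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size

def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 s7.1): info = length || "tls13 "+label || context."""
    lbl = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(lbl)]) + lbl + bytes([len(context)]) + context
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(secret, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]

def external_psk_binder(psk: bytes, truncated_hello: bytes) -> bytes:
    """Binder for an external PSK: HMAC(finished_key, Hash(ClientHello truncated before the binders))."""
    early_secret = hmac.new(b"\x00" * HLEN, psk, HASH).digest()   # HKDF-Extract(salt=0, IKM=PSK)
    binder_key = hkdf_expand_label(early_secret, b"ext binder", HASH(b"").digest(), HLEN)
    finished_key = hkdf_expand_label(binder_key, b"finished", b"", HLEN)
    return hmac.new(finished_key, HASH(truncated_hello).digest(), HASH).digest()

ABORT, NON_PSK, PSK_OK = "abort", "continue_without_psk", "continue_with_psk"

def server_psk_selection(psks: dict, offered: list, truncated_hello: bytes, ignore_unverified: bool) -> str:
    """Select the first recognised identity and validate solely its binder.
    ignore_unverified=False is the draft-24 rule (recognised identity + bad binder => abort);
    ignore_unverified=True is the proposal (such an identity is treated as unrecognised)."""
    for identity, binder in offered:
        psk = psks.get(identity)
        if psk is None:
            continue                       # unrecognised identity: skip it
        if hmac.compare_digest(external_psk_binder(psk, truncated_hello), binder):
            return PSK_OK
        if not ignore_unverified:
            return ABORT
    return NON_PSK                         # no usable PSK: fall back to a non-PSK handshake

def observable_outcomes(ignore_unverified: bool) -> tuple:
    """What a peer sees for a known vs. an unknown identity, each sent with a bogus binder."""
    psks = {b"alice@example": b"\x11" * 32}   # constructed server-side PSK table
    hello = b"constructed ClientHello bytes up to the binders list"
    bogus = b"\x00" * HLEN                    # a binder that cannot verify
    known = server_psk_selection(psks, [(b"alice@example", bogus)], hello, ignore_unverified)
    unknown = server_psk_selection(psks, [(b"bob@example", bogus)], hello, ignore_unverified)
    return known, unknown
```

Under the draft-24 rule the two outcomes differ, so the server's reaction alone tells the peer whether the identity exists; under the proposed rule both guesses receive the same non-PSK continuation, and only a correct binder changes the result.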