Re: [TLS] Comments on draft-ietf-tls-external-psk-importer-04
"Hollenbeck, Scott" <shollenbeck@verisign.com> Mon, 27 April 2020 14:08 UTC
Return-Path: <shollenbeck@verisign.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F168A3A0B32 for <tls@ietfa.amsl.com>; Mon, 27 Apr 2020 07:08:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=verisign.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MQce1oYMYSUn for <tls@ietfa.amsl.com>; Mon, 27 Apr 2020 07:08:05 -0700 (PDT)
Received: from mail2.verisign.com (mail2.verisign.com [72.13.63.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35CCC3A0B30 for <TLS@ietf.org>; Mon, 27 Apr 2020 07:08:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verisign.com; l=3327; q=dns/txt; s=VRSN; t=1587996485; h=from:to:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version:subject; bh=CUBsYOEeq1djXy7iVIAh05WKoPeJbBkC8ucdosl93To=; b=FLn/wMHJqtUIP//96aXuGNSMzDRqs/1+GnRmiUWrvGj71g8p4jOcPHW7 72MrifiMWL1CVVCbg3GDXI32iemHISdNwdFh2GrtJDauA3ViE/PQtM5K/ 4tCzfz+ApNUDpCBdApp18+7HG1cjyftJsGARwA1HUvW8pyllsp9e9G5N/ joLuVqD6MDcTi9YbM9rFtE71YVAu856RkRRYAn5NvhDj/0bagf5mblCeK cMqon3ZepIBUoJgu5YkoUqHzn+dvV0uNWWRLO7A5dRxzAHGg5hGn5Z8hv YYnbDAgCjXdXQS3dGlBOar4D2xfp0xJBETxA1AAXwwSCDO1qjK5y2TVnM A==;
IronPort-SDR: Q6yVPYWROp9q615sGq1HtHbyleWrRcXzIZ3JAEV7B8SWcHi1pTwXeCklzSrHPdyB8FRhpsfc1j kslOkC5Ve45Q6TAG3mFsKQAuTBoFxTjuYEl4ErEnKS0FcvNjZkWoLaWqgf+ERKNt/e3VYYfRBC UFsOiM7v4y7uGzEgCFcZLxgfXvL8CFShBJbMhkVplYWYIn6D5NTUxBNpsXFn+20trYO8gqXSO2 67am3ZRy9hM7hzOBUQmiGDQFQl9qc0CLcXvaQ27ZEKmRRrPGbSNccHs8kY8F2JlZz+SsrN5GTS gIs=
X-IronPort-AV: E=Sophos;i="5.73,324,1583193600"; d="scan'208";a="761493"
IronPort-PHdr: 9a23:9LAUOxekufWaVU1/XyYbYifFlGMj4u6mDksu8pMizoh2WeGdxcW6Zh7h7PlgxGXEQZ/co6odzbaP7ua9CCdfud6oizMrSNR0TRgLiMEbzUQLIfWuLgnFFsPsdDEwB89YVVVorDmROElRH9viNRWJ+iXhpTEdFQ/iOgVrO+/7BpDdj9it1+C15pbffxhEiCCybL9vLBi6twXcu80ZjYZgNqo61wfErGZPd+lK321jOEidnwz75se+/Z5j9zpftvc8/MNeUqv0Yro1Q6VAADspL2466svrtQLeTQSU/XsTTn8WkhtTDAfb6hzxQ4r8vTH7tup53ymaINH2QLUpUjms86tnVBnlgzoBOjUk8m/Yl9Zwgbpbrhy/uhJ/34DaboKbNPV8f6PSYdwUSmVaU8ZNTixBAJ+wY5cTA+YfO+tTsonzp0EJrRu7HQSgCuHhyjhMhn/yw6I61f8uHh/a0wwjB94FrWnao8nyNKcOTeC5wrTDwDLYb/NW3jf97IzIfQ4nof6XQ71/bcnRxFIxFwzblFWQqJflPzKa1uQLqWSU8+1gVee2hmMhtgp/oSCvy98xhoXVnI4Z11LJ+CtjzIooJdC1RlR3bNGnHZdIqi2WK5F6Tt4gTm10oio217ILtJ2hcCQXy5kqwQPUZeadfIiS+B3jUf6cITJ/hH14Zr2ynw2y8U28yu3kUcm0zUpKojJFktbSsnAN0ATe59WbRPVl40uu2S6B2Q/S5e1YPEw4j7TbJIImwr4qjpofq17METLslEXolq+WbUMk9vK05OTgZ7Xqvp6cN4lqhQHiKqkih9CzDf4lPgUMUWWX4/mw2b3t8EHjT7hHjeU6kqzDv5DbIcQbqLS5AwhQ0os78Ba/DzCm0NAcnXYZKlJKYwyIgJTqO1zVPvD3E+2/g1W3kDdqyPDGOKftDYnKLnjGiLvhZ6py61ZAyAovytBS/45bBasPIf/oWk/+qsbXDgc4MwyyzOboE9R91p8FWW6VBK+WLr/Su0eS5u0zO+mMeJMVuDHlJvY74fDgkGQ0mV4Dcqm105sbcne4Hu5pIxbRXX25yNwIDk8KswMmTerlglyeSnhVamr4F/Y37y4TCI+vFYbFSYqsnKfH2iqnSNkeLFxiMXiNHGvmMYKeVL1EPB62GedgnyAKE7+7RNly+wupsVqw671jKufS8CATttar79Ny+/GZ3UUp9TtwC8mb2WyGTElqk3kJXD452uZ0pkkrmQTL6rRxn/ENTY8b3PhOSApvbZM=
X-IPAS-Result: A2HOAgDU5qZe/zCZrQpmHAEBAQEBBwEBEQEEBAEBPIFHgXiCTwqVL4EBmHCBZwsBAQEBAQEBAQEHAS8EAQGERAKCTTgTAgMBAQsBAQEFAQEBAQEFAwEBAQKGS4I7IoNpAQEBAQIBOhoxBAIBCBEEAQEWCRAyHQgCBAESCIV7sXp0gTSFT4UYgTiJcYJmgUI+gRGCWzU+hAeBBoUyBI4QpBIDB4JFl3glnHuPep0GAgQCBAUCFYFpgXlwgzlQGA2RPxiOJXQ1AgYIAQEDCY4MgRABAQ
Received: from BRN1WNEX02.vcorp.ad.vrsn.com (10.173.153.49) by BRN1WNEX01.vcorp.ad.vrsn.com (10.173.153.48) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Mon, 27 Apr 2020 10:08:03 -0400
Received: from BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde]) by BRN1WNEX02.vcorp.ad.vrsn.com ([fe80::7c0a:1cc:5def:9dde%4]) with mapi id 15.01.1913.005; Mon, 27 Apr 2020 10:08:03 -0400
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: "caw@heapingbits.net" <caw@heapingbits.net>, "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: [EXTERNAL] Re: [TLS] Comments on draft-ietf-tls-external-psk-importer-04
Thread-Index: AQHWGo1uQ1Ky+wbzAEuWZzH8R3hjiaiNBD1Q
Date: Mon, 27 Apr 2020 14:08:03 +0000
Message-ID: <f61e7163478d49a9a0a92a8da38cb226@verisign.com>
References: <fb7c3f894dfa49efb5917d2e39c4ea78@verisign.com> <96ed3f4c-7ad4-4406-95c9-1e96b5a49eed@www.fastmail.com> <acd71cd2e3b7412aafc98595161bfb1d@verisign.com> <8fd481c1-7edb-4d9c-bc6d-f1a3f67e8bcf@www.fastmail.com>
In-Reply-To: <8fd481c1-7edb-4d9c-bc6d-f1a3f67e8bcf@www.fastmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.170.148.18]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/K6y4IGxvat1WVhnE2mM4KTrJo2Y>
Subject: Re: [TLS] Comments on draft-ietf-tls-external-psk-importer-04
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Apr 2020 14:08:08 -0000
> -----Original Message----- > From: Christopher Wood <caw@heapingbits.net> > Sent: Friday, April 24, 2020 7:09 PM > To: Hollenbeck, Scott <shollenbeck@verisign.com>; TLS@ietf.org > Subject: [EXTERNAL] Re: [TLS] Comments on draft-ietf-tls-external-psk- > importer-04 [snip] > > > Hmm, not quite. The statement intends to say that if you need EPSK k > > > into an importer and into TLS 1.2 then the resulting keys used in > > > TLS 1.3 and 1.2 are different. I'm not sure further clarification is > > > needed, though I'm happy to review suggestions if you have them! > > > > Agree with that as the goal. Here's our concern in brief. If our > > understanding is correct, prior to this draft, the client could use an > > EPSK k in two ways: > > > > * as input to the TLS 1.2 PRF (based on any hash function) > > * as input to the TLS 1.3 key schedule via HKDF-extract (based on a > > single hash function) > > > > Following this draft, the client could use k in two ways: > > > > * as input to the TLS 1.2 PRF (based on any hash function) [same as > > before] > > * as input to the importer function via HKDF-extract (based on a > > single hash function) > > > > So there is still a potential cryptographic overlap in the use of k > > between TLS 1.2 and TLS 1.3. The imported keys don't have this > > overlap, because they're separated from one another and from the > > underlying EPSK through the use of the importer function. But doesn't > > the security proof for k still need to take into account that the > > input to HKDF-extract might also be input to the TLS 1.2 PRF (with the > > same or a different hash function)? > > > > In other words, if it was a problem for the security proof that k > > could be input to the PRF and to HKDF-extract before the draft, isn't > > it still a problem afterwards? The conclusion that there are no > > cross-protocol collisions depends on the specifics of the TLS 1.2 PRF > > and how it's used, compared to HKDF-extract. > > > > We're not suggesting there is any attack here, just trying to > > understand the design actually addresses the statement in the > > introduction that k "could possibly be re-used in two different > > contexts with the same hash functions during key derivation". > > For lack of a better way to describe this (sorry!), we're trying to avoid this > input collision during the key derivation process of a TLS connection. As the > importer happens before a connection, and can be viewed as part of the > provisioning process that produces unique PSKs for each target hash > function, we achieve the goal for TLS 1.3 of not re-using a PSK with different > hash functions. > > I'm not sure how to better clarify that right now, so suggestions are very > much welcome. We're okay with the arguments in the draft that the design preserves security proofs when the same EPSK is used to produce internal PSKs associated with different hash functions within TLS 1.3 only. However, it isn't clear enough to us how the design preserves security proofs when the same EPSK is used with both TLS 1.2 and TLS 1.3. I don't yet have any text to suggest, because we're not sure we understand the rationale. What is the rationale for the design in that situation? Scott
- [TLS] Comments on draft-ietf-tls-external-psk-imp… Hollenbeck, Scott
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Christopher Wood
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Hollenbeck, Scott
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Christopher Wood
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Hollenbeck, Scott
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Christopher Wood