Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
Russ Housley <housley@vigilsec.com> Thu, 22 December 2016 22:36 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0C5B1298AA for <tls@ietfa.amsl.com>; Thu, 22 Dec 2016 14:36:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xs4ewO2CLEAj for <tls@ietfa.amsl.com>; Thu, 22 Dec 2016 14:36:08 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 303611279EB for <tls@ietf.org>; Thu, 22 Dec 2016 14:29:37 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id F27773002B9 for <tls@ietf.org>; Thu, 22 Dec 2016 17:19:19 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id 6ZXwmsgD1mSw for <tls@ietf.org>; Thu, 22 Dec 2016 17:19:18 -0500 (EST)
Received: from [192.168.2.100] (pool-108-45-101-150.washdc.fios.verizon.net [108.45.101.150]) by mail.smeinc.net (Postfix) with ESMTPSA id D723A30025C; Thu, 22 Dec 2016 17:19:17 -0500 (EST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_5621000A-ADBD-44FA-A503-93D10F4E89C0"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAF8qwaB8+o20QP71=zuCJ2EXt9EGFuLcn4s6es=gjnOccZE9fQ@mail.gmail.com>
Date: Thu, 22 Dec 2016 17:29:45 -0500
Message-Id: <9D8BEE12-49F9-4DE3-81C7-909CB114805F@vigilsec.com>
References: <0DA64421-5975-4B7E-BC08-7428AFA9D1A1@vigilsec.com> <CAF8qwaB8+o20QP71=zuCJ2EXt9EGFuLcn4s6es=gjnOccZE9fQ@mail.gmail.com>
To: David Benjamin <davidben@chromium.org>
X-Mailer: Apple Mail (2.1878.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KJNoUTs25jFIS4Z9MeQCq-buI0E>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2016 22:36:09 -0000
David: Yes, it does allow both, but the authentication is unclear when both are in play. The last bullet implies that certificate authentication only comes into play when there is no PSK. So, if there is a PSK, the identity associated with it seems to trump whatever is in the certificate. As I explained below, I’d like the identity associate with the External PSK and the identity in the certificate to both have a role. Russ On Dec 22, 2016, at 5:12 PM, David Benjamin <davidben@chromium.org> wrote: > It's possible I'm misunderstanding your message here (I'm a little confused by the mention of combining normal certificate authentication with an external PSK), but TLS 1.3 already allows doing both PSK and (EC)DH. That's the psk_dhe_ke mode, rather than the psk_ke mode. It's signaled by the server by sending both pre_shared_key and key_share extensions. Perhaps the wording should be a bit clearer. > > Our stack does not even implement psk_ke. It always requires an (EC)DH operation in a TLS 1.3 handshake, whether using PSK or certificates. > > David > > On Thu, Dec 22, 2016 at 4:54 PM Russ Housley <housley@vigilsec.com> wrote: > I want to make sure that it is possible to mix PSK with (EC)DH as a protection against the discovery of a quantum computer. I recognize that the WG does not want to tackle this topic in the base specification; however, the following text in Section 4.1.1 makes this difficult to do so in a companion document: > > > The server indicates its selected parameters in the ServerHello as > > follows: > > > > - If PSK is being used then the server will send a "pre_shared_key" > > extension indicating the selected key. > > > > - If PSK is not being used, then (EC)DHE and certificate-based > > authentication are always used. > > > > - When (EC)DHE is in use, the server will also provide a "key_share" > > extension. > > > > - When authenticating via a certificate (i.e., when a PSK is not in > > use), the server will send the Certificate (Section 4.4.1) and > > CertificateVerify (Section 4.4.2) messages. > > An Internal PSK offers no protection against the discovery of a quantum computer. I assume that an attacker can save the handshake that established the Internal PSK, and then at some future date use the quantum computer to discover the Internal PSK. Therefore, protection against the discovery of a quantum computer is only concerned with External PSK. > > I would like for the specification to permit normal certificate authentication when someone is using an External PSK. I am guessing that the granularity of the name associated with the External PSK to be pretty broad. If this guess is correct, it would be appropriate for the name in the certificate to be further restrict the one associated with the External PSK. Maybe the External PSK is associated with example.com, and then the certificate that includes www.example.com would be acceptable acceptable. Then, I would expect any Internal PSK that is generated after such an authentication would be associated with the more granular certificate name. > > Maybe it is as simple as reorganizing these bullets like this: > > - When only PSK is being used, … > > - When only (EC)DHE is being used, … > > - When PSK and (EC)DHE are both being used, … > > If others agree with this direction, I am willing to propose some text. > > Happy holidays, > Russ > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Using both External PSK and (EC)DH in TLS 1… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Joseph Salowey
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Martin Thomson
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Ilari Liusvaara