Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 18 March 2018 16:08 UTC

From: Viktor Dukhovni <ietf-dane@dukhovni.org>
In-Reply-To: <CABcZeBOFvdfV3b5+yfJbeYxHLi_uDY34X7u3cbpiLa6RtnmFkQ@mail.gmail.com>
Date: Sun, 18 Mar 2018 12:08:13 -0400
Reply-To: TLS WG <tls@ietf.org>
Message-Id: <9A9BB6E5-2620-4DE8-9BA1-18DB47801A50@dukhovni.org>
References: <6112806.hxzZ6NivhB@pintsize.usersys.redhat.com> <CABcZeBOFvdfV3b5+yfJbeYxHLi_uDY34X7u3cbpiLa6RtnmFkQ@mail.gmail.com>
To: TLS WG <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KKhS_9yoDECIe-yNzRs_LVELa0c>
Subject: Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration


> On Mar 18, 2018, at 11:27 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> 
> After discussion with the chairs and the AD, I have opted to just add a section
> that explains the attack. I just merged that (but managed not to get it into -27
> due to fumble fingering).

It seems to me that privacy considerations for external PSKs are a rather
secondary issue.  These are infinitely more likely to be used by IoT devices
calling the mothership than by users browsing content they'd rather keep
private.  I've never used an external PSK, nor, I expect, have any of the
posters pointing out the privacy issues.

The devices that might use external PSKs will likely be unavoidably
fingerprinted by source IP address and the target mothership.

So I agree with the above approach.  It is better to keep external PSKs
simple, with understood limitations, than to attempt (and fail) to turn
privacy up to eleven.

-- 
	Viktor.