Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
Benjamin Kaduk <bkaduk@akamai.com> Wed, 04 January 2017 01:02 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92F0B12946F for <tls@ietfa.amsl.com>; Tue, 3 Jan 2017 17:02:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.811
X-Spam-Level:
X-Spam-Status: No, score=-3.811 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZaK639NjhWjq for <tls@ietfa.amsl.com>; Tue, 3 Jan 2017 17:02:40 -0800 (PST)
Received: from prod-mail-xrelay05.akamai.com (prod-mail-xrelay05.akamai.com [23.79.238.179]) by ietfa.amsl.com (Postfix) with ESMTP id 38C60129408 for <tls@ietf.org>; Tue, 3 Jan 2017 17:02:40 -0800 (PST)
Received: from prod-mail-xrelay05.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id 9550C433435; Wed, 4 Jan 2017 01:02:39 +0000 (GMT)
Received: from prod-mail-relay10.akamai.com (prod-mail-relay10.akamai.com [172.27.118.251]) by prod-mail-xrelay05.akamai.com (Postfix) with ESMTP id 7F397433414; Wed, 4 Jan 2017 01:02:39 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1483491759; bh=+F6om8/si7m2N3nMr8UO5pX6C6mfjjiMeSCuxBLpOQ4=; l=13377; h=To:References:Cc:From:Date:In-Reply-To:From; b=LPnP0N5DPo41XrngskTvFIy42ce1q+mDDimVbXru/Hvcq0sqX49JUzdW6f+FM+CtX lZDy/JXoLaNmF8Z6c/Rtd1LuQ8yKK3nKM7NiFcB7P+ApmrqnNvsVK6j1fzwr2TnTN/ CSXZynYXNXvRCBp/6hLE7tV8SBluALthftelNOdM=
Received: from [172.19.17.86] (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id 37C7F1FC86; Wed, 4 Jan 2017 01:02:39 +0000 (GMT)
To: Russ Housley <housley@vigilsec.com>, David Benjamin <davidben@chromium.org>
References: <0DA64421-5975-4B7E-BC08-7428AFA9D1A1@vigilsec.com> <CAF8qwaB8+o20QP71=zuCJ2EXt9EGFuLcn4s6es=gjnOccZE9fQ@mail.gmail.com> <9D8BEE12-49F9-4DE3-81C7-909CB114805F@vigilsec.com>
From: Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <1b678d65-b146-b25f-c1ad-6dfc044f7ce0@akamai.com>
Date: Tue, 03 Jan 2017 19:02:38 -0600
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.5.1
MIME-Version: 1.0
In-Reply-To: <9D8BEE12-49F9-4DE3-81C7-909CB114805F@vigilsec.com>
Content-Type: multipart/alternative; boundary="------------098FE66D94B8C819616ADC7C"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KL15ww8Ltl_W_sPJZJGn89wKd7k>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2017 01:02:42 -0000
I also had the sense that ekr noted that we didn't want to do this in the core spec. So, could you point me more clearly at what you would want to change in the core spec that would allow doing the thing you want to see done in a future document? (Is it just removing "i.e., when a PSK is not in use"?) -Ben On 12/22/2016 04:29 PM, Russ Housley wrote: > David: > > Yes, it does allow both, but the authentication is unclear when both > are in play. The last bullet implies that certificate authentication > only comes into play when there is no PSK. So, if there is a PSK, the > identity associated with it seems to trump whatever is in the certificate. > > As I explained below, I’d like the identity associate with the > External PSK and the identity in the certificate to both have a role. > > Russ > > > On Dec 22, 2016, at 5:12 PM, David Benjamin <davidben@chromium.org > <mailto:davidben@chromium.org>> wrote: > >> It's possible I'm misunderstanding your message here (I'm a little >> confused by the mention of combining normal certificate >> authentication with an external PSK), but TLS 1.3 already allows >> doing both PSK and (EC)DH. That's the psk_dhe_ke mode, rather than >> the psk_ke mode. It's signaled by the server by sending both >> pre_shared_key and key_share extensions. Perhaps the wording should >> be a bit clearer. >> >> Our stack does not even implement psk_ke. It always requires an >> (EC)DH operation in a TLS 1.3 handshake, whether using PSK or >> certificates. >> >> David >> >> On Thu, Dec 22, 2016 at 4:54 PM Russ Housley <housley@vigilsec.com >> <mailto:housley@vigilsec.com>> wrote: >> >> I want to make sure that it is possible to mix PSK with (EC)DH as >> a protection against the discovery of a quantum computer. I >> recognize that the WG does not want to tackle this topic in the >> base specification; however, the following text in Section 4.1.1 >> makes this difficult to do so in a companion document: >> >> > The server indicates its selected parameters in the >> ServerHello as >> > follows: >> > >> > - If PSK is being used then the server will send a >> "pre_shared_key" >> > extension indicating the selected key. >> > >> > - If PSK is not being used, then (EC)DHE and certificate-based >> > authentication are always used. >> > >> > - When (EC)DHE is in use, the server will also provide a >> "key_share" >> > extension. >> > >> > - When authenticating via a certificate (i.e., when a PSK >> is not in >> > use), the server will send the Certificate (Section >> 4.4.1) and >> > CertificateVerify (Section 4.4.2) messages. >> >> An Internal PSK offers no protection against the discovery of a >> quantum computer. I assume that an attacker can save the >> handshake that established the Internal PSK, and then at some >> future date use the quantum computer to discover the Internal >> PSK. Therefore, protection against the discovery of a quantum >> computer is only concerned with External PSK. >> >> I would like for the specification to permit normal certificate >> authentication when someone is using an External PSK. I am >> guessing that the granularity of the name associated with the >> External PSK to be pretty broad. If this guess is correct, it >> would be appropriate for the name in the certificate to be >> further restrict the one associated with the External PSK. Maybe >> the External PSK is associated with example.com >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__example.com_&d=DwMF-g&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=L7igTlV6YOIfY5Lb--b56L_kVzagQDYBba0h3CuE2Ug&s=Qh9_NqRvx6gQ7yd7xUbh7ty4wNEZb4WXWig2yeB15yU&e=>, >> and then the certificate that includes www.example.com >> <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.example.com_&d=DwMF-g&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=L7igTlV6YOIfY5Lb--b56L_kVzagQDYBba0h3CuE2Ug&s=hXFSjfgYGwtp4L2BKSOF67C4qzFaN9yX8A0HamQLdqY&e=> >> would be acceptable acceptable. Then, I would expect any >> Internal PSK that is generated after such an authentication would >> be associated with the more granular certificate name. >> >> Maybe it is as simple as reorganizing these bullets like this: >> >> - When only PSK is being used, … >> >> - When only (EC)DHE is being used, … >> >> - When PSK and (EC)DHE are both being used, … >> >> If others agree with this direction, I am willing to propose some >> text. >> >> Happy holidays, >> Russ >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org <mailto:TLS@ietf.org> >> https://www.ietf.org/mailman/listinfo/tls >> <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_tls&d=DwMF-g&c=96ZbZZcaMF4w0F4jpN6LZg&r=sssDLkeEEBWNIXmTsdpw8TZ3tAJx-Job4p1unc7rOhM&m=L7igTlV6YOIfY5Lb--b56L_kVzagQDYBba0h3CuE2Ug&s=thMCyk6nvtg9KMys9ccc4NuxXMYd-v6zxVgD6rShHY0&e=> >> > > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Using both External PSK and (EC)DH in TLS 1… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Joseph Salowey
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Martin Thomson
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Ilari Liusvaara