Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
Eric Rescorla <ekr@rtfm.com> Thu, 22 December 2016 22:46 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 056C11295CC for <tls@ietfa.amsl.com>; Thu, 22 Dec 2016 14:46:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UWNUDHs3hTkY for <tls@ietfa.amsl.com>; Thu, 22 Dec 2016 14:46:03 -0800 (PST)
Received: from mail-yw0-x22c.google.com (mail-yw0-x22c.google.com [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 82C291279EB for <tls@ietf.org>; Thu, 22 Dec 2016 14:46:03 -0800 (PST)
Received: by mail-yw0-x22c.google.com with SMTP id r204so122300054ywb.0 for <tls@ietf.org>; Thu, 22 Dec 2016 14:46:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=6+u4izeqbWidNTEoePDWYsXXVsrpZV1+3mRHvVhyrTY=; b=x5+WcT2OrKPb40WCOc6wyqCEf0gc9Ew/te0z9dPdlzxyvHeszcKjUU15fOK8A6W5G6 bZC1rk4L1A2cGG9NvKefQZ8IARjL963sAEFwrEHOFYa9yayDsJXp4DOFAItq0Kl2E7Yy f3kGuKMJzHwuoXmpzCnDsaZfxhn0hyvvuGcs4SWbEGtuE3AxPTzK1+rVJcnow2aQFui4 KEFVd3HSn+G7NmhfuLfFE0Fkc5YoTpPWlzD9SPWWvRr03SdyC6von3To8QlEQHFDxZDz HVfyV3on4V8+g8F+Bc/DXpNj4gddZo3ZyASZxK+5Zl2fa1tzT7aPkRP7aSGF6Sluop3j QanA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=6+u4izeqbWidNTEoePDWYsXXVsrpZV1+3mRHvVhyrTY=; b=rM/Fa8cL5AT7Ck3T0XFfAApGjiLL972HsTSs69prjqTJ1nfBa+pas4NquGaMsZv3W/ NeEeQo1SVeCeus3yfYe6lyCLQyWkSPAR73KDlPXoBOCEZnRF2wpmCGCC+0MW3hHQWLYj 3mz5g8CBfR2KjW146lj9Rm4cerEd3le96Ry3Fbnqad75o+8kN+8htGcE/CuSOt/ndIV9 0SJk76lycMau5qJ8qiyNFq6ouhsR3Ec8nkt2ZenUO2iU9hIFed3fi2Qlx5pbxfNWKqEB asw1B+gIw1G8D8qybaR2EzfzPEIRUOb3GozzOxHkxTz4z4D3HR47NDHhQNeLJDu1cEPM lGBw==
X-Gm-Message-State: AIkVDXJYfn/ITpff3jv4QI/RXHVKCf0N6Sk7o8aSpq6oGBmzGPex1PQCHGp/+D/ySiUtoPCwGH81Ogt0l37OSw==
X-Received: by 10.129.53.203 with SMTP id c194mr7658511ywa.205.1482446762827; Thu, 22 Dec 2016 14:46:02 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.164.210 with HTTP; Thu, 22 Dec 2016 14:45:22 -0800 (PST)
In-Reply-To: <CAOgPGoCwQ4j4ZPpoApc-9mpE-hfWNGa+41KUo4P2OS6gUrBu1g@mail.gmail.com>
References: <0DA64421-5975-4B7E-BC08-7428AFA9D1A1@vigilsec.com> <CAF8qwaB8+o20QP71=zuCJ2EXt9EGFuLcn4s6es=gjnOccZE9fQ@mail.gmail.com> <CAOgPGoCwQ4j4ZPpoApc-9mpE-hfWNGa+41KUo4P2OS6gUrBu1g@mail.gmail.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 22 Dec 2016 14:45:22 -0800
Message-ID: <CABcZeBN35B9VNK_02A41H0dZSkNMPoinhs8Ch8pBCV9=8nZr0g@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
Content-Type: multipart/alternative; boundary="001a11422656b2917a05444708b1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KOcRHa5flCrl-kXJ7wN6eDIUN1w>
Cc: IETF TLS <tls@ietf.org>
Subject: Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2016 22:46:06 -0000
On Thu, Dec 22, 2016 at 2:28 PM, Joseph Salowey <joe@salowey.net> wrote: > Does you implementation allow a PSK to be used along with certificate > based authentication? > There is presently no way to negotiate this in TLS 1.3. I have been assuming that if we decide we want this we would add a psk_auth_mode extension to parallel psk_ke_mode. The sense of a number of us is that there are enough complications with adding this feature (consider what happens if the server provides a different set of SANs....) that we should add it later. -Ekr > On Thu, Dec 22, 2016 at 2:12 PM, David Benjamin <davidben@chromium.org> > wrote: > >> It's possible I'm misunderstanding your message here (I'm a little >> confused by the mention of combining normal certificate authentication with >> an external PSK), but TLS 1.3 already allows doing both PSK and (EC)DH. >> That's the psk_dhe_ke mode, rather than the psk_ke mode. It's signaled by >> the server by sending both pre_shared_key and key_share extensions. Perhaps >> the wording should be a bit clearer. >> >> Our stack does not even implement psk_ke. It always requires an (EC)DH >> operation in a TLS 1.3 handshake, whether using PSK or certificates. >> >> David >> >> >> On Thu, Dec 22, 2016 at 4:54 PM Russ Housley <housley@vigilsec.com> >> wrote: >> >>> I want to make sure that it is possible to mix PSK with (EC)DH as a >>> protection against the discovery of a quantum computer. I recognize that >>> the WG does not want to tackle this topic in the base specification; >>> however, the following text in Section 4.1.1 makes this difficult to do so >>> in a companion document: >>> >>> > The server indicates its selected parameters in the ServerHello as >>> > follows: >>> > >>> > - If PSK is being used then the server will send a "pre_shared_key" >>> > extension indicating the selected key. >>> > >>> > - If PSK is not being used, then (EC)DHE and certificate-based >>> > authentication are always used. >>> > >>> > - When (EC)DHE is in use, the server will also provide a >>> "key_share" >>> > extension. >>> > >>> > - When authenticating via a certificate (i.e., when a PSK is not in >>> > use), the server will send the Certificate (Section 4.4.1) and >>> > CertificateVerify (Section 4.4.2) messages. >>> >>> An Internal PSK offers no protection against the discovery of a quantum >>> computer. I assume that an attacker can save the handshake that >>> established the Internal PSK, and then at some future date use the quantum >>> computer to discover the Internal PSK. Therefore, protection against the >>> discovery of a quantum computer is only concerned with External PSK. >>> >>> I would like for the specification to permit normal certificate >>> authentication when someone is using an External PSK. I am guessing that >>> the granularity of the name associated with the External PSK to be pretty >>> broad. If this guess is correct, it would be appropriate for the name in >>> the certificate to be further restrict the one associated with the External >>> PSK. Maybe the External PSK is associated with example.com, and then >>> the certificate that includes www.example.com would be acceptable >>> acceptable. Then, I would expect any Internal PSK that is generated after >>> such an authentication would be associated with the more granular >>> certificate name. >>> >>> Maybe it is as simple as reorganizing these bullets like this: >>> >>> - When only PSK is being used, … >>> >>> - When only (EC)DHE is being used, … >>> >>> - When PSK and (EC)DHE are both being used, … >>> >>> If others agree with this direction, I am willing to propose some text. >>> >>> Happy holidays, >>> Russ >>> _______________________________________________ >>> TLS mailing list >>> TLS@ietf.org >>> https://www.ietf.org/mailman/listinfo/tls >>> >> >> _______________________________________________ >> TLS mailing list >> TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls >> >> > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls > >
- [TLS] Using both External PSK and (EC)DH in TLS 1… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Joseph Salowey
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Martin Thomson
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Ilari Liusvaara