Re: [TLS] issues with DTLS + PSK

Hannes Tschofenig <hannes.tschofenig@gmx.net> Mon, 05 January 2015 18:26 UTC

Message-ID: <54AAD743.6070801@gmx.net>
Date: Mon, 05 Jan 2015 19:26:11 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>, IETF TLS <tls@ietf.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/LQjtvyUt9MVlEkUt8FaR7dY1T0U

Hi Nikos,

the issue you raise did not surface as a problem in the IoT space with
the use of DTLS. When you do not have the right key for authentication
in DTLS then waiting for the timeout is not going to be a big deal. Note
that this is not a user sitting in front of the machine and typing in
passwords. This is, as the name indicates, a shared secret-based mechanism.

Using DTLS-PSK in combination with DH is IMHO not particularly useful
since then you can also switch to a raw public key right away since you
lose all the performance and code size benefits that the PSK mechanism
provides with DTLS.

Ciao
Hannes


On 01/05/2015 05:08 PM, Nikos Mavrogiannopoulos wrote:
> Some issues while using PSK in combination with DTLS.
> 1. The PSK ciphersuites rely on Finished messages mismatch to detect a
> wrong preshared-key. That doesn't work well with DTLS where wrongly
> encrypted messages are simply ignored. Thus there is no reasonable way
> to detect wrong PSK keys except wait for some timeout.
> 
> 2. Even if one would not ignore the finished message decryption issue,
> and fail the handshake immediately, there is no way to notify the peer
> of the failure. The exchanged keys don't match, so any alert message
> will not be received by the peer.
> 
> 
> A solution would be, on a revision of the PSK ciphersuites, to define
> PSK ciphersuites which will authenticate (e.g., with a MAC), an (EC)DH
> key exchange. That would allow a graceful failure in case of a mismatch
> of keys. In addition it will allow the usage of hardware security
> modules with PSK (something that is very hard to impossible with the
> current ECDHE/DHE PSK ciphersuites).
> 
> regards,
> Nikos
>
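
The two failure modes discussed in this thread, as an added sketch that is not part of either message and is not code from any TLS implementation. It assumes a toy DH group, HMAC as a stand-in for DTLS record protection, and that the MAC over the key exchange is checked on a cleartext handshake message so a cleartext alert is still possible; all function names and labels are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy DH group for illustration only (assumption; not a secure parameter choice).
P, G = 2**127 - 1, 3

def kdf(secret: bytes, label: bytes) -> bytes:
    return hmac.new(secret, label, hashlib.sha256).digest()

def protect(key: bytes, payload: bytes) -> bytes:
    # Stand-in for DTLS record protection: payload plus integrity tag.
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def unprotect(key: bytes, record: bytes):
    payload, tag = record[:-32], record[-32:]
    good = hmac.new(key, payload, hashlib.sha256).digest()
    # A record that fails its check is silently dropped, as in issue 1.
    return payload if hmac.compare_digest(tag, good) else None

def plain_psk(client_psk: bytes, server_psk: bytes) -> str:
    """Current PSK suites: a wrong key shows up only in the protected Finished."""
    finished = protect(kdf(client_psk, b"record key"), b"Finished")
    if unprotect(kdf(server_psk, b"record key"), finished) is None:
        return "record discarded; peer waits for timeout"
    return "handshake complete"

def mac_authenticated_dh(client_psk: bytes, server_psk: bytes) -> str:
    """Proposed shape: the PSK MACs a cleartext DH share, checked before keys are used."""
    x = secrets.randbelow(P - 2) + 1
    share = pow(G, x, P).to_bytes(16, "big")
    tag = hmac.new(kdf(client_psk, b"kx auth"), share, hashlib.sha256).digest()
    expected = hmac.new(kdf(server_psk, b"kx auth"), share, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Record protection is not active yet, so the peer can read the alert.
        return "cleartext alert sent; handshake fails immediately"
    y = secrets.randbelow(P - 2) + 1
    server_secret = pow(int.from_bytes(share, "big"), y, P)
    client_secret = pow(pow(G, y, P), x, P)
    if server_secret != client_secret:
        raise RuntimeError("DH shared secrets differ")
    return "handshake complete"

if __name__ == "__main__":
    good, bad = b"constructed-psk-A", b"constructed-psk-B"  # constructed sample keys
    print("plain PSK, mismatch:", plain_psk(good, bad))
    print("MAC'd DH, mismatch: ", mac_authenticated_dh(good, bad))
```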