IETF Logo Mail Archive

Re: [TLS] draft-housley-tls-tls13-cert-with-extern-psk

Russ Housley <housley@vigilsec.com> Fri, 27 July 2018 19:26 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 07EB3131056 for <tls@ietfa.amsl.com>; Fri, 27 Jul 2018 12:26:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9yj5exn7ym33 for <tls@ietfa.amsl.com>; Fri, 27 Jul 2018 12:26:10 -0700 (PDT)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C387E13105D for <tls@ietf.org>; Fri, 27 Jul 2018 12:26:09 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id A60973005A8 for <tls@ietf.org>; Fri, 27 Jul 2018 15:26:07 -0400 (EDT)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id vz6FbIxbdlgS for <tls@ietf.org>; Fri, 27 Jul 2018 15:26:06 -0400 (EDT)
Received: from a860b60074bd.home (pool-71-127-50-4.washdc.fios.verizon.net [71.127.50.4]) by mail.smeinc.net (Postfix) with ESMTPSA id 66DEF300541; Fri, 27 Jul 2018 15:26:06 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <98fd53a18dc6b06ecd750201239721e8f88d5e7e.camel@redhat.com>
Date: Fri, 27 Jul 2018 15:26:07 -0400
Cc: IETF TLS <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <BB14E2C1-8D96-466E-B44E-0870CF6EE61E@vigilsec.com>
References: <797D67EC-9390-47CD-BD6A-75E34E5FE33F@vigilsec.com> <1524474119.4793.7.camel@redhat.com> <E1DD6812-9085-4FD4-98A4-1DE5B4E4DD72@vigilsec.com> <98fd53a18dc6b06ecd750201239721e8f88d5e7e.camel@redhat.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/O03bIv5L5n3nYnI3ePjzXsUaXMA>
Subject: Re: [TLS] draft-housley-tls-tls13-cert-with-extern-psk
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 19:26:17 -0000


> On Jul 27, 2018, at 5:23 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote:
> 
> On Mon, 2018-04-23 at 15:30 -0400, Russ Housley wrote:
>>> 
>>> In the presentation the main driver for it seems to be quantum
>>> computer
>>> resistance as temporary measure. If that's the main argument I
>>> don't
>>> think it is really significant. PSK can hardly be used with PKI,
>>> and as
>>> a matter of fact we use PKI because of PSK key distribution
>>> problems.
>>> If we switch to PSK for quantum computer resistance there is there
>>> a
>>> reason to use PKI? Probably no (I may be wrong here, if there is a
>>> reason for a hubrid model I'm missing, I'd be glad to know).
>> 
>> I am not advocating for a pairwise PSK between every client and
>> server.  If that were available to us, then as you say, we would
>> always use the PSK without any PKI.
>> 
>> I envision a PSK being distributed to a group of clients and group of
>> severs.  At some point in the future a large-scale quantum computer
>> might get invented, and if any member of the group has access to it,
>> then they can recover the traffic.  However, parties outside the
>> group cannot recover the traffic because the large-scale quantum
>> computer does not assist with the discovery of the PSK.
> 
> [going back to this thread, as I have missed that reply and only saw it
> after the request for adoption was made]
> 
> It certainly makes sense.
> 
>>> I could see the main driver for such proposal the replacement of
>>> the
>>> RSA-PSK ciphersuites. I know they have _some_ adoption, but I'm not
>>> sure whether that is significant to require update to TLS1.3.
>> 
>> This is not my goal.
>> 
>>> On the implementation side, why not use post-handshake
>>> authentication
>>> here? I.e., extend it to be usable from client-side, and on a PSK
>>> key
>>> exchange, have the client request server authentication after the
>>> handshake?
>> 
>> I'm not sure why that is easier to implement.  Can you say more?
> 
> Current TLS1.3 implementations can do a PSK key exchange and
> authenticate the client's certificate with post-handshake auth. Based
> on that, what you'd need to make that authentication two-way (both
> server and client use cert) is the ability for client to ask the server
> for certificate. 
> 
> As PHA is fairly simple (server sends a certificate request to client
> if the PHA extension is seen), doing the opposite if another extension
> is seen, seems trivial (the bits and pieces are already there).

The bits and pieces for using and external PSK with certificates are also already present.  That is why the extension is defines as:

      struct {
          select (Handshake.msg_type) {
              case client_hello: Empty;
              case server_hello: Empty;
          };
      } CertWithExternPSK;

See https://datatracker.ietf.org/meeting/102/materials/slides-102-tls-certificate-based-authentication-with-external-psk-00;
Slide 5 shows that other extensions are used, and slide 6 shows the above syntax.

Russ

v2.23.0 | Report a Bug | By Email