Re: [TLS] PSK in 1.3?
"Christian Kahlo" <ck@vx4.de> Thu, 19 February 2015 16:21 UTC
From: Christian Kahlo <ck@vx4.de>
To: 'Sven Schäge' <sven.schaege@rub.de>, 'Dan Harkins' <dharkins@lounge.org>, tls@ietf.org
References: <544384C7.9030002@polarssl.org> <78795A6D-3DFA-41C6-A380-C63DDF4C0285@gmail.com> <5443BF11.3090505@polarssl.org> <1D875BD8-2727-4895-842A-FC4FAA482E15@gmail.com> <5e587b4474939cad09c12cbf3625dd98.squirrel@www.trepanning.net> <CAO9bm2mQzjiLpMgB-mh-bRca-A2gkTZiBd9c3CsFq4kekBGxUw@mail.gmail.com>
In-Reply-To: <CAO9bm2mQzjiLpMgB-mh-bRca-A2gkTZiBd9c3CsFq4kekBGxUw@mail.gmail.com>
Date: Thu, 19 Feb 2015 17:21:34 +0100
Organization: VX4.NET
Message-ID: <002601d04c60$21f80c60$65e82520$@de>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/QBS6sMcAcijD1NMRzJiUWHERF60>
Cc: jens.bender@bsi.bund.de
Subject: Re: [TLS] PSK in 1.3?
BTW: We're using TLS_ECDHE_RSA_PSK_WITH_AES_256_CBC_SHA384 on a custom code point for a couple of years now. Works well - even in customer infrastructure with SPI firewalls. BSI TR-03116-4 requires TLS 1.2, EtM (RFC 7366) and PFS. For some cases PSK is needed as a three-party cryptographic binding.

When I saw how lazy RFC 7366 standardization was in this WG I just skipped talking about it and we decided to fulfill the requirements out-of-IETF-standard. It's sufficient if we rely on the basics such as versions, record format, supported minimum, interoperable cipher suites for non-internal infrastructure communication.

But maybe this is a pointer on how to support PSK-PFS in TLS 1.3+. I could provide pseudo code from the key exchanger part. We would really appreciate PSK-PFS as a public standard. (No, we don't reveal source code of those projects. But we could add it to i.e. BouncyCastle.)

Best regards,
Christian

From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Sven Schäge
Sent: Thursday, 19 February 2015 16:41
To: Dan Harkins; tls@ietf.org
Subject: Re: [TLS] PSK in 1.3?

I was just reading through the TLS-PSK related discussions so far and came across your post...

2014-10-20 14:13 GMT+02:00 Dan Harkins <dharkins@lounge.org>:

On Sun, October 19, 2014 7:35 am, Yoav Nir wrote:
>
> I also understand that in practice, PSK ciphersuites are used only by
> small devices, whereas the web and SMTP and other things never went for
> it. But the standards don’t say that. They don’t say that PSK
> ciphersuites are especially for constrained devices. So if we insist that
> the same TLS 1.3 be used for both, and we don’t want to say that PSK is
> for weak security, then we should have a good story of why PFS is not
> needed for PSK uses, whereas it’s essential for all RSA uses. If I
> understand the mechanism correctly, PSKs tend to be long-lived, and a
> subsequent compromise of a PSK (even if it is expired at the time of
> compromise) allows an attacker to decrypt the content of a TLS session.

The non-PFS PSK ciphersuites are no different than the widely discredited, and easily cracked, WPA-PSK mode of WiFi security. It would be a really bad idea to continue with these ciphersuites in TLS 1.3. But the issue is not just PFS (or the lack of it), it's that PSK ciphersuites are susceptible to dictionary attack.

> So either we believe that PSK compromise is unlikely, or we believe that
> the data in a connection with a PSK ciphersuite is not future-sensitive.
> If we don’t, we’re saying that we’re just piling on security
> nice-to-haves because we think the users can handle them.

There's no way that the protocol can be defined to justify that belief. What you're talking about is how people end up using the protocol and that is entirely out of the power of this WG. What we can do is to make TLS be as _misuse resistant_ as possible. And to do that we should not allow PSKs in TLS 1.3 unless they are used in a PAKE.

By the way, I'm surprised that no one is expressing outrageous outrage at the lack of a security proof for PSK ciphersuites.

Perhaps you might find http://eprint.iacr.org/2014/037 useful.

regards,

Dan.

Many greetings,
Sven
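As an added illustration of the forward-secrecy point Yoav and Dan argue over above (example code written for this archive page; it is not code from the thread, from Christian's project, or from BouncyCastle): the TLS 1.2 premaster-secret layouts of RFC 4279 (plain PSK and DHE_PSK) and RFC 5489 (ECDHE_PSK), fed through the TLS 1.2 PRF of RFC 5246. The custom ECDHE_RSA_PSK code point Christian mentions is not reproduced. The (EC)DH shared secret Z is modelled as constructed random bytes rather than computed from a real group, and the PSK and hello randoms are constructed values; the function and variable names are this example's own.

```python
"""TLS 1.2 PSK vs (EC)DHE_PSK master-secret derivation (added example, not
from the thread).  Shows why a plain PSK suite has no forward secrecy:
every input to the master secret except the long-lived PSK travels in
the clear, so whoever later learns the PSK can recompute the keys of a
recorded handshake.  With (EC)DHE_PSK the ephemeral secret Z is also
needed, and neither peer keeps it."""
import hmac
import os
import struct


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int,
              hash_name: str = "sha256") -> bytes:
    """PRF(secret, label, seed) = P_<hash>(secret, label + seed), RFC 5246 s.5,
    truncated to `length` octets.  SHA-256 or SHA-384 depending on the suite."""
    seed = label + seed
    out = b""
    a = seed                                                  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest() # HMAC(secret, A(i) + seed)
    return out[:length]


def psk_premaster(psk: bytes) -> bytes:
    """RFC 4279 s.2 (plain PSK suites): uint16 N || N zero octets || uint16 N || PSK.
    Nothing in here is ephemeral."""
    n = len(psk)
    return struct.pack("!H", n) + b"\x00" * n + struct.pack("!H", n) + psk


def dhe_psk_premaster(z: bytes, psk: bytes) -> bytes:
    """RFC 4279 s.3 (DHE_PSK) and RFC 5489 s.2 (ECDHE_PSK):
    uint16 len(Z) || Z || uint16 len(PSK) || PSK, Z = (EC)DH shared secret."""
    return struct.pack("!H", len(z)) + z + struct.pack("!H", len(psk)) + psk


def master_secret(premaster: bytes, client_random: bytes, server_random: bytes,
                  hash_name: str = "sha256") -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random)[0..47], RFC 5246 s.8.1."""
    return tls12_prf(premaster, b"master secret",
                     client_random + server_random, 48, hash_name)


def forward_secrecy_comparison(hash_name: str = "sha384") -> dict:
    """Derive the master secret of one (constructed) handshake under both
    layouts, then try to recompute it later from the PSK and the recorded
    hellos alone.  Returns which of the two can be recomputed."""
    psk = b"constructed-shared-key-for-demo"      # constructed, long-lived
    client_random = bytes(range(32))              # constructed; sent in clear
    server_random = bytes(range(32, 64))          # constructed; sent in clear
    # Ephemeral Z: modelled as random bytes standing in for the (EC)DH result
    # that both peers compute and then discard.
    z = os.urandom(32)

    ms_psk = master_secret(psk_premaster(psk), client_random, server_random, hash_name)
    ms_dhe = master_secret(dhe_psk_premaster(z, psk), client_random, server_random, hash_name)

    # Later, holding only the PSK and the recorded handshake:
    later_psk_only = master_secret(psk_premaster(psk), client_random, server_random, hash_name)
    # For (EC)DHE_PSK the real Z is gone; any stand-in value gives a different key.
    later_dhe_without_z = master_secret(dhe_psk_premaster(os.urandom(32), psk),
                                        client_random, server_random, hash_name)
    return {
        "psk_only_recomputable": ms_psk == later_psk_only,
        "dhe_psk_recomputable": ms_dhe == later_dhe_without_z,
    }


if __name__ == "__main__":
    for name in ("sha256", "sha384"):
        print(name, forward_secrecy_comparison(name))
```

The SHA-384 variant corresponds to suites ending in `_SHA384`, such as the one named in the message, whose PRF hash is SHA-384; the 48-octet master secret and the premaster layout are the same for both hashes.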