Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
Eric Rescorla <ekr@rtfm.com> Fri, 20 July 2018 12:09 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8853B127AC2 for <tls@ietfa.amsl.com>; Fri, 20 Jul 2018 05:09:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BglVO4xsNiFS for <tls@ietfa.amsl.com>; Fri, 20 Jul 2018 05:09:31 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7452124D68 for <tls@ietf.org>; Fri, 20 Jul 2018 05:09:30 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id l15-v6so10953767lji.6 for <tls@ietf.org>; Fri, 20 Jul 2018 05:09:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ol0ZiKy6O8XweWAJM2WViYXxZPO0TRcGol29MipldUE=; b=HC5bpf+NUvLwpwVgnqTL2l2A4OO0Spzo9UhesZcpwh3SZoRonjlySVi9li3g5sIQMy JpQ6tRSSMzt25OnLbggVmnt62pE2BDtblWku0eMC7LLanhf+698gt6J+WNmk5sFvn14I A0fmVSoPD3rzNVJZLXu0fWyyfkilRjOy+BRomLX3rKh7isLOYhi0QGxqGJbxUhWKbgaR mTcB5wiFGuhkSZzIG5t35DzY2rxorZCYuuJYvFima7ljqrnqvOID6yKYjHtNuDjVqh4+ sJn+3WQ2TPzKmKJzqkPIKvCFZrduRDq3zIarDxPUCNaT5vHU+SuMQgSFv1modVwUK/Ob /E9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ol0ZiKy6O8XweWAJM2WViYXxZPO0TRcGol29MipldUE=; b=ROFPkHH1OeVUNRrXtLGc3U/2TfzOF4sqMO8gPzg2Mu99MWcOjPodxw28/8lz+7hzmD IsJb6ljssCRRwqwkuQ4wlCSHBoSCaFJC7Xy2ObkPZZnaRMtfoGeToOrWn+zi4zCO29aZ LsacQ7AXZxSYVH5uoZDblkNzqbL0+D4fDkqD248Uo2TR/k2hY1hEC6bvbHfVESCNyf54 oTvRaqxYorRe6tsSocho5S8Ast97aD3bY6VGgjbU5PMrt61ZIyqUFk4lcbM2KXdgcyMM 5liMG4il1LpMlveMxIJm5X35ywwRVvuwVx3UFXhRTdMZmCLQyKOT4wNr1bT303FDQxEj V9Bg==
X-Gm-Message-State: AOUpUlGjWOwJPgiZdLxeiBnipUW7hTha9ekLB24bw7E9bL/m55OVtLvT OTI0IooZxUHqRHB7OPEQk7F0dRLtoLuREP+KISeyOA==
X-Google-Smtp-Source: AAOMgpdnZNuLiaj8uNNnk/ZrkZrwLbrb4uSaYBBx6PcfRpu/npmTFCK7lCyuWBz0CkiNrTb0RpMzLaB5PF1LK5+Ofb0=
X-Received: by 2002:a2e:9c4d:: with SMTP id t13-v6mr1442831ljj.153.1532088569154; Fri, 20 Jul 2018 05:09:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Fri, 20 Jul 2018 05:08:48 -0700 (PDT)
In-Reply-To: <86b69d7d0534d7c711d13182c18774cf484e6431.camel@redhat.com>
References: <20180719230009.GD14551@akamai.com> <ce4cb23be8939e57574062e17c4f204f7145d020.camel@redhat.com> <CABcZeBN4tdHZ_fzqqEJNR46BP5bxiy6gWa17xxhfj9YXVAR0rw@mail.gmail.com> <86b69d7d0534d7c711d13182c18774cf484e6431.camel@redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 20 Jul 2018 05:08:48 -0700
Message-ID: <CABcZeBMyiNVX8abMd5OTwr6SrHWmTBnS2mV6U9=cPdbkgYxEWg@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Cc: Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000edde5e05716d2a78"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QXes9P4KCc8nS0amv9QPSg7j8lc>
Subject: Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 12:09:35 -0000
On Fri, Jul 20, 2018 at 4:39 AM, Nikos Mavrogiannopoulos <nmav@redhat.com> wrote: > On Fri, 2018-07-20 at 02:38 -0700, Eric Rescorla wrote: > > > > > > > This is somewhat timely, as if we do want to introduce a > > > restriction, > > > > it > > > > would ideally be in the form of some text in the TLS 1.3 > > > > specification, > > > > which is very nearly done. > > > > > > > > It would be good to hear more opinions on this question, > > > particularly > > > > from those who have worked on the formal verification directly. > > > > > > > > If I can attempt to summarize some discussion that occurred in > > > the > > > > mic > > > > line today, Hannes was surprised that we would care, likening > > > this > > > > case > > > > to the regular version negotiation, where we are happy to use the > > > > same > > > > certificate to sign messages for both TLS 1.2 and 1.3. David > > > > Benjamin > > > > points out that we explicitly go to the trouble of putting 64 > > > bytes > > > > of > > > > 0x20 padding at the front of the content that gets signed for > > > > CertificateVerify, to enforce separation between the TLS > > > versions. > > > > > > > > My own personal opinion is that we should enforce a domain > > > separation > > > > between TLS 1.2 PSKs and TLS 1.3 PSKs; David Benjamin's > > > "Universal > > > > PSKs" > > > > proposal seems like a potential mechanism by which to do so > > > without > > > > doubling the provisioning needs. > > > > > > I think the same rules should apply for PSK and RSA/ECDSA/EdDSA > > > keys. > > > There is no inherent difference between the two keys types. I could > > > have deployed TLS with PKI or TLS with PSK. I should be able to > > > upgrade > > > protocols the same way. > > > > > > If RSA keys can be re-used between TLS1.2 and TLS1.3, then so > > > should > > > PSK keys. The current document specifically allows that re-use, and > > > if > > > you fear that the current document did not take cross-protocol > > > attacks > > > in mind during design, then let's fix that instead. > > > > The issue is not cross-protocol attacks; it's the reuse of PSKs with > > different KDFs, which we don't have any analysis for > > I understand, but as I have already mentioned that argument also > applies for RSA keys which can be used e.g., for RSA encryption under > TLS1.2 and for RSA-PSS signatures under TLS1.3. ECDSA keys can be used > with multiple hashes under TLS1.2 while only one under TLS1.3. > TLS 1.3 did not enforce protocol separation for that ugly scenario, so > I wouldn't expect the treatment of PSKs differently. > I will let Karthik speak for himself, but I believe we do in fact have analysis for these cases. -Ekr > Said that, I want to clarify that I wouldn't necessarily object to an > improvement the situation for externally established PSKs. The issue I > see is that TLS1.3 already gives a "good enough" solution with re-using > the key, and I'm afraid we're going to have interoperation issues if > some implementations move to universal psks and some do not, defeating > the purpose of a standard. > > regards, > Nikos > >
- [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3 Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… David Benjamin
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Jonathan Hoyland
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla