IETF Logo Mail Archive

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

Eric Rescorla <ekr@rtfm.com> Fri, 20 July 2018 12:09 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8853B127AC2 for <tls@ietfa.amsl.com>; Fri, 20 Jul 2018 05:09:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_DKIMWL_WL_MED=-0.01] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BglVO4xsNiFS for <tls@ietfa.amsl.com>; Fri, 20 Jul 2018 05:09:31 -0700 (PDT)
Received: from mail-lj1-x229.google.com (mail-lj1-x229.google.com [IPv6:2a00:1450:4864:20::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7452124D68 for <tls@ietf.org>; Fri, 20 Jul 2018 05:09:30 -0700 (PDT)
Received: by mail-lj1-x229.google.com with SMTP id l15-v6so10953767lji.6 for <tls@ietf.org>; Fri, 20 Jul 2018 05:09:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=ol0ZiKy6O8XweWAJM2WViYXxZPO0TRcGol29MipldUE=; b=HC5bpf+NUvLwpwVgnqTL2l2A4OO0Spzo9UhesZcpwh3SZoRonjlySVi9li3g5sIQMy JpQ6tRSSMzt25OnLbggVmnt62pE2BDtblWku0eMC7LLanhf+698gt6J+WNmk5sFvn14I A0fmVSoPD3rzNVJZLXu0fWyyfkilRjOy+BRomLX3rKh7isLOYhi0QGxqGJbxUhWKbgaR mTcB5wiFGuhkSZzIG5t35DzY2rxorZCYuuJYvFima7ljqrnqvOID6yKYjHtNuDjVqh4+ sJn+3WQ2TPzKmKJzqkPIKvCFZrduRDq3zIarDxPUCNaT5vHU+SuMQgSFv1modVwUK/Ob /E9Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=ol0ZiKy6O8XweWAJM2WViYXxZPO0TRcGol29MipldUE=; b=ROFPkHH1OeVUNRrXtLGc3U/2TfzOF4sqMO8gPzg2Mu99MWcOjPodxw28/8lz+7hzmD IsJb6ljssCRRwqwkuQ4wlCSHBoSCaFJC7Xy2ObkPZZnaRMtfoGeToOrWn+zi4zCO29aZ LsacQ7AXZxSYVH5uoZDblkNzqbL0+D4fDkqD248Uo2TR/k2hY1hEC6bvbHfVESCNyf54 oTvRaqxYorRe6tsSocho5S8Ast97aD3bY6VGgjbU5PMrt61ZIyqUFk4lcbM2KXdgcyMM 5liMG4il1LpMlveMxIJm5X35ywwRVvuwVx3UFXhRTdMZmCLQyKOT4wNr1bT303FDQxEj V9Bg==
X-Gm-Message-State: AOUpUlGjWOwJPgiZdLxeiBnipUW7hTha9ekLB24bw7E9bL/m55OVtLvT OTI0IooZxUHqRHB7OPEQk7F0dRLtoLuREP+KISeyOA==
X-Google-Smtp-Source: AAOMgpdnZNuLiaj8uNNnk/ZrkZrwLbrb4uSaYBBx6PcfRpu/npmTFCK7lCyuWBz0CkiNrTb0RpMzLaB5PF1LK5+Ofb0=
X-Received: by 2002:a2e:9c4d:: with SMTP id t13-v6mr1442831ljj.153.1532088569154; Fri, 20 Jul 2018 05:09:29 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:ab3:4091:0:0:0:0:0 with HTTP; Fri, 20 Jul 2018 05:08:48 -0700 (PDT)
In-Reply-To: <86b69d7d0534d7c711d13182c18774cf484e6431.camel@redhat.com>
References: <20180719230009.GD14551@akamai.com> <ce4cb23be8939e57574062e17c4f204f7145d020.camel@redhat.com> <CABcZeBN4tdHZ_fzqqEJNR46BP5bxiy6gWa17xxhfj9YXVAR0rw@mail.gmail.com> <86b69d7d0534d7c711d13182c18774cf484e6431.camel@redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 20 Jul 2018 05:08:48 -0700
Message-ID: <CABcZeBMyiNVX8abMd5OTwr6SrHWmTBnS2mV6U9=cPdbkgYxEWg@mail.gmail.com>
To: Nikos Mavrogiannopoulos <nmav@redhat.com>
Cc: Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000edde5e05716d2a78"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QXes9P4KCc8nS0amv9QPSg7j8lc>
Subject: Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 12:09:35 -0000

On Fri, Jul 20, 2018 at 4:39 AM, Nikos Mavrogiannopoulos <nmav@redhat.com>
wrote:

> On Fri, 2018-07-20 at 02:38 -0700, Eric Rescorla wrote:
> > >
> > > > This is somewhat timely, as if we do want to introduce a
> > > restriction,
> > > > it
> > > > would ideally be in the form of some text in the TLS 1.3
> > > > specification,
> > > > which is very nearly done.
> > > >
> > > > It would be good to hear more opinions on this question,
> > > particularly
> > > > from those who have worked on the formal verification directly.
> > > >
> > > > If I can attempt to summarize some discussion that occurred in
> > > the
> > > > mic
> > > > line today, Hannes was surprised that we would care, likening
> > > this
> > > > case
> > > > to the regular version negotiation, where we are happy to use the
> > > > same
> > > > certificate to sign messages for both TLS 1.2 and 1.3.  David
> > > > Benjamin
> > > > points out that we explicitly go to the trouble of putting 64
> > > bytes
> > > > of
> > > > 0x20 padding at the front of the content that gets signed for
> > > > CertificateVerify, to enforce separation between the TLS
> > > versions.
> > > >
> > > > My own personal opinion is that we should enforce a domain
> > > separation
> > > > between TLS 1.2 PSKs and TLS 1.3 PSKs; David Benjamin's
> > > "Universal
> > > > PSKs"
> > > > proposal seems like a potential mechanism by which to do so
> > > without
> > > > doubling the provisioning needs.
> > >
> > > I think the same rules should apply for PSK and RSA/ECDSA/EdDSA
> > > keys.
> > > There is no inherent difference between the two keys types. I could
> > > have deployed TLS with PKI or TLS with PSK. I should be able to
> > > upgrade
> > > protocols the same way.
> > >
> > > If RSA keys can be re-used between TLS1.2 and TLS1.3, then so
> > > should
> > > PSK keys. The current document specifically allows that re-use, and
> > > if
> > > you fear that the current document did not take cross-protocol
> > > attacks
> > > in mind during design, then let's fix that instead.
> >
> > The issue is not cross-protocol attacks; it's the reuse of PSKs with
> > different KDFs, which we don't have any analysis for
>
> I understand, but as I have already mentioned that argument also
> applies for RSA keys which can be used e.g., for RSA encryption under
> TLS1.2 and for RSA-PSS signatures under TLS1.3. ECDSA keys can be used
> with multiple hashes under TLS1.2 while only one under TLS1.3.
> TLS 1.3 did not enforce protocol separation for that ugly scenario, so
> I wouldn't expect the treatment of PSKs differently.
>

I will let Karthik speak for himself, but I believe we do in fact have
analysis
for these cases.

-Ekr


> Said that, I want to clarify that I wouldn't necessarily object to an
> improvement the situation for externally established PSKs. The issue I
> see is that TLS1.3 already gives a "good enough" solution with re-using
> the key, and I'm afraid we're going to have interoperation issues if
> some implementations move to universal psks and some do not, defeating
> the purpose of a standard.
>
> regards,
> Nikos
>
>

v2.23.0 | Report a Bug | By Email