Re: [TLS] Selfie attack
"Christopher Wood" <caw@heapingbits.net> Tue, 08 October 2019 16:46 UTC
Date: Tue, 08 Oct 2019 09:46:26 -0700
From: Christopher Wood <caw@heapingbits.net>
To: Mohit Sethi M <mohit.m.sethi@ericsson.com>, "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ReHG20YxO0wRyw6aXkiscT7eNSs>
On Tue, Oct 8, 2019, at 2:55 AM, Mohit Sethi M wrote:
> Hi Chris,
>
> For the benefit of the list, let me summarize that the selfie attack is only relevant where multiple parties share the same PSK and use the same PSK for outgoing and incoming connections. These situations are rather rare, but I accept that TLS is widely used (and sometimes misused) in many places.
>
> The Selfie attack only happens when an entity with the PSK acts maliciously. So I think the fact that you write in the draft: "each node must be trusted not to impersonate another node's role" does not take into account that there must be a malicious node for the selfie attack to happen in the first place.
>
> Drucker and Gueron's paper recommends that "every participating party gets (during the setup of the network) a unique identity" and "the client and the server must verify the validity of the claimed identities.". The reality however is that in most group PSK scenarios, the nodes don't have any strong identities that can be verified.
>
> What you should instead (or additionally) say in the text is that a node should check that the client_mac and server_mac (or any other identities used) *are never the same*.

This seems implicit in the text as written. Could I ask you to submit a PR against [1] to clarify?

Thanks,
Chris

[1] https://github.com/tlswg/draft-ietf-tls-external-psk-importer

> Without this check, the selfie attack would still be possible. And at least this does not require strong identity verification for preventing selfie attacks.
>
> --Mohit
>
> On 10/5/19 2:41 PM, Christopher Wood wrote:
> > Hi Feng,
> >
> > For what it's worth, the latest version of the PSK importers draft includes a "context" field into which identity information can be fed:
> >
> > https://tools.ietf.org/html/draft-ietf-tls-external-psk-importer-01#appendix-B
> >
> > Best,
> > Chris
> >
> > On Tue, Sep 24, 2019, at 9:19 AM, Hao, Feng wrote:
> > > Hi John,
> > >
> > > Reflection attacks are indeed older, but the selfie attack is a bit different. It's actually a variant of the unknown key share attack. A typical example of the UKS attack is the one reported on MQV by Kaliski in 2001 (see "An unknown key-share attack on the MQV key agreement protocol" in ACM TISSEC 2001). In that example, the adversary plays message between two users to cause confusion in the identity, but in Selfie, the adversary plays message with only one user and uses another instance of the user to cause confusion in the identity. When we reported this variant of UKS in [3], we were not aware of anything like that in the literature.
> > >
> > > Cheers,
> > > Feng
> > >
> > > On 24/09/2019, 16:17, "John Mattsson" <john.mattsson@ericsson.com> wrote:
> > > > Hi,
> > > >
> > > > I think these reflection attacks are much older than this. A quick search for reflection attack security protocol gives a lot of old results. The description of reflection attack in the following lecture material from 2009 looks just like the "selfie attack" on TLS 1.3
> > > > http://www.cs.bham.ac.uk/~tpc/cwi/Teaching/Files/Lecture4_6up.pdf
> > > >
> > > > With multiple sections there are other things that change as well. If two nodes unintentionally initiate simultaneous ClientHello to each other, even if they only want a single secure connection (I have seen live systems where this happens in practice), an attacker can select which ClientHello to block (e.g. the one with the strongest cryptographic parameters). The following security property would then no longer hold:
> > > >
> > > > "Downgrade protection: The cryptographic parameters should be the same on both sides and should be the same as if the peers had been communicating in the absence of an attack"
> > > >
> > > > (I have not looked at what the definitions in [BBFGKZ16] say).
> > > >
> > > > Cheers,
> > > > John
> > > >
> > > > -----Original Message-----
> > > > From: TLS <tls-bounces@ietf.org> on behalf of "Hao, Feng" <Feng.Hao@warwick.ac.uk>
> > > > Date: Tuesday, 24 September 2019 at 16:09
> > > > To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Jonathan Hoyland <jonathan.hoyland@gmail.com>
> > > > Cc: "TLS@ietf.org" <tls@ietf.org>
> > > > Subject: Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
> > > >
> > > > > On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M" <tls-bounces@ietf.org on behalf of mohit.m.sethi=40ericsson.com@dmarc.ietf.org> wrote:
> > > > > > Hi all,
> > > > > >
> > > > > > On the topic of external PSKs in TLS 1.3, I found a publication on the Selfie attack:
> > > > > > https://protect2.fireeye.com/url?k=dd432f13-81c9e5ad-dd436f88-869a17b5b21b-dc6c6f0a5dd21faf&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2019%2F347
> > > > > >
> > > > > > Perhaps this was already discussed on the list. I thought that sharing it again wouldn't hurt while we discuss how servers distinguish between external and resumption PSKs.
> > > > >
> > > > > I just read the paper with interest. It occurs to me that the selfie attack is consistent with the "impersonation attack" that we reported on SPEKE in 2014; see Sec 4.1 [1] and the updated version with details on how SPEKE is revised in ISO/IEC 11770-4 [2]. The same attack can be traced back to 2010 in [3] where a "worm-hole attack" (Fig. 5, [3]) is reported on the self-communication mode of HMQV. The essence of these attacks is the same: Bob tricks Alice into thinking that she is talking to authenticated Bob, but she is actually talking to herself. In [3], we explained that the attack was missed from the "security proofs" as the proofs didn't consider multiple sessions.
> > > > >
> > > > > The countermeasure we proposed in [1-3] was to ensure the user identity is unique in key exchange processes: in case of multiple sessions that may cause confusion in the user identity, an extension should be added to the user identity to distinguish the instances. The underlying intuition is that one should know "unambiguously" whom they are communicating with, and perform authentication based on that. The discovery of this type of attacks and the proposed solution are inspired by the "explicitness principle" (Ross Anderson and Roger Needham, Crypto'95), which states the importance of being explicit on user identities and other attributes in a public key protocol; also see [3]. I hope it might be useful to people who work on TLS PSK.
> > > > >
> > > > > [1] https://protect2.fireeye.com/url?k=5a822513-0608efad-5a826588-869a17b5b21b-eb260151f78b0718&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2014%2F585.pdf
> > > > > [2] https://arxiv.org/abs/1802.04900
> > > > > [3] https://protect2.fireeye.com/url?k=d5bf88ff-89354241-d5bfc864-869a17b5b21b-0e9b3bf58e104f32&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2010%2F136.pdf
> > > > >
> > > > > _______________________________________________
> > > > > TLS mailing list
> > > > > TLS@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/tls