Re: [TLS] TLS 1.3, Raw Public Keys, and Misbinding Attacks
Bas Westerbaan <bas@cloudflare.com> Thu, 28 March 2024 16:28 UTC
Return-Path: <bas@cloudflare.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDEFDC1D4A63 for <tls@ietfa.amsl.com>; Thu, 28 Mar 2024 09:28:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cloudflare.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JcHL8HBrvxWQ for <tls@ietfa.amsl.com>; Thu, 28 Mar 2024 09:28:18 -0700 (PDT)
Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CA264C14F5F3 for <tls@ietf.org>; Thu, 28 Mar 2024 09:28:18 -0700 (PDT)
Received: by mail-yb1-xb2f.google.com with SMTP id 3f1490d57ef6-dcc80d6004bso1141579276.0 for <tls@ietf.org>; Thu, 28 Mar 2024 09:28:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cloudflare.com; s=google09082023; t=1711643297; x=1712248097; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=KPTimuYNbi6Cj/EkKIL1bRdPyfN3qsRZntuTHUuxgus=; b=HSuTp6tVtCtD0J7tWkoz2Z0YmJ5TsrmrbPsTB9/J01Z1NCwHO4HkRfBCk8ieM/OA9t qhZTDPY2DtCFWwUEJyQ5WWy9MMaVp4L6RVJ4F3+8Lnvsq/MGHfFT1cUkgT4qD0oh+8NJ KXjIsxeM/LCE9u8zYbkUWXjWDQNAGqmOJouY9n0I8P9CbcxFbAS4888NMadHMtLb1bzL anhsTk8MuT1yqVEg3y25UqXzNG4T+ygoJScV6UoOHzwFFXjZEqvJDImylC9DlxHgILmF YHc79+FWSVWOqUNyuP5uhaU3/uqwOgU3sh5NiEdg2ybAkCPbBrMr8NnnpKCfQEBsYyzE 8oMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711643297; x=1712248097; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KPTimuYNbi6Cj/EkKIL1bRdPyfN3qsRZntuTHUuxgus=; b=S0/GZwUaXb7b0KWxjoiZZWsGSJFuYQBawa682Z6WPoXZbvISmUq7icptxchjmS+TpT qvdt/yvBhqeP8nkhcgdaJ8Z57CnA6vDI2XUtgEcTtP6/l8xwyPhzUDgOqEcweFZ0mZFq +DE4Q5chmome/k0wmSbbo0+wPlcyiRsTkOTFSgK4f0lUWN1YvbhokVdZPZp7wSlJKkjk jFNsSDS2EM97YUyuH8u6Kt4QGeIXH7tTFOD/F75qqCzyiEbDjM+5pl1FIPYckGboEduK V8QtIYZdxsQjsv0dDwpBHAewM6Nfgn3cuFxd+kBX6/73fg7ErCtfb9V5ZJmRvDUtc8jH 1a/g==
X-Gm-Message-State: AOJu0YyvO3UPKeujvAArrptnH2U6hVU2uGt6449dOdK5yzeyJcFVWpQh urofUw2jB8GuQqIpqR00Y0/emtcgRkjN5nC5cK4+pAVdgm0QO3xNa3/hbdgLRxrNAYAjllFcObI bD/EoGtkc5fo0kQvTZJHI0RD0+WYUDKpoix3GDlFEvElReCqUPl7rqA==
X-Google-Smtp-Source: AGHT+IEye4d/L7I7HxZNOElY5kyzOSz6O9tXTcyh9xagwmqUMOXr/bvjztYDnNwOKjMlfW1C9wAo77IipgbZZvanEdQ=
X-Received: by 2002:a25:ac4e:0:b0:dcf:6122:ccec with SMTP id r14-20020a25ac4e000000b00dcf6122ccecmr3584665ybd.36.1711643297624; Thu, 28 Mar 2024 09:28:17 -0700 (PDT)
MIME-Version: 1.0
References: <GVXPR07MB9678DFD1EED3971606FB3DE6893B2@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB9678DFD1EED3971606FB3DE6893B2@GVXPR07MB9678.eurprd07.prod.outlook.com>
From: Bas Westerbaan <bas@cloudflare.com>
Date: Thu, 28 Mar 2024 17:28:05 +0100
Message-ID: <CAMjbhoUF7Co2j+oydzoMveMeqqpSnf0arp3Ay-EJX69hFEDY=w@mail.gmail.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bce6070614bb024a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/SmKp39jx_OSrkrE6n18fwDMzLtM>
Subject: Re: [TLS] TLS 1.3, Raw Public Keys, and Misbinding Attacks
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Mar 2024 16:28:23 -0000
On Thu, Mar 28, 2024 at 4:22 PM John Mattsson <john.mattsson= 40ericsson.com@dmarc.ietf.org> wrote: > Hi, > > > > I looked into what RFC 8446(bis) says about Raw Public Keys. As correctly > stated in RFC 8446, TLS 1.3 with signatures and certificates is an > implementation of SIGMA-I: > > > > SIGMA does however require that the identities of the endpoints (called A > and B in [SIGMA]) are included in the messages. This is not true for TLS > 1.3 with RPKs and TLS 1.3 with RPKs is therefore not SIGMA. TLS 1.3 with > RPKs is vulnerable to what Krawczyk’s SIGMA paper calls misbinding attacks: > > > > “This attack, to which we refer as an “identity misbinding attack”, > applies to many seemingly natural and intuitive protocols. Avoiding this > form of attack and guaranteeing a consistent binding between a session key > and the peers to the session is a central element in the design of SIGMA.” > > > > “Even more significantly we show here that the misbinding attack applies > to this protocol in any scenario where parties can register public keys > without proving knowledge of the corresponding signature key.” > With a bit more context (emphasis my own): Yet, no proof of security of the *STS protocol* exists (see more on this below). Even more significantly we show here that the misbinding attack applies to this protocol in any scenario where parties can register public keys without proving knowledge of the corresponding signature key. (We note that while such “proof of possession” is required by some CAs for issuing a certificate, this is not a universal requirement for public key certificates; in particular it is not satisfied in many “out-of-band distribution” scenarios, webs of trust, etc.) In this case Eve can register A’s public key as its own and then simply replace A’s identity (or certificate) in the third message of STS with her own. B verifies the incoming message and accepts it as coming from Eve. Thus, in this case the STS protocol fails to defend against the misbinding attack. Thus, for the STS to be secure one must assume that a secure external mechanism for proof of possession of signature keys is enforced. *As we will see both the ISO* *protocol discussed in Section 4 and the SIGMA protocols presented here do not* *require such a mechanism.* > > > As stated in Appendix E.1, at the completion of the handshake, each side > outputs its view of the identities of the communicating parties. On of the > TLS 1.3 security properties are “Peer Authentication”, which says that the > client’s and server’s view of the identities match. TLS 1.3 with PRKs does > not fulfill this unless the out-of-band mechanism to register public keys > proved knowledge of the private key. RFC 7250 does not say anything about > this either. > > > > I think this needs to be clarified in RFC8446bis. The only reason to ever > use an RPK is in constrained IoT environments. Otherwise a self-signed > certificate is a much better choice. TLS 1.3 with self-signed certificates > is SIGMA-I. > > > > It is worrying to find comments like this: > > > > “I'd like to be able to use wireguard/ssh-style authentication for my app. > This is possible currently with self-signed certificates, but the proper > solution is RFC 7250, which is also part of TLS 1.3.” > > https://github.com/openssl/openssl/issues/6929 > > > > RPKs are not the proper solution. > > > > (Talking about misbinding, does RFC 8446 say anything about how to avoid > selfie attacks where an entity using PSK authentication ends up talking to > itself?) > > > > Cheers, > > John Preuß Mattsson > > > > [SIGMA] https://link.springer.com/chapter/10.1007/978-3-540-45146-4_24 > > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- Re: [TLS] TLS 1.3, Raw Public Keys, and Misbindin… Dennis Jackson
- Re: [TLS] TLS 1.3, Raw Public Keys, and Misbindin… Bas Westerbaan
- [TLS] TLS 1.3, Raw Public Keys, and Misbinding At… John Mattsson
- Re: [TLS] TLS 1.3, Raw Public Keys, and Misbindin… Viktor Dukhovni
- Re: [TLS] TLS 1.3, Raw Public Keys, and Misbindin… Martin Thomson
- Re: [TLS] TLS 1.3, Raw Public Keys, and Misbindin… Tschofenig, Hannes