[TLS] Imported Keys/PR #22

Eric Rescorla <ekr@rtfm.com> Thu, 21 November 2019 02:49 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/T0YQJNE6SLPAjbRudsIgq4_d7a8>

To recap what I was saying at the microphone earlier today about
selfie/reroute issues, there are actually three separate issues.

- A reflection attack where an outside attacker makes the client also
  act as a server.

- A reroute attack where an outside attacker makes the client talk to
  another server with the same PSK as the intended server.

- An attack where an inside attacker impersonates another attacker
  who also has the PSK.

The reflection attack is a special case of the reroute attack.  The
general solution to the reroute attack is to carry the identities of
the communicating endpoints in the handshake [0]; AFAIK it's not
necessary to have separate keys, though the current text actually
generates distinct keys for each pair as well.  It's not a problem to
have distinct keys, but it's important to know what piece does what.

However, that doesn't generally solve the third class of attack if the
inside attacker is configured with the input key rather than the
fanned out pairwise keys.

-Ekr

[0] As John Mattsson has pointed out, you can fix just the reflection
attack by comparing the random values you have outstanding in each
direction.
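As an added illustration (not code from this email or from the PSK importer draft), here is a toy model of the three issues above: a hypothetical pairwise fan-out of one imported PSK, the endpoint-identity check in the handshake, and the outstanding-random comparison from [0]. The endpoint names, the derivation labels and the binder construction are assumptions; the shared key is constructed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed shared key: one imported PSK provisioned to every endpoint in the group.
INPUT_PSK = secrets.token_bytes(32)

def pairwise_key(psk: bytes, client_id: bytes, server_id: bytes) -> bytes:
    """Hypothetical fan-out: bind the imported key to the ordered (client, server) pair."""
    return hmac.new(psk, b"pairwise\x00" + client_id + b"\x00" + server_id, hashlib.sha256).digest()

def binder(key: bytes, hello: dict) -> bytes:
    """Stand-in for the TLS 1.3 PSK binder: a MAC over the hello fields under the pairwise key."""
    msg = hello["random"] + hello["client_id"] + hello["server_id"]
    return hmac.new(key, msg, hashlib.sha256).digest()

class Endpoint:
    def __init__(self, name: bytes, psk: bytes):
        self.name, self.psk = name, psk
        self.outstanding = set()  # randoms of ClientHellos we sent and have not yet completed

    def start(self, server_id: bytes) -> dict:
        hello = {"random": os.urandom(32), "client_id": self.name, "server_id": server_id}
        self.outstanding.add(hello["random"])
        hello["binder"] = binder(pairwise_key(self.psk, self.name, server_id), hello)
        return hello

    def accept(self, hello: dict) -> str:
        # [0]: a ClientHello carrying one of our own outstanding randoms was reflected back to us.
        if hello["random"] in self.outstanding:
            return "abort: reflection"
        # Identities in the handshake: a hello addressed to a different server is a reroute.
        if hello["server_id"] != self.name:
            return "abort: rerouted"
        key = pairwise_key(self.psk, hello["client_id"], self.name)
        if not hmac.compare_digest(hello["binder"], binder(key, hello)):
            return "abort: bad binder"
        return "ok"

def demo() -> dict:
    a, b, c = (Endpoint(n, INPUT_PSK) for n in (b"A", b"B", b"C"))
    hello = a.start(b"B")
    results = {"intended": b.accept(hello), "reflected": a.accept(hello), "rerouted": c.accept(hello)}
    # Third issue: C was configured with the input key, so it can derive the (A, B) pairwise key
    # and B cannot tell C from A. Only provisioning fanned-out pairwise keys removes this.
    forged = {"random": os.urandom(32), "client_id": b"A", "server_id": b"B"}
    forged["binder"] = binder(pairwise_key(INPUT_PSK, b"A", b"B"), forged)
    results["insider"] = b.accept(forged)
    return results
```

The reflection and reroute checks succeed because they are independent of the key material, which is the point made above: identities stop reroutes, while the insider case depends on what each party is provisioned with.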