IETF Logo Mail Archive

Re: [TLS] Review of draft-ietf-tls-external-psk-guidance-00

Carrick Bartle <cbartle891@icloud.com> Thu, 20 August 2020 01:42 UTC

Return-Path: <cbartle891@icloud.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 125B63A1013 for <tls@ietfa.amsl.com>; Wed, 19 Aug 2020 18:42:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.848
X-Spam-Level:
X-Spam-Status: No, score=-1.848 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JH3SBPEEfz3K for <tls@ietfa.amsl.com>; Wed, 19 Aug 2020 18:42:25 -0700 (PDT)
Received: from mr85p00im-ztdg06021701.me.com (mr85p00im-ztdg06021701.me.com [17.58.23.196]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E63353A100A for <tls@ietf.org>; Wed, 19 Aug 2020 18:42:25 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1597887744; bh=p8NGrO2A/tAi/HLuFO30Vq2pBMZ5QHttjMxPZ4hsTMY=; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:To; b=dJ45quVxDIqBpfWNz43LtnUWzc/G2SEuWzxhKKpRsUtpJiAZ1PRac4groE8z1SJcC w5UZpytO4crr6WqL2ol9asgD8Dp57Jeji1s66GoXtEZ6gPYlbBh6za1uY+5bgs1i9o 8F7yTpv6uC+qACZ7nq4tzwN0KsZBCfQXvmqEC6SxnOO5D9hhKvrRMPkg8XE9Azzqe+ SQ3/TD52vga0fR4aBoN7Z0M/8Os9GsXLJO51iYlM/VLLiWeVMgLDnMumcbEYf78LD7 V7IISfPm94qXBtPpUkqbR6f+RoeOgOuop36En+d36rlMT6qbeIBq7VvTesGoT2JpWj ikQGl29/cUezQ==
Received: from [17.235.4.78] (unknown [17.235.4.78]) by mr85p00im-ztdg06021701.me.com (Postfix) with ESMTPSA id 098B8A003BF; Thu, 20 Aug 2020 01:42:23 +0000 (UTC)
From: Carrick Bartle <cbartle891@icloud.com>
Message-Id: <4659F6E4-D167-4CBC-B9CE-1DF110AAE5D7@icloud.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C7192DD3-ACE4-415F-BD7B-8A1D81C85C29"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Wed, 19 Aug 2020 18:42:21 -0700
In-Reply-To: <841bd643-d7bf-4211-a40c-9121967b67b6@www.fastmail.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
To: Christopher Wood <caw@heapingbits.net>
References: <3359D367-16E3-4C30-B434-A8043B1F253A@icloud.com> <841bd643-d7bf-4211-a40c-9121967b67b6@www.fastmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.235, 18.0.687 definitions=2020-08-19_13:2020-08-19, 2020-08-19 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2004280000 definitions=main-2008200011
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TGHVy2oTzkxLr0eLRAlLa9xWq-o>
Subject: Re: [TLS] Review of draft-ietf-tls-external-psk-guidance-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Aug 2020 01:42:29 -0000

Thanks for the feedback! I've posted a bunch of PRs and issues, as you've seen. Here are my remaining comments:

>>> Low entropy keys are only secure against active attack if a PAKE is 
>> used with TLS.
>> Maybe cite a document that contains a recommended way of using PAKEs 
>> with TLS (e.g. draft-sullivan-tls-opaque-00)?
> 
> I'd rather not cite one (now), especially since that document is expired. Perhaps we can file an issue to add a citation later on?

Looks like Mohit already added a more up-to-date citation.

> Filed: https://github.com/tlswg/external-psk-design-team/issues/36

Thanks, Mohit! :)

>>> Preventing this type of linkability is out of scope, as PSKs are explicitly designed to support mutual authentication.
>> Isn't mutual authentication, in general, orthogonal to linkability? 
>> Certificates, for example, are encrypted in TLS 1.3, and so cannot be 
>> linked across connections.
> 
> This section speaks of linkability by the endpoints, not the network. Any sort of identifier that's reused across connections can be linkable, be it an external PSK ID or a certificate. 


Right, I get that. What I'm saying is that since there are solutions that can prevent that type of linkability (for instance, if a third party deals the PSKs to the server and clients, and those PSKs are never used more than once), the fact that PSKs are designed to support mutual authentication is irrelevant. (I.e., mutual authentication for one connection doesn't necessarily imply that the server knows it's talking to the same client on every connection that client makes.)

>>> 6.1.  Provisioning Examples
>> This section contains a list of ways to provision PSKs, but mostly 
>> without any commentary or discussion. Are these methods good? Bad? Are 
>> there any pitfalls? If so, how can one guard against them?
> 
> It's meant to be informational without any comment on the pros and cons of each. 


But the title is "Guidance for External PSK Usage." What is guidance if not a collection of recommendations?

>>> Identities may sometimes need to be routable, as is currently under 
>> discussion for EAP-TLS-PSK.
>> What does it mean for an identity to be "routable"? Also, EAP-TLS-PSK 
>> needs a citation link. I'm not sure which document it's referring to.
> 
> It might be, for example, a FQDN. Mohit understands the EAP-TLS-PSK use case better than I do, though, so I'll let him answer. 

Looks like Mohit added a citation for that.

>>>   3.  Nodes SHOULD use external PSK importers [I-D.ietf-tls-external-psk-importer] when configuring PSKs for a pair of TLS client and server.
>> Why?
> 
> Because that interface exists to enable external PSKs for TLS 1.3 and beyond. 


My understanding is that that interface doesn't enable external PSKs for 1.3, but that it just to makes it easier and less error-prone because the interface generates several PSKs--one for each hash function. Is that the case? If so, why not mention that as the rationale as to why nodes SHOULD use the importer?

>>> OpenSSL and BoringSSL: Applications specify support for external PSKs 
>> via distinct ciphersuites.
>> This is not true of BoringSSL for TLS 1.3. Although the paragraph goes 
>> on to mention "new callback functions added specifically to OpenSSL for 
>> TLS 1.3 [RFC8446] PSK support," this doesn't preclude 1.3 PSK support 
>> in BoringSSL.
> 
> We didn't want to go into version-specific details here, but yes, that's right. 


Might be better to mention this particular version-specific detail here since otherwise this statement is misleading.

>>> some systems require the provisioning process to embed 
>> application-specific information in either PSKs or their identities.
>> Is it really a good idea to embed data in the PSK itself? Does that not 
>> diminish the entropy of the PSK? Why is it not sufficient to put that 
>> sort of information in the identity?
> 
> It is probably desirable to use the identity for this purpose since, well, its application-specific identifying information. This is just commenting on the state of affairs, I think.

Okay, but if this document is guidance and not just a description, shouldn't it also comment on whether this state of affairs is a good idea?

Carrick





> On Aug 18, 2020, at 8:26 AM, Christopher Wood <caw@heapingbits.net> wrote:
> 
> Hi Carrick,
> 
> Sorry for the delay. Please see inline below!
> 
> On Thu, Jul 9, 2020, at 10:09 PM, Carrick Bartle wrote:
>> Isn’t the rerouting attack described in Section 4 not possible if "A" 
>> uses the SNI extension and "C" aborts the connection on mismatch? If 
>> so, it might be worth mentioning that as a potential mitigation (as the 
>> Selfie paper does).
> 
> Indeed. That seems like a fine thing to mention.
> 
>>> "C" has completed the handshake, ostensibly with "A".
>> "C" did in fact complete the handshake with "A." (Without mistaking it 
>> for some other endpoint or something.)
> 
> +1, I'm fine with dropping that bit.
> 
>>> Low entropy keys are only secure against active attack if a PAKE is 
>> used with TLS.
>> Maybe cite a document that contains a recommended way of using PAKEs 
>> with TLS (e.g. draft-sullivan-tls-opaque-00)?
> 
> I'd rather not cite one (now), especially since that document is expired. Perhaps we can file an issue to add a citation later on?
> 
>>> Applications should take precautions when using external PSKs to mitigate these risks.
>> What sort of precautions should they take?
> 
> Filed: https://github.com/tlswg/external-psk-design-team/issues/36
> 
>>> Preventing this type of linkability is out of scope, as PSKs are 
>> explicitly designed to support mutual authentication.
>> Isn't mutual authentication, in general, orthogonal to linkability? 
>> Certificates, for example, are encrypted in TLS 1.3, and so cannot be 
>> linked across connections.
> 
> This section speaks of linkability by the endpoints, not the network. Any sort of identifier that's reused across connections can be linkable, be it an external PSK ID or a certificate. 
> 
>>> Below, we list some example use-cases where pair-wise external PSKs 
>> with TLS have been used for authentication.
>> I assume "pair-wise" here means a PSK is shared between only one server 
>> and one client, but this the term "pair-wise" hasn't been associated 
>> with that concept in this document, it's not completely clear. Since 
>> "pair-wise" is used twice in the document, maybe define it when the 
>> concept is first introduced.
> 
> Yep, I agree.
> 
>>> primarily for the purposes of supporting TLS connections with fast 
>> open (0-RTT data)
>> I've only ever heard "fast open" used in the context of TFO, which is 
>> distinct from (albeit similar to) 0-RTT. Using "fast open" to refer to 
>> 0-RTT sounds like it's conflating terms. Shouldn't "early data" be used 
>> here instead of "fast open"?
> 
> I think the two phrases are basically equivalent, but if using "early data" is more clear, let's go with that. 
> 
>>> In this use-case, resource-constrained IoT devices act as TLS clients 
>> and share the same PSK.  The devices use this PSK for quickly 
>> establishing connections with a central server.  Such a scheme ensures 
>> that the client IoT devices are legitimate members of the system.
>> If the IoT devices only talk to a central server and not each other, 
>> why do they all need the same PSK?
>> 
>>> To perform rare system specific operations that require a higher 
>> security level, the central server can request resource-intensive 
>> client authentication with the usage of a certificate after 
>> successfully establishing the connection with a PSK.
>> If you're going to authenticate with a cert, why bother preceding that 
>> with an authentication with a PSK?
> 
> Good question. I'll let Mohit answer this, but my impression was that, unlike the PSKs, each node has its own private key, which seemingly allows the server to authenticate a specific client.
> 
>>> 6.1.  Provisioning Examples
>> This section contains a list of ways to provision PSKs, but mostly 
>> without any commentary or discussion. Are these methods good? Bad? Are 
>> there any pitfalls? If so, how can one guard against them?
> 
> It's meant to be informational without any comment on the pros and cons of each. 
> 
>>> Moreover, PSK production lacks guidance unlike user passwords.
>> Isn't that precisely the point of this draft? Seems unnecessary to 
>> mention. (Or it might be better to move this point to the intro as a 
>> motivating factor of this document.)
> 
> Great suggestion!
> 
>>> PSK provisioning systems are often constrained in application-specific ways.  For example, although one goal of provisioning is to ensure that each pair of nodes has a unique key pair, some systems do not want to distribute pair-wise shared keys to achieve this.
>> Why not? What application-specific constraint would warrant that?
> 
> Pointing again to Mohit for the IoT case. :-)
> 
> (We might just replace "do not want to" with "might not want to", and leave it at that.)
> 
>>> some systems require the provisioning process to embed 
>> application-specific information in either PSKs or their identities.
>> Is it really a good idea to embed data in the PSK itself? Does that not 
>> diminish the entropy of the PSK? Why is it not sufficient to put that 
>> sort of information in the identity?
> 
> It is probably desirable to use the identity for this purpose since, well, its application-specific identifying information. This is just commenting on the state of affairs, I think. 
> 
>>> Identities may sometimes need to be routable, as is currently under 
>> discussion for EAP-TLS-PSK.
>> What does it mean for an identity to be "routable"? Also, EAP-TLS-PSK 
>> needs a citation link. I'm not sure which document it's referring to.
> 
> It might be, for example, a FQDN. Mohit understands the EAP-TLS-PSK use case better than I do, though, so I'll let him answer. 
> 
>>> Applications MUST use external PSKs that adhere to the following 
>> requirements:
>> I think you mean "If an application uses external PSKs, the PSKs MUST 
>> adhere to the following requirements." Otherwise it sounds like you're 
>> saying every application must use an external PSK.
> 
> Yep, that would be more clear.
> 
>>> Each PSK SHOULD be derived from at least 128 bits of entropy
>> Recommend a particular method for doing that?
> 
> I don't think that's necessary. Any suitable method will suffice.
> 
>>> Note that these mechanisms do not necessarily follow the same 
>> architecture as the ordinary process for incorporating EPSKs described 
>> in this draft.
>> Where was the ordinary process for incorporating EPSKs described? Is 
>> "incorporating" a PSK the same as "provisioning" one? If so, several 
>> ways were described. What's the problem with these mechanisms (e.g. 
>> PAKE) having a different architecture from these ordinary processes? 
>> Are they not compatible?
> 
> I'm not seeing this text in the editor's copy, so I'm not sure what the context is.
> 
>>>   3.  Nodes SHOULD use external PSK importers [I-D.ietf-tls-external-psk-importer] when configuring PSKs for a pair of TLS client and server.
>> Why?
> 
> Because that interface exists to enable external PSKs for TLS 1.3 and beyond. 
> 
>>> OpenSSL and BoringSSL: Applications specify support for external PSKs 
>> via distinct ciphersuites.
>> This is not true of BoringSSL for TLS 1.3. Although the paragraph goes 
>> on to mention "new callback functions added specifically to OpenSSL for 
>> TLS 1.3 [RFC8446] PSK support," this doesn't preclude 1.3 PSK support 
>> in BoringSSL.
> 
> We didn't want to go into version-specific details here, but yes, that's right. 
> 
>>> PSK identities MAY have a domain name suffix for roaming and federation.
>> What do roaming and federation mean here? Is there a source that discusses this?
> 
> Hmm, probably? Mohit, can you please drop in a reference?
> 
>>> Deployments should take care that the length of the PSK identity is sufficient to avoid obvious collisions.
>> What's the difference between a "collision" and an "obvious collision"?
> 
> Nothing. We can drop "obivous."
> 
>>> This means that if a PSK identity collision occurs, the application will be given precedence over how to handle the PSK.
>> How should the application handle the collision?
> 
> That's an application-specific decision, so we don't specify it. 
> 
>> I'm happy to make the suggested changes in a PR if they look ok.
> 
> Yes, please!
> 
> Best,
> Chris
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email