[TLS] TLS 1.3 servers and psk_key_exchange_modes == [psk_ke]?
Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 28 February 2023 02:31 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B136EC151AE0 for <tls@ietfa.amsl.com>; Mon, 27 Feb 2023 18:31:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.897
X-Spam-Level:
X-Spam-Status: No, score=-6.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J8QCZ8p6LSFY for <tls@ietfa.amsl.com>; Mon, 27 Feb 2023 18:31:33 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D9E6AC14CEE3 for <tls@ietf.org>; Mon, 27 Feb 2023 18:31:33 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id EAFDE120198; Mon, 27 Feb 2023 21:31:31 -0500 (EST)
Date: Mon, 27 Feb 2023 21:31:31 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <Y/1ngz1ITlYds2WP@straasha.imrryr.org>
Reply-To: tls@ietf.org
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/TWMsTin3pz2DhROUTyPTfqSZzqE>
Subject: [TLS] TLS 1.3 servers and psk_key_exchange_modes == [psk_ke]?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2023 02:31:37 -0000
I took a look at whether it is practically possible for a client to
"opt-in" to (ostensibly cheaper) non-DHE TLS 1.3 resumption by sending a
"psk_key_exchange_modes" extension consisting of just "psk_ke".
Turns out that at least when the server is OpenSSL, the client is likely
to be sad.
Details below, but my question based on the details is whether, when the
client offers just [psk_ke], servers should generally be willing to go
along and support non-DHE resumption? For otherwise, clients that
don't also offer "psk_dhe_ke" are punished for their non-conformity.
It seems to me that in many cases, and perhaps by default, servers
should be liberal in this regard, and accept the client's security
posture. In server-to-server communications (say DNS resolver via ADoT
to DNS authoritative) where "hogging" idle connections is "rude", but
CPU cost and latency are also a concern on both ends, one might want
to use "psk_ke" with PSK lifetimes of up to an hour, but this turns
out to be impractical, either by design, or lack of clarity on default
expected server behaviour.
Comments welcome. [ The issue is likely to also carry over into QUIC,
but there perhaps keeping somewhat idle "connections" "open" is less of
a concern, and resumption may be less frequent??? ]
Details:
- Unless the server is *explicitly* configured with a non-default
option to support psk_ke resumption, an OpenSSL server will
(incorrectly I believe) still issue NewSessionTickets (2 by
default):
https://mailarchive.ietf.org/arch/msg/tls/ACqre4e9-CWiwJrvdOCIDw0rdl4/
What this text is supposed to mean is that the server
shouldn't send tickets if it doesn't like the client's
psk_ke modes. So, say that the client only supports
psk_dhe_ke and the server only supports psk_ke, then the
server shouldn't advertise tickets, because future
resumption will be useless.
- And of course, they will then be useless for resumption, which
results in a full handshake, which again (by default) sends two
useless tickets... So sending only [psk_ke] to reduce the cost
of resumption, actually has the opposite effect of completely
defeating resumption.
- If the client sends both "psk_ke" and "psk_dhe_ke", OpenSSL
servers will always choose to do DHE.
So, unless an, e.g. OpenSSL, server is specifically known (oracular
local configuration?) to support "psk_ke", the client must avoid that
choice, making just [psk_ke] essentially impractical. The client simply
has to accept the CPU cost of asymmetric key agreement on every
resumption, and hope to amortise the cost by keeping connections open
long enough to perform multiple operations, and not do resumption too
often.
--
Viktor.
- [TLS] TLS 1.3 servers and psk_key_exchange_modes … Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Peter Gutmann
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Nick Harper
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Nick Harper
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Nick Harper
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Peter Gutmann
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Peter Gutmann