IETF Logo Mail Archive

Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard

Eric Rescorla <ekr@rtfm.com> Wed, 21 February 2018 14:32 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C1C18127599 for <tls@ietfa.amsl.com>; Wed, 21 Feb 2018 06:32:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2T3hLkmMB3RZ for <tls@ietfa.amsl.com>; Wed, 21 Feb 2018 06:32:17 -0800 (PST)
Received: from mail-qk0-x243.google.com (mail-qk0-x243.google.com [IPv6:2607:f8b0:400d:c09::243]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F0EC81275AB for <tls@ietf.org>; Wed, 21 Feb 2018 06:32:14 -0800 (PST)
Received: by mail-qk0-x243.google.com with SMTP id d206so2159262qkb.3 for <tls@ietf.org>; Wed, 21 Feb 2018 06:32:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=IBH3XBpOAMJUcwvsjzj834VgYZdXPyh1GGmPMhY5+XA=; b=RDXfE3CgQTnSHs4GHlq+A6MdMMh0ucPocqCa66D8W2tsFOQyzRmDpma+mw0oTK8bg2 lDydo1K3JwAah/cDRlgHBD6N4Blx+w2AGQN5SXczPL60bI0Kh/MDNDxQiDQRHEwXQhDN rFTbE1fpVHaRodifWXGpqD/YmS57jfkc0VpzdsZST+u04Do93TlkS7M5OsaTT0taxQXi RXWPZiL3KucIAuLhAy3DVByrnQQfMdiM+ybE+/xngVWIFzL3otAboymTim0OE8wq5UJI bfJE13JeX9R4W4IDRKdq8MS8+OOJlU/vOURXn5LL1JIyespaykbzMQ9YqVQQ682+hC3+ 59WQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=IBH3XBpOAMJUcwvsjzj834VgYZdXPyh1GGmPMhY5+XA=; b=MsFN4odBOaVBKIJd7rHc1TRFH/Zy3FJ63AXt6pVFFHHcwfJaygctgzlrAVP2MVJyjS qHLNj/EFYGjeqf+aDkdg7jTMEETUQulUd+Vz5/FcCY5RjcM5OYx1poumVNX0ryQun7zi PPrdAIgGkUyjP9zcIyi4t8Eq66lFlftjG6d4JGVzrl7DN6U5NhHKSA166upb9RoSqsVt 85vEzWkYoEILBF6pXNJw3t4VbMukv46cxq9cIYKqwElaL2bUE5YDfOaaHPP7805cJxiu CRJ/A7y/GTf381LSJxHsMiqXo7zARwDmInwvtveB41Bx5S021QPT2XcdOwlozktXF5sF ATxA==
X-Gm-Message-State: APf1xPCXh2cydatYHZziiwj16CRvZgjs4E6uEcFDPyODgUnqWTVyuHIL dvZeUDe1nY32io8dOeyXtJ9G1E1FxSVpoJUI9rgvfA==
X-Google-Smtp-Source: AG47ELu8fMB0hUidykbcWwS0pspLFf7+1wVHSnyhBx6ACnawM/SrNKaByLcXRfq9pEsduCgOKL96Ef1J5c6nxD2+5m4=
X-Received: by 10.55.137.132 with SMTP id l126mr5571388qkd.15.1519223533983; Wed, 21 Feb 2018 06:32:13 -0800 (PST)
MIME-Version: 1.0
Received: by 10.200.37.176 with HTTP; Wed, 21 Feb 2018 06:31:33 -0800 (PST)
In-Reply-To: <21708133.DmTAOkxbDk@pintsize.usersys.redhat.com>
References: <151880080195.1349.14035524657942875385.idtracker@ietfa.amsl.com> <1545738.SpB3f87gQo@pintsize.usersys.redhat.com> <CABcZeBOXzXf32JZkOw51JkXz6e_RG5Y+n+XG-9Y=Fb=a-as-CQ@mail.gmail.com> <21708133.DmTAOkxbDk@pintsize.usersys.redhat.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Wed, 21 Feb 2018 06:31:33 -0800
Message-ID: <CABcZeBOpPW_0=2qfCL4Uc8y8=o8Toj8cVec0=hLUCucUJNwO-w@mail.gmail.com>
To: Hubert Kario <hkario@redhat.com>
Cc: draft-ietf-tls-tls13@ietf.org, "<tls@ietf.org>" <tls@ietf.org>, IETF discussion list <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c072d761414530565b9cb80"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/U82KLFmQhCoOMnY6s_zTB_ojjek>
Subject: Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 14:32:19 -0000

i think your general point is sound here, but I'll nitpick the statement
that
"if the server recognises an identity but is unable to verify corresponding
binder".

1. The server only picks one identity so you if you send A, B, and C and you
get an abort, you don't know if it recognized one or all.
2. The server can *recognize* the identity but ignore it (say it's a ticket
that's
too old)

With that said, I think it would probably be safe to say you must ignore an
identity
where the binder doesn't validate, but I'd like to hear from cryptographers
on this
one.

Thanks,
-Ekr


On Wed, Feb 21, 2018 at 6:26 AM, Hubert Kario <hkario@redhat.com> wrote:

> On Wednesday, 21 February 2018 15:21:58 CET Eric Rescorla wrote:
> > On Wed, Feb 21, 2018 at 6:13 AM, Hubert Kario <hkario@redhat.com> wrote:
> > > On Friday, 16 February 2018 18:06:41 CET The IESG wrote:
> > > > The IESG has received a request from the Transport Layer Security WG
> > >
> > > (tls)
> > >
> > > > to consider the following document: - 'The Transport Layer Security
> > > > (TLS)
> > > > Protocol Version 1.3'
> > > >
> > > >   <draft-ietf-tls-tls13-24.txt> as Proposed Standard
> > >
> > > The current draft states that if the server recognises an identity but
> is
> > > unable to verify corresponding binder, it "MUST abort the handshake"
> >
> > Which text are you referring to here?
>
> Section 4.2.11:
>
>    Prior to accepting PSK key establishment, the server MUST validate
>    the corresponding binder value (see Section 4.2.11.2 below).  If this
>    value is not present or does not validate, the server MUST abort the
>    handshake.  Servers SHOULD NOT attempt to validate multiple binders;
>    rather they SHOULD select a single PSK and validate solely the binder
>    that corresponds to that PSK.
>
> > -Ekr
> >
> > at the same time, they "SHOULD select as single PSK and validate solely
> the
> >
> > > binder that corresponds to that PSK"
> > > (Page 60, draft-ietf-tls-tls13-24).
> > >
> > > That allows for trivial enumeration of externally established
> identities -
> > > the
> > > attacker just needs to send to the server a list of identity guesses,
> with
> > > random data as binders, if the server recognises any identity it will
> > > abort
> > > connection, if it doesn't, it will continue to a non-PSK handshake.
> > >
> > > Behaviour like this is generally considered a vulnerability:
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
> > >
> > > I was wondering if the document shouldn't recommend ignoring any and
> all
> > > identities for which binders do not verify to prevent this kind of
> attack.
> > > --
> > > Regards,
> > > Hubert Kario
> > > Senior Quality Engineer, QE BaseOS Security team
> > > Web: www.cz.redhat.com
> > > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
> > > _______________________________________________
> > > TLS mailing list
> > > TLS@ietf.org
> > > https://www.ietf.org/mailman/listinfo/tls
>
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
>

v2.23.0 | Report a Bug | By Email