Re: [TLS] psk_key_exchange_mode question
Benjamin Kaduk <bkaduk@akamai.com> Wed, 02 May 2018 23:57 UTC
Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7247412E8A0 for <tls@ietfa.amsl.com>; Wed, 2 May 2018 16:57:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XmUR2Vzz-Nfu for <tls@ietfa.amsl.com>; Wed, 2 May 2018 16:57:09 -0700 (PDT)
Received: from mx0a-00190b01.pphosted.com (mx0a-00190b01.pphosted.com [IPv6:2620:100:9001:583::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C881F12E8C1 for <tls@ietf.org>; Wed, 2 May 2018 16:57:08 -0700 (PDT)
Received: from pps.filterd (m0122332.ppops.net [127.0.0.1]) by mx0a-00190b01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w42Nqbra005914; Thu, 3 May 2018 00:57:08 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : content-transfer-encoding : in-reply-to; s=jan2016.eng; bh=EQ590ZoS+d3zkTJpQn51i/3b5/yfJun5SML02wikOxU=; b=QcZ7b97H/xKv6w3yYURVmJLzp4PhUvtK10UpNGFkLXQQXyEUv/2L7AZyIDYjD2DW2Xiy Ab125WwJA9rJF+NO+Vwvo9biE5vpJrVqGW7JSOb0cE2aaCegDpwQIyp/DOHTlfnn2ohX DO9QTMXemaDfqtWagasEcdgEaHSNfST3iKMvNzNAWM+TR6IzomP/NpAahJ0cWBjdhHFV /uROkhBT8TjENKT6hGG3w+cvb4lDH2vddUaRJ9qrXQUsF8hoXZ+cWdW1pHTTpQY7CqGZ okd2ttwM4UpKBHhmSxUNEA/u4vBjbK2CvHhmtuixC3vVaDNxRuTgkzylnVaqS6O9GJtv yQ==
Received: from prod-mail-ppoint4 ([96.6.114.87]) by mx0a-00190b01.pphosted.com with ESMTP id 2hqgvugwn3-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Thu, 03 May 2018 00:57:08 +0100
Received: from pps.filterd (prod-mail-ppoint4.akamai.com [127.0.0.1]) by prod-mail-ppoint4.akamai.com (8.16.0.21/8.16.0.21) with SMTP id w42NpTgO003999; Wed, 2 May 2018 19:57:07 -0400
Received: from prod-mail-relay14.akamai.com ([172.27.17.39]) by prod-mail-ppoint4.akamai.com with ESMTP id 2hmm9wh6ux-1; Wed, 02 May 2018 19:57:06 -0400
Received: from bos-lpczi.kendall.corp.akamai.com (bos-lpczi.kendall.corp.akamai.com [172.19.17.86]) by prod-mail-relay14.akamai.com (Postfix) with ESMTP id C954C82EF3; Wed, 2 May 2018 23:57:06 +0000 (GMT)
Received: from bkaduk by bos-lpczi.kendall.corp.akamai.com with local (Exim 4.86_2) (envelope-from <bkaduk@akamai.com>) id 1fE1cQ-00038i-3T; Wed, 02 May 2018 18:57:06 -0500
Date: Wed, 02 May 2018 18:57:05 -0500
From: Benjamin Kaduk <bkaduk@akamai.com>
To: Daiki Ueno <dueno@redhat.com>
Cc: tls@ietf.org
Message-ID: <20180502235705.GJ5742@akamai.com>
References: <od14lk2b0yp.fsf-dueno@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <od14lk2b0yp.fsf-dueno@redhat.com>
User-Agent: Mutt/1.5.24 (2015-08-30)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-05-02_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805020200
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-05-02_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1805020200
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/UN2LawZrAxG-WOVfViUILDKMPjk>
Subject: Re: [TLS] psk_key_exchange_mode question
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 May 2018 23:57:15 -0000
On Mon, Apr 23, 2018 at 01:45:34PM +0200, Daiki Ueno wrote: > Hello, > > I have a question about handling the psk_key_exchange_mode extension. > > 4.2.9. Pre-Shared Key Exchange Modes says: > > This extension also restricts the modes for use with PSK resumption; > servers SHOULD NOT send NewSessionTicket with tickets that are not > compatible with the advertised modes > > Is this compatibility defined externally to the protocol, or does it > depend on the initial handshake? > > To take an example, suppose the server uses the ticket construction > mechanism described in RFC 5077. > > If the former is the case, the server requires PSK with (EC)DHE when the > ticket encryption key is required to be forward secret. From the > implementation point of view, that would be provided as an option in the > server configuration. > > On the other hand, if the latter is the case, the server requires PSK > with (EC)DHE when the initial handshake chose (EC)DHE key exchange, > because the ticket is tied to resumption_master_secret derived from the > (EC)DHE secret. > > Since the above paragraph is followed by: > > however, if a server does so, the impact will just be that the > client’s attempts at resumption fail. > > I thought the latter is more plausible; however, in that case psk_ke > would only be meaningful when the initial handshake is PSK-only. It looks like this came in with https://github.com/tlswg/tls13-spec/pull/672 which doesn't provide much commentary on the motivation for it. I believe the latter is the case, in that the issued ticket contains information about the psk_key_exchange_modes sent in the initial handshake, but I disagree with your interpretation that it is only meaningful when the initial handshake is PSK-only. (To be fair, the existing text is not very clear about what it should mean, so confusion is understandable.) In particular, I think "also restricts the modes for use with PSK resumption" means that the psk_key_exchange_modes value(s) sent in the ClientHello is supposed to be retained by both parties and associated with the session ticket, and the saved value(s) then restrict what mode can be used for resumption, along with what values are sent in the resumption handshake itself. This would be useful if, for example, a client sends psk_key_exchange_modes of just psk_dhe_ke in an initial (non-resumption) handshake, so the server can store state in the session ticket that indicates the session ticket must not be used for a psk_ke resumption flow. The text about "SHOULD NOT send NewSessionTicket with tickets that are not compatible with the advertised modes" is then pretty devoid of content, since any given PSK (considered as a string of bits) could be used for either psk_ke or psk_dhe_ke -- the math doesn't care. It perhaps means that if the server gets this psk_dhe_ke initial handshake and then stores a session ticket which only references psk_ke, the resumption would fail, but the server has no reason to do that, so we probably didn't even need to say it. -Ben
- [TLS] psk_key_exchange_mode question Daiki Ueno
- Re: [TLS] psk_key_exchange_mode question Benjamin Kaduk
- Re: [TLS] psk_key_exchange_mode question Eric Rescorla