IETF Logo Mail Archive

Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard

Tony Putman <Tony.Putman@dyson.com> Thu, 22 February 2018 09:19 UTC

Return-Path: <prvs=5847d1dba=Tony.Putman@dyson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2BBA12E86E; Thu, 22 Feb 2018 01:19:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4aBm852fGezk; Thu, 22 Feb 2018 01:19:01 -0800 (PST)
Received: from esa2.dyson.c3s2.iphmx.com (esa2.dyson.c3s2.iphmx.com [68.232.133.94]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70680124319; Thu, 22 Feb 2018 01:19:00 -0800 (PST)
X-IronPort-SPF: SKIP
X-IronPort-AV: E=McAfee;i="5900,7806,8811"; a="30403344"
X-IronPort-AV: E=Sophos;i="5.47,377,1515456000"; d="scan'208";a="30403344"
Received: from unknown (HELO uk-dlp-smtp-01.dyson.global.corp) ([62.189.202.16]) by esa2.dyson.c3s2.iphmx.com with ESMTP; 22 Feb 2018 09:28:27 +0000
Received: from uk-dlp-smtp-01.dyson.global.corp (uk-dlp-smtp-01.dyson.global.corp [127.0.0.1]) by uk-dlp-smtp-01.dyson.global.corp (Service) with ESMTP id BCD0AFA10; Thu, 22 Feb 2018 07:47:00 +0000 (GMT)
Received: from UK-MAL-CAS-01.dyson.global.corp (unknown [10.1.108.2]) by uk-dlp-smtp-01.dyson.global.corp (Service) with ESMTP id A36EAFA02; Thu, 22 Feb 2018 07:47:00 +0000 (GMT)
Received: from UK-MAL-CAS-03.dyson.global.corp (10.1.108.111) by UK-MAL-CAS-01.dyson.global.corp (10.1.108.2) with Microsoft SMTP Server (TLS) id 14.3.319.2; Thu, 22 Feb 2018 09:18:45 +0000
Received: from UK-MAL-MBOX-01.dyson.global.corp ([fe80::3975:cbc9:490b:523a]) by UK-MAL-CAS-03.dyson.global.corp ([10.1.108.111]) with mapi id 14.03.0319.002; Thu, 22 Feb 2018 09:18:45 +0000
From: Tony Putman <Tony.Putman@dyson.com>
To: Martin Thomson <martin.thomson@gmail.com>
CC: "draft-ietf-tls-tls13@ietf.org" <draft-ietf-tls-tls13@ietf.org>, "<tls@ietf.org>" <tls@ietf.org>, IETF discussion list <ietf@ietf.org>
Thread-Topic: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
Thread-Index: AQHTqx5FKb1d2DSy/UuxaAWe7a4q2aOu6G0AgAABUgCAAAFbgIAAlF+AgACk6TA=
Date: Thu, 22 Feb 2018 09:18:44 +0000
Message-ID: <140080C241BAA1419B58F093108F9EDC10B7F9B4@UK-MAL-MBOX-01.dyson.global.corp>
References: <151880080195.1349.14035524657942875385.idtracker@ietfa.amsl.com> <1545738.SpB3f87gQo@pintsize.usersys.redhat.com> <CABcZeBOXzXf32JZkOw51JkXz6e_RG5Y+n+XG-9Y=Fb=a-as-CQ@mail.gmail.com> <21708133.DmTAOkxbDk@pintsize.usersys.redhat.com> <CABcZeBOpPW_0=2qfCL4Uc8y8=o8Toj8cVec0=hLUCucUJNwO-w@mail.gmail.com> <CABkgnnWvXi_wchOBQhj+KFKcvd17YQJO_NV2xLn6SZScVQynsg@mail.gmail.com>
In-Reply-To: <CABkgnnWvXi_wchOBQhj+KFKcvd17YQJO_NV2xLn6SZScVQynsg@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.1.108.27]
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/VrIC2YtiAaoX7v2KEAo8rEqRKGY>
Subject: Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2018 09:19:02 -0000

For externally established PSKs (especially for IoT devices) the identity can be as simple as a serial number, easily enumerated. I think it would be a mistake to place requirements on the structure of the identity to resolve this (if it needs resolving); IMHO treating the situation in the same way as one which does not include a valid PSK is better. But I agree with Eric that we should hear from cryptographers on this.
-- Tony

-----Original Message-----
From: TLS [mailto:tls-bounces@ietf.org] On Behalf Of Martin Thomson
Sent: 21 February 2018 23:23
To: Eric Rescorla
Cc: draft-ietf-tls-tls13@ietf.org; <tls@ietf.org>; IETF discussion list
Subject: Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard

I think that the current behavior is fine, but we might add text to
suggest that identities be self-authenticating to avoid this sort of
enumeration.  Note that in common practice, this sort of enumeration
would be over an infeasibly large space, it's only where identities
are more easily enumerable that it becomes an issue (e.g., "ted" as an
identity, rather than a self-encrypted session ticket)

On Thu, Feb 22, 2018 at 1:31 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> i think your general point is sound here, but I'll nitpick the statement
> that
> "if the server recognises an identity but is unable to verify corresponding
> binder".
>
> 1. The server only picks one identity so you if you send A, B, and C and you
> get an abort, you don't know if it recognized one or all.
> 2. The server can *recognize* the identity but ignore it (say it's a ticket
> that's
> too old)
>
> With that said, I think it would probably be safe to say you must ignore an
> identity
> where the binder doesn't validate, but I'd like to hear from cryptographers
> on this
> one.
>
> Thanks,
> -Ekr
>
>
> On Wed, Feb 21, 2018 at 6:26 AM, Hubert Kario <hkario@redhat.com> wrote:
>>
>> On Wednesday, 21 February 2018 15:21:58 CET Eric Rescorla wrote:
>> > On Wed, Feb 21, 2018 at 6:13 AM, Hubert Kario <hkario@redhat.com> wrote:
>> > > On Friday, 16 February 2018 18:06:41 CET The IESG wrote:
>> > > > The IESG has received a request from the Transport Layer Security WG
>> > >
>> > > (tls)
>> > >
>> > > > to consider the following document: - 'The Transport Layer Security
>> > > > (TLS)
>> > > > Protocol Version 1.3'
>> > > >
>> > > >   <draft-ietf-tls-tls13-24.txt> as Proposed Standard
>> > >
>> > > The current draft states that if the server recognises an identity but
>> > > is
>> > > unable to verify corresponding binder, it "MUST abort the handshake"
>> >
>> > Which text are you referring to here?
>>
>> Section 4.2.11:
>>
>>    Prior to accepting PSK key establishment, the server MUST validate
>>    the corresponding binder value (see Section 4.2.11.2 below).  If this
>>    value is not present or does not validate, the server MUST abort the
>>    handshake.  Servers SHOULD NOT attempt to validate multiple binders;
>>    rather they SHOULD select a single PSK and validate solely the binder
>>    that corresponds to that PSK.
>>
>> > -Ekr
>> >
>> > at the same time, they "SHOULD select as single PSK and validate solely
>> > the
>> >
>> > > binder that corresponds to that PSK"
>> > > (Page 60, draft-ietf-tls-tls13-24).
>> > >
>> > > That allows for trivial enumeration of externally established
>> > > identities -
>> > > the
>> > > attacker just needs to send to the server a list of identity guesses,
>> > > with
>> > > random data as binders, if the server recognises any identity it will
>> > > abort
>> > > connection, if it doesn't, it will continue to a non-PSK handshake.
>> > >
>> > > Behaviour like this is generally considered a vulnerability:
>> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
>> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
>> > >
>> > > I was wondering if the document shouldn't recommend ignoring any and
>> > > all
>> > > identities for which binders do not verify to prevent this kind of
>> > > attack.
>> > > --
>> > > Regards,
>> > > Hubert Kario
>> > > Senior Quality Engineer, QE BaseOS Security team
>> > > Web: www.cz.redhat.com
>> > > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
>> > > _______________________________________________
>> > > TLS mailing list
>> > > TLS@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/tls
>>
>>
>> --
>> Regards,
>> Hubert Kario
>> Senior Quality Engineer, QE BaseOS Security team
>> Web: www.cz.redhat.com
>> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
>
>

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Dyson Technology Limited, company number 01959090, Tetbury Hill, Malmesbury, SN16 0RP, UK.
This message is intended solely for the addressee and may contain confidential information. If you have received this message in error, please immediately and permanently delete it, and do not use, copy or disclose the information contained in this message or in any attachment.
Dyson may monitor email traffic data and content for security & training.

v2.23.0 | Report a Bug | By Email