IETF Logo Mail Archive

[TLS] Comments on draft-wood-tls-external-psk-importer-01

John Mattsson <john.mattsson@ericsson.com> Mon, 01 April 2019 19:01 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CECBE1204FD for <tls@ietfa.amsl.com>; Mon, 1 Apr 2019 12:01:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2MetpEwNEYHa for <tls@ietfa.amsl.com>; Mon, 1 Apr 2019 12:01:01 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30089.outbound.protection.outlook.com [40.107.3.89]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B5505120515 for <TLS@ietf.org>; Mon, 1 Apr 2019 12:01:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eaNxkK8drmh5sBgn7srJe9xG7BC8P8hPk2LAyTjy/SU=; b=Dkq4zHniFNRvoZ6twWYjCa07/0Y3ipl7+l6w17Eh/sJMPOnQPgppurIz5u4gEY4ePA587/hiQ1Ncqtbe2uDDMCR1zWj4Rd95hUZNi/K6BBypLD5NTpsngolkLyRSzGxm8Z38U3DL8GbYj9OHXIZ2NEtvrQSDUS7i3118a4OAwXo=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.166.22) by HE1PR07MB3193.eurprd07.prod.outlook.com (10.170.245.31) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1771.6; Mon, 1 Apr 2019 19:00:58 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::91bd:a367:2414:b4bc]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::91bd:a367:2414:b4bc%5]) with mapi id 15.20.1771.007; Mon, 1 Apr 2019 19:00:58 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: Comments on draft-wood-tls-external-psk-importer-01
Thread-Index: AQHU6L09RDZKHT8Ksk2niB+rgTbbFA==
Date: Mon, 01 Apr 2019 19:00:58 +0000
Message-ID: <89127FF7-CE3F-4DF1-98A5-B1006C5FF56B@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.17.0.190309
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2fee17e7-b1ae-4ac7-118b-08d6b6d46022
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600139)(711020)(4605104)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:HE1PR07MB3193;
x-ms-traffictypediagnostic: HE1PR07MB3193:
x-microsoft-antispam-prvs: <HE1PR07MB31933125F0DC9E38AC9FF00289550@HE1PR07MB3193.eurprd07.prod.outlook.com>
x-forefront-prvs: 0994F5E0C5
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(346002)(376002)(366004)(136003)(396003)(189003)(199004)(476003)(58126008)(106356001)(53936002)(3846002)(2616005)(6116002)(7736002)(6436002)(71200400001)(102836004)(14454004)(86362001)(25786009)(5660300002)(256004)(305945005)(5640700003)(486006)(68736007)(2906002)(478600001)(6512007)(26005)(99286004)(2501003)(8936002)(97736004)(81166006)(44832011)(6916009)(66066001)(6506007)(33656002)(36756003)(316002)(83716004)(6346003)(82746002)(6486002)(81156014)(2351001)(71190400001)(8676002)(186003)(105586002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3193; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: QVVDn6vw+57cJ/J1EcnM3xDc89QhHUZEzOqCdX7rJu7t24/Z6f17t9bqXnQ/A2tPhofuiBxYA+hjtq9JdCrCoUpi8byqTAalI1DLUMezasQPOT/0A5yhz6cA2Dm5f24qo8ahbRytCsisNF11bOnGotTSd+SVivLHW/LiVfwTNaijOjXDKSyTAiCS5zOvEw7bHjZajGWx77zE/gh4Rlb2HOFU++wZY2zziNARTH1wTsND1D6g3PKlLZeGPv7+ni1LfpGreMILS2jQb8DGNg2RpgalaTDZsOx9IEOOIv7ydva2ZR7d+H2181KVAQiejUZSC1h/dKtz3zXXcKfYhptt52rcQv7TiXbmPbjeLiv5UZWbIFcVFi2TSqTxIcG1Gpi9FnfnnfeO0hgDeeutWgf6lc8JyvIF7iNBiR7ev3zH5pI=
Content-Type: text/plain; charset="utf-8"
Content-ID: <00DA62CE39CDF1408BAC135FF50CF526@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 2fee17e7-b1ae-4ac7-118b-08d6b6d46022
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Apr 2019 19:00:58.0130 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3193
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Vsxx4EpooMygLVhofhZPjlyG9dE>
Subject: [TLS] Comments on draft-wood-tls-external-psk-importer-01
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Apr 2019 19:01:12 -0000

 Hi,

Thanks for trying to solve this problem! Not having a way to use the same external PSK for different cipher suites is definitely a thing missing from TLS 1.3.

As I stated during the wg session, 3GPP have a few use cases that use PSK-ECDHE between phone and core network. Contrary to what IETF people sometimes believe, most 3GPP use of TLS (between phone and core network, between core nodes, and between different operators) use mutual authentication with certificates.

According to the current 3GPP specification, the phone and the core network would share an external PSK and an external identity. The hash function is undefined, i.e. SHA-256 is used for TLS 1.3. The phone and the network would then negotiate TLS 1.2 with any cipher suite or TLS 1.3 with SHA-256.

Some comments

- The draft should make clear if the External PSK and external identity can be used together with the imported identities. I assume the idea is that they can’t but I can’t see any text specifying this.

- ”Imported keys do not require negotiation for use, as a client and
server will not agree upon identities if not imported correctly.
Thus, importers induce no protocol changes with the exception of
expanding the set of PSK identities sent on the wire.”

While I see how the defined mechanism can be deployed in a new deployment, I do not see how to introduce it in an existing deployment. Assuming that the external PSK cannot be used together with the imported identities, the TLS client and server must introduce the mechanism at the same time, that is often not possible to control.

- “struct {
       opaque external_identity<1...2^16-1>;
       opaque label<0..2^8-1>;
       HashAlgorithm hash;
   } ImportedIdentity;
  ”

This scales poorly, A client has to send n*m identities where n is the number of supported versions and m is the number of supported hash algorithms...

- Would it not be possible to just use the version number as label? I.e. 0x0304 instead of “tls13”. In that way you do at least not have to define a new labels.

- “TLS 1.3 [RFC8446] supports pre-shared key (PSK) resumption, wherein
PSKs can be established via session tickets from prior connections or
externally via some out-of-band mechanism.”

This seems to indicate that all use of PSK is resumption which is not correct. I suggest changing to “TLS 1.3 [RFC8446] supports pre-shared key (PSK) authentication”

- “importing external PSK (Pre-Shared Key) into TLS.”

Not sure if “into” is the right word, I think “for” as in the title is better. The mechanism seems very much external to TLS itself. I see it as a mechanism to derive several external PSKs from a single external PSK.

- “Similarly, TLS 1.2 and all prior TLS versions should use "tls12" “

The versions prior to TLS 1.2 will soon be deprecated. And why spend time updating the TLS 1.2 code base instead of moving to TLS 1.3? 


Suggestion:

Instead of deriving a large set of new external PSKs, wouldn’t it be possible to just use different hash functions in different parts of the key hierarchy? I.e. if SHA-256 is associated with the external PSK and SHA-384 is the hash algorithms in the chosen cipher suite:

PSK ->  HKDF-Extract(SHA-256) = Early Secret
          |
          +-----> Derive-Secret(., "ext binder" | "res binder", "")
          |                     = binder_key
          |
          +-----> Derive-Secret(., "c e traffic", ClientHello)
          |                     = client_early_traffic_secret
          |
          +-----> Derive-Secret(., "e exp master", ClientHello)
          |                     = early_exporter_master_secret
          v
    Derive-Secret(., "derived", "")
          |
          v
(EC)DHE -> HKDF-Extract(SHA-384) = Handshake Secret

Support of this could be signalled with the tls_flags extension. If the server does not support the extension it must according to RFC 8446 chose a cipher suite with SHA-256.

Cheers,
John

v2.23.0 | Report a Bug | By Email