IETF Logo Mail Archive

[TLS] The future of external PSK in TLS 1.3

John Mattsson <john.mattsson@ericsson.com> Sat, 19 September 2020 11:30 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7ED9C3A07FB for <tls@ietfa.amsl.com>; Sat, 19 Sep 2020 04:30:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.796
X-Spam-Level:
X-Spam-Status: No, score=-3.796 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.695, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1n5_jC1DQSji for <tls@ietfa.amsl.com>; Sat, 19 Sep 2020 04:30:18 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20046.outbound.protection.outlook.com [40.107.2.46]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E196D3A07F9 for <TLS@ietf.org>; Sat, 19 Sep 2020 04:30:17 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Fo/CpqMMOqm6x6QDsHcOmSQ2QvY125E0/xD9OoTBveX2C7EqkZ8O5Vm2INQPB9FxLgVBG2yNd7fifQv3NqMknreS9FYgyQMnAXraU2Ol/rcMtp4S55HOPnsYWUEl8y2ntXeQV4cZjWoqEQZkI/6s4rxd5fk1rs2NJR5avW1c0Q2XxXHSoRf4nkPkoMsxEXWveLTAQV7KH9jWEJqaaTgzKYEJ3nANL3kz/+9VgpXTytrznWScVPejjgU8KUy2/PPeKGnlA8Bqdd3w5ti9rK5HxGpOVpnZWbXiK4uJPNGtMmMdRb5+MrArfa7CoTXgqXa/3FYdDFFNqnYuFkRG0ixmfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HDElewjcEsQWGRIYnEBgYQcazWl04qA5Z7dT0buPELA=; b=hGGDQYyaQzyx5rOW2boJzCuYjOVP0MJO3skInSkYBadeK7A5hxV+z/4zwdI4aE23gqPRU2baW2uHsLVtO4Ntyd3Mctpb9iLMYJ0oycrp3UrSRT7C29g+0AOtK+QkPKVPQtG32oFYW59PQMZvzYsYv/qaw7ngKOTMHg8XrwOtlN7S1VxhdneWrFKx7J4+nbcTVRQh34wfQRukEBUDDny20LaUFMvyw0G4HqX7dgfc2SMHz/ytc9O762CV0qQ2rnmXCxJ/SKpeoMA/L8MBZ5/8KQn5nCEFIbtf6oa8HEUkq3hmWOnD/qCEYRL7IgSVw5UGe7Wg0dG0KynDt7lh0e1sFw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=HDElewjcEsQWGRIYnEBgYQcazWl04qA5Z7dT0buPELA=; b=K232KCZkm8asEGPtcD4d6TQx73OC2MnexeqIwuL8mzIny+Ye4x7Hxh65kYXKjx1csBIIizonJzVMEfKQUCgOy7yGZJmA5mXowhZDTwaxabB9/wV0/XjczctB3GUgnrQGn2m21akfnHkwRY5O+RlyP+u2rPoaOpgP7O3+07jgNX0=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM7PR07MB6455.eurprd07.prod.outlook.com (2603:10a6:20b:137::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3412.4; Sat, 19 Sep 2020 11:30:14 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::39e8:f3f:a912:6e92]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::39e8:f3f:a912:6e92%6]) with mapi id 15.20.3391.021; Sat, 19 Sep 2020 11:30:14 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: The future of external PSK in TLS 1.3
Thread-Index: AQHWjng9Pwzr8fTsOkSjvpJZy/djPA==
Date: Sat, 19 Sep 2020 11:30:13 +0000
Message-ID: <77039F11-188E-4408-8B39-57B908DDCB80@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: edd69ec5-2502-44ed-0677-08d85c8f606c
x-ms-traffictypediagnostic: AM7PR07MB6455:
x-microsoft-antispam-prvs: <AM7PR07MB645511EFCA8C778523F0081D893C0@AM7PR07MB6455.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: DUBXFcG67HPiLaqtPwRSIbUA6b1bdhFYBXwYitfd3H66RDVLMLgL2PcOvwE2CX5ribbQ9GzZvZdlWLCiJzW49Llhw76zUHQ5gRsdA3zez0Jt2vWmsodLs0Wi35z0NlAIquTJBYeDFDJeCLn2Hl9SG8f8iFnKzfBy/nrV71NtXTSBBUAoQvO/3aJ6xliIU5yBL3X6zJeF9jU/qauvV5oRXtWOXRyBAprpBdYmuINlS8Yk6ZJ68VWDWIl1+nqYTFWMbxHYt/fiMSoh9wl/76YnUsS/NrjWh4sAOOQ8AD6WocgZWz296GhemucZEgOATNcDGB7yWrxzMHPwOFpaEr4fgvskj+8l3hStXIqfuampmdOD4i8OmIODQOMHzjuZ2a8D1/p60ZJgpRl2RjVXhBPEdZBJDbKU4rucNuxuY2+B/PMGw8mcqUN0jpeVZIp+82GYPP430MsQDP27mD8lzHzhog==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(396003)(346002)(376002)(366004)(39860400002)(64756008)(66446008)(66556008)(66476007)(83380400001)(966005)(8676002)(6916009)(8936002)(86362001)(91956017)(76116006)(33656002)(5660300002)(36756003)(6512007)(44832011)(66946007)(71200400001)(478600001)(2906002)(316002)(6506007)(6486002)(186003)(26005)(2616005); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: I+HMps69yVbeu9BOCDXF2yo3Nd2Pr6eKjx1eXsgK6tcZplJg8U+bY9is5uLF1iHQ2VinCgWgfQhx/YtREXzbpd6KSAunw9VBbGj6GVLjENtp1VsdZK65prrzDWowbXHg+DgMQQHjGgQRSzh9RwwRRNKkfJRZq+IO5zMkvRTKNu674IuTlE8mDumXdpnNIFUUHwWVRnLDd+IRrG4KK4nf8H9FYXWeq7XQidq69g/9psTBUtF6WMVWcLNadQ4XUd/C5WZSF9APuHueWdAGK5qR/IrdBkOjpKsvpQq3cVBMK0ACIsl5zoe+cPSgv7hXnX7Ydn3VEq7Q+9N+w7A86nWmjqOc8/pVHRZ+KRVFPDgcd8UqzzEI6zmJUwbdjS5OgRXpjY1PetKKPsik0A8lsD9Ez+JptnIfOMixXGZWBMS3zfZsQWnnXZYfcd8GUfFXHEY1KpzG0Z+bX9f9P8weTuSXvJtsIxD4QmKAT66EA6qWbGeQGN6Nxuej5t9t0h3rlccrxoSX3bWRAKWCtznKgcBr0YmLsSmS0/iioZdsWxE7lXIaeZAUZIiRxv5fCkvZdu5jkxf2u41hyXrFPzCFCGR8UJki45SUZx/hSF+2iNB/AMKCpVExu2F3pMCj+ns+Lhlt0ICgRDWISsFezC4GfMCbmg==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <DB226AE94C497A48A0BAE283F9935EB6@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: edd69ec5-2502-44ed-0677-08d85c8f606c
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Sep 2020 11:30:13.9436 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: iQNdCqIfZ+lQwznkw27q4EYOdRHYSQpV2G6IgZZiRGx9gLqIPv0Ap5PBQs2cbQgdkH+A0r2NVfuN0ccGEBwXZ/SJPZ/Nf87UhSvSdXdyO8Q=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6455
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/WoBwUCqEMcFhvIHN6neo5W4Urg4>
Subject: [TLS] The future of external PSK in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 19 Sep 2020 11:30:19 -0000

Hi,

Recent discussions in 3GPP, ACE, and LAKE about the use of symmetric keys for authentication and key exchange made me think about the future role of external PSK in TLS.

https://mailarchive.ietf.org/arch/msg/ace/A60CFIvUohBwAXi_JuMKkQanZak/

I authored RFC 8442 because I believe PSK+ECDHE is needed for legacy systems. Due to the major privacy, security, and deployment limitations with PSK, I see little need to use PSK (besides resumption) in new systems, except for the use case in RFC 8773.

LAKE recently removed PSK authentication completely as it does not produce smaller messages and comes with severe privacy and deployments problems. Increasing code size (a few kB) and slightly increased computation/latency was not seen as a big problems.

Looking at the IANA TLS registry, I am surprised to see that psk_dhe_ke and especially psk_ke are both marked as RECOMMENDED. If used in the initial handshake, both modes have severe privacy problems, and psk_ke does not give PFS, thus making pervasive monitoring much easier. If groups keys are used, additional security problems arise. All TLS 1.2 cipher suites without (EC)DHE has for good reasons been marked as NOT RECOMMENDED.

I have recently seen several people arguing that the inclusion of PSK in TLS 1.3 means that the use external PSKs are now recommended. I don't think that was the intension of the TLS WG.

I strongly think psk_ke should be NOT RECOMMENDED, except for resumption. Irrespectively of what ‘Y’ in the recommended column actually means, people are and will read it as recommended to use.

Cheers,
John

v2.23.0 | Report a Bug | By Email