Re: [TLS] Distinguishing between external/resumption PSKs

Richard Barnes <rlb@ipv.sx> Thu, 19 September 2019 15:57 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED565120810 for <tls@ietfa.amsl.com>; Thu, 19 Sep 2019 08:57:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B8zJ2qF5_zFR for <tls@ietfa.amsl.com>; Thu, 19 Sep 2019 08:57:53 -0700 (PDT)
Received: from mail-oi1-x22b.google.com (mail-oi1-x22b.google.com [IPv6:2607:f8b0:4864:20::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D14812080F for <tls@ietf.org>; Thu, 19 Sep 2019 08:57:53 -0700 (PDT)
Received: by mail-oi1-x22b.google.com with SMTP id 83so3205188oii.1 for <tls@ietf.org>; Thu, 19 Sep 2019 08:57:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=lrLBmQlBEV27N22BLJ1ggph1WYJ1R1D4DGGSaIths5c=; b=EvNW7TN9ZDJcHL/DPdx1IPUbbuGrSz/QMzItUUGkKcgsfmaBSQFYoFMdszskkEYtmn rcFtHPy+sbPdywzvoOqFipImh9L3blxCdIgOQpcjA1Odz3rtzkTq30Qe/9gxAhsEZrat Hp3CNvJVTxseTSy4JKILJeMsDUzLXKvqrBJBaQR7OL+lfQKlQGr/6genHpcVMDUBHnCK 1tE9pubCzCmrV4rMAkiyXcF7jvl3EuswsSW/R6pLRR9h40V/3GaoXXpP1BiXffzLt2ez dlg8ElTOmKpEePmkkgcYC1hmVEH0a/mjbkY9FHhrppq2c8xFIhJV1qnmOdFfxhnPr8wP 8YPw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=lrLBmQlBEV27N22BLJ1ggph1WYJ1R1D4DGGSaIths5c=; b=Yqu4Wjr9lZutVN5vrqQt3k1bg3Tyf+djq6uY0UuXz8/fNGYmerknje+V8lGqMlADyc f1a+/G7J8mJvVlX3r1l9A0D67FDE4I71LeAsNXMtsK5atd+PIHXACluiSavo8MEOwbFO v/nSoHQQLC6VPJqKBerlVq28EM5h4gooquzD1tR2uBv5CZCz8qTnpIFE7mYuyuurM+ek wk/S8S5ojhh9y1RgGc328kb90eOr/UhFNdznvS5XqV4VQyxYdszdlBK5gfzIItJpQYnV hIMo7HaDddOW+ec2qXNjANhFcaNKXzJC/zFUQC3IBOikqFD43b1nUZj75oSJVFveUb1G QE1A==
X-Gm-Message-State: APjAAAX7VYF7U+dmyVRZ/+huqbekDoh6gCIinLLnz6cuWdKGiCOFGl+3 tfymz2a8vEoWdqizGhB5Dn7NppvwRAiwmjmH9L+Kug==
X-Google-Smtp-Source: APXvYqxAp3c3pCSTt706ONIacUCmt1kn6UULOELosyQ+WVhOJDPS+WRD/orsh29YKyk4S5mMLOLxTEGFcQoWp8ljmuc=
X-Received: by 2002:aca:4e12:: with SMTP id c18mr2674385oib.135.1568908672291; Thu, 19 Sep 2019 08:57:52 -0700 (PDT)
MIME-Version: 1.0
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs3aQxM3kxa3khOYbj8naXfcaPmSOKY01nAsuAyfEWYkzg@mail.gmail.com> <CAL02cgT73q0iOj=7fMsneQwjAFFDnSYM92MhV0adSfU2qOCurQ@mail.gmail.com> <CACykbs2=e9LvnvvU=zOWuzqeU4aYXOA3SPWBwQGyPcW6QjrSkA@mail.gmail.com>
In-Reply-To: <CACykbs2=e9LvnvvU=zOWuzqeU4aYXOA3SPWBwQGyPcW6QjrSkA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 19 Sep 2019 11:57:38 -0400
Message-ID: <CAL02cgSuFGNd26TS8bNbjhh+YEYVbAH5TQBneeLNyouZemAZXw@mail.gmail.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: "Owen Friel (ofriel)" <ofriel@cisco.com>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000018e6550592ea040d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/_BruYjoYACpPhmN9T_i_-ybIXRc>
Subject: Re: [TLS] Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2019 15:57:56 -0000

As nice as that requirement would be, I'm not sure it's really compatible
with the way people want to build software.  For example, OpenSSL right now
gets external PSKs by calling out to an external callback.  Given that
degree of separation, proactively assuring no collisions would be hard.

On Thu, Sep 19, 2019 at 11:43 AM Jonathan Hoyland <
jonathan.hoyland@gmail.com>; wrote:

> Ah yes, Richard is right, the PSK IDs do not have a defined structure.
>
> Having two different PSKs attached to a single PSK_ID should be banned if
> it isn't already.
>
> Regards,
>
> Jonathan
>
> On Thu, 19 Sep 2019 at 16:26, Richard Barnes <rlb@ipv.sx>; wrote:
>
>> On Thu, Sep 19, 2019 at 10:26 AM Jonathan Hoyland <
>> jonathan.hoyland@gmail.com>; wrote:
>>
>>> That's how I would interpret the spec yes.
>>> You could argue that there's a distinguishing attack where the attacker
>>> measures the response time on PSKs to determine if it was an OOB PSK or a
>>> resumption, but I think you could do equally well just by looking at the
>>> PSK lengths, because resumption PSKs have a defined structure.
>>>
>>
>> I don't think that's quite right.  The PSKs resulting from
>> NewSessionTicket have a defined structure, but the PSK *IDs* do not;
>> they're specified by the server.  AFAICT, existing server stacks generate
>> their own PSK IDs for resumption PSKs, so from the application's
>> perspective, the structure of the resumption PSKs is unknown (or at best,
>> specific to the TLS library in use).
>>
>> If I understand correctly, the worst case here would be:
>>
>> 1. The server application wants to have some behavior change based on the
>> use of an external PSK (not resumption)
>> 2. The server TLS stack is configured with external and resumption PSKs
>> with the same PSK ID
>> 3. The client sends a ClientHello using the resumption PSK
>> 4. The server TLS stack attempts to verify the binder with the resumption
>> PSK and succeeds
>> 5. The server application gets a session that is authenticated with the
>> PSK ID and notes that the PSK ID matches one of its external PSKs
>> 6. The server application improperly does the external PSK behavior when
>> in fact resumption has happened
>>
>> I might be missing something, but I don't see anything in the spec that
>> would prevent this situation from arising.  So it's up to the application
>> to choose its PSK IDs in such a way that they don't collide with resumption
>> PSK IDs.  But the fact that resumption PSK IDs are implementation-specific
>> mean that this is tough to do with any generality, unless you're willing to
>> rely on long pseudorandom strings not colliding with each other.
>>
>> Maybe the answer is just that TLS stacks that handle their own resumption
>> caches need to signal to applications when that cache has been used vs. an
>> external PSK.
>>
>> --Richard
>>
>>
>>
>>> Regards,
>>>
>>> Jonathan
>>>
>>> On Thu, 19 Sep 2019 at 15:04, Owen Friel (ofriel) <ofriel@cisco.com>;
>>> wrote:
>>>
>>>>
>>>>
>>>> > -----Original Message-----
>>>> > From: Jonathan Hoyland <jonathan.hoyland@gmail.com>;
>>>> > Sent: 19 September 2019 14:32
>>>> > To: Owen Friel (ofriel) <ofriel@cisco.com>;
>>>> > Cc: Martin Thomson <mt@lowentropy.net>;; tls@ietf.org
>>>> > Subject: Re: [TLS] Distinguishing between external/resumption PSKs
>>>> >
>>>> > Hi Owen,
>>>> >
>>>> > If I understand your question correctly the distinguishing is done
>>>> implicitly
>>>> > (not explicitly) through the key schedule.
>>>> > If the client and server do not agree on whether the PSK is a
>>>> resumption or
>>>> > an OOB PSK then the `binder_key` will not match, and the handshake
>>>> will fail.
>>>> >
>>>> > See pp. 93-94 of the spec.
>>>>
>>>> And we only even get that far on the off chance that an ext
>>>> PskIdentity.identity is exactly the same as a res PskIdentity.identity.
>>>> e.g. a client presents an ext PskIdentity.identity, the server somehow
>>>> thinks it’s a res PskIdentity.identity, and then handshaking will fail, not
>>>> only because the actual raw PSK is likely different but the binders will
>>>> not match due to different labels.
>>>>
>>>> But my question was before we even get that far - its an internal
>>>> server implementation decision how it determines whether the presented
>>>> PskIdentity.identity is ext or res, or whether e.g. to try lookup an ext DB
>>>> table vs. a res cache first to find a PskIdentity.identity match. And say
>>>> it fails to find an ext match then it tries to find a res match, and if it
>>>> finds a match, then it knows what binder label to use.
>>>>
>>>>
>>>> >
>>>> > Does that answer your question?
>>>> >
>>>> > Regards,
>>>> >
>>>> > Jonathan
>>>> >
>>>> > On Thu, 19 Sep 2019 at 11:52, Owen Friel (ofriel) <mailto:
>>>> ofriel@cisco.com>;
>>>> > wrote:
>>>> >
>>>> > > -----Original Message-----
>>>> > > From: TLS <mailto:tls-bounces@ietf.org> On Behalf Of Martin Thomson
>>>> > > Sent: 04 September 2019 02:46
>>>> > > To: mailto:tls@ietf.org
>>>> > > Subject: Re: [TLS] Binder key labels for imported PSKs
>>>> > >
>>>> > >
>>>> > > When we built the ext/res distinction, there was a clear problem
>>>> > expressed.
>>>> > > We had the potential for both to be used by the same servers at the
>>>> same
>>>> > > time (though not for the same connection) and distinguishing between
>>>> > them
>>>> > > was important
>>>> >
>>>> > Martin, maybe I am missing something in the threads on this. Is there
>>>> > anything explicit planned in ClientHello PreSharedKeyExtension or
>>>> > PskKeyExchangeModes to explicitly distinguish between ext/res PSKs?
>>>> Or is
>>>> > it up to server implementation and how the server handles the opaque
>>>> > PskIdentity.identity? e.g. ImportedIdentity.external_identity fields
>>>> could be
>>>> > stored in one DB table, and (ignoring
>>>> https://tools.ietf..org/html/draft-ietf-
>>>> <https://tools.ietf.org/html/draft-ietf->
>>>> > tls-external-psk-importer-00#section-9 for now) the server on receipt
>>>> of a
>>>> > ClientHello searches for PskIdentity.identity in its
>>>> > ImportedIdentity.external_identity  table and if that lookup fails,
>>>> then try to
>>>> > parse PskIdentity.identity  as a NewSessionTicket.ticket? And the
>>>> order of
>>>> > those two operations is of course implementation specific too.
>>>> >
>>>> >
>>>> > _______________________________________________
>>>> > TLS mailing list
>>>> > mailto:TLS@ietf.org
>>>> > https://www.ietf.org/mailman/listinfo/tls
>>>>
>>> _______________________________________________
>>> TLS mailing list
>>> TLS@ietf.org
>>> https://www.ietf.org/mailman/listinfo/tls
>>>
>>