Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

Benjamin Kaduk <kaduk@mit.edu> Wed, 14 March 2018 20:13 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8153612426E; Wed, 14 Mar 2018 13:13:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8WFwUOI7KDeb; Wed, 14 Mar 2018 13:13:40 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2ED3C127337; Wed, 14 Mar 2018 13:13:40 -0700 (PDT)
X-AuditID: 1209190e-d0fff70000005c6b-74-5aa982729829
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id F7.AB.23659.27289AA5; Wed, 14 Mar 2018 16:13:39 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id w2EKDYeE006465; Wed, 14 Mar 2018 16:13:35 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2EKDTEF011533 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 14 Mar 2018 16:13:31 -0400
Date: Wed, 14 Mar 2018 15:13:29 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Hubert Kario <hkario@redhat.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, TLS WG <tls@ietf.org>, iesg@ietf.org
Message-ID: <20180314201328.GF55987@kduck.kaduk.org>
References: <6112806.hxzZ6NivhB@pintsize.usersys.redhat.com> <3060420.fu6fxUo7fv@pintsize.usersys.redhat.com> <20180314020207.GY55987@kduck.kaduk.org> <2062943.8cTCpni5Dm@pintsize.usersys.redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <2062943.8cTCpni5Dm@pintsize.usersys.redhat.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupileLIzCtJLcpLzFFi42IRYrdT1y1uWhllsPMEj8Wtb4dZLWb8mchs 8X73dBaLT+e7GB1YPJYs+cnk8X7fVTaP291z2AKYo7hsUlJzMstSi/TtErgyeiYsZitYwV3x b/9RpgbGnxxdjJwcEgImEv0P5rJ3MXJxCAksZpLobfzHDpIQEtjIKLHriRaEfZVJ4vqiMhCb RUBV4t6sOawgNpuAikRD92VmEFsEyD57qhPMZhaIlbhy+gVYjbBAqsTes5uZQGxeoGVHHqyC WnaWUeLd/POsEAlBiZMzn7BANGtJ3Pj3EqiBA8iWllj+jwPE5BSwlfh/IACkQlRAWWJv3yH2 CYwCs5A0z0LSPAuheQEj8ypG2ZTcKt3cxMyc4tRk3eLkxLy81CJdY73czBK91JTSTYygAOaU 5NvBOKnB+xCjAAejEg+vgdrKKCHWxLLiytxDjJIcTEqivPunrIgS4kvKT6nMSCzOiC8qzUkt PsQowcGsJMJ7vxConDclsbIqtSgfJiXNwaIkzutuoh0lJJCeWJKanZpakFoEk5Xh4FCS4G1t BGoULEpNT61Iy8wpQUgzcXCCDOcBGm4IUsNbXJCYW5yZDpE/xWjM8WzvgzZmjhsvXrcxC7Hk 5eelSonzPmsAKhUAKc0ozYObBkpCEtn7a14xigM9J8x7B2QgDzCBwc17BbSKCWhV5rYVIKtK EhFSUg2MTM8FH3rq+TEv2zzLpiSsXtetocz41txZOyreh5cYzH9/Ku7dQq9vLclhQnsm8ky/ mbgjsDzq0gV2tgoH1grFO7GMdT73bDkvOQaw+bMdYl87WfrcH3/ufzN66hcmaPqdsIzuTrxl +2Xa0xmbf+uet8i9fFdVa1uV6FKFNzOb//z231rAuH2eEktxRqKhFnNRcSIA4cP8lB0DAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/algq9su4k7eZcIRV6FFtJYCTr0g>
Subject: Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2018 20:13:41 -0000

On Wed, Mar 14, 2018 at 12:46:25PM +0100, Hubert Kario wrote:
> On Wednesday, 14 March 2018 03:02:10 CET Benjamin Kaduk wrote:
> > It seems like we get ourselves in trouble by allowing multiple
> > external PSKs to be present.  If we allowed at most one external
> > PSK in a given ClientHello, then aborting the handshake on binder
> > failure would be the correct choice, as discovering a valid identity
> > would require discovering a valid key/password as well.
> 
> but identity/binder may be invalid only because the server was restarted and 
> generated a new in-memory key; we don't want to abort connection in such 

For an external PSK?  That hardly sounds like "external" to me...

> situation, continuing to a regular handshake is necessary then for good user 
> experience (and likely, even security, given the history of TLS version 
> fallbacks)
>  
> > Disallowing multiple external PSKs would make migration scenarios a
> > little more annoying, but perhaps not fatally so.
> 
> not only migration, but session resumption and regular PSK at the same time 
> too - for session resumption you may not do DH, while for initial handshake 
> with PSK you may want to to gain PFS...
> 
> so as tempting as the removal of multiple PSKs from ClientHello is, I'm afraid 
> the fallout is far too large to do it

I did not say removal of multiple PSKs, rather removal of multiple
*external* PSKs.

-Ben(jamin)