IETF Logo Mail Archive

Re: [TLS] TLS 1.3 servers and psk_key_exchange_modes == [psk_ke]?

Nick Harper <ietf@nharper.org> Wed, 08 March 2023 04:00 UTC

Return-Path: <nharper@nharper.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3E8EC14CEE3 for <tls@ietfa.amsl.com>; Tue, 7 Mar 2023 20:00:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PKBbWzbQhn7G for <tls@ietfa.amsl.com>; Tue, 7 Mar 2023 20:00:41 -0800 (PST)
Received: from mail-ed1-f41.google.com (mail-ed1-f41.google.com [209.85.208.41]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2401CC14F74A for <tls@ietf.org>; Tue, 7 Mar 2023 20:00:41 -0800 (PST)
Received: by mail-ed1-f41.google.com with SMTP id ec29so29882310edb.6 for <tls@ietf.org>; Tue, 07 Mar 2023 20:00:41 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678248039; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=oFBhuXx8TOLZB3kntACckGX9V63M4F40mKLDadQKrpY=; b=2FEI2sgSOT/72sWWNi845Ny8UviOIE+N/F3JusnXUgEqwuKOaejv8V+FuIWGY9djWz hclBbBLJF//Tpe8yYBqZqElO3o7+QL7RUj6s84BWO5cKGlQvuMNnsN5IBMQO7xUmFx9B UoYXRkYvAv7sixl32NRSYvfR1+Pi+Cg6QJ/BpmQmM05GgRyjBV4/HC0Ap0WV4Nh5g3xR N7ivWbgGOFPmS9R16rJmchA/HB9eJUyq+RIETnhSO27mHoHbYS0WZubbZyyMgJp3z6Zt o94gFimreH5A+PLpr2MJmdpPcyHjHSt0ZQhS/nTpC6RGnDp6+mJuTiK/Ue0ZUnZrNDmA dT3Q==
X-Gm-Message-State: AO0yUKV8wkrTJXN/V1MjsSF4U34GCRQRBpOBxWimTucDK29npQUsA6bU 84FIIzUfVZImQyRhGAoux6E8IMiZJYcJrQxwjicXWCx1BQ+mEiQtjwk=
X-Google-Smtp-Source: AK7set+ehwkjo9hFii1mAZGBJoJzfBTZphCZutEKKyyLc+gKhskXLumRd5F0xoUIIziyPKRxlFhduya1F/qdYefRBvc=
X-Received: by 2002:a17:906:5857:b0:8af:43c6:10c0 with SMTP id h23-20020a170906585700b008af43c610c0mr8495150ejs.1.1678248038737; Tue, 07 Mar 2023 20:00:38 -0800 (PST)
MIME-Version: 1.0
References: <Y/1ngz1ITlYds2WP@straasha.imrryr.org> <SY4PR01MB6251E03AE8A05E38FA8A3F0DEEB79@SY4PR01MB6251.ausprd01.prod.outlook.com> <ZAbL6AP8uzgb60NB@straasha.imrryr.org> <CACcvr=mS9DM__U-7=SEg58YFCJzfhheckbY==QNRy2KFCY8x2A@mail.gmail.com> <ZAdPGnIJe63I035Z@straasha.imrryr.org> <CACcvr=mUACw8uHG0zmGZsUSFFdHq9+i7hZx6ST6RFsdWX_WsUA@mail.gmail.com> <ZAf4DqWEnUPNDP0k@straasha.imrryr.org>
In-Reply-To: <ZAf4DqWEnUPNDP0k@straasha.imrryr.org>
From: Nick Harper <ietf@nharper.org>
Date: Tue, 07 Mar 2023 20:00:27 -0800
Message-ID: <CACcvr=mznNv8Jmn_tB8C4H9dVGuswgwd84ud+uUb_3Rs-6DCjg@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="00000000000031bb8e05f65b9255"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bjxc6s-3nIjDLnBod474zRs7afg>
Subject: Re: [TLS] TLS 1.3 servers and psk_key_exchange_modes == [psk_ke]?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2023 04:00:43 -0000

On Tue, Mar 7, 2023 at 6:51 PM Viktor Dukhovni <ietf-dane@dukhovni.org>
wrote:

> What specific changes would you recommend in say the OpenSSL
> implementation?  Just not sending the useless tickets?  Fine, we've
> saved a bit of bandwidth, but haven't really solved the problem.
>

I don't know the details of the OpenSSL implementation or the behavior of a
psk_ke only client attempting that resumption with an OpenSSL server. Not
sending the useless tickets sounds like the right fix. It also sounds like
we've solved the problem: In a case where a client that only supports
psk_key for resumption modes is talking to a server that only supports
psk_dhe_ke for resumption, useless information is no longer being sent over
the wire and the client will always attempt a full handshake.

>
> We have somewhat different interoperability expectations, because I
> expect resumption to work under typical conditions, which would include
> clients sending just "psk_ke".  Unless the server has a good reason to
> expect all clients to always request "psk_dhe_ke", it should support
> "psk_ke", leaving the client the option to negotiate "psk_dhe_ke" or use
> "psk_ke" if preferred.
>

I expect resumption to work when both endpoints support the feature. TLS
has multiple options (thankfully TLS 1.3 has many fewer than TLS 1.2), and
only the full handshake is required. You're correct that the client should
have the option to negotiate psk_dhe_ke or psk_ke (or none at all) as
desired, and in the same vein the server has the option to negotiate
psk_dhe_ke or psk_ke (or decline resumption) as desired.

>
> Resumption is an important optimisation, it can make the difference
> between a scalable service and a degraded or unusable service.
>

I don't disagree. In application profiles where the optimization makes a
critical difference, the resumption modes that make that difference should
be specified as MTI. The key here is that they should only be MTI in those
application profiles.

>
> There's no downgrade attack, if both sides want psk_dhe_ke, they get it.
> If some application or private deployment never needs psk_ke resumption,
> fine.  But in the absence of specific knowledge a generic client using
> TLS to reach some random server should be able to perform resumption
> without the sort of friction that turning up forward-secrecy to 11
> introduces.  The client *should* still offer psk_dhe_ke where it makes
> sense, and servers *should* then use DHE resumption, but if the client
> has good reason to choose "psk_ke" it should not be punished for its
> choice to optimise for performance.
>

Why should a client be allowed to force a server to accept psk_ke over
performing a full handshake? A server should be free to choose to always
perform forward secret handshakes. When a client that prefers psk_ke talks
to said server, it isn't being punished. The client is offered psk_dhe_ke,
and if it doesn't like that, it can always do a full handshake. Each peer
is entitled to their preferences, and the TLS handshake negotiates the best
option for both endpoints.

>
> > This isn't a protocol issue. This is an implementation issue (buggy
> > implementations sending psk_dhe_ke NSTs in response to psk_ke
> ClientHellos)
> > and an ecosystem issue.
>
> But sending the unusable tickets isn't the problem, the problem is that
> non-DHE resumption is unavailable by default.  Is that an implementation
> bug or not?


That's not an implementation bug, that's an ecosystem issue. As I said
earlier, all of the pieces are there in RFC 8446. People just have to
choose to use it.

TLS is used in many different ways by different application protocols.
Stating that a certain feature of TLS should be available in all TLS
implementations is a high bar to pass — it must be near universally useful.
Instead, each ecosystem that uses TLS can and should decide for itself
which features are useful. Actors in those ecosystems can choose their
implementations (or choose to create their own) based on the availability
of TLS features.

v2.23.0 | Report a Bug | By Email