Re: [TLS] PSK in 1.3?

Manuel Pégourié-Gonnard <mpg@polarssl.org> Sun, 19 October 2014 12:47 UTC

Message-ID: <5443B2C4.5050306@polarssl.org>
Date: Sun, 19 Oct 2014 14:47:00 +0200
From: Manuel Pégourié-Gonnard <mpg@polarssl.org>
To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>, Eric Rescorla <ekr@rtfm.com>
References: <544384C7.9030002@polarssl.org> <CABcZeBNdCiK4N7MTYD6guuyAgh7j4xVLXjpid1knjDf5yCS3JQ@mail.gmail.com> <20141019123312.GA13591@LK-Perkele-VII>
In-Reply-To: <20141019123312.GA13591@LK-Perkele-VII>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/eDIc7e0kSuW_NaNU5cWDAie-OK0
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] PSK in 1.3?

On 19/10/2014 14:33, Ilari Liusvaara wrote:
> Some notes about PSK in TLS 1.2:
> 
> - TLS 1.2 has PSK identity hints. These are fundamentally 2RTT if used.
> - PSK without identity hints is still 2RTT in TLS 1.2, but is not fundamentally
>   2RTT (send identity in ClientHello).

I was thinking that maybe this can use the same "optimistic with fallback"
mechanism as the other key exchanges: initially the client chooses an identity
and sends it in ClientKeyShare in the same flight as the initial ClientHello. If
the server is happy with this identity, the normal 1.3 1RTT flow is used,
otherwise the server sends back an identity hint and things start over at
ClientHello.

(Only a rough idea, I didn't think about it carefully yet.)

> - There is also DHE-PSK in TLS 1.2. There kex data is combination of PSK
>   kex data and anonDH kex data. This one is PFS.

For the sake of completeness, there is also ECDHE-PSK (RFC 5489) with the same
properties.

> - Then there is RSA-PSK in TLS 1.2. Too difficult to support and
>   pretty much useless.

Apparently not widely implemented currently, btw:

https://en.wikipedia.org/wiki/Comparison_of_TLS_implementations#Key_exchange_algorithms_.28alternative_key-exchanges.29

> - 1RTT PSK also has some interactions with formulation of THS fix.
>   Basically, one wants to force ServerHello to be always hashed.
> 
That's the kind of thing I was hoping you (and others with the relevant
expertise) could mention!

Manuel.
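As an added illustration that is not part of this thread, here is a toy Python model of the "optimistic identity with fallback" sketch above: the client sends a guessed PSK identity in its first flight, the server either completes the 1RTT flow or answers with an identity hint, and the client restarts at ClientHello. The message strings, the hint reply and the key derivation are constructed for the model (not TLS 1.3 wire format); the derivation hashes every message exchanged, server replies and ServerHello included, so a fallback changes the resulting key.

```python
import hashlib
import hmac

# Constructed example: a toy model of the optimistic PSK identity sketch,
# not TLS 1.3 wire format. Messages are "Type:value" strings.

def derive_key(psk: bytes, transcript: list) -> bytes:
    """Bind the key to every message so far, including the server's hint and
    its ServerHello, so a changed identity or a fallback alters the key."""
    th = hashlib.sha256("|".join(transcript).encode()).digest()
    return hmac.new(psk, th, hashlib.sha256).digest()


class Server:
    def __init__(self, psks: dict, hint: str):
        self.psks = psks          # identity -> PSK known to the server
        self.hint = hint          # identity hint sent on an unknown identity
        self.transcript = []

    def handle(self, msg: str) -> str:
        self.transcript.append(msg)
        ident = msg.split(":", 1)[1]
        if ident in self.psks:
            reply = f"ServerHello:{ident}"          # identity accepted: 1RTT path
            self.transcript.append(reply)
            self.key = derive_key(self.psks[ident], self.transcript)
        else:
            reply = f"IdentityHint:{self.hint}"     # fallback: client restarts
            self.transcript.append(reply)
        return reply


def client_handshake(server: Server, guess: str, psks: dict, max_tries: int = 2):
    """Send the guessed identity first; on a hint, switch identity and retry.
    Returns (identity, round_trips, key), or None if the hint names an
    identity the client does not hold."""
    transcript, ident = [], guess
    for rtt in range(1, max_tries + 1):
        msg = f"ClientHello:{ident}"
        transcript.append(msg)
        reply = server.handle(msg)
        transcript.append(reply)
        kind, value = reply.split(":", 1)
        if kind == "ServerHello":
            return ident, rtt, derive_key(psks[ident], transcript)
        if value not in psks:
            return None
        ident = value
    return None
```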