Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

Benjamin Kaduk <kaduk@mit.edu> Mon, 19 March 2018 22:53 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67AF212AF84; Mon, 19 Mar 2018 15:53:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id apyUcMh4_dOs; Mon, 19 Mar 2018 15:53:29 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09443126B72; Mon, 19 Mar 2018 15:53:28 -0700 (PDT)
X-AuditID: 1209190e-783ff70000001eb7-d3-5ab03f654c0e
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id 93.B4.07863.56F30BA5; Mon, 19 Mar 2018 18:53:26 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id w2JMrLrL013643; Mon, 19 Mar 2018 18:53:22 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2JMrGf2018445 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Mon, 19 Mar 2018 18:53:19 -0400
Date: Mon, 19 Mar 2018 17:53:16 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Hubert Kario <hkario@redhat.com>
Cc: Eric Rescorla <ekr@rtfm.com>, tls-chairs <tls-chairs@ietf.org>, TLS WG <tls@ietf.org>, The IESG <iesg@ietf.org>
Message-ID: <20180319225316.GP55745@kduck.kaduk.org>
References: <6112806.hxzZ6NivhB@pintsize.usersys.redhat.com> <CABcZeBOFvdfV3b5+yfJbeYxHLi_uDY34X7u3cbpiLa6RtnmFkQ@mail.gmail.com> <6535335.hpFIu7S1IC@pintsize.usersys.redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="lrZ03NoBR/3+SXJZ"
Content-Disposition: inline
In-Reply-To: <6535335.hpFIu7S1IC@pintsize.usersys.redhat.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFjrNKsWRmVeSWpSXmKPExsUixG6nrptmvyHKYP4LUYsVr8+xW9z6dpjV YsaficwWc07cYLH4dL6L0YHVY8mSn0we7/ddZfOY/LiNOYA5issmJTUnsyy1SN8ugSvj39rM gnW8FSuWtjE2MB7m7mLk5JAQMJHY86KfrYuRi0NIYDGTxO9De1ghnI2MEofmN0BlrjJJXNt+ g7GLkYODRUBV4nG/Kkg3m4CKREP3ZWYQWwTIPnuqE8xmFqiRuLd1NpgtLJAqsffsZiYQmxdo 2/eVP6AWbGOU+PXqLztEQlDi5MwnLBDNZRL/fzSzgOxiFpCWWP6PAyTMKWAr8XHtL7ByUQFl ib19h9gnMArMQtI9C0n3LIRuiLCWxI1/L5kwhLUlli18zQxh20qsW/eeZQEj+ypG2ZTcKt3c xMyc4tRk3eLkxLy81CJdY73czBK91JTSTYygWOGU5NvBOKnB+xCjAAejEg+vxp31UUKsiWXF lbmHGCU5mJREeU8xbYgS4kvKT6nMSCzOiC8qzUktPsSoArTr0YbVFxilWPLy81KVRHifXlkX JcSbklhZlVqUD1MmzcGiJM7rbqIdJSSQnliSmp2aWpBaBJOV4eBQkuAVsgNaIFiUmp5akZaZ U4KQZuLgPMQowcEDNNwKpIa3uCAxtzgzHSJ/itGY49neB23MHDdevG5jFgK7Q0qcVxWkVACk NKM0D24aKA1KZO+vecUoDvSoMK8TSBUPMIXCzXsFtIoJaJXP0jUgq0oSEVJSDYzl52Q4SgRq MlYHcxYm32dmK2c24RFKS2QXfbNxwZfvZ7j5txU73qv6onnc3UzG/d9pxuPPhO13hnfeU/Gb OvHmm3emHe/ULeVfl1zpzVXyUGNUfx9YVveZ57OoYtKhbd8+v9uctSQ+umK1D//ibafTRD/m hnwI298hK6+yzWbTR/nY89en7FJiKc5INNRiLipOBABethhCXgMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eJvNKFtjqGM5z81IBlz1Cz6-sxg>
Subject: Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Mar 2018 22:53:32 -0000

On Mon, Mar 19, 2018 at 05:00:51PM +0100, Hubert Kario wrote:
> On Sunday, 18 March 2018 16:27:34 CET Eric Rescorla wrote:
> > After discussion with the chairs and the AD, I have opted to just add a
> > section
> > that explains the attack. I just merged that (but managed not to get it
> > into -27
> > due to fumble fingering).
> 
> If there is no consensus on the recommended fix for the issue, I wonder if we 
> shouldn't then soften the language in the section about PSK binder handling, 
> from SHOULD to MAY.

I think on the balance I am happier retaining SHOULD.

> Though, I'd say that the reference to that newly added section is definitely 
> missing.

I expect that can be done as an RFC Editor note or during AUTH48.

-Benjamin