Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs

John Mattsson <john.mattsson@ericsson.com> Tue, 24 September 2019 15:17 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 056761208E8 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 08:17:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CeZhisUThRIf for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 08:17:12 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-db3eur04on0626.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0c::626]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 432291200B2 for <tls@ietf.org>; Tue, 24 Sep 2019 08:17:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=hf2O3rdkiR40FekibZMzbSXEkZhuxeyqBNY2X9RbF5ESREBHV7FU9+7Yx8xaXvtrbSyv9DQr5W4QQakaFWZ/S/wIQe8CbuVVLvjU++mpUpobMwesPlP0LhPcbj03U34gyy/oAFEf8qf83EjbYu64wU/iYUK4CknimOzQ9LJxDcspgjPNH03S6+X4DWYt9t3+mIixcomIHRNxm7McGTysVDxx8c0X19/XqM7UNc1twIndTPuRghwCbpB2n7YdTrw12o4ECPD/iYfF+8lUWBDrSJ5Ew3hUtnHC85jByHooTTfXooVb2X6QypYEQl7IHlURAoEgWK0V39re837KOqnvvQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aQQgaVUNHTYhGxzrwOdJKluhUrq0i4Nifi2Si19v/Qo=; b=AoMrBb+NM6Nd2OdNa+4bz0O/Z7Crua4BYrz3NUPG0jcJDBuHTlBq5YirFFVHfiOnwjINIwJWiWkCqNj/74y2/bqSFXgiRDBobAGazFWVbdGLxJh4g3N8oFJUtROSOtGI/Kx7dqLpwYN2BN8brZT5ySfFTqx3tJwzrCC5Wl1ieBN4oFWYNuOQDUwrEcP/8v6yM4HqfAArDQkR7GPMEWY58M5EY90kbOnLrJ3EuZfMuhlFb/YDtqHz6PEX0g+EH5bxRMBL/p9lh+WkHtRf9ncZhmX8U6w5U2+B9vH9EYbl36liHflWwITJd+/+pnLM9dE7zhr7lreP0HruW/vNGEJkLg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=aQQgaVUNHTYhGxzrwOdJKluhUrq0i4Nifi2Si19v/Qo=; b=clPsN6DReJ9ve9gfE2XXVvyM6GxORxQRuLZpRZ/YPcFmslQCFtxXqYIvw5xLWHCbuBWYTIUbU57I6bXkoAGNPvN3fHVlsGbRGL8Xt/io6G9UYgALpQZs5mccR7bcsCxLIac7weE6pEd01/Mo48h3fWU/tvqYnJdeHg/9tDpeoAk=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.165.153) by HE1PR07MB3259.eurprd07.prod.outlook.com (10.170.246.26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.15; Tue, 24 Sep 2019 15:17:09 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef%6]) with mapi id 15.20.2305.013; Tue, 24 Sep 2019 15:17:09 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "Hao, Feng" <Feng.Hao@warwick.ac.uk>, Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Jonathan Hoyland <jonathan.hoyland@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
Thread-Index: AQHVcjdFVDkRCnJu/EWS+/ttziRTO6c63m0AgAA074A=
Date: Tue, 24 Sep 2019 15:17:09 +0000
Message-ID: <896F89B2-37D0-4674-881D-FB9FE4874978@ericsson.com>
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <964aab95-1a42-df82-e8e4-cf7ee15ba0f8@ericsson.com> <AE2F1D6C-39AD-4C2F-BE03-FA2F189BBF4B@live.warwick.ac.uk>
In-Reply-To: <AE2F1D6C-39AD-4C2F-BE03-FA2F189BBF4B@live.warwick.ac.uk>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a8e516b5-68a9-4f2c-2abb-08d7410244e5
x-ms-traffictypediagnostic: HE1PR07MB3259:
x-ms-exchange-purlcount: 6
x-microsoft-antispam-prvs: <HE1PR07MB325962D41D3BAF56D471D65B89840@HE1PR07MB3259.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0170DAF08C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(39860400002)(396003)(136003)(376002)(366004)(13464003)(189003)(199004)(53754006)(14454004)(2906002)(6246003)(71190400001)(76176011)(7736002)(5660300002)(26005)(6116002)(6506007)(3846002)(186003)(102836004)(53546011)(71200400001)(256004)(14444005)(99286004)(478600001)(36756003)(966005)(86362001)(81166006)(6512007)(81156014)(6306002)(316002)(2616005)(476003)(11346002)(446003)(486006)(44832011)(33656002)(6486002)(6436002)(8676002)(66446008)(66066001)(110136005)(66556008)(64756008)(66946007)(66476007)(25786009)(4326008)(229853002)(58126008)(76116006)(91956017)(305945005)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3259; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: QVFJc3hqUIacoXhQdQG+f9bRnbSkVHAA/ye45Cia1rDrBGIPp2/ofzzQHvYe6TBN8VuoIalFKA2IUGRAC0+O65zVZJGc8/rnA0Zx629azHDIy9HConyD8KY+6XOaT9yM2Uq3q+rwyz7nad2iqCn2sYK7nj0bGYWEJBVtrnH+Rmk51GTpPvs0/HWw6XsBjnibwhU/WtY/h0R8NZ2z6hfFGsEZIbkktBOKAHg7c89EHPCJT2Iwq/orqBXKZTq3DPZyUa+m904IOu7ssJ1anWYNaeIpB9hj6Nxq0oUvMEf7+4oUj9BWyjRqF2Xxx51aIdoBw0BJWP0v3QhOvO/3KaO+n8ycCY7jcrH8D3iCZlPCpk9QxFtJgx7Ic/q/eF9dq/yo80/ZvxF//Ht/0uXap/4b78mkmCLAmHqID5tUWfyrM7o=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <07DA765390B98C44825A98EBCB3BD3CF@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a8e516b5-68a9-4f2c-2abb-08d7410244e5
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Sep 2019 15:17:09.6744 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: xc7MT2KXXiAjecrTIMzHyYAdO8BznM9GVDIEiKR6yj5zAThF5DHMf4Q63njtVoAp7HHU8lj42HQq2+6/XwYN0wK7oe6HN1viSh0rtycanKI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3259
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eT5Eszlujk3VoIvjjw0rcL7k5wk>
Subject: Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2019 15:17:16 -0000

Hi,

I think these reflection attacks are much older than this. I quick search for reflection attack security protocol gives a lot of old results, The description of reflection attack in the following lecture material from 2009 looks just like the "selfie attack" on TLS 1.3
http://www.cs.bham.ac.uk/~tpc/cwi/Teaching/Files/Lecture4_6up.pdf

With multiple sections there are other things that change as well. If two nodes unintentionally initiate simultaneous ClientHello to each other, even if they only want a single secure connection (I have seen live systems where this happens in practice), an attacker can select which ClientHello to block (e.g. the one with the strongest cryptographic parameters). The following security property would then no longer hold :

  "Downgrade protection:  The cryptographic parameters should be the
      same on both sides and should be the same as if the peers had been
      communicating in the absence of an attack"

(I have not looked at what the definitions in [BBFGKZ16] say).

Cheers,
John

-----Original Message-----
From: TLS <tls-bounces@ietf.org>; on behalf of "Hao, Feng" <Feng.Hao@warwick.ac.uk>;
Date: Tuesday, 24 September 2019 at 16:09
To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>;, "Owen Friel (ofriel)" <ofriel@cisco.com>;, Jonathan Hoyland <jonathan.hoyland@gmail.com>;
Cc: "TLS@ietf.org"; <tls@ietf.org>;
Subject: Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs

    
    On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M" <tls-bounces@ietf.org on behalf of mohit.m.sethi=40ericsson.com@dmarc.ietf.org>; wrote:
    
        Hi all,
        
        On the topic of external PSKs in TLS 1.3, I found a publication on the 
        Selfie attack: https://protect2.fireeye.com/url?k=dd432f13-81c9e5ad-dd436f88-869a17b5b21b-dc6c6f0a5dd21faf&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2019%2F347
        
        Perhaps this was already discussed on the list. I thought that sharing 
        it again wouldn't hurt while we discuss how servers distinguish between 
        external and resumption PSKs.
        
    I just read the paper with interest. It occurs to me that the selfie attack is consistent with the "impersonation attack" that we reported on SPEKE in 2014; see Sec 4.1 [1] and the updated version with details on how SPEKE is revised in ISO/IEC 11770-4 [2]. The same attack can be traced back to 2010 in [3] where a "worm-hole attack" (Fig. 5, [3]) is reported on the self-communication mode of HMQV. The essence of these attacks is the same: Bob tricks Alice into thinking that she is talking to authenticated Bob, but she is actually talking to herself. In [3], we explained that the attack was missed from the "security proofs" as the proofs didn't consider multiple sessions. 
    
    The countermeasure we proposed in [1-3] was to ensure the user identity is unique in key exchange processes: in case of multiple sessions that may cause confusion in the user identity, an extension should be added to the user identity to distinguish the instances. The underlying intuition is that one should know "unambiguously" whom they are communicating with, and perform authentication based on that. The discovery of this type of attacks and the proposed solution are inspired by the "explicitness principle" (Ross Anderson and Roger Needham, Crypto'95), which states the importance of being explicit on user identities and other attributes in a public key protocol; also see [3]. I hope it might be useful to people who work on TLS PSK.
    
    [1] https://protect2.fireeye.com/url?k=5a822513-0608efad-5a826588-869a17b5b21b-eb260151f78b0718&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2014%2F585.pdf
    [2] https://arxiv.org/abs/1802.04900
    [3] https://protect2.fireeye.com/url?k=d5bf88ff-89354241-d5bfc864-869a17b5b21b-0e9b3bf58e104f32&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2010%2F136.pdf 
    
    
    _______________________________________________
    TLS mailing list
    TLS@ietf.org
    https://www.ietf.org/mailman/listinfo/tls