Re: [TLS] External PSK importers

Russ Housley <housley@vigilsec.com> Tue, 30 October 2018 11:07 UTC

From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <1a5c2d42-4232-b7b1-27a0-97c2b033129c@huitema.net>
Date: Tue, 30 Oct 2018 07:07:46 -0400
Cc: IETF TLS <tls@ietf.org>
Message-Id: <7DE67484-DF67-47CF-9934-CB44F61D1EA0@vigilsec.com>
References: <D8741E2F-9D4B-4405-8A73-33CDD39F2857@apple.com> <CABkgnnXwPRdcwPATaWMpvCb8NdDLBbWEzu9RmxJb0iPwUL75Jg@mail.gmail.com> <1a5c2d42-4232-b7b1-27a0-97c2b033129c@huitema.net>
To: Christian Huitema <huitema@huitema.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/eYPIxJtWeH6MKs-Rz7FGS5OK7ZE>
Subject: Re: [TLS] External PSK importers


> On Oct 30, 2018, at 2:26 AM, Christian Huitema <huitema@huitema.net> wrote:
> 
> On 10/29/2018 9:56 PM, Martin Thomson wrote:
> 
>> You should do something more concrete with the label parameter.  Keep
>> in mind that both client and server need to agree on a use for this,
>> so my initial intuition to put the server identity might not work, but
>> it could be a start.  The problem being that how the client identifies
>> the server might not be something it shares with the server.
> 
> There is also a privacy issue with the external identifiers. For session
> tickets, this is solved by only using a given resume ticket once, but
> that's harder with external PSK.

Christian:

Proclaiming that you have access to a particular external PSK may reveal that you are part of a group.  I do not see a way to completely avoid this because the PSK is input to the key schedule at the very top.  Thus, there is no key that could be used to encrypt it.

The importer described by Chris does provide some obfuscation of the base key identity, but an observer will be able to see each of the key identifiers that are derived, even if they cannot tell which one goes with a particular external PSK.  Padding with bogus key identifiers does not help either as the group membership may be revealed by watching which imported key identifier gets selected by the server.

Russ
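To make the padding argument in the message above concrete, here is an added Python sketch (not code from the thread, the importer draft, or any TLS implementation). It encodes the ClientHello pre_shared_key identity list and the ServerHello selected_identity in the RFC 8446 wire format (binders omitted) and shows what a passive observer can read; the identity strings are constructed placeholders.

```python
import struct

# Wire formats from RFC 8446 section 4.2.11 (binders omitted):
#   ClientHello:  PskIdentity identities<7..2^16-1>
#                 PskIdentity = opaque identity<1..2^16-1>; uint32 obfuscated_ticket_age
#   ServerHello:  uint16 selected_identity
def encode_psk_identities(identities):
    body = b"".join(struct.pack("!H", len(i)) + i + struct.pack("!I", 0)
                    for i in identities)
    return struct.pack("!H", len(body)) + body

def parse_psk_identities(data):
    (total,) = struct.unpack_from("!H", data, 0)
    pos, end, ids = 2, 2 + total, []
    while pos < end:
        (n,) = struct.unpack_from("!H", data, pos)
        pos += 2
        ids.append(data[pos:pos + n])
        pos += n + 4                       # skip obfuscated_ticket_age
    return ids

def encode_selected_identity(index):
    return struct.pack("!H", index)

def observe(client_hello_ext, server_hello_ext):
    """What a passive observer learns from one handshake: every identity
    offered, and the one the server accepted (ServerHello is plaintext)."""
    offered = parse_psk_identities(client_hello_ext)
    (idx,) = struct.unpack("!H", server_hello_ext)
    return offered, offered[idx]

def accepted_over_time(handshakes):
    """Across many observed handshakes, the identities a server ever selects;
    padding identities never show up here, so they hide nothing."""
    return {observe(ch, sh)[1] for ch, sh in handshakes}

# Constructed sample values (not real imported identities).
REAL = b"imported:group-A"
PADDING = [b"imported:pad-1", b"imported:pad-2"]

def sample_handshakes():
    # The client shuffles the real identity among the padding ones on each
    # handshake; the server's selected_identity still points at it every time.
    lists = [[PADDING[0], REAL, PADDING[1]],
             [REAL, PADDING[0], PADDING[1]],
             [PADDING[1], PADDING[0], REAL]]
    return [(encode_psk_identities(ids), encode_selected_identity(ids.index(REAL)))
            for ids in lists]

if __name__ == "__main__":
    print(accepted_over_time(sample_handshakes()))   # {b'imported:group-A'}
```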