IETF Logo Mail Archive

[TLS] Re: [TLS]Consensus call for RFC8773bis Formal Analysis Requirement

Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de> Thu, 07 November 2024 21:13 UTC

Return-Path: <muhammad_usama.sardar@tu-dresden.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E9B5C1ECA84 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2024 13:13:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=tu-dresden.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2JgLwBeLN8R1 for <tls@ietfa.amsl.com>; Thu, 7 Nov 2024 13:13:51 -0800 (PST)
Received: from mailout3.zih.tu-dresden.de (mailout3.zih.tu-dresden.de [141.30.67.74]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B2E4CC1F7D7E for <tls@ietf.org>; Thu, 7 Nov 2024 13:13:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=tu-dresden.de; s=dkim2022; h=In-Reply-To:From:CC:References:To:Subject: MIME-Version:Date:Message-ID:Content-Type:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=4jNgNJZBS7xTjZgBePMIrzVdMJWs0I9QpfXvTCGlVIE=; b=QY5QUzCkLEW2pRbKS11fId/wGw 4BM2trVPlg05/P2ytYDc4udEZLT6YFjDgi1uug3Zet0LsL8GcRnmHAec9d2yxq+k8rjNWDjqZzF/V U2FfAk3ShlyLnMK8t19pWoGYETCgQLolYqb70ntGNbTBjSXEyohbmUGQ3Nx8BjJtlHpuTobX7FBiu oyNfCfIIKecV23xOWmip9iwV7jPOv9w/cjIk2fcKXfeKNUlIkYHWxu9JbVZ05GYH3n/zZvk/TAVMS PKtx6Po81RwtuQt75rsWfoqVUHrJifAx+S+WqsZ7Tfg4Ah4352IVzFjZJLPrdzUmo0vXEur/yU54Y cp0jt7jw==;
Received: from [172.26.35.112] (helo=msx.tu-dresden.de) by mailout3.zih.tu-dresden.de with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <muhammad_usama.sardar@tu-dresden.de>) id 1t99p5-001xiR-Ob; Thu, 07 Nov 2024 22:13:48 +0100
Received: from msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) by MSX-T312.msx.ad.zih.tu-dresden.de (172.26.35.112) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2507.39; Thu, 7 Nov 2024 22:13:43 +0100
Received: from [10.20.6.196] (89.101.156.233) by msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.11; Thu, 7 Nov 2024 22:13:43 +0100
Content-Type: multipart/alternative; boundary="------------r2ubP3WeQRer6TfnJkE7L8C7"
Message-ID: <c1f05eb9-91dd-4e10-bd6e-e395f550362f@tu-dresden.de>
Date: Thu, 07 Nov 2024 21:13:42 +0000
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: tls@ietf.org
References: <CAOgPGoBxoEhVkzb=WYFvNEhN0sKLDLir0qPVSqx_a=Co7dkXgA@mail.gmail.com>
Content-Language: en-US
From: Muhammad Usama Sardar <muhammad_usama.sardar@tu-dresden.de>
In-Reply-To: <CAOgPGoBxoEhVkzb=WYFvNEhN0sKLDLir0qPVSqx_a=Co7dkXgA@mail.gmail.com>
X-ClientProxiedBy: MSX-L311.msx.ad.zih.tu-dresden.de (172.26.34.111) To msx-t422.msx.ad.zih.tu-dresden.de (172.26.35.139)
X-TUD-Virus-Scanned: mailout3.zih.tu-dresden.de
Message-ID-Hash: FSKS2E4EKFOTBCJF5D6X6A5752OAWAQI
X-Message-ID-Hash: FSKS2E4EKFOTBCJF5D6X6A5752OAWAQI
X-MailFrom: muhammad_usama.sardar@tu-dresden.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-tls.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [TLS] Re: [TLS]Consensus call for RFC8773bis Formal Analysis Requirement
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/euIlubnHu6eU-7hg2Qx0hxwQEz8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Owner: <mailto:tls-owner@ietf.org>
List-Post: <mailto:tls@ietf.org>
List-Subscribe: <mailto:tls-join@ietf.org>
List-Unsubscribe: <mailto:tls-leave@ietf.org>

Dear chairs,

I had a short meeting with Russ today and we don't understand 
/precisely/ what the FATT is worried about and therefore why a formal 
analysis is required at all.

Extending CH and SH to negotiate external PSK follows the best current 
practice for extending TLS. Moreover, external PSK (shared out of band) 
instead of zero in the initial handshake can't make security worse. Even 
if external PSK is leaked, it's not worse than a known constant (zero). 
What could possibly go wrong?

I don't see any liaison announced for this draft. So I don't know whom 
to ask for it. Could you please clarify with the FATT exactly which 
property from Appendix E.1 of RFC8446 it thinks might break with this 
draft?

Thanks,

Usama

On 23.08.24 18:30, Joseph Salowey wrote:
> In regard to moving RFC 8773 to standards track the formal analysis 
> triage group has provided input on the need for formal analysis which 
> was posted to the list [1].  The authors have published a revision of 
> the draft [2] to address some of this feedback, however the general 
> sentiment of the triage panel was that there should be some additional 
> symbolic analysis done to verify the security properties of the draft 
> and to verify there is no negative impact on TLS 1.3 security properties.
>
> The formal analysis is to verify the following properties of the 
> proposal in the draft:
>
> - The properties of the handshake defined in Appendix E.1 of RFC8446 
> [3] remain intact if either the external PSK is not compromised or 
> (EC)DH is unbroken.
> - The public key certificate authentication works as in TLS 1.3, and 
> this extension adds the condition that the party has possession of the 
> external PSK. The details of external PSK distribution are outside the 
> scope of this extension.
>
> This is a consensus call for the working group to determine how to 
> proceed between these two options:
>
> 1. Require formal analysis in the symbolic model to verify that the 
> proposal in the document does not negatively impact the security 
> properties of base TLS 1.3 and that the additional security properties 
> cited above are met
> 2. Proceed with publishing the document without additional formal 
> verification
>
> Please respond to the list with a brief reason why you think the 
> document requires formal analysis or not. This call will end on 
> September 16, 2024.
>
> Thanks
>
> Joe, Deirdre, and Sean
>
> [1] https://mailarchive.ietf.org/arch/msg/tls/vK2N0vr83W6YlBQMIaVr9TeHzu4/
> [2] 
> https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls-8773bis-00&url2=draft-ietf-tls-8773bis-02&difftype=--html 
> <https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls-8773bis-00&url2=draft-ietf-tls-8773bis-02&difftype=--html>
> [3] https://www.rfc-editor.org/rfc/rfc8446.html#appendix-E.1
>
> _______________________________________________
> TLS mailing list --tls@ietf.org
> To unsubscribe send an email totls-leave@ietf.org

v2.40.4 | Report a Bug | By Email | System Status