Re: [TLS] Selfie attack

Mohit Sethi M <> Tue, 08 October 2019 09:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 6A868120164 for <>; Tue, 8 Oct 2019 02:55:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 21YkQ8SBh6sh for <>; Tue, 8 Oct 2019 02:55:42 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 448AF120144 for <>; Tue, 8 Oct 2019 02:55:41 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=mcJr5qgfzx+FVdvOtMDliTRJepo6z+tcAb76wQB5IGIcxbN2qIeNOR11XZ5IdpMVS5nuzOe5GKBwqAOjsWGpguLnqi8ys0csAdgLxAa3uBhSsS+fJ4tPtajsA2vhzXL4KR/zg/F8JaEsrrLpfMGXnNDenKNc7QnGgBkmHgLlXKiy11bO7agfTFadRiC0/P27melX4gEHEbaDCpm8eZfdsNyOu06FzzATWs710ezVaGrKtSXgzQ++MAF4F3vvRnYpPJq9ecGP55hClnaVkAMLTw8oHwiz36T49VXOlJTemOs/QrFdQr01nLPKfatLcPmxl9uW7smLLCAN0UBt37Mplg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mFZawpdWrtbBPvZvFAs7vQu180W9xaB7QAAR59pYKPk=; b=m0KUgXOZU6fU8L280pLgBnIm5cVvRYhMcjROUloYBEo6Q917VwyzvOQLVTvD9eHUJWTe2YdlNSxNXl/hnUR6VXjyb5WulC7L/OEWLzqIODWiUbxCvRkevq0RJXsCt7GTixvMprAhxd+XNtI/M9NaJZl5+x2grDBBHnqmZwrQ9chXeA6nJLLM0ZdXGKMTNUCYnndecxTk36qAdJLNPx5b+oy6DFQTc1cmYzrgipeN2yN6BEEL5V7TJ986nrdYcZ+iNcZ9opD1equR86T/Jk1NCB0KlzVmIh2j/NPkGyvObpH1y9NahrGQ+o7A21loJWs2Pp94qUsfF8H02PYG0EiujQ==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=mFZawpdWrtbBPvZvFAs7vQu180W9xaB7QAAR59pYKPk=; b=aWc4IF4KymWR9sDtd1OWRDGEkGxvIBLzXdTQzxIi1iLO3aMzdAflGhzofhn7iSAr25LSJ3cGK6qtO/rDPbc55k1AHT8Lw5wbnfka6C9I6milUyhmuxiA/IqCcnH1AZcyWeyAFm446nMvNRlqPvY5peNweyWeroAduDwXusza6eU=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.13; Tue, 8 Oct 2019 09:55:38 +0000
Received: from ([fe80::758a:12ec:c6d:e8a9]) by ([fe80::758a:12ec:c6d:e8a9%10]) with mapi id 15.20.2305.023; Tue, 8 Oct 2019 09:55:38 +0000
From: Mohit Sethi M <>
To: Christopher Wood <>, "" <>
Thread-Topic: [TLS] Selfie attack
Thread-Index: AQHVfb6JZ9ydCGu6h0WNgLEAne6JUw==
Date: Tue, 8 Oct 2019 09:55:37 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
authentication-results: spf=none (sender IP is );
x-originating-ip: [2001:14bb:140:26ac:193b:4683:69c6:f65d]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a8ab00c8-e04b-4460-da38-08d74bd5abe5
x-ms-traffictypediagnostic: HE1PR0701MB2298:
x-ms-exchange-purlcount: 7
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 01842C458A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(39860400002)(366004)(396003)(136003)(346002)(53754006)(13464003)(189003)(199004)(66446008)(476003)(486006)(186003)(102836004)(7736002)(76116006)(53546011)(31696002)(6506007)(66946007)(54896002)(236005)(6306002)(8936002)(6512007)(64756008)(66556008)(66476007)(446003)(11346002)(86362001)(46003)(6486002)(8676002)(6436002)(65806001)(65956001)(25786009)(2616005)(81166006)(81156014)(36756003)(14444005)(256004)(229853002)(31686004)(99286004)(6246003)(58126008)(6116002)(2906002)(110136005)(316002)(2501003)(5660300002)(14454004)(76176011)(478600001)(71200400001)(71190400001)(606006)(966005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2298;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: z2wsi3jq8llg0Qg/7MKTEtsjUY0ZQruLI/hvBo69w9MUrDqIhrBnNJ9d6obUJnRega3iAZpAEOlpQW1whGBd+QzIpLLLvdfmr6mNUofJLvpsDuTFZOdpFr+aCsnbXNr1/89QYTGYCAfWGBh4N/OIgMrovqm+mEumoCc+p4TkZ7rmAkTnOrj47SOmhmnhyPJ5/H6tKtYpBru1ZrJ78gUCwXZHrpMSE2pOpryOJgooezxNgmoeal3oS+cfiBg+lC2YAU4AHRQq3VROUMBcQtDK65yFFvmbTo4NW8/6iYK7M0XHXO8lfVqU/wAh5sKpvnNKeN7Zd7oUurmToddKaP+8uN5EHBnadUFFF+cmY//DRC2jbBL7rTlOB+k2zstflyKXa07ZKjIVjKzs6v+wDBbs1dQoXYyS4BotegBoDkfPbrKs3eaK+GijI9FypX5x1M1EVnEY/PV3LQSGgw6vGGYprg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_a0c560b08bcad843dac857c90c0488deericssoncom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: a8ab00c8-e04b-4460-da38-08d74bd5abe5
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Oct 2019 09:55:37.9039 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: /+kISdDXByPltUqLKCZGtvLnkrmYcstedgtD5O6SNMeELhcnAOtM84quUNNlAC71v0SaBaCl85yWX4TOpiv8Mgqv3+32Gz40u5hd5d5WDPY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2298
Archived-At: <>
Subject: Re: [TLS] Selfie attack
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 08 Oct 2019 09:55:45 -0000

Hi Chris,

For the benefit of the list, let me summarize that the selfie attack is only relevant where multiple parties share the same PSK and use the same PSK for outgoing and incoming connections. These situations are rather rare, but I accept that TLS is widely used (and sometimes misused) in many places.

The Selfie attack only happens when an entity with the PSK acts maliciously. So I think the fact that you write in the draft: "each node must be trusted not to impersonate another node's role" does not take into account that there must be a malicious node for the selfie attack to happen in the first place.

Drucker and Gueron's paper recommends that "every participating party gets (during the setup of the network) a unique identity" and "the client and the server must verify the validity of the claimed identities.". The reality however is that in most group PSK scenarios, the nodes don't have any strong identities that can be verified.

What you should instead (or additionally) say in the text is that a node should check that the client_mac and server_mac (or any other identities used) are never the same. Without this check, the selfie attack would still be possible. And at least this does not require strong identity verification for preventing selfie attacks.


On 10/5/19 2:41 PM, Christopher Wood wrote:

Hi Feng,

For what it's worth, the latest version of the PSK importers draft includes a "context" field into which identity information can be fed:


On Tue, Sep 24, 2019, at 9:19 AM, Hao, Feng wrote:

Hi John,

Reflection attacks are indeed older, but the selfie attack is a bit
different. It's actually a variant of the unknown key share attack. A
typical example of the UKS attack is the one reported on MQV by Kaliski
in 2001 (see "An unknown key-share attack on the MQV key agreement
protocol" in ACM TISSEC 2001). In that example, the adversary plays
message between two users to cause confusion in the identity, but in
Selfie, the adversary plays message with only one user and uses another
instance of the user to cause confusion in the identity. When we
reported this variant of UKS in [3], we were not aware of anything like
that in the literature.


On 24/09/2019, 16:17, "John Mattsson" <><> wrote:


    I think these reflection attacks are much older than this. I quick
search for reflection attack security protocol gives a lot of old
results, The description of reflection attack in the following lecture
material from 2009 looks just like the "selfie attack" on TLS 1.3

    With multiple sections there are other things that change as well.
If two nodes unintentionally initiate simultaneous ClientHello to each
other, even if they only want a single secure connection (I have seen
live systems where this happens in practice), an attacker can select
which ClientHello to block (e.g. the one with the strongest
cryptographic parameters). The following security property would then
no longer hold :

      "Downgrade protection:  The cryptographic parameters should be the
          same on both sides and should be the same as if the peers had been
          communicating in the absence of an attack"

    (I have not looked at what the definitions in [BBFGKZ16] say).


    -----Original Message-----
    From: TLS <><> on behalf of "Hao, Feng"
    Date: Tuesday, 24 September 2019 at 16:09
    To: Mohit Sethi M <><>,
"Owen Friel (ofriel)" <><>, Jonathan Hoyland
    Cc: ""<> <><>
    Subject: Re: [TLS] Selfie attack was Re: Distinguishing between
external/resumption PSKs

        On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M"
< on behalf of><> wrote:

            Hi all,

            On the topic of external PSKs in TLS 1.3, I found a
publication on the
            Selfie attack:

            Perhaps this was already discussed on the list. I thought
that sharing
            it again wouldn't hurt while we discuss how servers
distinguish between
            external and resumption PSKs.

        I just read the paper with interest. It occurs to me that the
selfie attack is consistent with the "impersonation attack" that we
reported on SPEKE in 2014; see Sec 4.1 [1] and the updated version with
details on how SPEKE is revised in ISO/IEC 11770-4 [2]. The same attack
can be traced back to 2010 in [3] where a "worm-hole attack" (Fig. 5,
[3]) is reported on the self-communication mode of HMQV. The essence of
these attacks is the same: Bob tricks Alice into thinking that she is
talking to authenticated Bob, but she is actually talking to herself.
In [3], we explained that the attack was missed from the "security
proofs" as the proofs didn't consider multiple sessions.

        The countermeasure we proposed in [1-3] was to ensure the user
identity is unique in key exchange processes: in case of multiple
sessions that may cause confusion in the user identity, an extension
should be added to the user identity to distinguish the instances. The
underlying intuition is that one should know "unambiguously" whom they
are communicating with, and perform authentication based on that. The
discovery of this type of attacks and the proposed solution are
inspired by the "explicitness principle" (Ross Anderson and Roger
Needham, Crypto'95), which states the importance of being explicit on
user identities and other attributes in a public key protocol; also see
[3]. I hope it might be useful to people who work on TLS PSK.


        TLS mailing list<>

TLS mailing list<>

TLS mailing list<>