Re: [TLS] Distinguishing between external/resumption PSKs

Jonathan Hoyland <jonathan.hoyland@gmail.com> Thu, 19 September 2019 21:16 UTC

From: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Date: Thu, 19 Sep 2019 22:16:13 +0100
Message-ID: <CACykbs2STXaZH9XU+ev=t1=yq_7HOcQsqe0pu-nbwab9xvaL1A@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
Cc: Nico Williams <nico@cryptonector.com>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hTCQNWnqCSELJ957aQr3_oUE6KA>

On Thu, 19 Sep 2019 at 21:57, Richard Barnes <rlb@ipv.sx> wrote:

> I don't think anyone's asking for these cases to be differentiable on the
> wire.  The question is whether the *server* can differentiate, in
> particular, the application running on the server.
>
> --Richard
>
Exactly. I hope it's not controversial that the TLS server knows what's
going on / what it's agreeing to. The specific restriction I was suggesting
is that a server shouldn't accept multiple PSKs with the same PSK_ID.
That would require the server to do things like trial decryption, and has
so many ways it could go wrong. The PSK Importer draft is designed to make
it easy to take a single PSK and PSK_ID and diversify them safely.
Using one PSK_ID for multiple PSKs has no benefits and lots of risks.

Regards,

Jonathan


>
> On Thu, Sep 19, 2019 at 2:36 PM Nico Williams <nico@cryptonector.com>
> wrote:
>
>> On Thu, Sep 19, 2019 at 08:06:26AM -1000, Christian Huitema wrote:
>> > There is also a privacy angle. From a privacy point of view, it is
>> > very nice that PSK cannot be distinguished from session resumption.
>>
>> This.
>>
>> PSK is the right way to, for example, integrate Kerberos into TLS 1.3
>> now.  But it's no eavesdropper's business whether a session used
>> Kerberos for setup or resumption tickets.
>>
>> Nico
>> --
>>
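
The restriction discussed in this message (one PSK per PSK_ID, with separate uses diversified from a single PSK rather than sharing an identity), sketched as an added example that is not code from the thread or from the PSK Importer draft. The names `PskStore`, `diversify` and `toy_binder` are hypothetical; the derivation is a simplified HKDF-based stand-in, not the draft's exact construction, and the binder is a plain HMAC placeholder for the TLS 1.3 binder computation.

```python
import hashlib
import hmac


class DuplicatePskIdentity(Exception):
    """A second PSK was offered for an identity that is already bound."""


def hkdf_sha256(ikm: bytes, info: bytes) -> bytes:
    """HKDF (RFC 5869) with a zero salt and one 32-byte output block."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def diversify(psk_id: bytes, psk: bytes, context: bytes):
    """Derive a distinct (identity, key) pair per context from one PSK.

    Simplified stand-in for importer-style derivation: the new identity
    is a length-prefixed encoding of (psk_id, context), and the new key
    is bound to that identity through the HKDF info input.
    """
    new_id = b"".join(len(p).to_bytes(2, "big") + p for p in (psk_id, context))
    return new_id, hkdf_sha256(psk, b"diversified psk" + new_id)


def toy_binder(psk: bytes, transcript: bytes) -> bytes:
    """Placeholder for the TLS 1.3 binder: an HMAC over the transcript."""
    return hmac.new(psk, transcript, hashlib.sha256).digest()


class PskStore:
    """Server-side table holding exactly one PSK per identity."""

    def __init__(self):
        self._by_id = {}

    def register(self, psk_id: bytes, psk: bytes) -> None:
        if psk_id in self._by_id:
            raise DuplicatePskIdentity(psk_id.hex())
        self._by_id[psk_id] = psk

    def verify(self, psk_id: bytes, transcript: bytes, binder: bytes) -> bool:
        # One lookup, one MAC check: no loop over candidate keys.
        psk = self._by_id.get(psk_id)
        if psk is None:
            return False
        return hmac.compare_digest(toy_binder(psk, transcript), binder)
```

Because the identity selects a single key, `verify` never needs to try several candidates, and a provisioning mistake that reuses an identity fails at `register` instead of at handshake time.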