IETF Logo Mail Archive

Re: [TLS] Distinguishing between external/resumption PSKs

Mohit Sethi M <mohit.m.sethi@ericsson.com> Fri, 20 September 2019 08:07 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6749C1200A1 for <tls@ietfa.amsl.com>; Fri, 20 Sep 2019 01:07:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TF_d1BysrlKw for <tls@ietfa.amsl.com>; Fri, 20 Sep 2019 01:07:33 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50052.outbound.protection.outlook.com [40.107.5.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 54AF0120026 for <tls@ietf.org>; Fri, 20 Sep 2019 01:07:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TMX9bgwBuF9tUk8sC+4LGr866t/PuOVUGFZW3PV+wou6ZGLft5QHr1NA0Q5oS56MLHYQC8dHZAlvBpedj6KUpegFVtWF7JE+p+D/G2CpqeuL+g/2TRhUHqM9HaNO2pCbTva8bFscwKLVFEe+7Xz/TvyI1Gj4FaCS6Id1zOLnasEAxWs6GExZOQ/jQXubnqKPtXX+azHOwDilYPKi3QYpTL5MeojcUoOW3UN78fTGf/9jqNIfPxUWZuMlE8nqRJFE/33ojCqEZOKsEYQXx7vRcT5d7HADJKwuy+bRrTZyZ20bAYkuaEuAZbGXxzm8nEwoHYeOoBhLCRoVNw3eRlj49A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dUIyo5Rrz5QkkVAREmqRfOIBL0trWew521GM7TQ6l30=; b=N93fwbIheX9TS6Y5k49V8NBPi/6kFDOCpbxDN/EyyzesKLRJ7HhvmlvLWZ3PYdPoMZN9qcV9+IlNnJt0KVWqmRnFmsJv5n8e9vIs75pP0DnvKC+U7UmxG3CJZ865q9uJr9HnxL3Ik8ghZQxdK5w1xcAdjgzvwtKx4vHBiNEqB+bfv2tOweBiX7XZCWW6Irs0ytKejIOTqNRPozrVU1ipgiIeNpvXIIgakN/gIIaCmW9ION+alAbTCxvK0vmYpskhl7G5rSnNRQSVi/N1X9yOl/Pdjg3tNU3ssMVFrCBrCbidvBBs4K4FkGHt5AiBD1h7A0cWf/vHTubXJK/7EXNGQA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dUIyo5Rrz5QkkVAREmqRfOIBL0trWew521GM7TQ6l30=; b=iGZ/rF3OSOkPCC/psVHEdXZXsF2kpx8nL+m5khgInG6eWV3QA1+Sf1FrNr6H/FCLg0BoOdwSNNRnpwNdslVolTbJXBrYurgGCQ5WsWrVhB0CwGLGtiDUmFD8qIWnjVl1ukBpdw8UbDo+rAeYlToWr4Hj9UdMwYLAbEY29QccQJI=
Received: from HE1PR0701MB2905.eurprd07.prod.outlook.com (10.168.98.146) by HE1PR0701MB2489.eurprd07.prod.outlook.com (10.168.128.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.16; Fri, 20 Sep 2019 08:07:30 +0000
Received: from HE1PR0701MB2905.eurprd07.prod.outlook.com ([fe80::758a:12ec:c6d:e8a9]) by HE1PR0701MB2905.eurprd07.prod.outlook.com ([fe80::758a:12ec:c6d:e8a9%10]) with mapi id 15.20.2284.009; Fri, 20 Sep 2019 08:07:30 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Richard Barnes <rlb@ipv.sx>, Nico Williams <nico@cryptonector.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Distinguishing between external/resumption PSKs
Thread-Index: AQHVb4pynq4nVGKsdEudyk+AkgsC1w==
Date: Fri, 20 Sep 2019 08:07:30 +0000
Message-ID: <9a201702-50ca-7df2-74dc-f301218d677f@ericsson.com>
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs3aQxM3kxa3khOYbj8naXfcaPmSOKY01nAsuAyfEWYkzg@mail.gmail.com> <CAL02cgT73q0iOj=7fMsneQwjAFFDnSYM92MhV0adSfU2qOCurQ@mail.gmail.com> <CACykbs2=e9LvnvvU=zOWuzqeU4aYXOA3SPWBwQGyPcW6QjrSkA@mail.gmail.com> <CAL02cgSuFGNd26TS8bNbjhh+YEYVbAH5TQBneeLNyouZemAZXw@mail.gmail.com> <DDFDB072-63F6-4B52-9F64-56772910515D@huitema.net> <20190919183539.GB5002@localhost> <CAL02cgRdeP6noogLiVXzthKGMNGq7gyFhPKqHGQCsrACg9Cs5A@mail.gmail.com> <20190919214851.GC5002@localhost> <CAL02cgQXGdq06YkU-0kqcybbCmZT33diW+d09ZMKyKEqNo_uzQ@mail.gmail.com>
In-Reply-To: <CAL02cgQXGdq06YkU-0kqcybbCmZT33diW+d09ZMKyKEqNo_uzQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mohit.m.sethi@ericsson.com;
x-originating-ip: [2001:14bb:140:1eed:81cd:56e6:4ad9:98e5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 82421c9a-652a-484c-1d0c-08d73da1959d
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600167)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR0701MB2489;
x-ms-traffictypediagnostic: HE1PR0701MB2489:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <HE1PR0701MB2489ADC2F407F29D3CBB97A6D0880@HE1PR0701MB2489.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0166B75B74
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(376002)(366004)(39860400002)(346002)(396003)(53754006)(189003)(199004)(229853002)(31696002)(6436002)(99286004)(6116002)(54896002)(86362001)(6306002)(36756003)(25786009)(71200400001)(71190400001)(6486002)(316002)(58126008)(8936002)(110136005)(81166006)(14454004)(81156014)(31686004)(966005)(4326008)(65806001)(8676002)(76116006)(2906002)(66946007)(64756008)(66446008)(7736002)(486006)(66476007)(66556008)(65956001)(478600001)(186003)(76176011)(11346002)(446003)(2616005)(6246003)(606006)(6506007)(53546011)(14444005)(102836004)(46003)(236005)(256004)(5660300002)(476003)(6512007); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2489; H:HE1PR0701MB2905.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 2poKN9EmQ0KsOFbJrEL653OMEWtnwBMN1eFuKFwTidIPFq5gqpZ2UBmDn/HmgPCdJAf84PjxR2vF2z9PFm1rLn1oOcdfb/LNmzrcnhpMlLsZKpBOBdromFc27KktsPqBEBELyEXUhaTtlD972CblCOqA5yRmgL2BlJxdqfK5Ta3sjgrlttZ2DtbkJlE1fBOfkaT97nPjEd5/w08YJFOngeEoqZt3EWwslbDup7fuTX/NIfxk1gkxCjwM2iwxjMmyDMYzqyUsAdZ4wcLCbPp109gm7rUpP6hvqX/HP9zh4PdRxbGUnL/ZXrsQXtq9OxaSRX5clk0pt+2CNxbYltfsjRI6ckSfVTfsv+h293wKuA8Icc+UkVYAGYKqVCIVzDkXw2Irn9b5gvTUKVcmRUhZnVosoLjK3evOPnKoRlY6cPs=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_9a20170250ca7df274dcf301218d677fericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 82421c9a-652a-484c-1d0c-08d73da1959d
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Sep 2019 08:07:30.4615 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QeE0OjNtNBL7kDhtbQ/5qaxjBj0Gep2P7ECNXcqFAgdRmwW3PDUa0EWY/tUk7sBa+V8u+fGB89b+VlAj8SV1rZAWEKtQ3u0gg0m3457eZlY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2489
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ix62dFyyYpAQak_b2UpVwJeKHu4>
Subject: Re: [TLS] Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Sep 2019 08:07:37 -0000

Hi all,

Thanks Owen for starting this discussion. For some context, the EMU working group is currently working on a document titled "Using EAP-TLS with TLS 1.3": https://tools.ietf.org/html/draft-ietf-emu-eap-tls13-06

There has been recent discussion in the working group on whether EAP-TLS should support PSKs for the initial authentication. The current text says "Pre-Shared Key (PSK) authentication SHALL NOT be used except for resumption.".

As Richard points out, there is a distinction between "the server". Almost all EAP-TLS implementations use existing cryptographic libraries which handle the resumption PSK and PskIdentity. However, it is not clear (to me) who would set the PSKIdentity for the initial authentication. Should it be left to the application logic (in this case the EAP server)?

Do we care about PSKIdentity collisions? As Jonathan points out, having several PSKs with the same identity may require trial decryption and that can go wrong in several ways.

Chrisitian Huitema rightly points out that having free from PSKIdentity is good from a privacy perspective as an attacker cannot distinguish between initial authentication and resumption. However, if the server first has to lookup the resumption PSKs table before checking for any matching external PSKs, the timing information would leak that nonetheless.

Should a server issue NewSessionTickets when the original authentication itself was based on PSK? It would be nice to prevent tracking based on PSKIdentity.

We (or at least I) could certainly benefit with some more guidance from the TLS working group on this topic.

--Mohit

On 9/20/19 1:03 AM, Richard Barnes wrote:
On Thu, Sep 19, 2019 at 5:49 PM Nico Williams <nico@cryptonector.com<mailto:nico@cryptonector.com>> wrote:
On Thu, Sep 19, 2019 at 04:57:17PM -0400, Richard Barnes wrote:
> I don't think anyone's asking for these cases to be differentiable on the
> wire.  The question is whether the *server* can differentiate, in
> particular, the application running on the server.

And the answer to that one is "yes", because the server has control over
the PSK IDs.

That glosses over an important distinction made up-thread: When we say "the server", there is typically a distinction between the TLS stack and the server application logic.  Resumption PSKs are typically controlled by the TLS stack, while external PSKs are provided by the application logic.  The question is how the application logic, when presented with a session authenticated under a given PSK ID, can distinguish whether the PSK used was one provided by the TLS stack for resumption, or provided by the application logic.

--Richard



_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email