Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

[Nikos Mavrogiannopoulos <nmav@redhat.com>]

On Fri, 2018-07-20 at 02:38 -0700, Eric Rescorla wrote:
> > 
> > > This is somewhat timely, as if we do want to introduce a
> > restriction,
> > > it
> > > would ideally be in the form of some text in the TLS 1.3
> > > specification,
> > > which is very nearly done.
> > > 
> > > It would be good to hear more opinions on this question,
> > particularly
> > > from those who have worked on the formal verification directly.
> > > 
> > > If I can attempt to summarize some discussion that occurred in
> > the
> > > mic
> > > line today, Hannes was surprised that we would care, likening
> > this
> > > case
> > > to the regular version negotiation, where we are happy to use the
> > > same
> > > certificate to sign messages for both TLS 1.2 and 1.3.  David
> > > Benjamin
> > > points out that we explicitly go to the trouble of putting 64
> > bytes
> > > of
> > > 0x20 padding at the front of the content that gets signed for
> > > CertificateVerify, to enforce separation between the TLS
> > versions.
> > > 
> > > My own personal opinion is that we should enforce a domain
> > separation
> > > between TLS 1.2 PSKs and TLS 1.3 PSKs; David Benjamin's
> > "Universal
> > > PSKs"
> > > proposal seems like a potential mechanism by which to do so
> > without
> > > doubling the provisioning needs.
> > 
> > I think the same rules should apply for PSK and RSA/ECDSA/EdDSA
> > keys. 
> > There is no inherent difference between the two keys types. I could
> > have deployed TLS with PKI or TLS with PSK. I should be able to
> > upgrade
> > protocols the same way.
> > 
> > If RSA keys can be re-used between TLS1.2 and TLS1.3, then so
> > should
> > PSK keys. The current document specifically allows that re-use, and
> > if
> > you fear that the current document did not take cross-protocol
> > attacks
> > in mind during design, then let's fix that instead.
> 
> The issue is not cross-protocol attacks; it's the reuse of PSKs with
> different KDFs, which we don't have any analysis for

I understand, but as I have already mentioned that argument also
applies for RSA keys which can be used e.g., for RSA encryption under
TLS1.2 and for RSA-PSS signatures under TLS1.3. ECDSA keys can be used
with multiple hashes under TLS1.2 while only one under TLS1.3.
TLS 1.3 did not enforce protocol separation for that ugly scenario, so
I wouldn't expect the treatment of PSKs differently.

Said that, I want to clarify that I wouldn't necessarily object to an
improvement the situation for externally established PSKs. The issue I
see is that TLS1.3 already gives a "good enough" solution with re-using 
the key, and I'm afraid we're going to have interoperation issues if
some implementations move to universal psks and some do not, defeating
the purpose of a standard.

regards,
Nikos