IETF Logo Mail Archive

Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3

Ilari Liusvaara <ilariliusvaara@welho.com> Sat, 25 March 2017 13:52 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C3D712441E for <tls@ietfa.amsl.com>; Sat, 25 Mar 2017 06:52:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cSuEGYYBXV_s for <tls@ietfa.amsl.com>; Sat, 25 Mar 2017 06:52:21 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id B2063126DFB for <tls@ietf.org>; Sat, 25 Mar 2017 06:52:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id 02D431EEE4; Sat, 25 Mar 2017 15:52:19 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id 2yG0aigCubxy; Sat, 25 Mar 2017 15:52:18 +0200 (EET)
Received: from LK-Perkele-V2 (87-92-51-204.bb.dnainternet.fi [87.92.51.204]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id B1500C4; Sat, 25 Mar 2017 15:52:18 +0200 (EET)
Date: Sat, 25 Mar 2017 15:52:17 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Eric Rescorla <ekr@rtfm.com>, IETF TLS <tls@ietf.org>
Message-ID: <20170325135217.GA19918@LK-Perkele-V2.elisa-laajakaista.fi>
References: <0DA64421-5975-4B7E-BC08-7428AFA9D1A1@vigilsec.com> <CAF8qwaB8+o20QP71=zuCJ2EXt9EGFuLcn4s6es=gjnOccZE9fQ@mail.gmail.com> <9D8BEE12-49F9-4DE3-81C7-909CB114805F@vigilsec.com> <1b678d65-b146-b25f-c1ad-6dfc044f7ce0@akamai.com> <CABkgnnXfw45-R-Tvf2cZQGb4a5mas2yZRXT4q3ArRyTMSF9x2Q@mail.gmail.com> <733EE968-69EF-43A5-A39B-F016993A3CCD@vigilsec.com> <949EBD4E-613B-4B36-BD93-FDE3E4D4926F@vigilsec.com> <CAF8qwaA5ntF8iN99=tQyFt7dqucvcKNw9avgVRGJRmGu-3UswA@mail.gmail.com> <CABcZeBNXu==kGd63OdF07WEqcFiD0qd0aL=KQqKY23Y75XfewA@mail.gmail.com> <141723AB-B4E4-4233-8C35-C720E4A7FE0C@vigilsec.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <141723AB-B4E4-4233-8C35-C720E4A7FE0C@vigilsec.com>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jqnob7zb3QUts7xK9SFTWmEkyzE>
Subject: Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 25 Mar 2017 13:52:24 -0000

On Fri, Mar 24, 2017 at 12:16:48PM -0400, Russ Housley wrote:
> 
> > I agree with David here. Specifically, I think.
> > 
> > - The base specification should continue to forbid certificates in combination with PSK
> > - We should at some point contemplate an extension that allows the use of certificates in combination with PSK
> > - The base spec should be factored in such a way as to make that extension easy.
> 
> While I agree that we do not want to delay the TLS 1.3 specification
> to sort this out; however, I do not think we have provided the hook
> to make this future extension easy.   Looking at the key schedule in
> -19, I think we can provide the hook without being disruptive.  My
> goal is to minimize the pain to implementing the extension in the
> future by putting a straightforward hook in today:

Unless you have fairly good idea about how such extension would look
(especially security properties!), I think it is premature to specify
where the key will go (if it doesn't go there, you got problems).

At least from what I know about my implementation, adding new keys
to be injected in present spots is easy (after one has computed
the value, it is one method call to inject it). Actually changing
what keys are derived from each stage or creating new stages is of
course expensive.

Currently, there are three stages in key schedule.
- 0-RTT (Binders, 0-RTT keys and 0-RTT exporters).
- Handshake (handshake keys, finished)
- Application (application keys, exporters and dynamic PSKs).


In comparision, new handshake message would be far more expensive
code-wise, even if I could piggyback main handshake states like with
CertificateRequest. And something that actually changes the main
state machine would be far more expensive still.


And extension specs are only really bound by TLS offer-answer
rules. The rest is matter of how difficult the extensions are
actually to implement, and how much security problems they
have...



-Ilari

v2.23.0 | Report a Bug | By Email