[TLS] Universal PSKs

David Benjamin <davidben@chromium.org> Thu, 14 June 2018 19:46 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 91DAF130EE0 for <tls@ietfa.amsl.com>; Thu, 14 Jun 2018 12:46:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.25
X-Spam-Status: No, score=-9.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id RIxR9tMsyBbn for <tls@ietfa.amsl.com>; Thu, 14 Jun 2018 12:46:41 -0700 (PDT)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73376130E79 for <tls@ietf.org>; Thu, 14 Jun 2018 12:46:41 -0700 (PDT)
Received: by mail-qt0-x22c.google.com with SMTP id i18-v6so6953546qtp.12 for <tls@ietf.org>; Thu, 14 Jun 2018 12:46:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=3NJ7UQsEUIj4YqLWqhT4JHYh34BlcQvA53TFyVnPv94=; b=OD1z+OIXIdgdeKYgWEbxzGj08O2kSugAJM8/hxsgUwvmBVnpd7tKHNtVe0lTycJTW5 Uxi6019Kx14IVntCspem/bgIU76/8ubw2wUTdijpf8/bvEiB/mw5DaTxbm0ONsExGFxL VAuArw2L0W0Jmc2Ex9Ho2AjZclYaG3c5lU62k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=3NJ7UQsEUIj4YqLWqhT4JHYh34BlcQvA53TFyVnPv94=; b=hTAOt8NiT9uCQzofsfb+5ISbX0LX55JychBa9dWaLoq7IYpTefivJw2kq4LwBkdwuZ 9Kt2cD6yW35CTsW2QhImu1fAKK27tjrgFAjZ5w7dMGDV1X2GFKus/sLDyyf/QsxQs7Ok FwAT5xn27l78BmSNqDEtH7Z7s458PP93uO7RAR6i1ifAsSa5eO+hFU7liGS1fswZig8G Jkfptb2tC3PEsE0YRsw+1XzRujyvUdnBBNnNy4wrSLhZ1TPgo4Hhkb1GHyRzbtA5Xe6a eZbzdI33A9PRYBAtE9v/UxyiRmmfwlyAS1GW14zpHpbESlx0w3sirQi1LwcWG7kIdFS5 wx8A==
X-Gm-Message-State: APt69E0COifeaKiWQed2y66ZjFg7pG6ozN6XJkn2ikhdTgWYxUJIqfo3 cMFBl+fmM032fb4g5rrcuHSIOmWC5wsyCMi2xCe9p84=
X-Google-Smtp-Source: ADUXVKKBCDMADyH9Osyk4DbdaNsTNgPRzUH94k6JYG8Rb3ImWPpMAgKx/oKpkZa5uJuU72wpowk1Rp2G6peykaQ7cds=
X-Received: by 2002:a0c:8ab1:: with SMTP id 46-v6mr3707744qvv.147.1529005600035; Thu, 14 Jun 2018 12:46:40 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Thu, 14 Jun 2018 15:46:27 -0400
Message-ID: <CAF8qwaB3GH8WbXD=snEwjA==Jx02gtWejyNTXXO6nVW0Cp1YHA@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a6ef7e056e9f5b38"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kfz1RGByOxE3Sf0eLsYs8Le2xn4>
Subject: [TLS] Universal PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2018 19:46:44 -0000

Hey all,

So TLS 1.2 has a mechanism for PSKs. We attempted to mirror it in TLS 1.3
via the external PSK mechanism, repurposing the resumption flow. But the
security proof requires PSKs be associated with a specific hash for key
separation. We use distinguishing labels in the key schedule, but if that
key is fed into a completely different KDF, analysis must additionally
consider interactions between the KDFs.

The hash constraint, however, makes it difficult to actually use external
PSKs in applications. Usually the TLS stack and its configuration evolves
somewhat independently from the calling application. But now the PSK
provisioning process must short-circuit part of the TLS parameter
negotiation, despite it likely being implemented in a separate library
altogether. This is a leaky abstraction.

It also complicates server parameter selection. We've found the cleanest
algorithm is selecting the cipher suite first, and then ignoring the PSKs
that don't match. This is simple and avoids weird behavior if a session is
renewed across preference changes. However, this only works for resumption
PSK: if the session mismatches, a full handshake is always an option. With
external PSKs, the application usually expects the PSK to be mandatory.

Finally, some libraries (e.g. OpenSSL) already TLS 1.2 PSK APIs and wish to
transparently upgrade to TLS 1.3. The specification does not explicitly say
if a TLS 1.2 PSK may be used directly as a TLS 1.3 PSK and I believe some
implementations are doing that. However that violates TLS 1.3's key
separation assumptions in the same way as mixing hashes: the TLS 1.2 PRF is
not the same as HKDF.

It's a bit late to completely redo external PSKs in 1.3, but I believe we
can fix this in a separate draft. The draft below proposes "universal PSKs"
which derive independent hash- and version-specific secrets for TLS 1.3
(and later) as needed. For existing TLS 1.2 PSKs, it includes a
compatibility derivation to go from TLS 1.2 PSKs to universal PSKs.

(Thanks to Karthikeyan Bhargavan, Matt Caswell, Eric Rescorla, and Victor
Vasiliev for discussions which led to this design. Any mistakes in it are

Thoughts? If the WG likes this design, I would suggest:

- Most folks who want to use TLS 1.3 with external PSKs should probably
design their protocols to provision universal PSKs instead, after it

- Folks who want to use TLS 1.3 with existing TLS 1.2 PSKs should use the
compatibility derivation in this draft, after it stabilizes.

- Folks who want to ship TLS 1.3 before then and have a TLS 1.2 PSK API
should not use the 1.2 PSK as a 1.3 PSK. For now, just turn TLS 1.3 off by
default if that API is used and, in a future release, use the compatibility
derivation after it stabilizes.

- If it's not too late to clarify whether TLS 1.3 believes whether PSKs are
version-specific, it would be good to do that.


PS: Looking over the draft now, I see I mixed up some of the RFC 4279 and
RFC 5246 citations. I'll fixed that in the next iteration.

---------- Forwarded message ---------
From: <internet-drafts@ietf.org>
Date: Thu, Jun 14, 2018 at 3:21 PM
Subject: New Version Notification for
To: David Benjamin <davidben@google.com>

A new version of I-D, draft-davidben-tls-universal-psk-00.txt
has been successfully submitted by David Benjamin and posted to the
IETF repository.

Name:           draft-davidben-tls-universal-psk
Revision:       00
Title:          Universal PSKs for TLS
Document date:  2018-06-14
Group:          Individual Submission
Pages:          7

   This document describes universal PSKs (Pre-Shared Keys) for TLS.
   Universal PSKs abstract the TLS 1.3 requirement that each PSK can
   only be used with a single hash function.  This allows PSKs to be
   provisioned without depending on details of the TLS negotiation,
   which may change as TLS evolves.  Additionally, this document
   describes a compatibility profile for using TLS 1.3 with PSKs
   provisioned for the TLS 1.2 PSK mechanism.

Please note that it may take a couple of minutes from the time of submission
until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat