[TLS] Universal PSKs
David Benjamin <davidben@chromium.org> Thu, 14 June 2018 19:46 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91DAF130EE0 for <tls@ietfa.amsl.com>; Thu, 14 Jun 2018 12:46:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.25
X-Spam-Level:
X-Spam-Status: No, score=-9.25 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.249, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RIxR9tMsyBbn for <tls@ietfa.amsl.com>; Thu, 14 Jun 2018 12:46:41 -0700 (PDT)
Received: from mail-qt0-x22c.google.com (mail-qt0-x22c.google.com [IPv6:2607:f8b0:400d:c0d::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 73376130E79 for <tls@ietf.org>; Thu, 14 Jun 2018 12:46:41 -0700 (PDT)
Received: by mail-qt0-x22c.google.com with SMTP id i18-v6so6953546qtp.12 for <tls@ietf.org>; Thu, 14 Jun 2018 12:46:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=3NJ7UQsEUIj4YqLWqhT4JHYh34BlcQvA53TFyVnPv94=; b=OD1z+OIXIdgdeKYgWEbxzGj08O2kSugAJM8/hxsgUwvmBVnpd7tKHNtVe0lTycJTW5 Uxi6019Kx14IVntCspem/bgIU76/8ubw2wUTdijpf8/bvEiB/mw5DaTxbm0ONsExGFxL VAuArw2L0W0Jmc2Ex9Ho2AjZclYaG3c5lU62k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=3NJ7UQsEUIj4YqLWqhT4JHYh34BlcQvA53TFyVnPv94=; b=hTAOt8NiT9uCQzofsfb+5ISbX0LX55JychBa9dWaLoq7IYpTefivJw2kq4LwBkdwuZ 9Kt2cD6yW35CTsW2QhImu1fAKK27tjrgFAjZ5w7dMGDV1X2GFKus/sLDyyf/QsxQs7Ok FwAT5xn27l78BmSNqDEtH7Z7s458PP93uO7RAR6i1ifAsSa5eO+hFU7liGS1fswZig8G Jkfptb2tC3PEsE0YRsw+1XzRujyvUdnBBNnNy4wrSLhZ1TPgo4Hhkb1GHyRzbtA5Xe6a eZbzdI33A9PRYBAtE9v/UxyiRmmfwlyAS1GW14zpHpbESlx0w3sirQi1LwcWG7kIdFS5 wx8A==
X-Gm-Message-State: APt69E0COifeaKiWQed2y66ZjFg7pG6ozN6XJkn2ikhdTgWYxUJIqfo3 cMFBl+fmM032fb4g5rrcuHSIOmWC5wsyCMi2xCe9p84=
X-Google-Smtp-Source: ADUXVKKBCDMADyH9Osyk4DbdaNsTNgPRzUH94k6JYG8Rb3ImWPpMAgKx/oKpkZa5uJuU72wpowk1Rp2G6peykaQ7cds=
X-Received: by 2002:a0c:8ab1:: with SMTP id 46-v6mr3707744qvv.147.1529005600035; Thu, 14 Jun 2018 12:46:40 -0700 (PDT)
MIME-Version: 1.0
From: David Benjamin <davidben@chromium.org>
Date: Thu, 14 Jun 2018 15:46:27 -0400
Message-ID: <CAF8qwaB3GH8WbXD=snEwjA==Jx02gtWejyNTXXO6nVW0Cp1YHA@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a6ef7e056e9f5b38"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/kfz1RGByOxE3Sf0eLsYs8Le2xn4>
Subject: [TLS] Universal PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jun 2018 19:46:44 -0000
Hey all, So TLS 1.2 has a mechanism for PSKs. We attempted to mirror it in TLS 1.3 via the external PSK mechanism, repurposing the resumption flow. But the security proof requires PSKs be associated with a specific hash for key separation. We use distinguishing labels in the key schedule, but if that key is fed into a completely different KDF, analysis must additionally consider interactions between the KDFs. The hash constraint, however, makes it difficult to actually use external PSKs in applications. Usually the TLS stack and its configuration evolves somewhat independently from the calling application. But now the PSK provisioning process must short-circuit part of the TLS parameter negotiation, despite it likely being implemented in a separate library altogether. This is a leaky abstraction. It also complicates server parameter selection. We've found the cleanest algorithm is selecting the cipher suite first, and then ignoring the PSKs that don't match. This is simple and avoids weird behavior if a session is renewed across preference changes. However, this only works for resumption PSK: if the session mismatches, a full handshake is always an option. With external PSKs, the application usually expects the PSK to be mandatory. Finally, some libraries (e.g. OpenSSL) already TLS 1.2 PSK APIs and wish to transparently upgrade to TLS 1.3. The specification does not explicitly say if a TLS 1.2 PSK may be used directly as a TLS 1.3 PSK and I believe some implementations are doing that. However that violates TLS 1.3's key separation assumptions in the same way as mixing hashes: the TLS 1.2 PRF is not the same as HKDF. It's a bit late to completely redo external PSKs in 1.3, but I believe we can fix this in a separate draft. The draft below proposes "universal PSKs" which derive independent hash- and version-specific secrets for TLS 1.3 (and later) as needed. For existing TLS 1.2 PSKs, it includes a compatibility derivation to go from TLS 1.2 PSKs to universal PSKs. (Thanks to Karthikeyan Bhargavan, Matt Caswell, Eric Rescorla, and Victor Vasiliev for discussions which led to this design. Any mistakes in it are mine.) Thoughts? If the WG likes this design, I would suggest: - Most folks who want to use TLS 1.3 with external PSKs should probably design their protocols to provision universal PSKs instead, after it stabilizes. - Folks who want to use TLS 1.3 with existing TLS 1.2 PSKs should use the compatibility derivation in this draft, after it stabilizes. - Folks who want to ship TLS 1.3 before then and have a TLS 1.2 PSK API should not use the 1.2 PSK as a 1.3 PSK. For now, just turn TLS 1.3 off by default if that API is used and, in a future release, use the compatibility derivation after it stabilizes. - If it's not too late to clarify whether TLS 1.3 believes whether PSKs are version-specific, it would be good to do that. David PS: Looking over the draft now, I see I mixed up some of the RFC 4279 and RFC 5246 citations. I'll fixed that in the next iteration. ---------- Forwarded message --------- From: <internet-drafts@ietf.org> Date: Thu, Jun 14, 2018 at 3:21 PM Subject: New Version Notification for draft-davidben-tls-universal-psk-00.txt To: David Benjamin <davidben@google.com> A new version of I-D, draft-davidben-tls-universal-psk-00.txt has been successfully submitted by David Benjamin and posted to the IETF repository. Name: draft-davidben-tls-universal-psk Revision: 00 Title: Universal PSKs for TLS Document date: 2018-06-14 Group: Individual Submission Pages: 7 URL: https://www.ietf.org/internet-drafts/draft-davidben-tls-universal-psk-00.txt Status: https://datatracker.ietf.org/doc/draft-davidben-tls-universal-psk/ Htmlized: https://tools.ietf.org/html/draft-davidben-tls-universal-psk-00 Htmlized: https://datatracker.ietf.org/doc/html/draft-davidben-tls-universal-psk Abstract: This document describes universal PSKs (Pre-Shared Keys) for TLS. Universal PSKs abstract the TLS 1.3 requirement that each PSK can only be used with a single hash function. This allows PSKs to be provisioned without depending on details of the TLS negotiation, which may change as TLS evolves. Additionally, this document describes a compatibility profile for using TLS 1.3 with PSKs provisioned for the TLS 1.2 PSK mechanism. Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. The IETF Secretariat
- Re: [TLS] Universal PSKs Ilari Liusvaara
- Re: [TLS] Universal PSKs Jonathan Hoyland
- Re: [TLS] Universal PSKs Nikos Mavrogiannopoulos
- Re: [TLS] Universal PSKs Jonathan Hoyland
- Re: [TLS] Universal PSKs Hubert Kario
- Re: [TLS] Universal PSKs Nikos Mavrogiannopoulos
- Re: [TLS] Universal PSKs Nikos Mavrogiannopoulos
- Re: [TLS] Universal PSKs Nikos Mavrogiannopoulos
- Re: [TLS] Universal PSKs Jonathan Hoyland
- Re: [TLS] Universal PSKs Benjamin Kaduk
- Re: [TLS] Universal PSKs Jonathan Hoyland
- Re: [TLS] Universal PSKs Ilari Liusvaara
- Re: [TLS] Universal PSKs David Benjamin
- Re: [TLS] Universal PSKs Jonathan Hoyland
- Re: [TLS] Universal PSKs Salz, Rich
- Re: [TLS] Universal PSKs David Benjamin
- Re: [TLS] Universal PSKs Matt Caswell
- Re: [TLS] Universal PSKs Nikos Mavrogiannopoulos
- Re: [TLS] Universal PSKs Hubert Kario
- [TLS] Universal PSKs David Benjamin