Re: [TLS] TLS 1.3, Raw Public Keys, and Misbinding Attacks

"Tschofenig, Hannes" <hannes.tschofenig@siemens.com> Tue, 16 April 2024 09:30 UTC

From: "Tschofenig, Hannes" <hannes.tschofenig@siemens.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
Thread-Topic: TLS 1.3, Raw Public Keys, and Misbinding Attacks
Date: Tue, 16 Apr 2024 09:30:48 +0000
Message-ID: <AS8PR10MB7427BE068D9472C465A7392EEE082@AS8PR10MB7427.EURPRD10.PROD.OUTLOOK.COM>
References: <GVXPR07MB9678DFD1EED3971606FB3DE6893B2@GVXPR07MB9678.eurprd07.prod.outlook.com>
In-Reply-To: <GVXPR07MB9678DFD1EED3971606FB3DE6893B2@GVXPR07MB9678.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lM3rbtxknBRiGL5nVKHwHJSw9kE>
Subject: Re: [TLS] TLS 1.3, Raw Public Keys, and Misbinding Attacks

Hi John,

I missed this email exchange and I largely agree with what has been said by others before.

I disagree with your conclusion since the “identity” in the raw public key case is the public key.
With the self-signed certificate there would be the danger that the self-asserted identity in the certificate is actually used for anything.

Ciao
Hannes


From: TLS <tls-bounces@ietf.org> On Behalf Of John Mattsson
Sent: Thursday, March 28, 2024 4:22 PM
To: TLS@ietf.org
Subject: [TLS] TLS 1.3, Raw Public Keys, and Misbinding Attacks

Hi,

I looked into what RFC 8446(bis) says about Raw Public Keys. As correctly stated in RFC 8446, TLS 1.3 with signatures and certificates is an implementation of SIGMA-I:

SIGMA does, however, require that the identities of the endpoints (called A and B in [SIGMA]) are included in the messages. This is not true for TLS 1.3 with RPKs, and TLS 1.3 with RPKs is therefore not SIGMA. TLS 1.3 with RPKs is vulnerable to what Krawczyk’s SIGMA paper calls misbinding attacks:

“This attack, to which we refer as an “identity misbinding attack”, applies to many seemingly natural and intuitive protocols. Avoiding this form of attack and guaranteeing a consistent binding between a session key and the peers to the session is a central element in the design of SIGMA.”

“Even more significantly we show here that the misbinding attack applies to this protocol in any scenario where parties can register public keys without proving knowledge of the corresponding signature key.”

As stated in Appendix E.1, at the completion of the handshake, each side outputs its view of the identities of the communicating parties. One of the TLS 1.3 security properties is “Peer Authentication”, which says that the client’s and server’s view of the identities match. TLS 1.3 with RPKs does not fulfill this unless the out-of-band mechanism to register public keys proved knowledge of the private key. RFC 7250 does not say anything about this either.

I think this needs to be clarified in RFC8446bis. The only reason to ever use an RPK is in constrained IoT environments. Otherwise a self-signed certificate is a much better choice. TLS 1.3 with self-signed certificates is SIGMA-I.

It is worrying to find comments like this:

“I'd like to be able to use wireguard/ssh-style authentication for my app. This is possible currently with self-signed certificates, but the proper solution is RFC 7250, which is also part of TLS 1.3.”
https://github.com/openssl/openssl/issues/6929

RPKs are not the proper solution.

(Talking about misbinding, does RFC 8446 say anything about how to avoid selfie attacks where an entity using PSK authentication ends up talking to itself?)

Cheers,
John Preuß Mattsson

[SIGMA] https://link.springer.com/chapter/10.1007/978-3-540-45146-4_24
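The scenario the two messages argue about, as an added illustration (example code written for this page; it is not from either message, from RFC 7250, or from RFC 8446): a client authenticates with a raw public key, the server verifies CertificateVerify against that key, and the application then asks an out-of-band registry who owns the key. The registry, the names alice/bob/eve, the CertificateVerify context string and the schoolbook secp256k1 Schnorr code are all assumptions of the example; the curve arithmetic is not constant-time and exists only so the block runs offline without third-party packages. Run once with a registry that accepts keys without proof of possession and once with a registry that demands a signature by the registered key over the (name, key) binding.

```python
"""Toy model of RPK authentication plus an out-of-band key registry, with and without
proof of possession.  Example code for this page; not from RFC 7250/8446 or the posters."""
import secrets
from hashlib import sha256

# secp256k1 parameters. Schoolbook, non-constant-time arithmetic: demonstration only.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None:
        return b if a is None else a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):  # double-and-add
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def dec(raw):
    return (int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big"))

def keygen():
    d = secrets.randbelow(N - 1) + 1
    return d, enc(ec_mul(d, G))          # (private scalar, raw public key bytes)

def sign(d, msg):  # Schnorr: R = kG, e = H(R || pub || msg), s = k + e*d mod N
    k = secrets.randbelow(N - 1) + 1
    r = enc(ec_mul(k, G))
    e = int.from_bytes(sha256(r + enc(ec_mul(d, G)) + msg).digest(), "big") % N
    return r + ((k + e * d) % N).to_bytes(32, "big")

def verify(pub, msg, sig):
    r, s = sig[:64], int.from_bytes(sig[64:], "big")
    e = int.from_bytes(sha256(r + pub + msg).digest(), "big") % N
    return ec_mul(s, G) == ec_add(dec(r), ec_mul(e, dec(pub)))

class Registry:
    """Out-of-band 'name -> raw public key' directory (assumed here; RFC 7250 specifies
    no registration mechanism).  Several names may claim one key, which is exactly the
    precondition of the misbinding attack quoted from the SIGMA paper."""

    def __init__(self, require_pop):
        self.require_pop = require_pop
        self.entries = []                           # (name, rpk)

    def register(self, name, rpk, pop=None):
        binding = b"pop:" + name.encode() + rpk      # what a registrant must sign
        if self.require_pop and not (pop and verify(rpk, binding, pop)):
            return False                            # no proof of holding the private key
        self.entries.append((name, rpk))
        return True

    def names_for(self, rpk):
        return sorted(n for n, k in self.entries if k == rpk)

CONTEXT = b"TLS 1.3, client CertificateVerify"      # assumed context string

def rpk_client_auth(client_priv, client_rpk, server_rpk):
    """Client authentication with a raw public key: Certificate carries only the key and
    CertificateVerify signs the transcript, which covers both keys.  Returns the key the
    server has authenticated, i.e. the peer identity as TLS itself sees it."""
    transcript = sha256(b"ClientHello|ServerHello|" + server_rpk + b"|" + client_rpk).digest()
    cert_verify = sign(client_priv, CONTEXT + transcript)
    if not verify(client_rpk, CONTEXT + transcript, cert_verify):   # server-side check
        raise ValueError("CertificateVerify failed")
    return client_rpk

def demo(require_pop):
    """Returns (did Eve's registration succeed, who the server thinks holds the key)."""
    registry = Registry(require_pop)
    alice_priv, alice_rpk = keygen()
    _bob_priv, bob_rpk = keygen()
    registry.register("alice", alice_rpk, sign(alice_priv, b"pop:alice" + alice_rpk))
    # Eve registers Alice's key under her own name; she cannot sign a PoP, so she sends none.
    eve_ok = registry.register("eve", alice_rpk)
    authenticated_key = rpk_client_auth(alice_priv, alice_rpk, bob_rpk)
    assert authenticated_key == alice_rpk            # TLS layer: peer == holder of this key
    return eve_ok, registry.names_for(authenticated_key)

if __name__ == "__main__":
    print(demo(require_pop=False))   # (True, ['alice', 'eve']): Bob cannot tell Alice from Eve
    print(demo(require_pop=True))    # (False, ['alice'])
```

The handshake itself behaves identically in both runs: the signature over the transcript binds the session to the holder of alice_rpk, which is the "identity is the public key" view. The two runs differ only in what the server learns when it maps that key to a name. Without proof of possession the registry returns both alice and eve, so the server's view of the peer no longer matches the client's; requiring a PoP at registration time makes Eve's entry fail and restores the match.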