IETF Logo Mail Archive

Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard

Martin Thomson <martin.thomson@gmail.com> Wed, 21 February 2018 23:22 UTC

Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FAA5126DFF; Wed, 21 Feb 2018 15:22:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E7Bsx19qUNF2; Wed, 21 Feb 2018 15:22:37 -0800 (PST)
Received: from mail-oi0-x230.google.com (mail-oi0-x230.google.com [IPv6:2607:f8b0:4003:c06::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2DC451200E5; Wed, 21 Feb 2018 15:22:37 -0800 (PST)
Received: by mail-oi0-x230.google.com with SMTP id a207so2410791oii.10; Wed, 21 Feb 2018 15:22:37 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=V3XN/wm0ZdCCuznVBbHBJIyMwxOGoRXCBJL/ShKaMk8=; b=Zf1SBR4YPN+tGB4rczSUX9YXXDdNfxSxm509DLTpfURxwWtERDoAGs1QZ1P+tmnyGO PqD/YxB4wAgCnXRVWynDr52Iie6zU9Rt3xc/c6UTFdWvCyX3/RkJi0Cn2XMmyYxIPmy6 DxvQh/cBLGwW4JLann76Vq5BfTZXo10cHXPNqWM1jETjdgLXjXlUuPKcPB5eYV4Kl8QR KHjjaAyD8sckc5Jvy5zq5PHcBhTTjf5xjm2sMY3Dj4TyISnmteKWyy4pkKMoElkxI/92 dBZZcqpCi2BKhnMW/yttgeZRMgNYq2wwpRKclTlBJEuZgChwqB1F4K7hFPvZ79LrC5PB ujnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=V3XN/wm0ZdCCuznVBbHBJIyMwxOGoRXCBJL/ShKaMk8=; b=EBKCMYfyJWf9pgHWZLUztNe+ikbFiegIRAtFbEHNnlJE8OViZAV3bg63h1adYY+/r/ 4XgJlnfNkM2owgDG/4GSgLcaCdS4LU0Y882f6ogz9UNjEUfTikDAFscwpD/o8CM3KBKE fqFEFN9APQ1JHg0BjTSNLnAiX7TB+9E5ip9h/4klujB/VoF5d0iOhGrbq2M8kouQIAzJ FznFarYngyuWJ2c8vKBXTRn3sBhCFNbjicEfo6zClKtM4kZzbmv0ZG1tmM5EzYmlcK3f obR7pLrRwMMDE9zTIFRwvyAsfJHWD7xR9SQDN43NM0LZGk25wKyIgEYAenW1Svom537k rXVg==
X-Gm-Message-State: APf1xPAo3o2XkhAVtuhr1px3Wzp45gU8bN42wsXmwJpo/3Kyoy+jlW2J p/nlguu7AjczREqM3FQpy2PGzVpEt0pLAi89Nyg=
X-Google-Smtp-Source: AH8x224COxXA3D9HvmGDuWqTRtxyGxTpWy9k8/UIkyilprJTI5NNHigr9GjOURdgDbSNOvAbrMxptxU3dK8uzzoFmyo=
X-Received: by 10.202.94.196 with SMTP id s187mr932752oib.144.1519255356444; Wed, 21 Feb 2018 15:22:36 -0800 (PST)
MIME-Version: 1.0
Received: by 10.157.16.85 with HTTP; Wed, 21 Feb 2018 15:22:35 -0800 (PST)
In-Reply-To: <CABcZeBOpPW_0=2qfCL4Uc8y8=o8Toj8cVec0=hLUCucUJNwO-w@mail.gmail.com>
References: <151880080195.1349.14035524657942875385.idtracker@ietfa.amsl.com> <1545738.SpB3f87gQo@pintsize.usersys.redhat.com> <CABcZeBOXzXf32JZkOw51JkXz6e_RG5Y+n+XG-9Y=Fb=a-as-CQ@mail.gmail.com> <21708133.DmTAOkxbDk@pintsize.usersys.redhat.com> <CABcZeBOpPW_0=2qfCL4Uc8y8=o8Toj8cVec0=hLUCucUJNwO-w@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Thu, 22 Feb 2018 10:22:35 +1100
Message-ID: <CABkgnnWvXi_wchOBQhj+KFKcvd17YQJO_NV2xLn6SZScVQynsg@mail.gmail.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: Hubert Kario <hkario@redhat.com>, draft-ietf-tls-tls13@ietf.org, "<tls@ietf.org>" <tls@ietf.org>, IETF discussion list <ietf@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/nzn-DYipB4ykdyvlQMfj7__dFo0>
Subject: Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Feb 2018 23:22:39 -0000

I think that the current behavior is fine, but we might add text to
suggest that identities be self-authenticating to avoid this sort of
enumeration.  Note that in common practice, this sort of enumeration
would be over an infeasibly large space, it's only where identities
are more easily enumerable that it becomes an issue (e.g., "ted" as an
identity, rather than a self-encrypted session ticket)

On Thu, Feb 22, 2018 at 1:31 AM, Eric Rescorla <ekr@rtfm.com> wrote:
> i think your general point is sound here, but I'll nitpick the statement
> that
> "if the server recognises an identity but is unable to verify corresponding
> binder".
>
> 1. The server only picks one identity so you if you send A, B, and C and you
> get an abort, you don't know if it recognized one or all.
> 2. The server can *recognize* the identity but ignore it (say it's a ticket
> that's
> too old)
>
> With that said, I think it would probably be safe to say you must ignore an
> identity
> where the binder doesn't validate, but I'd like to hear from cryptographers
> on this
> one.
>
> Thanks,
> -Ekr
>
>
> On Wed, Feb 21, 2018 at 6:26 AM, Hubert Kario <hkario@redhat.com> wrote:
>>
>> On Wednesday, 21 February 2018 15:21:58 CET Eric Rescorla wrote:
>> > On Wed, Feb 21, 2018 at 6:13 AM, Hubert Kario <hkario@redhat.com> wrote:
>> > > On Friday, 16 February 2018 18:06:41 CET The IESG wrote:
>> > > > The IESG has received a request from the Transport Layer Security WG
>> > >
>> > > (tls)
>> > >
>> > > > to consider the following document: - 'The Transport Layer Security
>> > > > (TLS)
>> > > > Protocol Version 1.3'
>> > > >
>> > > >   <draft-ietf-tls-tls13-24.txt> as Proposed Standard
>> > >
>> > > The current draft states that if the server recognises an identity but
>> > > is
>> > > unable to verify corresponding binder, it "MUST abort the handshake"
>> >
>> > Which text are you referring to here?
>>
>> Section 4.2.11:
>>
>>    Prior to accepting PSK key establishment, the server MUST validate
>>    the corresponding binder value (see Section 4.2.11.2 below).  If this
>>    value is not present or does not validate, the server MUST abort the
>>    handshake.  Servers SHOULD NOT attempt to validate multiple binders;
>>    rather they SHOULD select a single PSK and validate solely the binder
>>    that corresponds to that PSK.
>>
>> > -Ekr
>> >
>> > at the same time, they "SHOULD select as single PSK and validate solely
>> > the
>> >
>> > > binder that corresponds to that PSK"
>> > > (Page 60, draft-ietf-tls-tls13-24).
>> > >
>> > > That allows for trivial enumeration of externally established
>> > > identities -
>> > > the
>> > > attacker just needs to send to the server a list of identity guesses,
>> > > with
>> > > random data as binders, if the server recognises any identity it will
>> > > abort
>> > > connection, if it doesn't, it will continue to a non-PSK handshake.
>> > >
>> > > Behaviour like this is generally considered a vulnerability:
>> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
>> > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
>> > >
>> > > I was wondering if the document shouldn't recommend ignoring any and
>> > > all
>> > > identities for which binders do not verify to prevent this kind of
>> > > attack.
>> > > --
>> > > Regards,
>> > > Hubert Kario
>> > > Senior Quality Engineer, QE BaseOS Security team
>> > > Web: www.cz.redhat.com
>> > > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
>> > > _______________________________________________
>> > > TLS mailing list
>> > > TLS@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/tls
>>
>>
>> --
>> Regards,
>> Hubert Kario
>> Senior Quality Engineer, QE BaseOS Security team
>> Web: www.cz.redhat.com
>> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
>
>

v2.23.0 | Report a Bug | By Email