[TLS] Review of draft-ietf-tls-tls13-cert-with-extern-psk-00
Yoav Nir <ynir.ietf@gmail.com> Mon, 25 March 2019 21:08 UTC
Return-Path: <ynir.ietf@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5F07120856 for <tls@ietfa.amsl.com>; Mon, 25 Mar 2019 14:08:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2LGt2gEl7PHf for <tls@ietfa.amsl.com>; Mon, 25 Mar 2019 14:08:30 -0700 (PDT)
Received: from mail-wr1-x435.google.com (mail-wr1-x435.google.com [IPv6:2a00:1450:4864:20::435]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D38291200D6 for <tls@ietf.org>; Mon, 25 Mar 2019 14:08:28 -0700 (PDT)
Received: by mail-wr1-x435.google.com with SMTP id j9so11869702wrn.6 for <tls@ietf.org>; Mon, 25 Mar 2019 14:08:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:subject:message-id:date:to; bh=hpVwe0okitYURALuTX+9g7Gcv3VpIRqOnU0xZ68Oc34=; b=LGsQ1Iu761XzLD4p9RHdF6oCqwEn/+5nLGgYV/FOkuvWykT8ABigWWFPTwQhUOG1rw ljo1/xzH4iKBxU1AUNRZH36JHqyhkCi7PVIYAFV0r4KahMhcIYQdEYLuZ/CqIKp8yGyk FQHF7cx1iM4B/88+K9oTBO8LBCjURXymApF37D9rc9M4BcIjNjfsfX2ZzvlSYn2nSINK BgpsIAHv+woLRjIPlyUbVLK18qSHS76V9TRY4xhZtdPtsh+c4qvodo+I4/PgoBYALT92 pRQmriHHTicujyUnhH8Hwt6y4SVvasMykA1CunA1De10aUvrCHneGJI7Tf+4szEZzrfo IWMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:subject:message-id:date:to; bh=hpVwe0okitYURALuTX+9g7Gcv3VpIRqOnU0xZ68Oc34=; b=a3y0EZWIFizkjVMb3Rj3jHHI2v381trBn32lXXFPpfHLQAw3fguyz3/XJulCeTG0hK ebuDqfqAj9I+R3ys2dUmwYSyvBAZVH/VoqJ/3YA7Rte+vDe259YZ8UCqotE8ZJVPJaFd 3Zy2v5BLqstETXnqZ9poxDOR7hzsCtGcbzaIcUGJOBlO8WjpWzRCOlxjWr7yhg/xfBBS hYqyVIFoH+gmswJDzeLDigkyTbMQ8kcZ8GbR7hpmkn5uFEwzWg85H2XijpwQUSyx0vXL QURiJFQfDKlgpFt5kEjeX6NiZcgHYhH2sBJKRPXdHzDaqd4vMtHWUf86eZ2TV0kX59Hq s0jg==
X-Gm-Message-State: APjAAAWkEaoDX6s4WNB/GhZHXOD0TO+DYPMDQYpk3CsDHnQvXaVHeyWY aJk1DTCQ3uZDFSpc8ikyZ7G/oHA5
X-Google-Smtp-Source: APXvYqxd0ZNxjbSTk7n4ypJOztHJhgINzVbTmg5mzh3AOzUCzqq3s64s6qegL+mNgr1TyHJywGCEgg==
X-Received: by 2002:a5d:6681:: with SMTP id l1mr18062394wru.186.1553548106721; Mon, 25 Mar 2019 14:08:26 -0700 (PDT)
Received: from [10.96.4.243] (94-74-228-155.client.rionet.cz. [94.74.228.155]) by smtp.gmail.com with ESMTPSA id f20sm40387493wrg.91.2019.03.25.14.08.18 for <tls@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 25 Mar 2019 14:08:25 -0700 (PDT)
From: Yoav Nir <ynir.ietf@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E02B4F15-95C5-418B-B6C5-67852E53250A"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Message-Id: <468BB192-0359-4B96-AC37-B0927EA317E8@gmail.com>
Date: Mon, 25 Mar 2019 22:08:10 +0100
To: "<tls@ietf.org>" <tls@ietf.org>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/oScGGLWZc6PgAOmp52XelhBUvFY>
Subject: [TLS] Review of draft-ietf-tls-tls13-cert-with-extern-psk-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 21:08:34 -0000
Hi. I’ve read this draft. For the most part it seems fine, but I have a few editorial nits: Abstract: I realize that all of section 3 is dedicated to motivation, but there really needs to be something in the abstract. Otherwise, I’m reading “authenticate with a combination of a certificate and an external pre-shared key” and wondering why you would want to use a certificate at all if you’ve managed to get a PSK between the client and the server. It needs at least something like “... in order to facilitate post-quantum forward secrecy.” at the end. Section 1 (Introduction): The Introduction contains the following text: "The TLS 1.3 ... provides two mutually exclusive forms of server authentication... Second, the server can be authenticated by demonstrating that it possesses a pre-shared key (PSK) that was established by a previous handshake.” This flatly says that all PSKs in TLS 1.3 are established by a previous handshake, and that is not true. The very next sentence calls these “resumption PSKs” and describes other PSKs called “external PSKs”. So these external PSKs are part of TLS 1.3, so the above sentence is incorrect. Section 3 (Motivation and Design Rationale): The section describes the threat to forward secrecy of a future large-scale quantum computer. Then the third paragraph says this: "In the near-term, this document describes [a] TLS 1.3 extension to protect today's communications from the future invention of a large-scale quantum computer by providing a strong external PSK as an input to the TLS 1.3 key schedule while preserving the authentication provided by the existing certificate and digital signature mechanisms.” It is not obvious to me that adding an external PSK to the TLS 1.3 key schedule protects against a large-scale quantum computer. The IPsecME draft specifying the same thing ( https://tools.ietf.org/html/draft-ietf-ipsecme-qr-ikev2 ) has such rationale in the Introduction, in the Security Considerations section, and in Appendix A. I think this document needs some similar text as well. Section 5 (Certificate with External PSK Extension): There’s a lot of stuff repeated here from RFC 8446: The extensions structure, including its fields The rules for a server responding with an extension (only if the ClientHello contained it) The rules for a repeated ClientHello following a HelloRetryRequest The PreSharedKeyExtension from RFC 8446. The rules for handling an extension that appears in the wrong message. I don’t believe repeating this information adds clarity. Section 7 (Security Considerations): The fifth paragraph says the following: Implementations must choose external PSKs with a secure key management technique, such as pseudo-random generation of the key or derivation of the key from one or more other secure keys. The use of inadequate pseudo-random number generators (PRNGs) to generate external PSKs can result in little or no security. An attacker may find it much easier to reproduce the PRNG environment that produced the external PSKs and searching the resulting small set of possibilities, rather than brute force searching the whole key space. The generation of quality random numbers is difficult. [RFC4086] offers important guidance in this area. That’s fine, but I’m missing the required length of such a PSK. I believe the text should say “at least 256 randomly-generated bits” Yoav