Re: [TLS] [DTLS]: how to handle unknown identity and bad psk ?
Simon Bernard <contact@simonbernard.eu> Thu, 26 April 2018 09:31 UTC
Return-Path: <contact@simonbernard.eu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C757612420B for <tls@ietfa.amsl.com>; Thu, 26 Apr 2018 02:31:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HzXw9L-BRZzw for <tls@ietfa.amsl.com>; Thu, 26 Apr 2018 02:31:52 -0700 (PDT)
Received: from 10.mo178.mail-out.ovh.net (10.mo178.mail-out.ovh.net [46.105.76.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7DCC126579 for <tls@ietf.org>; Thu, 26 Apr 2018 02:31:52 -0700 (PDT)
Received: from player728.ha.ovh.net (unknown [10.109.108.48]) by mo178.mail-out.ovh.net (Postfix) with ESMTP id 91D031188A for <tls@ietf.org>; Thu, 26 Apr 2018 11:31:50 +0200 (CEST)
Received: from [10.41.51.106] (134.163-14-84.ripe.coltfrance.com [84.14.163.134]) (Authenticated sender: contact@simonbernard.eu) by player728.ha.ovh.net (Postfix) with ESMTPSA id 5BB56540098; Thu, 26 Apr 2018 11:31:43 +0200 (CEST)
To: Eric Rescorla <ekr@rtfm.com>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <e36279ab-2ac7-3ab6-a1b6-d1fac2b0aa79@simonbernard.eu> <CABcZeBNf+svJCN8LpkF0c_rkOAhsCSjheK8ms1qkFvpZgafrNA@mail.gmail.com>
From: Simon Bernard <contact@simonbernard.eu>
Message-ID: <de812f93-f579-956a-42d1-1d2cf104c8f8@simonbernard.eu>
Date: Thu, 26 Apr 2018 11:31:32 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBNf+svJCN8LpkF0c_rkOAhsCSjheK8ms1qkFvpZgafrNA@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------07139250823B819C74864B97"
Content-Language: en-US
X-Ovh-Tracer-Id: 11278702319763732721
X-VR-SPAMSTATE: OK
X-VR-SPAMSCORE: 0
X-VR-SPAMCAUSE: gggruggvucftvghtrhhoucdtuddrgedtgedrleefgddukecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfqggfjpdevjffgvefmvefgnecuuegrihhlohhuthemuceftddtnecu
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/orVJzXVef5d1KQ8qcO1pGyynO10>
Subject: Re: [TLS] [DTLS]: how to handle unknown identity and bad psk ?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Apr 2018 09:31:57 -0000
Eric, thx a lot for your answer. We are discussing a lot about that with our community and there is still no consensus ... So I come back to you to have clearer information to help us to make the good decision. Using DTLS with PSK over UDP, without re-negotiation allowed : - Is there known security issue about sending the same alert for both "unknown identity" and "bad_psk"(invalid record for handshake message) ? "Discarding records aims to preserve current association", if we are able to preserve current association using : - no renegotiation allowed, - send alert for invalid record only for handshake record and if we have an ongoing handshake, - In cases where a server believes it has an existing association on a given host/port quartet and it receives an epoch=0 ClientHello, destroy the existing association only if the client has demonstrated reachability by completing a cookie exchange. Should it be OK ? Thx again for your time. Simon Le 06/04/2018 à 19:26, Eric Rescorla a écrit : > > > On Fri, Apr 6, 2018 at 10:16 AM, Simon Bernard > <contact@simonbernard.eu <mailto:contact@simonbernard.eu>> wrote: > > Hi, > > We are implementing DTLS with PSK over UDP and I would like to > know how "unknown identity" and "bad psk" should be handled > > Pre-Shared Key Ciphersuites for Transport Layer Security (TLS) says : > (https://tools.ietf.org/html/rfc4279#section-2 > <https://tools.ietf.org/html/rfc4279#section-2>) > > > If the server does not recognize the PSK identity, it MAY respond > > with an "unknown_psk_identity" alert message. Alternatively, > if the > > server wishes to hide the fact that the PSK identity was not > known, > > it MAY continue the protocol as if the PSK identity existed > but the > > key was incorrect: that is, respond with a "decrypt_error" alert. > > In TLS the safer way seems to send a "decrypt_error" alert for both. > > But in DTLS : > https://tools.ietf.org/html/rfc6347#section-4.1.2.7 > <https://tools.ietf.org/html/rfc6347#section-4.1.2.7> > > > In general, invalid records > > SHOULD be silently discarded, thus preserving the association; > > however, an error MAY be logged for diagnostic purposes. > > Implementations which choose to generate an alert instead, MUST > > generate fatal level alerts to avoid attacks where the attacker > > repeatedly probes the implementation to see how it responds to > > various types of error. Note that if DTLS is run over UDP, > then any > > implementation which does this will be extremely susceptible to > > denial-of-service (DoS) attacks because UDP forgery is so easy. > > Thus, this practice is NOT RECOMMENDED for such transports. > > Is this record layer recommendation for all type of record ? even > HANDSHAKE(22) record (and so FINISHED message) or is it mainly for > APPLICATION_DATA(23) record ? > > Is it acceptable to send fatal alert "decrypt_error" in DTLS or > should we just ignore bad credentials silently ? > > > Hi Simon, > > The advice in 4279 is basically "make an unknown identity look like a > bad key". So the idea would be to just randomize the key and then get > the TLS or DTLS-type behavior. I.e., with TLS you would send > decrypt_error and in DTLS the handshake would just stall because you > would drop packets. > > -Ekr > > -- > Simon > > _______________________________________________ > TLS mailing list > TLS@ietf.org <mailto:TLS@ietf.org> > https://www.ietf.org/mailman/listinfo/tls > <https://www.ietf.org/mailman/listinfo/tls> > >
- [TLS] [DTLS]: how to handle unknown identity and … Simon Bernard
- Re: [TLS] [DTLS]: how to handle unknown identity … Eric Rescorla
- Re: [TLS] [DTLS]: how to handle unknown identity … Kraus Achim (INST/ECS4)
- Re: [TLS] [DTLS]: how to handle unknown identity … Simon Bernard
- Re: [TLS] [DTLS]: how to handle unknown identity … Jim Schaad