IETF Logo Mail Archive

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

Karthikeyan Bhargavan <karthik.bhargavan@gmail.com> Fri, 27 July 2018 13:43 UTC

Return-Path: <karthik.bhargavan@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3241130EC5 for <tls@ietfa.amsl.com>; Fri, 27 Jul 2018 06:43:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eFKclkT1IEnB for <tls@ietfa.amsl.com>; Fri, 27 Jul 2018 06:43:06 -0700 (PDT)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 374C8127598 for <tls@ietf.org>; Fri, 27 Jul 2018 06:43:06 -0700 (PDT)
Received: by mail-qk0-x22a.google.com with SMTP id z74-v6so3268417qkb.10 for <tls@ietf.org>; Fri, 27 Jul 2018 06:43:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=/USKlVlxM7fzhmcGftio79IABy6hk9ZDrRYvGPvvARM=; b=K4qF86KDfkzfcBD3IHKy7uxYvsJJP3VuTSaLFRzzBCxU4W6qRI2orSCWT/LgvREzd4 Ffg6xfRQd2J25ByA41X3f5tKw1kZPcwt9sEgDSjKrRMsqQlL5oO2VfsKYAHz9juYkFKQ whPuvbG7wv5XHc/C4V8tgY0dmakKtHr9c7GS/kJZwohszbpN6Fm0Rwi6WOILxc0JbIJZ udldbCZGyKzp7EF2RTJURKi0DQQfBcl+HCJ7M9JsrqPS2fR3l/JHMq7teeIdEd6EX6Rb EXgGEkLzdzAaW+CK8ZWaH8qf19IaEzvjbdx/tsUG7Kj8vkeovCUPRfJIrXsF4egdriKY bgJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=/USKlVlxM7fzhmcGftio79IABy6hk9ZDrRYvGPvvARM=; b=AG6P3gqtvvJxoejKjW/IesKBCEDsHb4n6ZO9KXtmL1EiPOuTkoQVQj9AwJ1V9wksLG eCy25QwOL+XCq7oB2NAIVCno5TB92YCyCcpE31bmsA3k3eqRZhy9NlSMKSdQuGlmk1lw JVrptcUjPK7gmDK17Ah1a/jbVPMsJwKwfppGFfHatVg3F+bQiZYH736lWMA6P/xFr2cN asAeaDSxfW42JhSntkO0+ZYGSY8acwKep4yZtRn7ZuBZIv4hFBa/KksmEbxPYcgnEPaY j3D/9yKVsgc6wnriH0Dntn+UeynPQ2L/96iOzH35C9pjzxp1/eIFuaUh1jCnBi+JS6Ui B6Bw==
X-Gm-Message-State: AOUpUlFTe8U9otl+Cu89ZMbxcSOgXMMs8Vm2p+KzAUTkSQz8JsKf0q5Q W7GM250ZfcaeaPcHyOzDYiuoTjud
X-Google-Smtp-Source: AAOMgpdRpYNdt92HsEbK7zfD5RAk6zqkmQCyFjTmag8kqiZZRzaLJ74nZZtBNLct0Lz8Ty7ehi1Yjg==
X-Received: by 2002:a37:86:: with SMTP id t6-v6mr5835587qkg.443.1532698985138; Fri, 27 Jul 2018 06:43:05 -0700 (PDT)
Received: from [192.168.1.28] ([71.181.119.27]) by smtp.gmail.com with ESMTPSA id v41-v6sm3117575qtk.70.2018.07.27.06.43.04 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 27 Jul 2018 06:43:04 -0700 (PDT)
From: Karthikeyan Bhargavan <karthik.bhargavan@gmail.com>
Message-Id: <A8DCFB30-FF57-4FDA-80F7-F68A7DE4315E@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2B595C65-118E-4432-ABA9-F8FB593B2143"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\))
Date: Fri, 27 Jul 2018 09:43:03 -0400
In-Reply-To: <CABcZeBO=LnxybFq2uog3UYoGgnb0KiE3oG=hGY5UWYauOtwMBw@mail.gmail.com>
Cc: Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org>, "<tls@ietf.org>" <tls@ietf.org>
To: Eric Rescorla <ekr@rtfm.com>
References: <20180719230009.GD14551@akamai.com> <CABcZeBO=LnxybFq2uog3UYoGgnb0KiE3oG=hGY5UWYauOtwMBw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.9.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/p-mTHWwd8sThxHT97PTvt3jcrvE>
Subject: Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 13:43:10 -0000

> As with Universal PSKs (UPSKs), each input key is a triplet of
> (BaseIdentity, BaseKey, KDF), where a BaseIdentity is a PSK identity
> as used today. To use a UPSK, an implementation takes the set of KDF
> hashes it knows about H_i and derives a set of PSKs

To be clear, you’re suggesting that the KDF  attached to an input key could be different from the KDF used within TLS 1.3 itself.
E.g. the KDF here could use HKDF-SHA256 whereas H_i and the hash function in the TLS 1.3 cipher suite could be SHA-384 or whatever, is that correct?

The nice feature of this imported PSK is that it is then completely outside the model of TLS, its just a way of provisioning multiple independent TLS PSKs, where each TLS PSK can presumably only be used with one hash algorithm (and one protocol version?)
If so, this should compose nicely with existing TLS proofs.

-Karthik




> 
>   Hash_i: H_i
>   Identity_i: BaseIdentity || H_i
>   Key_i: Derived from BaseKey and Identity_i
> 
> This gives you a set of keys which you can offer simultaneously on the
> TLS connection in independent psk_identity blocks. (Note that the hash
> algorithm is what differentiates each derived key.) This is a bit
> ugly, but with the current TLS 1.3 ciphers, this basically just means
> SHA-256, but even in the worst case it’s probably only 2-3.
> 
> The nice thing about this design is that if you know the set of hash
> functions, you can just compute all the imported PSKs in advance, and
> there’s no need to touch the internals of the TLS stack. This also
> means that if you have decided you don’t like old hash X, you don’t
> need to use it to compute PSK binders, you just use it do the KDF,
> which seems like it has weakersecurity requirements. 
> 
> Here’s a specific construction, but we’re flexible about the details:
> 
>    struct {
>        opaque base_identity<1...2^16-1>;
>        HashAlgorithm hash;
>    } imported_psk_identity;
> 
>    UPSKx = HKDF-Extract(0, UPSK)  // UPSK is the input universal PSK
>    PSK = HKDF-Expand-Label(UPSKx, "derived psk", BaseKDF(psk_identity), TargetHash.length) // Might need to shorten label
> 
> These functions would be executed with the KDF associated with the UPSK, but produce
> a key the size of the desired hash.
> 
> This brings us to the question of TLS 1.2. I found Ilari’s analyis
> pretty persuasive, so I would suggest we add the following text to the
> TLS 1.3 spec:
> 
>     TLS 1.3 takes a conservative approach to PSKs by binding them to a
>     specific KDF. TLS 1.2 allows PSKs to be used with any hash function
>     and the TLS 1.2 PRF. The constructions in TLS 1.2 and TLS 1.3,
>     although both based on HMAC, are very different and there is no known
>     way in which reuse of the same PSK in TLS 1.3 and TLS 1.2 would
>     produce related output, although only limited formal analysis has been
>     done. Implementations MAY wish to avoid reuse of keys between TLS 1.3
>     and TLS 1.2, or use a key derivation proposal such as [Informative ref
>     to this email or a draft].
> 
> Other than this, we wouldn’t make any changes to the document.
> 
> What do people think?
> 
> -Ekr
> 
> 
> 
> 
> 
> On Thu, Jul 19, 2018 at 4:00 PM, Benjamin Kaduk <bkaduk=40akamai.com@dmarc.ietf.org <mailto:bkaduk=40akamai.com@dmarc.ietf.org>> wrote:
> Hi all,
> 
> As I mentioned at the mic today, there is a question that has been
> raised about whether it's wise to reuse an existing (TLS 1.2) PSK
> directly in the TLS 1.3 key ladder.  At a high level, the reason why one
> might want to restrict this is that the security proofs for TLS 1.3 rely
> on the pre-shared key being only used with a single key-derivation
> function (our HKDF-using Derive-Secret), and TLS 1.2 uses a different
> key-derivation function, so formally the proofs do not hold.  We don't
> currently know of a specifc attack against such reuse, of course, but
> perhaps it is prudent to restrict our usage to adhere to the verified
> scenarios.
> 
> This is somewhat timely, as if we do want to introduce a restriction, it
> would ideally be in the form of some text in the TLS 1.3 specification,
> which is very nearly done.
> 
> It would be good to hear more opinions on this question, particularly
> from those who have worked on the formal verification directly.
> 
> If I can attempt to summarize some discussion that occurred in the mic
> line today, Hannes was surprised that we would care, likening this case
> to the regular version negotiation, where we are happy to use the same
> certificate to sign messages for both TLS 1.2 and 1.3.  David Benjamin
> points out that we explicitly go to the trouble of putting 64 bytes of
> 0x20 padding at the front of the content that gets signed for
> CertificateVerify, to enforce separation between the TLS versions.
> 
> My own personal opinion is that we should enforce a domain separation
> between TLS 1.2 PSKs and TLS 1.3 PSKs; David Benjamin's "Universal PSKs"
> proposal seems like a potential mechanism by which to do so without
> doubling the provisioning needs.
> 
> -Ben (with no hat)
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org <mailto:TLS@ietf.org>
> https://www.ietf.org/mailman/listinfo/tls <https://www.ietf.org/mailman/listinfo/tls>
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email