Re: [TLS] Comments on draft-ietf-tls-external-psk-importer-04
Christopher Wood <caw@heapingbits.net> Fri, 24 April 2020 23:09 UTC
Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B1FF3A0F2E for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 16:09:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=TSAfy63o; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=uxjkTU6A
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aRiwv3X82odS for <tls@ietfa.amsl.com>; Fri, 24 Apr 2020 16:09:38 -0700 (PDT)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C4A63A0F30 for <TLS@ietf.org>; Fri, 24 Apr 2020 16:09:38 -0700 (PDT)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.west.internal (Postfix) with ESMTP id 565261BAB; Fri, 24 Apr 2020 19:09:37 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Fri, 24 Apr 2020 19:09:37 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm1; bh=OdYlPCuI1WPUbWq5j8QthSuqwDE45Bl VPIx5TUtOXg8=; b=TSAfy63o46koQ5wwxlPP3XvVWL8DhGqiURL6BihehSxSRVA fUogW58qiOGJVHNZQU1yF80Ksht5I3BxiM3RrirLIfXpiDOmdf4FBSoIYuZRUN53 X+sqdggXd3nHRY6rE8MGxGdL4Wa0TR9GBx0b23dqEBxE5FgFeRsPnPWpIcz0fc+Y LH/voHt+tflHwzNpHsYFjFsVTMdvMLs5U8QPNDzgB07nClID/HIHGKbe7aDkRs4n cTsHYUjhQm6SkQUZb5DSC1MDvSJcqnjg4UNqRZ9CYKntFs5Vhp/wcn2Gi+xyE/al iuUHS+X+XBAATIn0BAviEEuWszni2XOh9OiD7Jw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=OdYlPC uI1WPUbWq5j8QthSuqwDE45BlVPIx5TUtOXg8=; b=uxjkTU6AdCaezYPNLSkWwd qMw+OlUMPJjgtLhSTcKZwJ7NEPyvBLxE9Gy+m3lxBeSf1sCFyQM69O8Ng7eMDfjp KSnu+3JSk7xP7HQYkskTCVcYUFBj7kSNaQc+ngPANbgKRsHwzY/xRw+ROvF1q+s4 VoAneMo60wxKIrtMybRGsdRytLj9rJYQWWYf5NQaL29IHBrH2UWmhdyCUxkfSeqc lltWakoiGG6zAQuo51DEybdbyOvnY0+fhEnKCDoujEVYioZMXTcO+GzuIchPuDHf ir8VhLGhJ5MetxPdgtrm25BHZ/85i1WtdGKqPP2wWqtEGCk/2jk/tcHLP40XaB1g ==
X-ME-Sender: <xms:sHGjXoIbcQv-FnzK2Tt9Hn1dDf3mW2hZTGjYYcAHnUwlqKMsA4Uipw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgeduhedrhedvgddujecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfvehhrhhi shhtohhphhgvrhcuhghoohgufdcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucffohhmrghinheptghishgtohdrtghomhdphhhtthhpshefrgdvfhdvfhhgihhthhhu sgdrtghomhenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhroh hmpegtrgifsehhvggrphhinhhgsghithhsrdhnvght
X-ME-Proxy: <xmx:sHGjXjDqHMKZ4NXGSR3L7pCGFsSfV03md_6a7rySNe9KJokl4XnWIg> <xmx:sHGjXpq2_pJDrwDKyQ-uJ-r_ihui30h6Eqspj2qaU2G5osQmWGFhAQ> <xmx:sHGjXsZ5UEu9FM4DnsNCv17p9kzHwq3ykNYrWUafNJVPK31l6QQ9aQ> <xmx:sHGjXuR1yU7SqL6K62gahYdbigQVJ6rTnlJF5mYPJjOOjtwiNOSOoA>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 7EB073C00A1; Fri, 24 Apr 2020 19:09:36 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.3.0-dev0-351-g9981f4f-fmstable-20200421v1
Mime-Version: 1.0
Message-Id: <8fd481c1-7edb-4d9c-bc6d-f1a3f67e8bcf@www.fastmail.com>
In-Reply-To: <acd71cd2e3b7412aafc98595161bfb1d@verisign.com>
References: <fb7c3f894dfa49efb5917d2e39c4ea78@verisign.com> <96ed3f4c-7ad4-4406-95c9-1e96b5a49eed@www.fastmail.com> <acd71cd2e3b7412aafc98595161bfb1d@verisign.com>
Date: Fri, 24 Apr 2020 16:09:15 -0700
From: Christopher Wood <caw@heapingbits.net>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>, "TLS@ietf.org" <TLS@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/p4wQKiTgWeTyT7mSHgb4nCms2yQ>
Subject: Re: [TLS] Comments on draft-ietf-tls-external-psk-importer-04
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Apr 2020 23:09:41 -0000
On Thu, Apr 23, 2020, at 8:10 AM, Hollenbeck, Scott wrote: > > -----Original Message----- > > From: TLS <tls-bounces@ietf.org> On Behalf Of Christopher Wood > > Sent: Tuesday, April 21, 2020 9:57 PM > > To: TLS@ietf.org > > Subject: [EXTERNAL] Re: [TLS] Comments on draft-ietf-tls-external-psk- > > importer-04 > > > > Thanks for the feedback, Scott! Please see inline below. > > > > On Tue, Apr 21, 2020, at 6:57 AM, Hollenbeck, Scott wrote: > > > 2. Technical comments. > > > > > > a. Distinct identities? Sec. 3 states "Non-imported and imported PSKs > > > are distinct since their identities are different on the wire." We > > > have two concerns about this statement. First, the statement appears > > > to suggest that if two EPSKs have different identities, then they must > > > have different secret values. But couldn't two EPSKs have the same > > > secret value yet employ different identities for convenience? For > > > example, an endpoint might identify the same EPSK with a domain name > > > in some cases and with an IP address in others. > > > > This seems like a reasonable editorial improvement to make. I filed: > > > > https://secure-web.cisco.com/1WQM3tDUuuSkXPZ- > > qwaA2YKrAcqlkOAsqUSqvQThf6zv7T7Gi7ofekeY-6UPrqcF1k5cW- > > i8pc5KYZ8GDkbBhgNSydezOTkChVTOsIlACtvE0hnca9DN7D056URvddDaO54LI > > jMM4o4hOFRlCHReLnVJ4g90Pm0foS9AAaeBQK2w1oTQNJrx9B6EqDlIvn3- > > Sh3oF_cBDlKk0XXLyJYWRZRflbYw3Tg1Ga8HPzfUZf- > > qJqqQquKG5sEsl_vdKIQbyIVGSYJVTTx6x- > > viXGJXTsQ/https%3A%2F%2Fgithub.com%2Ftlswg%2Fdraft-ietf-tls-external- > > psk-importer%2Fissues%2F31 > > Thanks! > > > > Second, and more > > > fundamentally, the statement assumes that a non-imported EPSK, by > > > definition, cannot be misinterpreted as an imported PSK. But isn't > > > the identifier of a non-imported EPSK just an opaque string? A > > > non-imported EPSK identity could therefore have the same "bits on the > > > wire" as an IPSK identity, if the client and server employ an > > > identifier system that whose encoding happens to coincide with the > > > ImportedIdentity structure defined in the draft. ( Moreover, the > > > identifier of a resumption PSK is just an opaque string > > > -- so couldn't this also collide with ImportedIdentity values? > > > Perhaps we are missing something even more fundamental in our > > > reading.) ([draft-dt-tls-external-psk-guidance-01] covers similar > > > issues in its Sec. 6.1.2, "PSK Identity Collisions.") > > > > Yes, certainly it's possible for a non-imported EPSK to have an identity which > > matches the constructed identity of an imported PSK. We can't do anything > > to prevent applications from crafting such identities, so I'm inclined to just > > note this as a possibility, if anything. > > A note would be fine. > > > > b. Attack impact. If it's possible for an opaque identifier for a > > > non-imported EPSK identity to have the same encoding as an > > > ImportedIdentity value, then how does the server recognize > > > unambiguously that the opaque identifier is intended to be an imported > > > identity? The server could take an optimistic approach and assume > > > that an identifier that meets the ImportedIdentity syntax is probably > > > an imported identity, and run the code path for imported identities first. > > > > Yep, that's what I envisioned servers would do. > > > > > If that path fails, however -- either because the server doesn't > > > accept the EPSK or associated parameters, or because the binder value > > > is incorrect -- then the server may need to run the code path for > > > non-imported identities as a fallback, checking next to see if the > > > opaque string is recognized as an ordinary EPSK identity. But this > > > practice just puts more burden on a server against an attacker who > > > replays (or makes up) the PSKIdentity.identity value: two code paths > > > are exercised for the price of one attempted handshake. > > > > I don't think this is a particularly useful attack, though I do agree that it causes > > more work for the server. I'm curious to hear what others think. > > > > > c. Mitigations. One way to reduce the burden is to impose a new > > > requirement that the opaque string can only have the ImportedIdentity > > > syntax if the client (or server in the case of hints) indeed intends > > > to use the import mechanism. An ordinary EPSK could have any other > > > value, just not this kind. But this may not be compatible with the > > > installed base, especially with implementations that allow clients and > > > servers to specify arbitrary EPSK identities. (Consider the case where > > > an application adopts the imported identity syntax for the use > > > intended in this draft, and then decides to reuse the syntax for other > > > purposes, including ordinary EPSK identities.) > > > > > > Another way to ensure distinctness is to add a flag that indicates > > > that the PSK identity is an imported identity. But it's not clear > > > where this flag would go, given that the PskIdentity syntax isn't extensible. > > > Perhaps there could be an overall flag indicating that _all PSK > > > identities are imported identities? Or a new extension for imported > > > PSKs? > > > > Since this draft is meant to fix an annoyance in TLS 1.3, I think anything more > > than a different Identity encoding is overkill. I absolutely agree that the > > rigidity of PskIdentity is something we might want to fix. I'm just not sure > > that should be done here. > > Agreed, this would be a larger discussion. Just wanting to be sure the > concern was noted in the document. > > > > d. Key separation. Note that the foregoing discussion about EPSK > > > identifiers potentially colliding is separate from the question about > > > what happens if an IPSK happens to collide with a non-imported EPSK. > > > The draft handles this effectively with different inputs to the binder > > > derivation ("ext binder" vs. "imp binder"). But this happens after > > > the implementation has already decided whether to interpret the > > > identifier as external or imported. > > > > > > e. Incremental deployment. Section 6 states that " the derived PSK > > > will not be the same [as the underlying EPSK] since the importer > > > differentiates the PSK via the identity, target protocol and target > > > key KDF." However, the next statement does not follow directly: > > > "Thus, PSKs imported for TLS 1.3 are distinct from those used in TLS > > > 1.2, and thereby avoid cross-protocol collisions." Rather, the > > > statement also depends on the requirement in Section 3 that clients > > > (and servers) don't deliberately use EPSKs or IPSKs for other > > > purposes, and the security properties of the KDF that produces the IPSK > > (which ensures > > > that collisions don't occur accidentally). But there also seems to be > > > an implication in Section 6 that the use of the KDF in the TLS 1.3 > > > importer doesn't conflict with the cryptographic functions used for > > > obtaining the TLS 1.2 pre-master secret. If so, this distinction > > > should be spelled out. > > > > Hmm, not quite. The statement intends to say that if you need EPSK k into an > > importer and into TLS 1.2 then the resulting keys used in TLS 1.3 and 1.2 are > > different. I'm not sure further clarification is needed, though I'm happy to > > review suggestions if you have them! > > Agree with that as the goal. Here's our concern in brief. If our > understanding is correct, prior to this draft, the client could use an > EPSK k in two ways: > > * as input to the TLS 1.2 PRF (based on any hash function) > * as input to the TLS 1.3 key schedule via HKDF-extract (based on a > single hash function) > > Following this draft, the client could use k in two ways: > > * as input to the TLS 1.2 PRF (based on any hash function) [same as > before] > * as input to the importer function via HKDF-extract (based on a single > hash function) > > So there is still a potential cryptographic overlap in the use of k > between TLS 1.2 and TLS 1.3. The imported keys don't have this > overlap, because they're separated from one another and from the > underlying EPSK through the use of the importer function. But doesn't > the security proof for k still need to take into account that the input > to HKDF-extract might also be input to the TLS 1.2 PRF (with the same > or a different hash function)? > > In other words, if it was a problem for the security proof that k could > be input to the PRF and to HKDF-extract before the draft, isn't it > still a problem afterwards? The conclusion that there are no > cross-protocol collisions depends on the specifics of the TLS 1.2 PRF > and how it's used, compared to HKDF-extract. > > We're not suggesting there is any attack here, just trying to > understand the design actually addresses the statement in the > introduction that k "could possibly be re-used in two different > contexts with the same hash functions during key derivation". For lack of a better way to describe this (sorry!), we're trying to avoid this input collision during the key derivation process of a TLS connection. As the importer happens before a connection, and can be viewed as part of the provisioning process that produces unique PSKs for each target hash function, we achieve the goal for TLS 1.3 of not re-using a PSK with different hash functions. I'm not sure how to better clarify that right now, so suggestions are very much welcome. Best, Chris
- [TLS] Comments on draft-ietf-tls-external-psk-imp… Hollenbeck, Scott
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Christopher Wood
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Hollenbeck, Scott
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Christopher Wood
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Hollenbeck, Scott
- Re: [TLS] Comments on draft-ietf-tls-external-psk… Christopher Wood