Re: [TLS] TLS 1.3 servers and psk_key_exchange_modes == [psk_ke]?
Nick Harper <ietf@nharper.org> Tue, 07 March 2023 07:19 UTC
Return-Path: <nharper@nharper.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 390E3C151AE3 for <tls@ietfa.amsl.com>; Mon, 6 Mar 2023 23:19:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HsIDjXWSgDjD for <tls@ietfa.amsl.com>; Mon, 6 Mar 2023 23:19:03 -0800 (PST)
Received: from mail-ed1-f44.google.com (mail-ed1-f44.google.com [209.85.208.44]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83FA4C15155A for <tls@ietf.org>; Mon, 6 Mar 2023 23:19:03 -0800 (PST)
Received: by mail-ed1-f44.google.com with SMTP id o12so48444480edb.9 for <tls@ietf.org>; Mon, 06 Mar 2023 23:19:03 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678173541; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=H75bLmFNKqugZ0H8TpvksEFcaUYbjOkQqmjrGAN+saY=; b=oSYTx3gXBGlvHHw/YogHN6HgQo8dMTOgCY6vmNcULJsVmNzSFJoHoN/ylsyGgRbKUw 7aPiTyCUzvE7n/AG6L5MN//vU3vNi23DYXMsnksAGgIP9Im2iWrtN25e2w6k7beHmc5o z8YIsUskK+1g4REihaXhl6ljvWRMC76+K9mHJeHfHAk/7/cI65ZHWincAUDLO7r/O6ON Vm7bsQpCudMtZl8Qscbr+PlqHevEzYM3GwJ9AtbYmCY1yq7rwdrJtGfNKGePN7PVVPAI QGjjyC/n/mo+rmyHC6MqDlDcJlMUQ+hDTD95cqerT0QB0/3XTEd9VSMRhZDeVH/pstZT 72dQ==
X-Gm-Message-State: AO0yUKXjsjmSVcLeLxYd7V6yxijje7E3rIMkbkF6Tx6w4b0pGomrU0Sd MYJZWIpl6x7W4H76o6xNdgSk+KbDo/1oXpLFAc8GWwlzA/FnVFntIZQ=
X-Google-Smtp-Source: AK7set/S3/5iGVrxX/krCxYWfd2FNKTh53kMc0UGTaiFD4cRuL/KkGylqR1YToaUR0ZEW/pMhj7TK1e2zD1yTOwJPZ0=
X-Received: by 2002:a17:906:36d6:b0:8b2:23fb:dfd8 with SMTP id b22-20020a17090636d600b008b223fbdfd8mr6585588ejc.12.1678173541296; Mon, 06 Mar 2023 23:19:01 -0800 (PST)
MIME-Version: 1.0
References: <Y/1ngz1ITlYds2WP@straasha.imrryr.org> <SY4PR01MB6251E03AE8A05E38FA8A3F0DEEB79@SY4PR01MB6251.ausprd01.prod.outlook.com> <ZAbL6AP8uzgb60NB@straasha.imrryr.org>
In-Reply-To: <ZAbL6AP8uzgb60NB@straasha.imrryr.org>
From: Nick Harper <ietf@nharper.org>
Date: Mon, 06 Mar 2023 23:18:50 -0800
Message-ID: <CACcvr=mS9DM__U-7=SEg58YFCJzfhheckbY==QNRy2KFCY8x2A@mail.gmail.com>
To: tls@ietf.org
Content-Type: multipart/alternative; boundary="000000000000cd016505f64a3917"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/paImopOZyKu3flFLUsA4IuLcyLA>
Subject: Re: [TLS] TLS 1.3 servers and psk_key_exchange_modes == [psk_ke]?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2023 07:19:04 -0000
On Mon, Mar 6, 2023 at 9:30 PM Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: > On 6 Mar 2023, at 8:13 pm, Peter Gutmann <pgut001@cs.auckland.ac.nz> > wrote: > > > Not really sure how to fix this, although at the moment "stay with TLS > > classic" seems to be the preferred option. > > There are three stages of fixes: > > 1. Update the protocol specification. > 2. Fix the implementations. > 3. Keep using TLS 1.2 until the fixed implementations are broadly adopted. > > Keeping in mind that LTS enterprise editions of Linux are lately supported > for ~13 years, step 3 may take a while. Which is not to say that we should > not start doing 1. and 2., but it is like planting an olive tree, the fruit > will be enjoyed by future generations. > > The protocol specification needs to say something along the lines of: > > - Implementations MUST support both psk_ke and psk_dhe_ke. > > - Server operators SHOULD leave both modes enabled. > > - In closed environments, or specific applications where *all* > clients are expected to and required to support psk_dhe_ke > the required to enable psk_ke is relaxed to MAY. > > - Conversely, where no clients are expected to support psk_dhe_ke, > the requirement to leave it enabled changes to MAY. > > - psk_dhe_ke is negotiated when supported by both sides, otherwise > psk_ke is negotiated. > > - Clients SHOULD generally offer both modes in the client HELLO. > > - Clients MAY offer just one or the other when appropriate for the > application in question, and can expect to interoperate with a > "general purpose" server. > > Basically, one way or another, PSK key exchange mode negotiation needs > to be interoperable by default. Based on your first message, it sounds like you have identified an implementation where it is not interoperable. All of the spec language in the world won’t fix implementation bugs. PSK only and PSK-DHE modes offer two fundamentally different security properties. PSK only key exchange lacks forward secrecy. For general purpose libraries, defaulting to PSK-DHE with forward secrecy is the right choice for security. (As you point out, a server that only supports DHE PSKs shouldn’t send new session tickets to a client that doesn’t support psk_dhe_ke, but that doesn’t contradict psk_dhe_ke only as being a sane default.) RFC 8446 provides the right building blocks, and delegates the choice of which to use to an application profile standard. There’s no need for any additional language in the TLS 1.3 spec to encourage or mandate the use of non-FS PSK modes. For applications where forward secrecy isn’t needed or the computation costs outweigh the security benefits, the application profiles for those use cases can encourage or mandate psk_ke. > > > As for implementations, the code changes are not that difficult, but will > take time to release, and then there's step 3... > > Meanwhile, when there's no other choice, keep using TLS 1.2. > > -- > Viktor. > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] TLS 1.3 servers and psk_key_exchange_modes … Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Peter Gutmann
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Nick Harper
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Nick Harper
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Nick Harper
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Peter Gutmann
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Viktor Dukhovni
- Re: [TLS] TLS 1.3 servers and psk_key_exchange_mo… Peter Gutmann