[TLS] issues with DTLS + PSK

Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 05 January 2015 16:08 UTC

Message-ID: <1420474094.10168.49.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: IETF TLS <tls@ietf.org>
Date: Mon, 05 Jan 2015 17:08:14 +0100
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/qTH6LYByqRMfWefziINiHQQsH0Y
Subject: [TLS] issues with DTLS + PSK

Some issues while using PSK in combination with DTLS.
1. The PSK ciphersuites rely on a Finished message mismatch to detect a
wrong pre-shared key. That doesn't work well with DTLS, where wrongly
encrypted messages are simply ignored. Thus there is no reasonable way
to detect wrong PSK keys except to wait for some timeout.

2. Even if one did not ignore the Finished message decryption failure
and failed the handshake immediately, there is no way to notify the peer
of the failure. The exchanged keys don't match, so any alert message
will not be received by the peer.


A solution would be, in a revision of the PSK ciphersuites, to define
PSK ciphersuites which authenticate (e.g., with a MAC) an (EC)DH
key exchange. That would allow a graceful failure in case of a mismatch
of keys. In addition, it would allow the usage of hardware security
modules with PSK (something that is very hard to impossible with the
current ECDHE/DHE PSK ciphersuites).

regards,
Nikos
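The two failure modes in the message above and the proposed remedy, as an added simulation that is not part of the original post and not any TLS library's code. It uses toy primitives (HMAC-SHA256 standing in for the record MAC and the PRF, a 127-bit Mersenne prime as a stand-in DH group, an assumed retransmit budget of three) so that it runs offline. `plain_psk_handshake` models a plain PSK ciphersuite: the client's Finished is protected under keys derived from its PSK, and the server either tears the handshake down on a MAC failure (stream TLS) or silently drops the record and lets the client retransmit until its timer expires (DTLS). `psk_authenticated_dh_handshake` models the proposal: the PSK only MACs the cleartext DH share, so a mismatch is caught before any keys are switched and the alert goes out readable, and the session key is derived from the DH secret alone, which is what lets the PSK stay inside an HSM.

```python
"""Added example: why a wrong PSK degrades to a timeout under DTLS, and how
a PSK-authenticated (EC)DH exchange fails gracefully instead.
All primitives here are toys chosen for an offline, runnable illustration."""
import hashlib
import hmac
import secrets

MAX_RETRANSMITS = 3        # assumed DTLS retransmit budget before giving up
TOY_P = (1 << 127) - 1     # toy DH modulus (a Mersenne prime), NOT a real group
TOY_G = 3                  # toy generator


def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Stand-in for the TLS PRF: one HMAC-SHA256 over label || seed."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


def psk_premaster(psk: bytes) -> bytes:
    """RFC 4279 plain-PSK premaster: len(Z) || zeros || len(psk) || psk."""
    zeros = bytes(len(psk))
    return len(zeros).to_bytes(2, "big") + zeros + len(psk).to_bytes(2, "big") + psk


def record_protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Toy record layer: seq || payload || HMAC(key, seq || payload)."""
    seq_bytes = seq.to_bytes(8, "big")
    return seq_bytes + payload + hmac.new(key, seq_bytes + payload, hashlib.sha256).digest()


def record_unprotect(key: bytes, record: bytes):
    """Return the payload if the tag verifies under `key`, else None."""
    seq_bytes, payload, tag = record[:8], record[8:-32], record[-32:]
    expected = hmac.new(key, seq_bytes + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None


def plain_psk_handshake(client_psk: bytes, server_psk: bytes, transport: str):
    """Plain PSK: a wrong key is only visible as a Finished that fails to verify.
    transport='tls'  -> server aborts on the first bad record (fatal alert)
    transport='dtls' -> server silently drops it; client retransmits until timeout"""
    randoms = secrets.token_bytes(32) + secrets.token_bytes(32)
    client_key = prf(psk_premaster(client_psk), b"master secret", randoms)
    server_key = prf(psk_premaster(server_psk), b"master secret", randoms)
    finished = prf(client_key, b"client finished", b"<transcript hash>")
    attempts = 0
    while True:
        attempts += 1
        record = record_protect(client_key, attempts, finished)
        if record_unprotect(server_key, record) is not None:
            return ("ok", attempts)
        if transport == "tls":
            return ("alert:bad_record_mac", attempts)   # stream TLS fails fast
        if attempts >= MAX_RETRANSMITS:
            return ("timeout", attempts)                # DTLS: nothing ever came back
        # DTLS: the bad record was dropped on the floor; the client's timer fires
        # and it retransmits the same flight, so the loop continues.


def dh_keypair():
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def authenticated_share(psk: bytes, pub: int) -> bytes:
    """Cleartext DH share followed by a MAC under the PSK (the proposed design)."""
    share = pub.to_bytes(16, "big")
    return share + hmac.new(psk, b"psk-dh share" + share, hashlib.sha256).digest()


def verify_share(psk: bytes, msg: bytes):
    """Return the peer's public value if the PSK MAC verifies, else None."""
    share, tag = msg[:16], msg[16:]
    expected = hmac.new(psk, b"psk-dh share" + share, hashlib.sha256).digest()
    return int.from_bytes(share, "big") if hmac.compare_digest(tag, expected) else None


def psk_authenticated_dh_handshake(client_psk: bytes, server_psk: bytes):
    """PSK authenticates the (EC)DH exchange; keys are derived from the DH secret only,
    so the mismatch is detected while both sides are still sending in the clear."""
    a, A = dh_keypair()
    b, B = dh_keypair()
    A_recv = verify_share(server_psk, authenticated_share(client_psk, A))
    if A_recv is None:
        # Server has not switched keys yet: this alert is readable by the client.
        return ("alert:decrypt_error", None)
    B_recv = verify_share(client_psk, authenticated_share(server_psk, B))
    if B_recv is None:
        return ("alert:decrypt_error", None)
    z_server = pow(A_recv, b, TOY_P)
    z_client = pow(B_recv, a, TOY_P)
    if z_server != z_client:
        return ("alert:internal_error", None)
    # No PSK material enters the key schedule; an HSM only ever needs to MAC with it.
    return ("ok", prf(z_client.to_bytes(16, "big"), b"master secret", b""))


if __name__ == "__main__":
    print(plain_psk_handshake(b"key", b"key", "dtls"))
    print(plain_psk_handshake(b"key", b"wrong", "dtls"))
    print(plain_psk_handshake(b"key", b"wrong", "tls"))
    print(psk_authenticated_dh_handshake(b"key", b"wrong")[0])
```

Run it and the plain-PSK DTLS mismatch comes back only as `("timeout", 3)`, with no record the server ever accepted and no alert it could have sent under matching keys, while the MAC-authenticated DH variant returns a cleartext `alert:decrypt_error` on the first flight.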