Re: [TLS] Selfie attack

"Christopher Wood" <caw@heapingbits.net> Tue, 08 October 2019 23:48 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16D451200D6 for <tls@ietfa.amsl.com>; Tue, 8 Oct 2019 16:48:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=Cv27LHmf; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=U73E06rW
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZjgWu0ojmmz4 for <tls@ietfa.amsl.com>; Tue, 8 Oct 2019 16:48:30 -0700 (PDT)
Received: from wout2-smtp.messagingengine.com (wout2-smtp.messagingengine.com [64.147.123.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7A170120046 for <tls@ietf.org>; Tue, 8 Oct 2019 16:48:30 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id A8EB5738; Tue, 8 Oct 2019 19:48:29 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Tue, 08 Oct 2019 19:48:29 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type; s=fm2; bh=pkz5i1O/gsOfE/pt3E/BxVPi47+1xlY fGh9AGz4dbzo=; b=Cv27LHmfRtfGnP/P1l4kCrsus9EKhPEYxl3PvsnUbthijqx SCUWhEk0TsKm+ERUq8FHppxWGz7gj47YIQpiPcqDzo1ymUwIj495xD5JCZku2r6+ yDMZ++tKlmVtudxeVUjY3Jrh5KVazVD7dKvbIZKAkHUhKTjiRCYtJtl3CYYT896o XqobwpEjDZ+btqoLnuQAvqYYTT8HXzNPWdhU8HrqXqdY1O8Tu/b6ZpFTRd2QJXjQ Zmyy4R5muYXI/FwVFI1RO3vsSvwGMgGoHKuGi2JszAsbqY9kpCfRQNVnJLPHHCWa B4oEPFaY1Y3MFQLF6D1Xk8XFk46VrqBwtlPcz7g==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm1; bh=pkz5i1 O/gsOfE/pt3E/BxVPi47+1xlYfGh9AGz4dbzo=; b=U73E06rWpmizx1wpIbyp1U org/ZZ22qVB44dipOkR+j8/GUQxJG8i9XKDuZh0Ah3ftxK7bcwJcSNbUEkwZk1NM Xw9H8jZkQAP2FjsjPKmNoF68s8R+mCdjm8hvepa+HtUqS6lcStWUECxhUIEyeAAF yUWkEACGKVZqzRIqnelF3j4FDTV98FfhS4kz/X9AsJCL759V7FuGsC890Jfcthfp CxF88XztSYD3x6Sq/TBVAtNjmr1Tbs4I2+RApBYNRpzNQmy8MDw+1vWiBVvMeO6w Jh2EEbOY36swJtHqYSb5MKueRJJloW8Rf/d/9MK2JBXSsEnYLi9N9/UEuIp0KyJg ==
X-ME-Sender: <xms:TCCdXb3uxvkQiPNZXNs3mccGoEO42N_uysIBThTc3dIzzQwq4ZFdkw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedriedtgddvgecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfvehhrhhi shhtohhphhgvrhcuhghoohgufdcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucfrrghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghpihhnghgsihhtshdrnhgv thenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:TCCdXQ9atob3NYcTAh7LBaHKM0pgzBCWBS0QVMIB9VoN0gvRyY1j0Q> <xmx:TCCdXXYwSlnpgiITRfQgPJ1L66HVO4ICoQJo5-DRTp-ZIxLc2mugHA> <xmx:TCCdXZWInG0J4snvalv72Kkvnqa2ehQJd6suPqnFxJqXpwhh9ePjTQ> <xmx:TSCdXe72HRXeIn7jrC0dDgtX-2sv5L50-_MjUFrJY8apa4_tHeaWfg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id A19653C00A1; Tue, 8 Oct 2019 19:48:28 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-360-g7dda896-fmstable-20191004v2
Mime-Version: 1.0
Message-Id: <3a51cdaa-d04c-48b8-89b9-07d1510dba1a@www.fastmail.com>
In-Reply-To: <a70e420c-eeab-b446-57a8-a496a0541f89@huitema.net>
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <964aab95-1a42-df82-e8e4-cf7ee15ba0f8@ericsson.com> <AE2F1D6C-39AD-4C2F-BE03-FA2F189BBF4B@live.warwick.ac.uk> <896F89B2-37D0-4674-881D-FB9FE4874978@ericsson.com> <FE583332-1915-4B5A-AAAB-AD854CF336B8@live.warwick.ac.uk> <bb410c2a-6836-48a8-ac3d-de395f4c57d8@www.fastmail.com> <a0c560b0-8bca-d843-dac8-57c90c0488de@ericsson.com> <90ddc116-f5d9-4b22-8b80-e31835e09f10@www.fastmail.com> <a70e420c-eeab-b446-57a8-a496a0541f89@huitema.net>
Date: Tue, 08 Oct 2019 16:48:08 -0700
From: "Christopher Wood" <caw@heapingbits.net>
To: "Christian Huitema" <huitema@huitema.net>, "Mohit Sethi M" <mohit.m.sethi@ericsson.com>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/qogeQ_1PBn92CjacPj6xcnRq5fQ>
Subject: Re: [TLS] Selfie attack
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Oct 2019 23:48:32 -0000

On Tue, Oct 8, 2019, at 11:51 AM, Christian Huitema wrote:
>  
> On 10/8/2019 9:46 AM, Christopher Wood wrote:
> 
> > On Tue, Oct 8, 2019, at 2:55 AM, Mohit Sethi M wrote:
> >>  
> Hi Chris,
> 
> For the benefit of the list, let me summarize that the selfie attack is 
> only relevant where multiple parties share the same PSK and use the 
> same PSK for outgoing and incoming connections. These situations are 
> rather rare, but I accept that TLS is widely used (and sometimes 
> misused) in many places. 
> 
> 
> I may be getting old but the way Mohit writes it, it seems that the 
> attack happens when the security of a group relies on a secret shared 
> by all members of the group, and can then be compromised when one of 
> the group members misbehaves. How is that a new threat? If groups are 
> defined by a shared secret, then corruption of a group member reveals 
> that shared secret to the attacker and open the path for all kinds of 
> exploitation. In what sense is the "selfie" attack different from that 
> generic threat?

In my opinion, it's not. 

Best,
Chris