Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

Benjamin Kaduk <kaduk@mit.edu> Wed, 14 March 2018 02:02 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C2F39124BFA; Tue, 13 Mar 2018 19:02:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.231
X-Spam-Level:
X-Spam-Status: No, score=-4.231 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jlKKJBL7w31V; Tue, 13 Mar 2018 19:02:20 -0700 (PDT)
Received: from dmz-mailsec-scanner-2.mit.edu (dmz-mailsec-scanner-2.mit.edu [18.9.25.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AEC1E1205D3; Tue, 13 Mar 2018 19:02:20 -0700 (PDT)
X-AuditID: 1209190d-0a1ff70000005ef5-48-5aa882aab5c1
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-2.mit.edu (Symantec Messaging Gateway) with SMTP id F5.9E.24309.BA288AA5; Tue, 13 Mar 2018 22:02:19 -0400 (EDT)
Received: from outgoing.mit.edu (OUTGOING-AUTH-1.MIT.EDU [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id w2E22Eoo018006; Tue, 13 Mar 2018 22:02:16 -0400
Received: from kduck.kaduk.org (24-107-191-124.dhcp.stls.mo.charter.com [24.107.191.124]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id w2E22Acp003169 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 13 Mar 2018 22:02:12 -0400
Date: Tue, 13 Mar 2018 21:02:10 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Hubert Kario <hkario@redhat.com>
Cc: Ilari Liusvaara <ilariliusvaara@welho.com>, TLS WG <tls@ietf.org>, iesg@ietf.org
Message-ID: <20180314020207.GY55987@kduck.kaduk.org>
References: <6112806.hxzZ6NivhB@pintsize.usersys.redhat.com> <20180313151848.GA26250@LK-Perkele-VII> <3060420.fu6fxUo7fv@pintsize.usersys.redhat.com>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="Qrgsu6vtpU/OV/zm"
Content-Disposition: inline
In-Reply-To: <3060420.fu6fxUo7fv@pintsize.usersys.redhat.com>
User-Agent: Mutt/1.9.1 (2017-09-22)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFtrJKsWRmVeSWpSXmKPExsUixG6nrru6aUWUwa0luha3vh1mtZjxZyKz xfvd01ksPp3vYnRg8Viy5CeTx/t9V9k8bnfPYQtgjuKySUnNySxLLdK3S+DKOLCjm6XgCFfF 4yVfWBsYt3N2MXJySAiYSLS+W8vexcjFISSwmEliWtcMVghnI6PEgR1bGUGqhASuMklcP5ME YrMIqEqcnfOfHcRmE1CRaOi+zAxiiwDZZ091gtnMArESV06/YAWxhQVSJfae3cwEYvMCbVv4 /SkLxIKZjBI7Lv9jhkgISpyc+QQowQHUXCZxe5kyhCktsfwfB0gFp4CtxLdlz8HWigooS+zt O8Q+gVFgFpLmWQjNsxCaZ4HdoyVx499LJgxhW4l1696zLGBkW8Uom5JbpZubmJlTnJqsW5yc mJeXWqRrpJebWaKXmlK6iREUB5ySvDsY/931OsQowMGoxMMbcWl5lBBrYllxZe4hRkkOJiVR XtPaFVFCfEn5KZUZicUZ8UWlOanFhxhVgHY92rD6AqMUS15+XqqSCO9WGaA63pTEyqrUonyY MmkOFiVxXncT7SghgfTEktTs1NSC1CKYrAwHh5IErxYwDQgJFqWmp1akZeaUIKSZODgPMUpw 8AAN/90IMry4IDG3ODMdIn+K0Zjj2d4HbcwcN168bmMWArtDSpz3OkipAEhpRmke3DRQipPI 3l/zilEc6FFh3s0gVTzA9Ag37xXQKiagVVdOLAFZVZKIkJJqYKyobO6WXX2cU1JW6B/Pk3dT 3647c+35OdHQ/b2cr6aWm0jlrN7xw+G4kcSB9yJbLq/aUBIqG6e+6IXaxnOFCgrH9G3+u/6e szXWku/but9vptZlXRZRtkjZtXwNwx2vewJZmQsn6r8rEVq+mbnYI1W0wzw0Y7vJ8pd9WtmC UdbvHfYVa9arLFBiKc5INNRiLipOBACC0sFGTAMAAA==
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rYYo54iQ7SXpmOCXpnPh0YwT8lM>
Subject: Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Mar 2018 02:02:22 -0000

It seems like we get ourselves in trouble by allowing multiple
external PSKs to be present.  If we allowed at most one external
PSK in a given ClientHello, then aborting the handshake on binder
failure would be the correct choice, as discovering a valid identity
would require discovering a valid key/password as well.

Disallowing multiple external PSKs would make migration scenarios a
little more annoying, but perhaps not fatally so.

-Ben(jamin)