Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer
David Benjamin <davidben@chromium.org> Fri, 28 February 2020 16:09 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 652413A1A7B for <tls@ietfa.amsl.com>; Fri, 28 Feb 2020 08:09:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.249
X-Spam-Level:
X-Spam-Status: No, score=-9.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0xAt4IJnUUrO for <tls@ietfa.amsl.com>; Fri, 28 Feb 2020 08:09:27 -0800 (PST)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D47E63A07B8 for <tls@ietf.org>; Fri, 28 Feb 2020 08:09:26 -0800 (PST)
Received: by mail-pg1-x534.google.com with SMTP id h8so1732887pgs.9 for <tls@ietf.org>; Fri, 28 Feb 2020 08:09:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/IRq/LskjTyw6K91EAQBzehEYxDNjTHcAlBvUXsqces=; b=Dw/0M6qELKR/D2P1kp7gQg+JFpvfWhIjjm+f3QXaH+j+hskATyLTKuSHakQ//QTiiu MCBDcXzuPm4wQiZfsRjmUehbOByLNPnfUgL85RGWDYU40zLNudNqGzNIztsQZU9mcim7 8Mdb+CTbQykKISNelr1Vx3ylpmS15+8dDUAw8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/IRq/LskjTyw6K91EAQBzehEYxDNjTHcAlBvUXsqces=; b=L99R4PLr1EAf5lslWfIy3GVdz/prVcLG0ScvfilzAhXmYcZBqiChp6y+wzXIbZh9Jk ohNs8JXiiYI9Ih2W6OS16Bc9v2601uSh4DIXQdCH620fhWvtksABB2foWzR/LEYqX/qb 95fTFQhKMpdCnqounZJ3JEX2MSnq7kTwlu/QcREKVXhl+tL7Dmvs1S+IlwUxJgv+ioFl J2LEoEK0KYGITzi9POrkCpsdrZxjoTjiqpaY8mFELDiUbd7r4TyEHQVDx5F49ObV9/ZL mh5ja6ZCeZYHWeNqzqn668KJFpBO6BnjE72ZsYxmf7TnSoD3EqcBGX9Xo4z9VRiZg/zS GPig==
X-Gm-Message-State: APjAAAW8bpaeXrIRY5I48wOkhBjchwCuvf2kujcLNNvFw7PhW2XZ+s/t rsj5JIqw07cPTuVESZev5Nxds555P8KormzOSGApGDo=
X-Google-Smtp-Source: APXvYqwUjlASbM0hMRvoUbrL+eDRY7CFlkbqk/CiVZ/MWJE18TbTuDTwXlUbwPLjm/AjIQ31fOVENJbm9wQTAw+rbXc=
X-Received: by 2002:a63:e5d:: with SMTP id 29mr5281535pgo.124.1582906165862; Fri, 28 Feb 2020 08:09:25 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoBnSsDDaWWRHjkdjVRWw_DtxFYSQS7G-NyeSUfTzmYbAw@mail.gmail.com> <CAChr6SyA05VTB1n5Dcc2WNP6rrpsvDGXuPQxDxM9-=3JiYYPLQ@mail.gmail.com> <CABcZeBOPaGZ1ZKWpXkhC05v3HcbSLNuXYD_Lzw0S6iaBQY0a9A@mail.gmail.com> <CAChr6Sz7EqMbHNzcvbwdXkWB1JbQQig3RXCrzG6zascJL__t2Q@mail.gmail.com> <8887946c-8509-483c-9c62-de5393fb9eaf@www.fastmail.com> <CACykbs3LjPXPyvXGthCxYPK_Kv_+3TCV8VmkYab6gkfOfNmYuA@mail.gmail.com> <CAF8qwaCPbQfXWvTm7VgS7G6XAfzEY_=rTfD2CzRWsSod+MpC2Q@mail.gmail.com> <CACykbs08ico3WVDK-E=sqTSVPD=gYQdJ8eiQzyxhKqY=q_EPUQ@mail.gmail.com> <CAF8qwaCPQ1JwKKwbM9THnhiO=1F1V5Z_Wj5LYMjZkyf0W-zygg@mail.gmail.com> <75b70352-9cc5-4aa1-9cca-42f37fe615d2@www.fastmail.com> <CACykbs3jHsasE4MmDWYGyZfq-TT3rhq84hbU6VOoP9XYo8__pg@mail.gmail.com>
In-Reply-To: <CACykbs3jHsasE4MmDWYGyZfq-TT3rhq84hbU6VOoP9XYo8__pg@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 28 Feb 2020 11:09:09 -0500
Message-ID: <CAF8qwaCm2T8OW3fqmV4e-MCTzpp0fKg_Z8=18RqdV+78wqiHQA@mail.gmail.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: Christopher Wood <caw@heapingbits.net>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb275d059fa50fe6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rpud3MOk0EbbrnUtK26XUu2T2UM>
Subject: Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2020 16:09:30 -0000
On Fri, Feb 28, 2020 at 10:58 AM Jonathan Hoyland < jonathan.hoyland@gmail.com> wrote: > On Fri, 28 Feb 2020 at 04:49, Christopher Wood <caw@heapingbits.net> > wrote: > >> On Thu, Feb 27, 2020, at 1:31 PM, David Benjamin wrote: >> > On Mon, Feb 24, 2020 at 5:58 PM Jonathan Hoyland >> > <jonathan.hoyland@gmail.com> wrote: >> > > This would be for cases where we want to inject extra context into a >> resumption. >> > > That would be anything that changes an authentication property, so >> for example if you wanted to include some agreement on the status of a >> post-handshake auth or Exported Authenticator. >> > > >> > > So for example imagine I had a session during which I received an EA >> and when I came to resume that session I wished to indicate that I was >> still willing to accept the EA. >> > > I would offer a special PSK and inject some extra material into the >> handshake*, and if the server was able / willing to agree to this it would >> select the PSK. >> > > I could also offer a PSK with no extra injected material, as a >> fallback, and request the EA again. >> > > >> > > * This would only affect the binder for the PSK in the ClientHello. >> > >> > I'm still not following. If you're resuming, this is a PSK issued from >> > a NewSessionTicket, in which case this isn't an imported PSK at all. >> > It's a resumption PSK and uses "res binder". If we needed to negotiate >> > variations on a resumption, this importer mechanism wouldn't give us a >> > way to express that anyway. I expect we'd instead lean on some >> > combination of multiple tickets, NewSessionTicket extensions, and plain >> > ClientHello extensions. But maybe I'm still not understanding the >> > scenario. >> > The security of combinations of tickets is non-trivial to reason about > (though not impossible), in the same way as Exported Authenticators (which > makes sense given that EAs would be a reason to do this). > I'll have to give some thought to a compelling use case, but I just like > the option for consistency. > Then again it is said "A foolish consistency is the hobgoblin of little > minds [...]", so ... > Well, if we never end up adding "imp r binder", then the current spelling is more consistent. If we later add "imp r binder", then your proposed spelling is more consistent. If we later add "imp r binder" but spell it "xyz binder", then I guess the current spelling is more consistent. The label values don't *actually* matter so this is all aesthetics at this point. My assertion is that if we have clear reason to believe we'll add "imp r binder", then "imp e binder" seems reasonable. If we don't have a reason to believe we will, let's just leave it as is. Either way, it's probably not worth expending too much effort on it. :-) > > > Another potential use would be the binding for ECHO, although I don't >> have a clear enough picture of the precise mechanics of that to know if it >> would be helpful. >> > >> > Chris is probably more up-to-date here, but I don't believe the current >> > ECHO design looks like a funny PSK. >> >> That's right -- it's just another extension in the outer CH. >> > > I was thinking about the ECHO design from a forward/backward binding > perspective. > I think we should make the smallest number of changes to the key schedule > possible that will cover all possible future use cases, so an overall > consistent approach would be ideal. > If the WG doesn't adopt a key schedule extension draft (either mine, > draft-Stebila, or some other one) then this looks like the strongest choice. > > >> Best, >> Chriss >> >> > > Something that would allow for a consistent naming in the future >> would be my preference, because just as "imp binder" doesn't preclude "imp >> r binder", using "imp e binder" doesn't preclude us never adopting "imp r >> binder". >> > > I vaguely remember discussing whether the longer name would tip us >> into an extra hash invocation at the last IETF, and concluding that it >> didn't, although I'd have to double check that. >> > >> > Of course. Yeah, I think the more pertinent question is whether "imp r >> > binder" is actually a thing. >> > > Regards, >> > > >> > > Jonathan >> > > >> > > On Mon, 24 Feb 2020, 22:23 David Benjamin, <davidben@chromium.org> >> wrote: >> > >> On Mon, Feb 24, 2020 at 4:33 PM Jonathan Hoyland < >> jonathan.hoyland@gmail.com> wrote: >> > >>> Just looking at this again, it might be better to make a slightly >> different tweak to the key schedule. >> > >>> Instead of: >> > >>> 0 >> > | >> > v >> > PSK -> HKDF-Extract = Early Secret >> > | >> > +-----> Derive-Secret(., "ext binder" >> > | | "res binder" >> > | | "imp binder", "") >> > | = binder_key v >> > >>> >> > >>> We should do: >> > >>> >> > >>> 0 >> > | >> > v >> > PSK -> HKDF-Extract = Early Secret >> > | >> > +-----> Derive-Secret(., "ext binder" >> > | | "res binder" >> > | | "imp e binder" >> > | | "imp r binder", "") >> > | = binder_key v >> > >>> or at least: >> > >>> 0 >> > | >> > v >> > PSK -> HKDF-Extract = Early Secret >> > | >> > +-----> Derive-Secret(., "ext binder" >> > | | "res binder" >> > | | "imp e binder", "") >> > | = binder_key v >> > >>> >> > >>> >> > >>> Just so that we can distinguish between external imported binders >> and resumed imported binders, should we at some point decide to do both. >> > >> >> > >> I may just be confused, but what would a resumed imported binder >> mean? I see this mechanism as largely a bugfix for TLS 1.3 external PSKs, >> rather than a new kind of adjective describing PSKs. >> > >> >> > >> ("imp binder" also doesn't preclude "imp r binder" later if we later >> define something which needs it, but I'm confused what the concept even >> would be.) >> > >> >> > >> David >> > >>> On Mon, 24 Feb 2020 at 20:50, Christopher Wood <caw@heapingbits.net> >> wrote: >> > >>>> On Fri, Feb 21, 2020, at 1:15 PM, Rob Sayre wrote: >> > >>>> > >> > >>>> > >> > >>>> > On Fri, Feb 21, 2020 at 8:35 AM Eric Rescorla <ekr@rtfm.com> >> wrote: >> > >>>> > > >> > >>>> > > >> > >>>> > > On Thu, Feb 20, 2020 at 7:08 PM Rob Sayre <sayrer@gmail.com> >> wrote: >> > >>>> > >> Hi, >> > >>>> > >> >> > >>>> > >> I'm not sure how violations of these requirements would >> result in poor interoperability: >> > >>>> > >> >> > >>>> > >> Clients which import external keys TLS MUST NOT use these >> keys for >> > >>>> > >> any other purpose. Moreover, each external PSK MUST be >> associated >> > >>>> > >> with at most one hash function. >> > >>>> > >> >> > >>>> > >> These seem like aspirational security goals. It would be >> better to describe the consequences of violating these conditions. >> > >>>> > > >> > >>>> > > I don't agree. They are requirements in order to be able to >> make the assertions we want to make about the security of the protocol. >> > >>>> > > >> > >>>> > > This is consistent with the following text of RFC 2119 S 6 >> > >>>> > > ".. or to limit behavior which has potential for causing harm >> (e.g., limiting retransmisssions) " >> > >>>> > > >> > >>>> > > I don't think it would be unreasonable.to explain the reason >> for these, though this is already a requirement of 8446 S 4.2.11 (though >> without justification). >> > >>>> > >> > >>>> > I think that interpretation of 2119 is a stretch, but your idea >> to add >> > >>>> > an explanation while keeping the 2119 terms addresses my >> concern. At >> > >>>> > the very least, the draft should note this is already a >> requirement of >> > >>>> > 8446. >> > >>>> >> > >>>> That seems perfectly reasonable! We can point to the security >> considerations to clarify the "single hash function" requirement, and we >> can note cross protocol attack deterrence for the other claim. Would that >> suffice? If not, can you please recommend text? >> > >>>> >> > >>>> Thanks, >> > >>>> Chris >> > >>>> >> > >>>> _______________________________________________ >> > >>>> TLS mailing list >> > >>>> TLS@ietf.org >> > >>>> https://www.ietf.org/mailman/listinfo/tls >> > >>> _______________________________________________ >> > >>> TLS mailing list >> > >>> TLS@ietf.org >> > >>> https://www.ietf.org/mailman/listinfo/tls >> >
- [TLS] WGLC for draft-ietf-tls-external-psk-import… Joseph Salowey
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Eric Rescorla
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Jonathan Hoyland
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Rob Sayre
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Jonathan Hoyland
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Jonathan Hoyland
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Christopher Wood
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… David Benjamin
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Joseph Salowey
- Re: [TLS] WGLC for draft-ietf-tls-external-psk-im… Christopher Wood