IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer

David Benjamin <davidben@chromium.org> Fri, 28 February 2020 16:09 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 652413A1A7B for <tls@ietfa.amsl.com>; Fri, 28 Feb 2020 08:09:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.249
X-Spam-Level:
X-Spam-Status: No, score=-9.249 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0xAt4IJnUUrO for <tls@ietfa.amsl.com>; Fri, 28 Feb 2020 08:09:27 -0800 (PST)
Received: from mail-pg1-x534.google.com (mail-pg1-x534.google.com [IPv6:2607:f8b0:4864:20::534]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D47E63A07B8 for <tls@ietf.org>; Fri, 28 Feb 2020 08:09:26 -0800 (PST)
Received: by mail-pg1-x534.google.com with SMTP id h8so1732887pgs.9 for <tls@ietf.org>; Fri, 28 Feb 2020 08:09:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=/IRq/LskjTyw6K91EAQBzehEYxDNjTHcAlBvUXsqces=; b=Dw/0M6qELKR/D2P1kp7gQg+JFpvfWhIjjm+f3QXaH+j+hskATyLTKuSHakQ//QTiiu MCBDcXzuPm4wQiZfsRjmUehbOByLNPnfUgL85RGWDYU40zLNudNqGzNIztsQZU9mcim7 8Mdb+CTbQykKISNelr1Vx3ylpmS15+8dDUAw8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=/IRq/LskjTyw6K91EAQBzehEYxDNjTHcAlBvUXsqces=; b=L99R4PLr1EAf5lslWfIy3GVdz/prVcLG0ScvfilzAhXmYcZBqiChp6y+wzXIbZh9Jk ohNs8JXiiYI9Ih2W6OS16Bc9v2601uSh4DIXQdCH620fhWvtksABB2foWzR/LEYqX/qb 95fTFQhKMpdCnqounZJ3JEX2MSnq7kTwlu/QcREKVXhl+tL7Dmvs1S+IlwUxJgv+ioFl J2LEoEK0KYGITzi9POrkCpsdrZxjoTjiqpaY8mFELDiUbd7r4TyEHQVDx5F49ObV9/ZL mh5ja6ZCeZYHWeNqzqn668KJFpBO6BnjE72ZsYxmf7TnSoD3EqcBGX9Xo4z9VRiZg/zS GPig==
X-Gm-Message-State: APjAAAW8bpaeXrIRY5I48wOkhBjchwCuvf2kujcLNNvFw7PhW2XZ+s/t rsj5JIqw07cPTuVESZev5Nxds555P8KormzOSGApGDo=
X-Google-Smtp-Source: APXvYqwUjlASbM0hMRvoUbrL+eDRY7CFlkbqk/CiVZ/MWJE18TbTuDTwXlUbwPLjm/AjIQ31fOVENJbm9wQTAw+rbXc=
X-Received: by 2002:a63:e5d:: with SMTP id 29mr5281535pgo.124.1582906165862; Fri, 28 Feb 2020 08:09:25 -0800 (PST)
MIME-Version: 1.0
References: <CAOgPGoBnSsDDaWWRHjkdjVRWw_DtxFYSQS7G-NyeSUfTzmYbAw@mail.gmail.com> <CAChr6SyA05VTB1n5Dcc2WNP6rrpsvDGXuPQxDxM9-=3JiYYPLQ@mail.gmail.com> <CABcZeBOPaGZ1ZKWpXkhC05v3HcbSLNuXYD_Lzw0S6iaBQY0a9A@mail.gmail.com> <CAChr6Sz7EqMbHNzcvbwdXkWB1JbQQig3RXCrzG6zascJL__t2Q@mail.gmail.com> <8887946c-8509-483c-9c62-de5393fb9eaf@www.fastmail.com> <CACykbs3LjPXPyvXGthCxYPK_Kv_+3TCV8VmkYab6gkfOfNmYuA@mail.gmail.com> <CAF8qwaCPbQfXWvTm7VgS7G6XAfzEY_=rTfD2CzRWsSod+MpC2Q@mail.gmail.com> <CACykbs08ico3WVDK-E=sqTSVPD=gYQdJ8eiQzyxhKqY=q_EPUQ@mail.gmail.com> <CAF8qwaCPQ1JwKKwbM9THnhiO=1F1V5Z_Wj5LYMjZkyf0W-zygg@mail.gmail.com> <75b70352-9cc5-4aa1-9cca-42f37fe615d2@www.fastmail.com> <CACykbs3jHsasE4MmDWYGyZfq-TT3rhq84hbU6VOoP9XYo8__pg@mail.gmail.com>
In-Reply-To: <CACykbs3jHsasE4MmDWYGyZfq-TT3rhq84hbU6VOoP9XYo8__pg@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Fri, 28 Feb 2020 11:09:09 -0500
Message-ID: <CAF8qwaCm2T8OW3fqmV4e-MCTzpp0fKg_Z8=18RqdV+78wqiHQA@mail.gmail.com>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: Christopher Wood <caw@heapingbits.net>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000bb275d059fa50fe6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rpud3MOk0EbbrnUtK26XUu2T2UM>
Subject: Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2020 16:09:30 -0000

On Fri, Feb 28, 2020 at 10:58 AM Jonathan Hoyland <
jonathan.hoyland@gmail.com> wrote:

> On Fri, 28 Feb 2020 at 04:49, Christopher Wood <caw@heapingbits.net>
> wrote:
>
>> On Thu, Feb 27, 2020, at 1:31 PM, David Benjamin wrote:
>> > On Mon, Feb 24, 2020 at 5:58 PM Jonathan Hoyland
>> > <jonathan.hoyland@gmail.com> wrote:
>> > > This would be for cases where we want to inject extra context into a
>> resumption.
>> > > That would be anything that changes an authentication property, so
>> for example if you wanted to include some agreement on the status of a
>> post-handshake auth or Exported Authenticator.
>> > >
>> > > So for example imagine I had a session during which I received an EA
>> and when I came to resume that session I wished to indicate that I was
>> still willing to accept the EA.
>> > > I would offer a special PSK and inject some extra material into the
>> handshake*, and if the server was able / willing to agree to this it would
>> select the PSK.
>> > > I could also offer a PSK with no extra injected material, as a
>> fallback, and request the EA again.
>> > >
>> > > * This would only affect the binder for the PSK in the ClientHello.
>> >
>> > I'm still not following. If you're resuming, this is a PSK issued from
>> > a NewSessionTicket, in which case this isn't an imported PSK at all.
>> > It's a resumption PSK and uses "res binder". If we needed to negotiate
>> > variations on a resumption, this importer mechanism wouldn't give us a
>> > way to express that anyway. I expect we'd instead lean on some
>> > combination of multiple tickets, NewSessionTicket extensions, and plain
>> > ClientHello extensions. But maybe I'm still not understanding the
>> > scenario.
>>
> The security of combinations of tickets is non-trivial to reason about
> (though not impossible), in the same way as Exported Authenticators (which
> makes sense given that EAs would be a reason to do this).
> I'll have to give some thought to a compelling use case, but I just like
> the option for consistency.
> Then again it is said "A foolish consistency is the hobgoblin of little
> minds [...]", so ...
>

Well, if we never end up adding "imp r binder", then the current spelling
is more consistent. If we later add "imp r binder", then your proposed
spelling is more consistent. If we later add "imp r binder" but spell it
"xyz binder", then I guess the current spelling is more consistent.

The label values don't *actually* matter so this is all aesthetics at this
point. My assertion is that if we have clear reason to believe we'll add
"imp r binder", then "imp e binder" seems reasonable. If we don't have a
reason to believe we will, let's just leave it as is. Either way, it's
probably not worth expending too much effort on it. :-)


> > > Another potential use would be the binding for ECHO, although I don't
>> have a clear enough picture of the precise mechanics of that to know if it
>> would be helpful.
>> >
>> > Chris is probably more up-to-date here, but I don't believe the current
>> > ECHO design looks like a funny PSK.
>>
>> That's right -- it's just another extension in the outer CH.
>>
>
> I was thinking about the ECHO design from a forward/backward binding
> perspective.
> I think we should make the smallest number of changes to the key schedule
> possible that will cover all possible future use cases, so an overall
> consistent approach would be ideal.
> If the WG doesn't adopt a key schedule extension draft (either mine,
> draft-Stebila, or some other one) then this looks like the strongest choice.
>
>
>> Best,
>> Chriss
>>
>> > > Something that would allow for a consistent naming in the future
>> would be my preference, because just as "imp binder" doesn't preclude "imp
>> r binder", using "imp e binder" doesn't preclude us never adopting "imp r
>> binder".
>> > > I vaguely remember discussing whether the longer name would tip us
>> into an extra hash invocation at the last IETF, and concluding that it
>> didn't, although I'd have to double check that.
>> >
>> > Of course. Yeah, I think the more pertinent question is whether "imp r
>> > binder" is actually a thing.
>> > > Regards,
>> > >
>> > > Jonathan
>> > >
>> > > On Mon, 24 Feb 2020, 22:23 David Benjamin, <davidben@chromium.org>
>> wrote:
>> > >> On Mon, Feb 24, 2020 at 4:33 PM Jonathan Hoyland <
>> jonathan.hoyland@gmail.com> wrote:
>> > >>> Just looking at this again, it might be better to make a slightly
>> different tweak to the key schedule.
>> > >>> Instead of:
>> > >>>                 0
>> >                 |
>> >                 v
>> >       PSK ->  HKDF-Extract = Early Secret
>> >                 |
>> >                 +-----> Derive-Secret(., "ext binder"
>> >                 |                      | "res binder"
>> >                 |                      | "imp binder", "")
>> >                 |                     = binder_key                v
>> > >>>
>> > >>> We should do:
>> > >>>
>> > >>>                 0
>> >                 |
>> >                 v
>> >       PSK ->  HKDF-Extract = Early Secret
>> >                 |
>> >                 +-----> Derive-Secret(., "ext binder"
>> >                 |                      | "res binder"
>> >                 |                      | "imp e binder"
>> > |                      | "imp r binder", "")
>> >                 |                     = binder_key                v
>> > >>> or at least:
>> > >>>                 0
>> >                 |
>> >                 v
>> >       PSK ->  HKDF-Extract = Early Secret
>> >                 |
>> >                 +-----> Derive-Secret(., "ext binder"
>> >                 |                      | "res binder"
>> >                 |                      | "imp e binder", "")
>> >                 |                     = binder_key                v
>> > >>>
>> > >>>
>> > >>> Just so that we can distinguish between external imported binders
>> and resumed imported binders, should we at some point decide to do both.
>> > >>
>> > >> I may just be confused, but what would a resumed imported binder
>> mean? I see this mechanism as largely a bugfix for TLS 1.3 external PSKs,
>> rather than a new kind of adjective describing PSKs.
>> > >>
>> > >> ("imp binder" also doesn't preclude "imp r binder" later if we later
>> define something which needs it, but I'm confused what the concept even
>> would be.)
>> > >>
>> > >> David
>> > >>> On Mon, 24 Feb 2020 at 20:50, Christopher Wood <caw@heapingbits.net>
>> wrote:
>> > >>>> On Fri, Feb 21, 2020, at 1:15 PM, Rob Sayre wrote:
>> > >>>>  >
>> > >>>>  >
>> > >>>>  > On Fri, Feb 21, 2020 at 8:35 AM Eric Rescorla <ekr@rtfm.com>
>> wrote:
>> > >>>>  > >
>> > >>>>  > >
>> > >>>>  > > On Thu, Feb 20, 2020 at 7:08 PM Rob Sayre <sayrer@gmail.com>
>> wrote:
>> > >>>>  > >> Hi,
>> > >>>>  > >>
>> > >>>>  > >> I'm not sure how violations of these requirements would
>> result in poor interoperability:
>> > >>>>  > >>
>> > >>>>  > >> Clients which import external keys TLS MUST NOT use these
>> keys for
>> > >>>>  > >> any other purpose. Moreover, each external PSK MUST be
>> associated
>> > >>>>  > >> with at most one hash function.
>> > >>>>  > >>
>> > >>>>  > >> These seem like aspirational security goals. It would be
>> better to describe the consequences of violating these conditions.
>> > >>>>  > >
>> > >>>>  > > I don't agree. They are requirements in order to be able to
>> make the assertions we want to make about the security of the protocol.
>> > >>>>  > >
>> > >>>>  > > This is consistent with the following text of RFC 2119 S 6
>> > >>>>  > > ".. or to limit behavior which has potential for causing harm
>> (e.g., limiting retransmisssions) "
>> > >>>>  > >
>> > >>>>  > > I don't think it would be unreasonable.to explain the reason
>> for these, though this is already a requirement of 8446 S 4.2.11 (though
>> without justification).
>> > >>>>  >
>> > >>>>  > I think that interpretation of 2119 is a stretch, but your idea
>> to add
>> > >>>>  > an explanation while keeping the 2119 terms addresses my
>> concern. At
>> > >>>>  > the very least, the draft should note this is already a
>> requirement of
>> > >>>>  > 8446.
>> > >>>>
>> > >>>>  That seems perfectly reasonable! We can point to the security
>> considerations to clarify the "single hash function" requirement, and we
>> can note cross protocol attack deterrence for the other claim. Would that
>> suffice? If not, can you please recommend text?
>> > >>>>
>> > >>>>  Thanks,
>> > >>>>  Chris
>> > >>>>
>> > >>>>  _______________________________________________
>> > >>>>  TLS mailing list
>> > >>>> TLS@ietf.org
>> > >>>> https://www.ietf.org/mailman/listinfo/tls
>> > >>>  _______________________________________________
>> > >>>  TLS mailing list
>> > >>> TLS@ietf.org
>> > >>> https://www.ietf.org/mailman/listinfo/tls
>>
>

v2.23.0 | Report a Bug | By Email