Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

Hubert Kario <hkario@redhat.com> Tue, 13 March 2018 17:44 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AACF4124BAC; Tue, 13 Mar 2018 10:44:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a6eX_hsX32th; Tue, 13 Mar 2018 10:44:47 -0700 (PDT)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A9B9A127601; Tue, 13 Mar 2018 10:44:47 -0700 (PDT)
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id DBCA44023BB3; Tue, 13 Mar 2018 17:44:46 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (unknown [10.43.21.223]) by smtp.corp.redhat.com (Postfix) with ESMTP id 270DFAB400; Tue, 13 Mar 2018 17:44:45 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Ilari Liusvaara <ilariliusvaara@welho.com>
Cc: TLS WG <tls@ietf.org>, iesg@ietf.org
Date: Tue, 13 Mar 2018 18:44:39 +0100
Message-ID: <3060420.fu6fxUo7fv@pintsize.usersys.redhat.com>
In-Reply-To: <20180313151848.GA26250@LK-Perkele-VII>
References: <6112806.hxzZ6NivhB@pintsize.usersys.redhat.com> <20180313151848.GA26250@LK-Perkele-VII>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart3827793.3DyBKaybik"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 13 Mar 2018 17:44:46 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.7]); Tue, 13 Mar 2018 17:44:46 +0000 (UTC) for IP:'10.11.54.5' DOMAIN:'int-mx05.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sKnVsFi3MZOKVzpLP5s1H1-ajo0>
Subject: Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Mar 2018 17:44:50 -0000

On Tuesday, 13 March 2018 16:18:48 CET Ilari Liusvaara wrote:
> On Mon, Mar 12, 2018 at 04:27:46PM +0100, Hubert Kario wrote:
> > When the server supports externally set PSKs that use human readable
> > identities (or, in general, guessable identities), the current text makes
> > it trivial to perform enumeration attack.
> 
> What would be impact of such enumeration attack? It seems to me that
> not disclosing identities is to make weak passwords more difficult to
> attack, but here there are no weak passwords.

the usernames themselves can be confidential information

behaviour like that was considered a vulnerability before, irrespective of 
robustness of passwords:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229

> Note that:
> 
> - There is no protection for the PSK identity, so putting anything
>   sensitive in it is a bad idea.

the server can be accessible both through Internet and through encrypted 
connections (e.g. IPsec), and while it exposing identities may not lead to an 
exploit, it very likely will make social engineering easier; it is information 
disclosure one way or the other

> - Passive attack gives attacker not only a valid PSK identity, but
>   enough information to mount high-speed offline cracking attack on the
>   PSK secret. Only one captured key exchange is needed, and (EC)DHE
>   does not help.

that does require you to be on-route of a connection and to capture it, that's 
much harder to do than firing up a simple script against any given server with 
PSK enabled.

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purky┼łova 115, 612 00  Brno, Czech Republic