Re: [TLS] Distinguishing between external/resumption PSKs
Richard Barnes <rlb@ipv.sx> Thu, 19 September 2019 22:04 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 085C9120241 for <tls@ietfa.amsl.com>; Thu, 19 Sep 2019 15:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tL9oBFJ_dSdq for <tls@ietfa.amsl.com>; Thu, 19 Sep 2019 15:03:59 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 327161200C5 for <tls@ietf.org>; Thu, 19 Sep 2019 15:03:59 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id s22so4500789otr.6 for <tls@ietf.org>; Thu, 19 Sep 2019 15:03:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Be81FgCHI3qU/tuk5xBn7Fb/9AGggLpmcHs7qsmWnq0=; b=lPYdE9WUZukIIsvbZqmqLyD30m8DOq73IkVd0YYWzXCSKrwuFAedhaVUi6ReMX3zSh 6htvpSl/KO5SNGATlKhT1euAgUGOXw/kVFPfwCrZ7njrk9PYIaPxGFA0/EykkakzDqX2 kimAXOXg1Q7zpU1h29eWdg2SmyqEX4VIuwCKAzJ3ggBd29p3Zm2igryPzE2ELjom80Y0 /CQOkzBSRZ3awMCs3zddHSWluN0fU3Bkh2MEZjC8vpFFby1d3wPBeKFInMKs5Xxh9Gcz y9T/npVnVAEpQT3veHzZ06E5KUl2dlYVgAcxF9rX4eOHsKpc/c0cdIPtRmKrXazQAAce oQGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Be81FgCHI3qU/tuk5xBn7Fb/9AGggLpmcHs7qsmWnq0=; b=RmVKSwdwwnhCvJj5sJuqLbrIZ0U4Im7PEeQ61gqehoipj9X6GriHlNppJ2cDu93ukd /zBWDAkKWKIh0ca4Csyg9AJ6y1awGuiUOx3iqeFSNcKPwQDlsnLJgJvm5mxr+5tE2/M6 8j064atdsIMMGPo/29Gs/WYZ6d/qoC2sjSmj97BcU515CCmGdnkGixX5Y0XQ/lDbOULh yY6zbExF8cVK3xFZnhTHkokRFR7WgpiYkfAPowXmJU5eyKQBq5yHB9WFLMC9LhA0DkRz hrNEohQf1HinPnAEbc2d7SgLIRb17WG9kwFPaD90g8RYzQ3J3Zh9XuiKnfAQ+etnjY3o 4hMQ==
X-Gm-Message-State: APjAAAUbOZfeUCaopyLFXgs/Amalhby8aSNItopWo685tpo9jR7zKUjw kqznhVLeQirPxJ7BBBvx0LHcHMdctYlpYIoiPyeM8LY8r8I=
X-Google-Smtp-Source: APXvYqz0cpGGSBp5BXsKmB/4fZ0UNncaMnXd0t2sCfH0AWH3M02w5WtsaDPtCgvHIEGj29yR5ey/K28qwexzGVPXiDM=
X-Received: by 2002:a9d:6c9a:: with SMTP id c26mr8882577otr.241.1568930638186; Thu, 19 Sep 2019 15:03:58 -0700 (PDT)
MIME-Version: 1.0
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs3aQxM3kxa3khOYbj8naXfcaPmSOKY01nAsuAyfEWYkzg@mail.gmail.com> <CAL02cgT73q0iOj=7fMsneQwjAFFDnSYM92MhV0adSfU2qOCurQ@mail.gmail.com> <CACykbs2=e9LvnvvU=zOWuzqeU4aYXOA3SPWBwQGyPcW6QjrSkA@mail.gmail.com> <CAL02cgSuFGNd26TS8bNbjhh+YEYVbAH5TQBneeLNyouZemAZXw@mail.gmail.com> <DDFDB072-63F6-4B52-9F64-56772910515D@huitema.net> <20190919183539.GB5002@localhost> <CAL02cgRdeP6noogLiVXzthKGMNGq7gyFhPKqHGQCsrACg9Cs5A@mail.gmail.com> <20190919214851.GC5002@localhost>
In-Reply-To: <20190919214851.GC5002@localhost>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 19 Sep 2019 18:03:44 -0400
Message-ID: <CAL02cgQXGdq06YkU-0kqcybbCmZT33diW+d09ZMKyKEqNo_uzQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Christian Huitema <huitema@huitema.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005dddcd0592ef2160"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sxov2pXwgit0WYvBCcudN_XyxnM>
Subject: Re: [TLS] Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2019 22:04:01 -0000
On Thu, Sep 19, 2019 at 5:49 PM Nico Williams <nico@cryptonector.com> wrote: > On Thu, Sep 19, 2019 at 04:57:17PM -0400, Richard Barnes wrote: > > I don't think anyone's asking for these cases to be differentiable on the > > wire. The question is whether the *server* can differentiate, in > > particular, the application running on the server. > > And the answer to that one is "yes", because the server has control over > the PSK IDs. > That glosses over an important distinction made up-thread: When we say "the server", there is typically a distinction between the TLS stack and the server application logic. Resumption PSKs are typically controlled by the TLS stack, while external PSKs are provided by the application logic. The question is how the application logic, when presented with a session authenticated under a given PSK ID, can distinguish whether the PSK used was one provided by the TLS stack for resumption, or provided by the application logic. --Richard
- [TLS] Distinguishing between external/resumption … Owen Friel (ofriel)
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Owen Friel (ofriel)
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Christian Huitema
- Re: [TLS] Distinguishing between external/resumpt… Nico Williams
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Nico Williams
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Nico Williams
- Re: [TLS] Distinguishing between external/resumpt… Mohit Sethi M
- Re: [TLS] Distinguishing between external/resumpt… Nikos Mavrogiannopoulos
- Re: [TLS] Distinguishing between external/resumpt… Rob Sayre
- Re: [TLS] Distinguishing between external/resumpt… Rob Sayre
- [TLS] Selfie attack was Re: Distinguishing betwee… Mohit Sethi M
- Re: [TLS] Selfie attack was Re: Distinguishing be… Hao, Feng
- Re: [TLS] Selfie attack was Re: Distinguishing be… John Mattsson
- Re: [TLS] Selfie attack was Re: Distinguishing be… Viktor Dukhovni
- Re: [TLS] Selfie attack was Re: Distinguishing be… Hao, Feng
- Re: [TLS] Selfie attack was Re: Distinguishing be… Christopher Wood
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack John Mattsson
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Christopher Wood
- Re: [TLS] Selfie attack Christian Huitema
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Christopher Wood
- Re: [TLS] Selfie attack was Re: Distinguishing be… Hao, Feng
- Re: [TLS] Selfie attack John Mattsson
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack John Mattsson