Re: [TLS] Distinguishing between external/resumption PSKs

Richard Barnes <rlb@ipv.sx> Thu, 19 September 2019 22:04 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 085C9120241 for <tls@ietfa.amsl.com>; Thu, 19 Sep 2019 15:04:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tL9oBFJ_dSdq for <tls@ietfa.amsl.com>; Thu, 19 Sep 2019 15:03:59 -0700 (PDT)
Received: from mail-ot1-x333.google.com (mail-ot1-x333.google.com [IPv6:2607:f8b0:4864:20::333]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 327161200C5 for <tls@ietf.org>; Thu, 19 Sep 2019 15:03:59 -0700 (PDT)
Received: by mail-ot1-x333.google.com with SMTP id s22so4500789otr.6 for <tls@ietf.org>; Thu, 19 Sep 2019 15:03:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Be81FgCHI3qU/tuk5xBn7Fb/9AGggLpmcHs7qsmWnq0=; b=lPYdE9WUZukIIsvbZqmqLyD30m8DOq73IkVd0YYWzXCSKrwuFAedhaVUi6ReMX3zSh 6htvpSl/KO5SNGATlKhT1euAgUGOXw/kVFPfwCrZ7njrk9PYIaPxGFA0/EykkakzDqX2 kimAXOXg1Q7zpU1h29eWdg2SmyqEX4VIuwCKAzJ3ggBd29p3Zm2igryPzE2ELjom80Y0 /CQOkzBSRZ3awMCs3zddHSWluN0fU3Bkh2MEZjC8vpFFby1d3wPBeKFInMKs5Xxh9Gcz y9T/npVnVAEpQT3veHzZ06E5KUl2dlYVgAcxF9rX4eOHsKpc/c0cdIPtRmKrXazQAAce oQGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Be81FgCHI3qU/tuk5xBn7Fb/9AGggLpmcHs7qsmWnq0=; b=RmVKSwdwwnhCvJj5sJuqLbrIZ0U4Im7PEeQ61gqehoipj9X6GriHlNppJ2cDu93ukd /zBWDAkKWKIh0ca4Csyg9AJ6y1awGuiUOx3iqeFSNcKPwQDlsnLJgJvm5mxr+5tE2/M6 8j064atdsIMMGPo/29Gs/WYZ6d/qoC2sjSmj97BcU515CCmGdnkGixX5Y0XQ/lDbOULh yY6zbExF8cVK3xFZnhTHkokRFR7WgpiYkfAPowXmJU5eyKQBq5yHB9WFLMC9LhA0DkRz hrNEohQf1HinPnAEbc2d7SgLIRb17WG9kwFPaD90g8RYzQ3J3Zh9XuiKnfAQ+etnjY3o 4hMQ==
X-Gm-Message-State: APjAAAUbOZfeUCaopyLFXgs/Amalhby8aSNItopWo685tpo9jR7zKUjw kqznhVLeQirPxJ7BBBvx0LHcHMdctYlpYIoiPyeM8LY8r8I=
X-Google-Smtp-Source: APXvYqz0cpGGSBp5BXsKmB/4fZ0UNncaMnXd0t2sCfH0AWH3M02w5WtsaDPtCgvHIEGj29yR5ey/K28qwexzGVPXiDM=
X-Received: by 2002:a9d:6c9a:: with SMTP id c26mr8882577otr.241.1568930638186; Thu, 19 Sep 2019 15:03:58 -0700 (PDT)
MIME-Version: 1.0
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs3aQxM3kxa3khOYbj8naXfcaPmSOKY01nAsuAyfEWYkzg@mail.gmail.com> <CAL02cgT73q0iOj=7fMsneQwjAFFDnSYM92MhV0adSfU2qOCurQ@mail.gmail.com> <CACykbs2=e9LvnvvU=zOWuzqeU4aYXOA3SPWBwQGyPcW6QjrSkA@mail.gmail.com> <CAL02cgSuFGNd26TS8bNbjhh+YEYVbAH5TQBneeLNyouZemAZXw@mail.gmail.com> <DDFDB072-63F6-4B52-9F64-56772910515D@huitema.net> <20190919183539.GB5002@localhost> <CAL02cgRdeP6noogLiVXzthKGMNGq7gyFhPKqHGQCsrACg9Cs5A@mail.gmail.com> <20190919214851.GC5002@localhost>
In-Reply-To: <20190919214851.GC5002@localhost>
From: Richard Barnes <rlb@ipv.sx>
Date: Thu, 19 Sep 2019 18:03:44 -0400
Message-ID: <CAL02cgQXGdq06YkU-0kqcybbCmZT33diW+d09ZMKyKEqNo_uzQ@mail.gmail.com>
To: Nico Williams <nico@cryptonector.com>
Cc: Christian Huitema <huitema@huitema.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000005dddcd0592ef2160"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/sxov2pXwgit0WYvBCcudN_XyxnM>
Subject: Re: [TLS] Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2019 22:04:01 -0000

On Thu, Sep 19, 2019 at 5:49 PM Nico Williams <nico@cryptonector.com>; wrote:

> On Thu, Sep 19, 2019 at 04:57:17PM -0400, Richard Barnes wrote:
> > I don't think anyone's asking for these cases to be differentiable on the
> > wire.  The question is whether the *server* can differentiate, in
> > particular, the application running on the server.
>
> And the answer to that one is "yes", because the server has control over
> the PSK IDs.
>

That glosses over an important distinction made up-thread: When we say "the
server", there is typically a distinction between the TLS stack and the
server application logic.  Resumption PSKs are typically controlled by the
TLS stack, while external PSKs are provided by the application logic.  The
question is how the application logic, when presented with a session
authenticated under a given PSK ID, can distinguish whether the PSK used
was one provided by the TLS stack for resumption, or provided by the
application logic.

--Richard