IETF Logo Mail Archive

Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard

Hubert Kario <hkario@redhat.com> Wed, 07 March 2018 12:51 UTC

Return-Path: <hkario@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80EA312751F; Wed, 7 Mar 2018 04:51:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_SPF_HELO_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pIp96NCijKAX; Wed, 7 Mar 2018 04:51:54 -0800 (PST)
Received: from mx1.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5333312708C; Wed, 7 Mar 2018 04:51:54 -0800 (PST)
Received: from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com [10.11.54.3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 6BD9F81A8EC8; Wed, 7 Mar 2018 12:51:53 +0000 (UTC)
Received: from pintsize.usersys.redhat.com (ovpn-200-41.brq.redhat.com [10.40.200.41]) by smtp.corp.redhat.com (Postfix) with ESMTP id 3555D112C268; Wed, 7 Mar 2018 12:51:52 +0000 (UTC)
From: Hubert Kario <hkario@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: draft-ietf-tls-tls13@ietf.org, "<tls@ietf.org>" <tls@ietf.org>, IETF discussion list <ietf@ietf.org>
Date: Wed, 07 Mar 2018 13:51:46 +0100
Message-ID: <3226233.3oPuUMPEbk@pintsize.usersys.redhat.com>
In-Reply-To: <CABcZeBOpPW_0=2qfCL4Uc8y8=o8Toj8cVec0=hLUCucUJNwO-w@mail.gmail.com>
References: <151880080195.1349.14035524657942875385.idtracker@ietfa.amsl.com> <21708133.DmTAOkxbDk@pintsize.usersys.redhat.com> <CABcZeBOpPW_0=2qfCL4Uc8y8=o8Toj8cVec0=hLUCucUJNwO-w@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="nextPart2336933.BFfdCHI88J"; micalg="pgp-sha512"; protocol="application/pgp-signature"
X-Scanned-By: MIMEDefang 2.78 on 10.11.54.3
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 07 Mar 2018 12:51:53 +0000 (UTC)
X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.8]); Wed, 07 Mar 2018 12:51:53 +0000 (UTC) for IP:'10.11.54.3' DOMAIN:'int-mx03.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'hkario@redhat.com' RCPT:''
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/tGYRuxPstx1Q1n3kLVYsv0LyBB8>
Subject: Re: [TLS] external PSK identity enumeration Re: UPDATED Last Call: <draft-ietf-tls-tls13-24.txt> (The Transport Layer Security (TLS) Protocol Version 1.3) to Proposed Standard
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Mar 2018 12:51:56 -0000

On Wednesday, 21 February 2018 15:31:33 CET Eric Rescorla wrote:
> i think your general point is sound here, but I'll nitpick the statement
> that
> "if the server recognises an identity but is unable to verify corresponding
> binder".
> 
> 1. The server only picks one identity so you if you send A, B, and C and you
> get an abort, you don't know if it recognized one or all.
> 2. The server can *recognize* the identity but ignore it (say it's a ticket
> that's
> too old)
> 
> With that said, I think it would probably be safe to say you must ignore an
> identity
> where the binder doesn't validate, but I'd like to hear from cryptographers
> on this
> one.

Proposed https://github.com/tlswg/tls13-spec/pull/1167 so that we don't forget 
about it.
 
> Thanks,
> -Ekr
> 
> On Wed, Feb 21, 2018 at 6:26 AM, Hubert Kario <hkario@redhat.com> wrote:
> > On Wednesday, 21 February 2018 15:21:58 CET Eric Rescorla wrote:
> > > On Wed, Feb 21, 2018 at 6:13 AM, Hubert Kario <hkario@redhat.com> wrote:
> > > > On Friday, 16 February 2018 18:06:41 CET The IESG wrote:
> > > > > The IESG has received a request from the Transport Layer Security WG
> > > > 
> > > > (tls)
> > > > 
> > > > > to consider the following document: - 'The Transport Layer Security
> > > > > (TLS)
> > > > > Protocol Version 1.3'
> > > > > 
> > > > >   <draft-ietf-tls-tls13-24.txt> as Proposed Standard
> > > > 
> > > > The current draft states that if the server recognises an identity but
> > 
> > is
> > 
> > > > unable to verify corresponding binder, it "MUST abort the handshake"
> > > 
> > > Which text are you referring to here?
> > 
> > Section 4.2.11:
> >    Prior to accepting PSK key establishment, the server MUST validate
> >    the corresponding binder value (see Section 4.2.11.2 below).  If this
> >    value is not present or does not validate, the server MUST abort the
> >    handshake.  Servers SHOULD NOT attempt to validate multiple binders;
> >    rather they SHOULD select a single PSK and validate solely the binder
> >    that corresponds to that PSK.
> > > 
> > > -Ekr
> > > 
> > > at the same time, they "SHOULD select as single PSK and validate solely
> > 
> > the
> > 
> > > > binder that corresponds to that PSK"
> > > > (Page 60, draft-ietf-tls-tls13-24).
> > > > 
> > > > That allows for trivial enumeration of externally established
> > 
> > identities -
> > 
> > > > the
> > > > attacker just needs to send to the server a list of identity guesses,
> > 
> > with
> > 
> > > > random data as binders, if the server recognises any identity it will
> > > > abort
> > > > connection, if it doesn't, it will continue to a non-PSK handshake.
> > > > 
> > > > Behaviour like this is generally considered a vulnerability:
> > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0190
> > > > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5229
> > > > 
> > > > I was wondering if the document shouldn't recommend ignoring any and
> > 
> > all
> > 
> > > > identities for which binders do not verify to prevent this kind of
> > 
> > attack.
> > 
> > > > --
> > > > Regards,
> > > > Hubert Kario
> > > > Senior Quality Engineer, QE BaseOS Security team
> > > > Web: www.cz.redhat.com
> > > > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
> > > > _______________________________________________
> > > > TLS mailing list
> > > > TLS@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/tls
> > 
> > --
> > Regards,
> > Hubert Kario
> > Senior Quality Engineer, QE BaseOS Security team
> > Web: www.cz.redhat.com
> > Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic


-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic

v2.20.3 | Report a Bug | By Email