[TLS] Review of draft-ietf-tls-external-psk-guidance-00
John Mattsson <john.mattsson@ericsson.com> Tue, 29 September 2020 07:58 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45EF63A0417 for <tls@ietfa.amsl.com>; Tue, 29 Sep 2020 00:58:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.301
X-Spam-Level:
X-Spam-Status: No, score=-3.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-1.2, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xSN3suySpmhP for <tls@ietfa.amsl.com>; Tue, 29 Sep 2020 00:58:17 -0700 (PDT)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10082.outbound.protection.outlook.com [40.107.1.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1C47F3A0414 for <TLS@ietf.org>; Tue, 29 Sep 2020 00:58:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kKHbUub/IiLKUNaFY9En07qeFRfY9ll3vdCedC+QJbzJG2l80Yn/E25O4wMRlquC9Jirn18bvxWJfhx7AgYUkF9eJwShaziUWmkv5ZTrBi5oH1xUID4ct27LyWj3zSH4N2Dvq85WwxIJiTIisiwXnRjpyL6tNZ8m+lXsm+MNdX2PiPyn6zx6RDUXbb7tRQRpPH6r+yWfo2zc15z/EG3yZO5O5SeCX6sOUn7Uz9uYjMbT4IoMYI3zavAx/6gEioYG1zkw20vThyXQl5WcO4s/UpOFdV3wZiNm39pk7P6Skm6KCNY127hbtQvEEkDdro/GscmomlibnQJjZ6omI81LhQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qk1Q/rdFo1v9kFc8h0DslZRGxZywQa6iwVVYTzzHqsE=; b=mS+29xLnrQW2fQ7BRWYmu0+owZ+BXV09ziPjzFg81BA0zOxJygl66j4pXUy4MTyakPfVhqh7+pYq5LDr4D98M9tL7eyoIo2NzhyImxdnnyPFCfP0ItgGbNqUSUTTgpvi/3hfCKlIrTSEVqWwUJlIBHDsW2nO9fSpu/E3i8LhQNw3rhMTsoTQa1KwNdE8H4BZlBVV9pP9h15joI/HtjtMIk4L8JpipLjrXKD2/sZxDYnSslvTX+GgRj2gDLOiYYYhhCT2BauxjKOWr4n1dxSJKrk+59sDy/6BkX0PXhV2A61diwnrW5h0hESimYUmY7XMUBy+tDWxWo48GJADxaMmZg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qk1Q/rdFo1v9kFc8h0DslZRGxZywQa6iwVVYTzzHqsE=; b=BWI0uqQV+C4/m7HOylaqwahJSDjnz0YCpIXraS855di5/wGSNk2tUlZ1bfzSIJzfVpPMDDzwONhb8CC47ii9+CQo2o1KSFYWU9eSR/aneBK3gjw0SU1ayBNRSnIS9TN28jBH9GXhAiIyKJ/87XZFVYFb55QJh0Pa3hNRmjcIXOI=
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com (2603:10a6:20b:17::24) by AM5PR0701MB2498.eurprd07.prod.outlook.com (2603:10a6:203:11::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3433.13; Tue, 29 Sep 2020 07:58:10 +0000
Received: from AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c]) by AM6PR07MB4584.eurprd07.prod.outlook.com ([fe80::951:a4c3:7f39:e39c%5]) with mapi id 15.20.3433.032; Tue, 29 Sep 2020 07:58:10 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: Review of draft-ietf-tls-external-psk-guidance-00
Thread-Index: AQHWljZGvVQswLN9b0GeV+66OiwzAA==
Date: Tue, 29 Sep 2020 07:58:10 +0000
Message-ID: <FA5E20A8-5994-40CD-B9FD-0803B7153B6C@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.40.20081000
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: edd03d35-ce71-42c8-2279-08d8644d688c
x-ms-traffictypediagnostic: AM5PR0701MB2498:
x-microsoft-antispam-prvs: <AM5PR0701MB2498C361F081A4A749693F4189320@AM5PR0701MB2498.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: OPXwxgPob4ThyCAjFym0sf4gKoCteXcO7HCtTXppnIGd4DmZZejFGkUiGXC3mP3Doo/PSB1kB0XPAjhXNGmwe7E6LXfbcw9Bb4/mj6/VSyzavh8Lolq/DULZ0tDchTvHnC7e9GDAvB+i5mRS4EdlXvdpzizoMXx76UEO6+gKdcQYQRf84SKz8YKXAeiX7lv76d20fn1tgZFGrRJanZVGmx+WbkasMPCehTmbPpKNlRo3WFn2njWqAmhAHrl/ZA7H/XHezLfIFDxWSDVuMMTKTvHbIZ114YlN0FBO4q30VLvbIpoXun2huRoCn8yWzL/s2D/roHsp3wwrowlEQ9YZCw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM6PR07MB4584.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(396003)(346002)(136003)(39860400002)(366004)(376002)(44832011)(71200400001)(316002)(5660300002)(8676002)(8936002)(6916009)(66446008)(64756008)(66556008)(66476007)(66946007)(91956017)(76116006)(478600001)(2906002)(6506007)(6486002)(36756003)(83380400001)(2616005)(6512007)(26005)(186003)(33656002)(86362001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: QrvX8a5n8wxt1b+XibugPqpUS+Bsh33NQSHwMNx9MoVAGlgZBqa43WQVUB9X0IdcTSvm6cH2MAgeUjfTLaRR4PY1Xi89Biv0z77O2ODJbkkTMLp20sof9vrljBQ3kN6sCFDWH0jyruEzmhehPsQyv/gHby7yD4LnrS4kgN51/WuBEgrz/LHDQx1UiCTub5A36XU8s7xLFtUV/m4v1D/RTa8zWCpJ7dTyRLMgZ4oZShs72ICWmOBd6C28cvQyLXKt34on3idZoAWAKfcwyabG6UCOQLJnrfNr8YsjFdGDVb/bXJxyf70X8TniQJ+uTKBgCOzh10/5/JCJOMCKA1Gw3cUUaoSDzbtbb/IG1Aop9SpY9KyGqpT9OdmyG7lbfV02H9gTRPd1quZCTqov2Im5raHpQAOWIdIUnsFXeQPZyI+Giy3L6tLFmHDxAi9dn48huqtoibCZCHhFJOSgFbcD9GhFt/mR9ksQFjd8eOG8OJZW1Co2vNzTFtlZQRqcM940c0iyJczPIur/oPDoN8r59QQgV1bG6HvqDr9XpczJWk8GD07sLITQLHh2WHqgyjXZuH12/LA4M1cPVN/eoQBu9bRF6Aiq54CiXiTzWy4NpuydWEQsnuJLqxFFot1+jsiVnkjP13pPnd+ucGLDl5F8tw==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <2FC63A2A1B90B6469D1D4D8B93EF8828@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM6PR07MB4584.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: edd03d35-ce71-42c8-2279-08d8644d688c
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Sep 2020 07:58:10.1359 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MXQJkzNafbwquuAkHRLK0KNRfMRbJAOcLYdmg5jt5eyxOzqM1+Uqc4g+U6WC/87iR4miE0Iy5nYORjHoanUZ3DI5fuMv4b3MQtZAi4cvanY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5PR0701MB2498
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/td0JCNvSI2E1xdMhaT4pydH85x0>
Subject: [TLS] Review of draft-ietf-tls-external-psk-guidance-00
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Sep 2020 07:58:19 -0000
Hi, I think is a very well written and very useful document. Comments and suggestions: - Abstract and Section 1 ”It lists TLS security properties provided by PSKs under certain assumptions and demonstrates how violations of these assumptions lead to attacks.” I think a very important objective of the document is to list the security properties not provided by PSKs. Suggestion: ”It lists TLS security properties provided by PSKs as well as security properties not provided by PSKs” - Section 4 “There are a number of obvious weaknesses here:” The are several more weaknesses/attacks possible when using a group PSK: - If PSK with DH is used, a group member that actively MITM the handshakes and all following traffic can eavesdrop or modify all traffic. - If PSK without DH is used, a group member that passively eavesdropped on the handshake can eavesdrop on or modify selected traffic. The list is now a mixture of a misbehaving group member and an attacker that compromised a group member. I would suggest that the list only talks about what a group member can to and then after the list states that “If a group member is compromised, then the attacker can perform all of the above attacks.” - Section 4 The are several more weaknesses/limitation (not attacks) when using a group PSK: - Revocation of individual group members is not possible without changing the authentication key for all members. - Network activity logging becomes less useful as messages can only be tied to the group and not individual members (or pair of members). There also several weaknesses/limitation that are hinted at in RFC 8446 which apply for two-party PSK authenticated connections. As this is a guidance document for all uses of external PSK, I think this document should bring up and expand upon: - Key Compromise Impersonation (KCI) resistance - Protection of endpoint identities - Forward secret with respect to long-term keys (psk_ke only) An additional security property given by signature authentication but not psk authentication is non-repudiation. As stated by Wikipedia “By this property, an entity that has signed some information cannot at a later time deny having signed it.” - Section 4 ”In addition to these, a malicious non-member can reroute handshakes between honest group members to connect them in unintended ways, as detailed below. The attack only works under certain assumption on the PSK identity and PSK. It does not work if the members use their identities “A”, “B”, “C” to create PSK identities or derive pairwise PSKs from a master group key. This should be clarified. - Section 5 ”As a result, a passive adversary can link two or more connections together that use the same external PSK on the wire. Sending identifiers in cleartext lead to more weaknesses than linkability. Suggestion: ”As a result, a passive adversary can link two or more connections together that use the same external PSK on the wire. Depending on the PSK identity, a passive attacker may also be able to identify the device, person, or enterprise running the TLS client or TLS server. An active attacker can also use the PSK identity to oppress handshakes or application data from a specific device/user by blocking, delaying, or rate-limit traffic. Section 6 ”Internet of Things (IoT) and devices with limited computational capabilities.” Limited memory and storage might be more important. Most devices today have computational capabilities to do asymmetric crypto, it is computational capabilities combined with latency requirement that is limiting. Section 6 ”[RFC7925] defines TLS and DTLS profiles for resource-constrained devices and suggests the use of PSK” This kind of makes is sounds like PSK is recommended over ECDSA. Both RFC 7252 and RFC 7925 treats ECDSA and PSK authentication equally. Section 6 ”There are also use cases where PSKs are shared between more than two entities. Some examples below (as noted by Akhmetzyanova et al.[Akhmetzyanova]):” These are not real use cases. Akhmetzyanova et. Al. clearly states that they are “providing two dummy systems”, I.e. these are not real systems. If there are no actual concrete use cases, the use of group PSK should maybe stay forbidden. Section 7.1 “OpenSSL and BoringSSL: Applications specify support for external PSKs via distinct ciphersuites.” I assume this is not the case for TLS 1.3 as the cipher suites in TLS 1.3 are independent of the authentication. Section 8 “It is NOT RECOMMENDED to share the same PSK between more than one client and server.” As described earlier in the document, group PSK violates both “peer authentication” and “downgrade protection property”. It also violates “secrecy of the session keys”. Two-party PSK already does not provide “Key Compromise Impersonation (KCI) resistance” and “Protection of endpoint identities” and psk_key does not provide “Forward secret with respect to long-term keys”. So when psk_ke is used in a group, the only property left is “Uniqueness of the session keys”... I am skeptical to introduce this new group PSK mode in an informal guidance document. If group PSK should be allowed, it should be more clearly declared as a new mode of TLS 1.3 and the security properties given and not given should be more clearly stated. Cheers, John
- [TLS] Review of draft-ietf-tls-external-psk-guida… John Mattsson
- Re: [TLS] Review of draft-ietf-tls-external-psk-g… John Mattsson