Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3

David Benjamin <davidben@chromium.org> Thu, 02 February 2017 16:24 UTC

References: <0DA64421-5975-4B7E-BC08-7428AFA9D1A1@vigilsec.com> <CAF8qwaB8+o20QP71=zuCJ2EXt9EGFuLcn4s6es=gjnOccZE9fQ@mail.gmail.com> <9D8BEE12-49F9-4DE3-81C7-909CB114805F@vigilsec.com> <1b678d65-b146-b25f-c1ad-6dfc044f7ce0@akamai.com> <CABkgnnXfw45-R-Tvf2cZQGb4a5mas2yZRXT4q3ArRyTMSF9x2Q@mail.gmail.com> <733EE968-69EF-43A5-A39B-F016993A3CCD@vigilsec.com> <949EBD4E-613B-4B36-BD93-FDE3E4D4926F@vigilsec.com>
In-Reply-To: <949EBD4E-613B-4B36-BD93-FDE3E4D4926F@vigilsec.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 02 Feb 2017 16:24:43 +0000
Message-ID: <CAF8qwaA5ntF8iN99=tQyFt7dqucvcKNw9avgVRGJRmGu-3UswA@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/u3dXqDT2zbnkjI9Be1HOk0sGqyI>
Subject: Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3

I think this is much clearer, except for one bullet point below:

On Thu, Feb 2, 2017 at 10:22 AM Russ Housley <housley@vigilsec.com> wrote:

> [...]
>   -  If PSK and (EC)DH are being used together, then the server will:
>
>      --  send a "pre_shared_key" extension to indicate the selected
>          key;
>
>      --  provide a "key_share" extension; and
>
>      --  send the Certificate (Section 4.4.1) and CertificateVerify
>          (Section 4.4.2) messages.


This last bullet here contradicts what the specification says elsewhere. From
4.4.1:

"""
The server MUST send a Certificate message whenever the agreed-upon key
exchange method uses certificates for authentication (this includes all key
exchange methods defined in this document except PSK). This message conveys
the endpoint’s certificate chain to the peer.
"""

(Otherwise we defeat the point of resumption and lose PSK-based identities.)

Like MT, I am interested in a mode with both (right now we have a ticket
renewal cliff because only the initial handshake does an online signature),
but we'll need to work out the exact semantics. Going from one identity to
two identities, especially when one is added partway through the stream
(consider 0-RTT) has a lot of sharp edges.

Since this can easily be added as an extension (and would need one anyway
for negotiation), I think it's better to do it as a later document, so we
don't delay what we've done already or rush in a combined mode without
considering all the details. The document would just say "when PSK and
fancy_new_extension are both negotiated, then the server will [...]".
Plenty of extensions have modified the handshake message flow.

David
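An added illustration, not part of the thread: a small model of the server-side rules being debated, namely which ServerHello extensions and which authentication messages follow from negotiating a PSK, an (EC)DHE key share, or both, with the Certificate/CertificateVerify rule taken from the quoted Section 4.4.1 text. It also carries the PSK and (EC)DHE inputs through the key schedule to show that the two contribute at different HKDF-Extract stages. It assumes the key schedule as finalised in RFC 8446 (the thread predates that) and SHA-256 as the hash.

```python
# Added example (not from the thread): TLS 1.3 server flight and key-schedule
# inputs for PSK, (EC)DHE, and combined PSK + (EC)DHE. Assumes the RFC 8446
# key schedule and SHA-256; transcript inputs are simplified to empty.
import hashlib
import hmac

HASH = hashlib.sha256
HLEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    # HkdfLabel = uint16 length || opaque label<7..255> || opaque context<0..255>
    full = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full)]) + full + bytes([len(context)]) + context
    out, prev, i = b"", b"", 1
    while len(out) < length:
        prev = hmac.new(secret, prev + info + bytes([i]), HASH).digest()
        out, i = out + prev, i + 1
    return out[:length]


def derive_secret(secret: bytes, label: bytes, transcript: bytes) -> bytes:
    return hkdf_expand_label(secret, label, HASH(transcript).digest(), HLEN)


def handshake_secret(psk: bytes = b"", ecdhe: bytes = b"") -> bytes:
    # RFC 8446 7.1: an absent PSK or (EC)DHE input is replaced by HLEN zero bytes,
    # so "both" means each stage gets real entropy rather than a zero placeholder.
    early = hkdf_extract(bytes(HLEN), psk or bytes(HLEN))
    derived = derive_secret(early, b"derived", b"")
    return hkdf_extract(derived, ecdhe or bytes(HLEN))


def server_flight(psk_selected: bool, dhe: bool) -> dict:
    # ServerHello extensions plus the messages that follow it. Certificate and
    # CertificateVerify appear only when authentication is not PSK-based, which
    # is the Section 4.4.1 rule the message quotes.
    if not (psk_selected or dhe):
        raise ValueError("no key exchange negotiated")
    exts = (["pre_shared_key"] if psk_selected else []) + (["key_share"] if dhe else [])
    msgs = ["EncryptedExtensions"]
    if not psk_selected:
        msgs += ["Certificate", "CertificateVerify"]
    return {"extensions": exts, "messages": msgs + ["Finished"]}
```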