Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
Nikos Mavrogiannopoulos <nmav@redhat.com> Fri, 27 July 2018 09:07 UTC
Return-Path: <nmav@redhat.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 03CCE130DF2 for <tls@ietfa.amsl.com>; Fri, 27 Jul 2018 02:07:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CKEmMfRyT7yr for <tls@ietfa.amsl.com>; Fri, 27 Jul 2018 02:07:23 -0700 (PDT)
Received: from mail-wm0-f50.google.com (mail-wm0-f50.google.com [74.125.82.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0601712426A for <tls@ietf.org>; Fri, 27 Jul 2018 02:07:23 -0700 (PDT)
Received: by mail-wm0-f50.google.com with SMTP id h20-v6so4672481wmb.4 for <tls@ietf.org>; Fri, 27 Jul 2018 02:07:22 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:message-id:subject:from:to:cc:date:in-reply-to :references:mime-version:content-transfer-encoding; bh=J5BpsvFhaRapqOB1Io7rlkVth6zAcH8lL0zXhfxP6n0=; b=phVX+eDgMjMSPs5n7Z7+yfj0MsFl63EDY9xe/EteL+kzECfO0SmzhbXH8aVk+4seYl F2DqtKistldMVL6+4ztlUHzNydob3g16pccXN10dH8uipHaK3C8unZ7Rb0uRLfL3y5AT UmU9hE7ZHV3sALhLbWnENmQPNn8XqZ3NZ5HZCYXHR3o0YXOAX8sIsi0dUTIPuwydEXIU 34/VQQ4Vaf9U0UfIXUoytHkbHsw02k59hAsDhBnoYPNWTrQiaozNSGB6/BSAPIrep6Za WxytxDcRB4iNjzRmZRmV4sBjBdICZxhyRMdWOWDGDiyKlbSlh+/Rxsi6RSQonfCWEU76 5kTg==
X-Gm-Message-State: AOUpUlH9qByj3yx+JFY/qe7wPnlxK5H4UF2VOmyEkgZep5bZALxXl6oF Jva69OZ0m1SS2Ifp+W33eo6oaA==
X-Google-Smtp-Source: AAOMgpdPQk2/ST7LeaEMnRsYxFSAxYGiSPafy01TKCJfml9W8UkxL9BL6qt5ll5rT3D+HXYIgyDWBw==
X-Received: by 2002:a1c:93d2:: with SMTP id v201-v6mr3622191wmd.77.1532682441422; Fri, 27 Jul 2018 02:07:21 -0700 (PDT)
Received: from dhcp-10-40-1-102.brq.redhat.com (nat-pool-brq-t.redhat.com. [213.175.37.10]) by smtp.gmail.com with ESMTPSA id h83-v6sm4792324wmf.46.2018.07.27.02.07.20 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Fri, 27 Jul 2018 02:07:20 -0700 (PDT)
Message-ID: <53da03a8ca05f4bb443bba1a2faeb46b750e7c2e.camel@redhat.com>
From: Nikos Mavrogiannopoulos <nmav@redhat.com>
To: Eric Rescorla <ekr@rtfm.com>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Date: Fri, 27 Jul 2018 11:07:20 +0200
In-Reply-To: <CABcZeBO=LnxybFq2uog3UYoGgnb0KiE3oG=hGY5UWYauOtwMBw@mail.gmail.com>
References: <20180719230009.GD14551@akamai.com> <CABcZeBO=LnxybFq2uog3UYoGgnb0KiE3oG=hGY5UWYauOtwMBw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
X-Mailer: Evolution 3.28.4 (3.28.4-1.fc28)
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uMutsRLhLUo8xdj5HwxSBGL4WuE>
Subject: Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Jul 2018 09:07:25 -0000
On Thu, 2018-07-26 at 10:58 -0700, Eric Rescorla wrote:
> Ben,
>
> Thanks for focusing on this issue.
>
> Chris and I have been discussing an alternative design which we think
> is more consistent with the existing structure, which we call PSK
> Importers. As with your design, we have an input universal PSK, but
> instead of using explicitly as part of the connection, we just use it
> as the base key to import a set of new PSKs into TLS.
>
> As with Universal PSKs (UPSKs), each input key is a triplet of
> (BaseIdentity, BaseKey, KDF), where a BaseIdentity is a PSK identity
> as used today. To use a UPSK, an implementation takes the set of KDF
> hashes it knows about H_i and derives a set of PSKs:
>
> Hash_i: H_i
> Identity_i: BaseIdentity || H_i
> Key_i: Derived from BaseKey and Identity_i
>
> This gives you a set of keys which you can offer simultaneously on
> the
> TLS connection in independent psk_identity blocks. (Note that the
> hash
> algorithm is what differentiates each derived key.) This is a bit
> ugly, but with the current TLS 1.3 ciphers, this basically just means
> SHA-256, but even in the worst case it’s probably only 2-3.
>
> The nice thing about this design is that if you know the set of hash
> functions, you can just compute all the imported PSKs in advance, and
> there’s no need to touch the internals of the TLS stack. This also
> means that if you have decided you don’t like old hash X, you don’t
> need to use it to compute PSK binders, you just use it do the KDF,
> which seems like it has weakersecurity requirements.
>
> Here’s a specific construction, but we’re flexible about the details:
>
> struct {
> opaque base_identity<1...2^16-1>;
> HashAlgorithm hash;
> } imported_psk_identity;
That looks nice, as it allows compatibility with existing psk
implementations.
One improvement could be to have a magic number, to allow easy
disambiguation between an potential existing "raw" (non ascii username
identity), and the new approach.
struct {
opaque magic[4]; // 0x544c0103
HashAlgorithm hash;
opaque base_identity<1...2^16-1>;
} imported_psk_identity;
Such a field will also allow further future improvements to that
approach if needed and allow for incompatible changes in draft versions
as the magic serves as version number.
regards,
Nikos
- [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3 Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… David Benjamin
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Jonathan Hoyland
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Matt Caswell
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Benjamin Kaduk
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Nikos Mavrogiannopoulos
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Ilari Liusvaara
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Karthikeyan Bhargavan
- Re: [TLS] on sharing PSKs between TLS 1.2 and TLS… Eric Rescorla