IETF Logo Mail Archive

Re: [TLS] Pre_shared_key Extension Question

Benjamin Kaduk <bkaduk@akamai.com> Thu, 18 August 2016 15:47 UTC

Return-Path: <bkaduk@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BD90912DE1C for <tls@ietfa.amsl.com>; Thu, 18 Aug 2016 08:47:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.967
X-Spam-Level:
X-Spam-Status: No, score=-3.967 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-1.247, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vsK9v7Lez0lz for <tls@ietfa.amsl.com>; Thu, 18 Aug 2016 08:47:09 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (prod-mail-xrelay07.akamai.com [23.79.238.175]) by ietfa.amsl.com (Postfix) with ESMTP id B185612DE9E for <tls@ietf.org>; Thu, 18 Aug 2016 08:47:09 -0700 (PDT)
Received: from prod-mail-xrelay07.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id CC2F0433424; Thu, 18 Aug 2016 15:47:08 +0000 (GMT)
Received: from prod-mail-relay11.akamai.com (prod-mail-relay11.akamai.com [172.27.118.250]) by prod-mail-xrelay07.akamai.com (Postfix) with ESMTP id B254F433408; Thu, 18 Aug 2016 15:47:08 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1471535228; bh=zRLpCZ9vVjH2PH/zS30BXPFocsFHBnhn6WNery1FkJY=; l=5552; h=To:References:Cc:From:Date:In-Reply-To:From; b=fsdQvpj24FSIPgvIcs7p+ASxL4nAImby8J2HCmNyyJiF9z39EwfRW6R+tNvJpeGIq mUmwq95baqSnxI/CNEwytG+DDzdv2mxhEYSjjxreCelOX/VeckbKzJnblRBpUwn/37 QowKxB5Qfv+6EI5MkI3en4Gsgj9oQ9sgg8/fXql8=
Received: from [172.19.0.25] (bos-lpczi.kendall.corp.akamai.com [172.19.0.25]) by prod-mail-relay11.akamai.com (Postfix) with ESMTP id 7D6641FC88; Thu, 18 Aug 2016 15:47:08 +0000 (GMT)
To: Eric Rescorla <ekr@rtfm.com>
References: <fa85eafb-b2f5-b5c2-859a-a2e24d734324@gmx.net> <CABcZeBOBffGU6RWgfMkRhqzxLd-yUw0v_CoUvtdDyTR0Ubvm6A@mail.gmail.com> <4458b764-8814-a3b6-0765-1692d19e278f@akamai.com> <CABcZeBMM_OKPifQ=G+wEnUzJXfV=oJwoAa8zjLVTkHx94A798A@mail.gmail.com>
From: Benjamin Kaduk <bkaduk@akamai.com>
X-Enigmail-Draft-Status: N1110
Message-ID: <b45384ae-bd1b-a079-2bb1-d56cd1b39644@akamai.com>
Date: Thu, 18 Aug 2016 10:47:08 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <CABcZeBMM_OKPifQ=G+wEnUzJXfV=oJwoAa8zjLVTkHx94A798A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------EFC232BF323CBFD377C5DC31"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vGKDg1B0_p823qZfrAK0xucsvuA>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] Pre_shared_key Extension Question
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Aug 2016 15:47:12 -0000

On 08/18/2016 10:29 AM, Eric Rescorla wrote:
>
>
> On Thu, Aug 18, 2016 at 8:18 AM, Benjamin Kaduk <bkaduk@akamai.com
> <mailto:bkaduk@akamai.com>> wrote:
>
>     On 08/17/2016 05:17 PM, Eric Rescorla wrote:
>>     It would be a fairly significant simplification to say you could
>>     only have one PSK, because then we could easily require the
>>     client to prove knowledge of the key, for instance by stuffing a
>>     MAC at the end of the ClientHello as we discussed in Berlin.
>>
>>     So:
>>     Is there any demand for multiple identities? I do not believe
>>     there is any in the Web context. If not, we should remove this
>>     feature.
>>
>
>     Then at PSK rollover time, clients are expected to fall back to a
>     new TLS connection using the other PSK?
>
>
> I'm not sure I follow. Can you say more?
>

With caveat that I don't deploy PSK-based systems and this is before my
morning coffee ... suppose I have a related group of IoT devices that
use TLS+PSK to communicate.  But, I don't want the long-term
cryptographic secret (the PSK) to be permanent and unchanging, since
that's not best practices and leaves me in a tough spot if it ever
leaks.  So, I generate a new PSK every three months, provide a device on
the network that lets the devices retrieve the new one, and everyone is
supposed to expire the old one a month after the new one is available. 
My PSK identities could then be something like "2016Q2" (or something
more complicated; it doesn't really matter), but since the devices are
autonomous and not synchronized, I can't have a "flag day" transition
from using the 2016Q1 to 2016Q2 key.  At some point, a device will try
to use the 2016Q2 key as a client against a server device that only has
the 2016Q1 key, and the handshake fails.  In the rollover scenario I
describe, the client can then try a new handshake with the 2016Q1 key
instead of the 2016Q2 key, which should succeed.

Given the benefits of only allowing one PSK identity from the client, I
am fine with requiring the second hanshake in this (contrived?)
scenario; I just wanted to mention it so that we know what we're getting
into.

-Ben

v2.23.0 | Report a Bug | By Email