Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs

"Christopher Wood" <caw@heapingbits.net> Sat, 05 October 2019 11:41 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8036F12012C for <tls@ietfa.amsl.com>; Sat, 5 Oct 2019 04:41:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=ZKAm45yz; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=ikDdBeJr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jK_FGPhxx3qs for <tls@ietfa.amsl.com>; Sat, 5 Oct 2019 04:41:44 -0700 (PDT)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF48B1200D5 for <tls@ietf.org>; Sat, 5 Oct 2019 04:41:43 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.nyi.internal (Postfix) with ESMTP id 5BBED21D73 for <tls@ietf.org>; Sat, 5 Oct 2019 07:41:43 -0400 (EDT)
Received: from imap4 ([10.202.2.54]) by compute6.internal (MEProxy); Sat, 05 Oct 2019 07:41:43 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :subject:content-type:content-transfer-encoding; s=fm2; bh=CIOYI jZaAvH1ZseaVS+Mq3IcWocmIu1qkNp6sJrYUfI=; b=ZKAm45yzNxXRPSThEezi4 7WtQWeEtTTppwhI5vnmw1h9yEJpebBi7r9myiXsvesoIRds66BUutR5Wk9uK8Kxt Patvi7RQvvGeQV3/f6+oWAVe9WUaiTXvVJnhlLRAv0LPp2kF8ORHyirAbWO+EzFY rTIqX7C15jvzz42om0zJrKlM1dnghJFcQjLkgR5ckK+/H8PJktQHwvL+FL9Xi4VA WtH94oAbU2ZnIRALj76SU6qEeuteBFyKFhNjPcujZRdnedA16HKA5/n6p9bH3fLO uCswf7GiXdQsjrmNPbA9D2e5n9lZ1xvhDQ8/SmNePSBJRmTqBX6/V8rpQsusfIZs w==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm3; bh=CIOYIjZaAvH1ZseaVS+Mq3IcWocmIu1qkNp6sJrYU fI=; b=ikDdBeJrJTqO1D2mMMUL8VqUcYOpN0oosVkhxeZx3vsZaZSGEYdGvjJwL cAU34Oimqr1+Kjpq/OPApcBDFP7O7g9HVprgZsBXR25x/XLgGhcfkurONP6aVQWH 4f2mB5G6/AfuAsLWSBMDAS3Gcl9cvEsKs96+TR8Sor4POngMrQLB3ONEk1le7D6r 0h9sAj9paIRkhK9s3u6QEgDyMf+yAHpnifk+oeaZybW5gsR0Evwx8R61PBf+KhPi t0tySVtrKwJBA6xWiuTNx3CW0s/6XRlb8lB6dn9Yo2ukwIga+SzrL/tJhxK+1PN7 0YjBxmhnIIQocrvI0IPfTT1ScO0Iw==
X-ME-Sender: <xms:d4GYXcYMiFvTHQvsS9MjlMYx-1cn6bSsaLozULoYVH5dmA0g9Bijuw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrheefgdegfecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgsehtqh ertderreejnecuhfhrohhmpedfvehhrhhishhtohhphhgvrhcuhghoohgufdcuoegtrgif sehhvggrphhinhhgsghithhsrdhnvghtqeenucffohhmrghinhepsghhrghmrdgrtgdruh hkpdhivghtfhdrohhrghenucfrrghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghp ihhnghgsihhtshdrnhgvthenucevlhhushhtvghrufhiiigvpedt
X-ME-Proxy: <xmx:d4GYXcRHQLFrr2poGz22R_I7XGYQNoKk7gfJnwvyggfB40KorQSuug> <xmx:d4GYXUi3tLEheg9QzlFTCWP63NG3PPOW2IihFD3F_kaME433vvNw1w> <xmx:d4GYXYuJn3lhb_L_IMXFCnzopi762igLOpa7dF_m6T1i-6jUu4auxA> <xmx:d4GYXWG8BCgtcJiQAf3SwMxUJJlvZGDu_G02Wpc7bHYLuFOb_WtcNg>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id EAE573C00A1; Sat, 5 Oct 2019 07:41:42 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-360-g7dda896-fmstable-20191004v2
Mime-Version: 1.0
Message-Id: <bb410c2a-6836-48a8-ac3d-de395f4c57d8@www.fastmail.com>
In-Reply-To: <FE583332-1915-4B5A-AAAB-AD854CF336B8@live.warwick.ac.uk>
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <964aab95-1a42-df82-e8e4-cf7ee15ba0f8@ericsson.com> <AE2F1D6C-39AD-4C2F-BE03-FA2F189BBF4B@live.warwick.ac.uk> <896F89B2-37D0-4674-881D-FB9FE4874978@ericsson.com> <FE583332-1915-4B5A-AAAB-AD854CF336B8@live.warwick.ac.uk>
Date: Sat, 05 Oct 2019 04:41:22 -0700
From: "Christopher Wood" <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain;charset=utf-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vhzb3PLrkP1ZD3PF86o3R8QIbwM>
Subject: Re: [TLS] =?utf-8?q?Selfie_attack_was_Re=3A_Distinguishing_between_e?= =?utf-8?q?xternal/resumption_PSKs?=
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Oct 2019 11:41:46 -0000

Hi Feng,

For what it's worth, the latest version of the PSK importers draft includes a "context" field into which identity information can be fed:

   https://tools.ietf.org/html/draft-ietf-tls-external-psk-importer-01#appendix-B

Best,
Chris

On Tue, Sep 24, 2019, at 9:19 AM, Hao, Feng wrote:
> Hi John,
> 
> Reflection attacks are indeed older, but the selfie attack is a bit 
> different. It's actually a variant of the unknown key share attack. A 
> typical example of the UKS attack is the one reported on MQV by Kaliski 
> in 2001 (see "An unknown key-share attack on the MQV key agreement 
> protocol" in ACM TISSEC 2001). In that example, the adversary plays 
> message between two users to cause confusion in the identity, but in 
> Selfie, the adversary plays message with only one user and uses another 
> instance of the user to cause confusion in the identity. When we 
> reported this variant of UKS in [3], we were not aware of anything like 
> that in the literature.
> 
> Cheers,
> Feng
> 
> ´╗┐On 24/09/2019, 16:17, "John Mattsson" <john.mattsson@ericsson.com>; wrote:
> 
>     Hi,
>     
>     I think these reflection attacks are much older than this. I quick 
> search for reflection attack security protocol gives a lot of old 
> results, The description of reflection attack in the following lecture 
> material from 2009 looks just like the "selfie attack" on TLS 1.3
>     http://www.cs.bham.ac.uk/~tpc/cwi/Teaching/Files/Lecture4_6up.pdf
>     
>     With multiple sections there are other things that change as well. 
> If two nodes unintentionally initiate simultaneous ClientHello to each 
> other, even if they only want a single secure connection (I have seen 
> live systems where this happens in practice), an attacker can select 
> which ClientHello to block (e.g. the one with the strongest 
> cryptographic parameters). The following security property would then 
> no longer hold :
>     
>       "Downgrade protection:  The cryptographic parameters should be the
>           same on both sides and should be the same as if the peers had been
>           communicating in the absence of an attack"
>     
>     (I have not looked at what the definitions in [BBFGKZ16] say).
>     
>     Cheers,
>     John
>     
>     -----Original Message-----
>     From: TLS <tls-bounces@ietf.org>; on behalf of "Hao, Feng" 
> <Feng.Hao@warwick.ac.uk>;
>     Date: Tuesday, 24 September 2019 at 16:09
>     To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>;, 
> "Owen Friel (ofriel)" <ofriel@cisco.com>;, Jonathan Hoyland 
> <jonathan.hoyland@gmail.com>;
>     Cc: "TLS@ietf.org"; <tls@ietf.org>;
>     Subject: Re: [TLS] Selfie attack was Re: Distinguishing between 
> external/resumption PSKs
>     
>         
>         On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M" 
> <tls-bounces@ietf.org on behalf of 
> mohit.m.sethi=40ericsson.com@dmarc.ietf.org>; wrote:
>         
>             Hi all,
>             
>             On the topic of external PSKs in TLS 1.3, I found a 
> publication on the 
>             Selfie attack: 
> https://protect2.fireeye.com/url?k=dd432f13-81c9e5ad-dd436f88-869a17b5b21b-dc6c6f0a5dd21faf&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2019%2F347
>             
>             Perhaps this was already discussed on the list. I thought 
> that sharing 
>             it again wouldn't hurt while we discuss how servers 
> distinguish between 
>             external and resumption PSKs.
>             
>         I just read the paper with interest. It occurs to me that the 
> selfie attack is consistent with the "impersonation attack" that we 
> reported on SPEKE in 2014; see Sec 4.1 [1] and the updated version with 
> details on how SPEKE is revised in ISO/IEC 11770-4 [2]. The same attack 
> can be traced back to 2010 in [3] where a "worm-hole attack" (Fig. 5, 
> [3]) is reported on the self-communication mode of HMQV. The essence of 
> these attacks is the same: Bob tricks Alice into thinking that she is 
> talking to authenticated Bob, but she is actually talking to herself. 
> In [3], we explained that the attack was missed from the "security 
> proofs" as the proofs didn't consider multiple sessions. 
>         
>         The countermeasure we proposed in [1-3] was to ensure the user 
> identity is unique in key exchange processes: in case of multiple 
> sessions that may cause confusion in the user identity, an extension 
> should be added to the user identity to distinguish the instances. The 
> underlying intuition is that one should know "unambiguously" whom they 
> are communicating with, and perform authentication based on that. The 
> discovery of this type of attacks and the proposed solution are 
> inspired by the "explicitness principle" (Ross Anderson and Roger 
> Needham, Crypto'95), which states the importance of being explicit on 
> user identities and other attributes in a public key protocol; also see 
> [3]. I hope it might be useful to people who work on TLS PSK.
>         
>         [1] 
> https://protect2.fireeye.com/url?k=5a822513-0608efad-5a826588-869a17b5b21b-eb260151f78b0718&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2014%2F585.pdf
>         [2] https://arxiv.org/abs/1802.04900
>         [3] 
> https://protect2.fireeye.com/url?k=d5bf88ff-89354241-d5bfc864-869a17b5b21b-0e9b3bf58e104f32&q=1&u=https%3A%2F%2Feprint.iacr.org%2F2010%2F136.pdf 
>         
>         
>         _______________________________________________
>         TLS mailing list
>         TLS@ietf.org
>         https://www.ietf.org/mailman/listinfo/tls
>         
>     
>     
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>