IETF Logo Mail Archive

Re: [TLS] TLS 1.3 servers and psk_key_exchange_modes == [psk_ke]?

Viktor Dukhovni <ietf-dane@dukhovni.org> Tue, 07 March 2023 14:50 UTC

Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7362C15153D for <tls@ietfa.amsl.com>; Tue, 7 Mar 2023 06:50:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wgUgrnhnke_r for <tls@ietfa.amsl.com>; Tue, 7 Mar 2023 06:50:04 -0800 (PST)
Received: from straasha.imrryr.org (straasha.imrryr.org [100.2.39.101]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3297DC14CEE4 for <tls@ietf.org>; Tue, 7 Mar 2023 06:50:03 -0800 (PST)
Received: by straasha.imrryr.org (Postfix, from userid 1001) id 0DBB5126750; Tue, 7 Mar 2023 09:50:02 -0500 (EST)
Date: Tue, 07 Mar 2023 09:50:02 -0500
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: tls@ietf.org
Message-ID: <ZAdPGnIJe63I035Z@straasha.imrryr.org>
Reply-To: tls@ietf.org
References: <Y/1ngz1ITlYds2WP@straasha.imrryr.org> <SY4PR01MB6251E03AE8A05E38FA8A3F0DEEB79@SY4PR01MB6251.ausprd01.prod.outlook.com> <ZAbL6AP8uzgb60NB@straasha.imrryr.org> <CACcvr=mS9DM__U-7=SEg58YFCJzfhheckbY==QNRy2KFCY8x2A@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CACcvr=mS9DM__U-7=SEg58YFCJzfhheckbY==QNRy2KFCY8x2A@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vywnRShDVHk1egun78MVylCGBwY>
Subject: Re: [TLS] TLS 1.3 servers and psk_key_exchange_modes == [psk_ke]?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2023 14:50:08 -0000

On Mon, Mar 06, 2023 at 11:18:50PM -0800, Nick Harper wrote:

> > Basically, one way or another, PSK key exchange mode negotiation needs
> > to be interoperable by default.
> 
> Based on your first message, it sounds like you have identified an
> implementation where it is not interoperable. All of the spec language in
> the world won’t fix implementation bugs.

It isn't the only one.

> PSK only key exchange lacks forward secrecy.

That's not quite accurate.  Resumption via PSK-only key exchange is not
compromised by disclosure of the server's long-term private keys.  Yes,
disclosure of the short-term ticket encryption key can compromise a set
of sessions, and so clients are free to not offer "psk_ke".

> For general purpose libraries, defaulting to PSK-DHE with forward
> secrecy is the right choice for security.

Defaulting, sure, provided both sides offer it.  But defaulting
(interoperable) is different from exclusively offering only psk_dhe_ke
(not interoperable with clients offeringl only "psk_ke").

> (As you point out, a server that only supports DHE PSKs shouldn’t send
> new session tickets to a client that doesn’t support psk_dhe_ke, but
> that doesn’t contradict psk_dhe_ke only as being a sane default.)

Yes, but the more serious issue is that resumption is impossible,
sending an unusable ticket is only a minor nuisance.

> RFC 8446 provides the right building blocks, and delegates the choice of
> which to use to an application profile standard. There’s no need for any
> additional language in the TLS 1.3 spec to encourage or mandate the use of
> non-FS PSK modes.

I disagree, protocols need to be interoperable by default.  Features
that fragment clients and servers into non-interoperable islands of
compatibility are poorly designed.  This is why we have MTI code points,
and mechanisms to negotiate more preferred options.  We need both PSK
modes to be MTI and enabled by default, with the stronger chosen when
mutually supported and enabled.

> For applications where forward secrecy isn’t needed or the computation
> costs outweigh the security benefits, the application profiles for
> those use cases can encourage or mandate psk_ke.

This is not well understood or likely to happen.  For example, ADoT in
DNS (from iterative resolver to authoritative server, not user to
resolver) is a good candidate for psk_ke, but it is not possible to to
enable it, so as a non-trivial fraction of servers are psk_dhe_ke-only,
negotiating "psk_ke" based on the client's preferred mode does not work.
This is a protocol issue first, and implementation issue second.

> > Meanwhile, when there's no other choice, keep using TLS 1.2.

[ See thread on TLS 1.2 deprecation, it is much too early to consider. ]

--
    Viktor.

v2.23.0 | Report a Bug | By Email