IETF Logo Mail Archive

Re: [TLS] TLS 1.3, Raw Public Keys, and Misbinding Attacks

Martin Thomson <mt@lowentropy.net> Fri, 29 March 2024 01:43 UTC

Return-Path: <mt@lowentropy.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 418C2C14F6A0 for <tls@ietfa.amsl.com>; Thu, 28 Mar 2024 18:43:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.098
X-Spam-Level:
X-Spam-Status: No, score=-7.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lowentropy.net header.b="OZQ3sLBs"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="IhV5sEvr"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IweygG0V1c89 for <tls@ietfa.amsl.com>; Thu, 28 Mar 2024 18:43:42 -0700 (PDT)
Received: from fout8-smtp.messagingengine.com (fout8-smtp.messagingengine.com [103.168.172.151]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D618C14F684 for <tls@ietf.org>; Thu, 28 Mar 2024 18:43:42 -0700 (PDT)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.47]) by mailfout.nyi.internal (Postfix) with ESMTP id 3E63F13800BE for <tls@ietf.org>; Thu, 28 Mar 2024 21:43:41 -0400 (EDT)
Received: from imap41 ([10.202.2.91]) by compute6.internal (MEProxy); Thu, 28 Mar 2024 21:43:41 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lowentropy.net; h=cc:content-transfer-encoding:content-type:content-type:date :date:from:from:in-reply-to:in-reply-to:message-id:mime-version :references:reply-to:subject:subject:to:to; s=fm3; t=1711676621; x=1711763021; bh=D+Hta2sZ6Nc2SkQ2/VRt28r7tvBmcsvzI0NCUg+Vugs=; b= OZQ3sLBs5cqkL7Um4fbavMjypIZUCUDqFXGTQwFiXP/DPlQC8rU26Hwz4RNO2yvc Zx+79jOOPMASaBsNDiNYtD+6nCZAa8y5F07vVZxwb5Lowx9CEQMFkKg/CanyIRFk ylElfzmYUFEwCLHjrr7XbT/OuzfuV++iN+v9ekW6P8S8rbuIk1XQCEDosp7w0tld jZWRph3ELkmILB/XMLHHbJSzCaSGL8bxxHvVu5wExdjtLgzw4wcEFWeDpQKlIKOW gV7FpsyWOfnh5tOiaBVgaDL22K1x64Oxf6LVYgx0OpoS+b6weitcp+/O3qUOOSjA 9O9M7ZLu9sUdSifeIVGxjw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm2; t=1711676621; x= 1711763021; bh=D+Hta2sZ6Nc2SkQ2/VRt28r7tvBmcsvzI0NCUg+Vugs=; b=I hV5sEvr5LD2lpmfaLhqsgdcNj9C9j3m/01dOanBKmm+P6igBTwHRxS42XKXYSiGQ V2ojaQ1pzOlBsCDklMSB4O0h1TZKaMl3+m4KXjnxpuDHWn+hfTCuAd8IYzhYQxeK Ew5UBhhPAlKyIzOXSnzuiuyghy53Cqe2VhpeFuasEI0mS8VfuI0SK56ablTK9CkG vAExY8qTmgo+sXTIpnWKdayNcm5ID+f43ApUqdRUfzhS5D/jzjYWu6UU70xQ0JAF JQUEfCzEa8WvhFnsxb4WfrJHxGuA/FP5Ht10xxPOH2RD48KylBheW7kmCrMkHYnf mTs+54Eu+PPgkABsTfW0A==
X-ME-Sender: <xms:zBwGZikaVJD6gk1zloDXWnSHs_5aF4C2UwebF9Y8h8eONvAs54jL8g> <xme:zBwGZp0VEvfdASdNArCvM96f45MIr5AylKG7i2wB87MHsXaxRAw7FyN1vwkYsIu09 zMkT7RTNXvoB4z0QPg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrudduledgudeikecutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecunecujfgurhepofgfggfkjghffffhvffutgfgse htqhertderreejnecuhfhrohhmpedfofgrrhhtihhnucfvhhhomhhsohhnfdcuoehmthes lhhofigvnhhtrhhophihrdhnvghtqeenucggtffrrghtthgvrhhnpedufedthfdtudelhe fgvdfhgedtfeffvedufffhgfejvdevheeugeduleetuddvleenucffohhmrghinhepghhi thhhuhgsrdgtohhmpdhsphhrihhnghgvrhdrtghomhdpihgvthhfrdhorhhgnecuvehluh hsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhfrhhomhepmhhtsehlohifvghn thhrohhphidrnhgvth
X-ME-Proxy: <xmx:zRwGZgqaOnyFescqLz_nTon3oBVYKdxYlWcEDnhTYic7O9LgwIygCg> <xmx:zRwGZmn-c32H4O9XkiMWo_Wwy_JSfUDj-ZN0nt_twJo_TfYTwQTzlQ> <xmx:zRwGZg1tBXRVFiKY80ugv4eWLL-eROj2NRfPIik-rZuUsdHRtUPdUA> <xmx:zRwGZtu4K5Wq2zX4zEb0x9MTBqvQTkkUM-cONIAQJJ-cEafxLtQs4Q> <xmx:zRwGZt8Ne067yL14V0DIrm6_R0VxvdQou8GP8PCyP2-StVzZKvrrIg>
Feedback-ID: ic129442d:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id E5F292340081; Thu, 28 Mar 2024 21:43:40 -0400 (EDT)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-333-gbfea15422e-fm-20240327.001-gbfea1542
MIME-Version: 1.0
Message-Id: <f3f4ddcb-e852-4a1e-a32f-4f7f274d7bf0@betaapp.fastmail.com>
In-Reply-To: <da24e8f7-64d9-473d-855b-fd0fbf3fb67d@dennis-jackson.uk>
References: <GVXPR07MB9678DFD1EED3971606FB3DE6893B2@GVXPR07MB9678.eurprd07.prod.outlook.com> <da24e8f7-64d9-473d-855b-fd0fbf3fb67d@dennis-jackson.uk>
Date: Fri, 29 Mar 2024 12:43:20 +1100
From: Martin Thomson <mt@lowentropy.net>
To: tls@ietf.org
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/wSu3bPK8wOEQuoUc6AcitnnSmYY>
Subject: Re: [TLS] TLS 1.3, Raw Public Keys, and Misbinding Attacks
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Mar 2024 01:43:47 -0000

Dennis beat me to making the key point about identity :)

There are cases where identity misbinding is possible in similar systems.  RFC 8844 describes one such case.  However, this is not an inherent failing in TLS, but in the usage context.  That weakness was not the result of using raw public keys though.

What TLS *says* about this risk is really what we should be considering.  It might be enough to say that where TLS does not carry all of the relevant identification information, there is a risk of identity misbinding attacks.  This can be mitigated by including additional information about identity in the transcript and checking it for consistency (as RFC 8844 does).

On Fri, Mar 29, 2024, at 05:27, Dennis Jackson wrote:
> Hi John, 
>
> It depends what you mean by an identity. TLS1.3 ensures the peers agree 
> on the used RPKs and it doesn't rely on any external proof of 
> possession to achieve that property.
>
> How the peers come to trust the RPKs or their corresponding identity is 
> of necessity left to the application - not dissimilar to how the 
> application has to decide which root certificates to trust and whether 
> the leaf certificate is appropriate for the intended connection (e.g. 
> browsers extract the valid identities from the SAN). 
>
> Best,
> Dennis
>
> On 28/03/2024 15:22, John Mattsson wrote:
>> Hi,
>>  
>> I looked into what RFC 8446(bis) says about Raw Public Keys. As correctly stated in RFC 8446, TLS 1.3 with signatures and certificates is an implementation of SIGMA-I: 
>>  
>> SIGMA does however require that the identities of the endpoints (called A and B in [SIGMA]) are included in the messages. This is not true for TLS 1.3 with RPKs and TLS 1.3 with RPKs is therefore not SIGMA. TLS 1.3 with RPKs is vulnerable to what Krawczyk’s SIGMA paper calls misbinding attacks:
>>  
>> “This attack, to which we refer as an “identity misbinding attack”, applies to many seemingly natural and intuitive protocols. Avoiding this form of attack and guaranteeing a consistent binding between a session key and the peers to the session is a central element in the design of SIGMA.”
>>  
>> “Even more significantly we show here that the misbinding attack applies to this protocol in any scenario where parties can register public keys without proving knowledge of the corresponding signature key.”
>>  
>> As stated in Appendix E.1, at the completion of the handshake, each side outputs its view of the identities of the communicating parties. On of the TLS 1.3 security properties are “Peer Authentication”, which says that the client’s and server’s view of the identities match. TLS 1.3 with PRKs does not fulfill this unless the out-of-band mechanism to register public keys proved knowledge of the private key. RFC 7250 does not say anything about this either. 
>>  
>> I think this needs to be clarified in RFC8446bis. The only reason to ever use an RPK is in constrained IoT environments. Otherwise a self-signed certificate is a much better choice. TLS 1.3 with self-signed certificates is SIGMA-I.
>>  
>> It is worrying to find comments like this:
>>  
>> “I'd like to be able to use wireguard/ssh-style authentication for my app. This is possible currently with self-signed certificates, but the proper solution is RFC 7250, which is also part of TLS 1.3.”
>> https://github.com/openssl/openssl/issues/6929
>>  
>> RPKs are not the proper solution.
>>  
>> (Talking about misbinding, does RFC 8446 say anything about how to avoid selfie attacks where an entity using PSK authentication ends up talking to itself?)
>>  
>> Cheers,
>> John Preuß Mattsson
>>  
>> [SIGMA] https://link.springer.com/chapter/10.1007/978-3-540-45146-4_24
>>  
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email