Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs

"Hao, Feng" <Feng.Hao@warwick.ac.uk> Tue, 24 September 2019 14:07 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/x2Bq-ts2pg4Oh_zDta_UF9GI_gU>

On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M" <tls-bounces@ietf.org on behalf of mohit.m.sethi=40ericsson.com@dmarc.ietf.org> wrote:

    Hi all,
    
    On the topic of external PSKs in TLS 1.3, I found a publication on the 
    Selfie attack: https://eprint.iacr.org/2019/347
    
    Perhaps this was already discussed on the list. I thought that sharing 
    it again wouldn't hurt while we discuss how servers distinguish between 
    external and resumption PSKs.
    
I just read the paper with interest. It occurs to me that the selfie attack is consistent with the "impersonation attack" that we reported on SPEKE in 2014; see Sec 4.1 [1] and the updated version with details on how SPEKE is revised in ISO/IEC 11770-4 [2]. The same attack can be traced back to 2010 in [3] where a "worm-hole attack" (Fig. 5, [3]) is reported on the self-communication mode of HMQV. The essence of these attacks is the same: Bob tricks Alice into thinking that she is talking to authenticated Bob, but she is actually talking to herself. In [3], we explained that the attack was missed from the "security proofs" as the proofs didn't consider multiple sessions. 

The countermeasure we proposed in [1-3] was to ensure the user identity is unique in key exchange processes: in case of multiple sessions that may cause confusion in the user identity, an extension should be added to the user identity to distinguish the instances. The underlying intuition is that one should know "unambiguously" whom they are communicating with, and perform authentication based on that. The discovery of this type of attack and the proposed solution are inspired by the "explicitness principle" (Ross Anderson and Roger Needham, Crypto'95), which states the importance of being explicit on user identities and other attributes in a public key protocol; also see [3]. I hope it might be useful to people who work on TLS PSK.

[1] https://eprint.iacr.org/2014/585.pdf
[2] https://arxiv.org/abs/1802.04900
[3] https://eprint.iacr.org/2010/136.pdf
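
The identity-binding countermeasure described in the message above, as an added example that is not part of the original post and is not TLS 1.3, SPEKE or HMQV code. It is a toy PSK key-confirmation exchange; the `Endpoint` class, the function names, the identity strings and the PSK value are all constructed for illustration.

```python
import hashlib
import hmac
import os

PSK = b"constructed-sample-psk"  # constructed sample value, not from the thread


def confirm_mac(psk, nonces, sender=b"", receiver=b""):
    """Toy key-confirmation MAC; identities are length-prefixed to avoid ambiguity."""
    ids = b"".join(len(i).to_bytes(2, "big") + i for i in (sender, receiver))
    return hmac.new(psk, ids + nonces, hashlib.sha256).digest()


class Endpoint:
    """A PSK holder that can both initiate and respond (hypothetical toy model)."""

    def __init__(self, name, bind_identities):
        self.name, self.bind = name, bind_identities

    def _ids(self, sender, receiver):
        return (sender, receiver) if self.bind else (b"", b"")

    def respond(self, claimed_peer, client_nonce):
        """Responder: answer a hello that appears to come from claimed_peer."""
        server_nonce = os.urandom(16)
        ids = self._ids(self.name, claimed_peer)
        return server_nonce, confirm_mac(PSK, client_nonce + server_nonce, *ids)

    def accepts(self, expected_peer, client_nonce, server_nonce, mac):
        """Initiator: accept only the MAC expected_peer would send to us."""
        ids = self._ids(expected_peer, self.name)
        want = confirm_mac(PSK, client_nonce + server_nonce, *ids)
        return hmac.compare_digest(want, mac)


def honest_session_accepted(bind, me, peer):
    """me initiates and peer's responder really answers."""
    a, b = Endpoint(me, bind), Endpoint(peer, bind)
    cn = os.urandom(16)
    sn, mac = b.respond(me, cn)
    return a.accepts(peer, cn, sn, mac)


def reflected_session_accepted(bind, me, peer):
    """me initiates towards peer, but the hello is echoed to me's own responder."""
    a = Endpoint(me, bind)
    cn = os.urandom(16)
    sn, mac = a.respond(peer, cn)  # the responder believes peer is calling
    return a.accepts(peer, cn, sn, mac)
```

With identities bound into the MAC, a reflected session between `alice` and `bob` is rejected, but a user talking to another instance of herself under the bare name `alice` is still fooled; distinct instance identities such as `alice/1` and `alice/2` close that case.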