Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
"Hao, Feng" <Feng.Hao@warwick.ac.uk> Tue, 24 September 2019 14:07 UTC
Return-Path: <Feng.Hao@warwick.ac.uk>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA383120103 for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 07:07:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TgCTLwgaoRNB for <tls@ietfa.amsl.com>; Tue, 24 Sep 2019 07:07:46 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20085.outbound.protection.outlook.com [40.107.2.85]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4AE8E120840 for <tls@ietf.org>; Tue, 24 Sep 2019 07:07:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=DcI8aD244YMya6mSfBO9E+35aT/daUUTc9idKlTmI2JKdYpQFAxsmqmjDckYu3u91n8ZxUzLSDYjJ4mMhPke5qtkRMtrhLEC1taHZxsX/iORZoS5QkqeUxjxYW3pW9kvvnoGwkaRCrMS5i28KeAm1TlKY44fkz4S3xNlzSVWHKt2+2VTIrGOF7VsNXkBBZ/Tkpedqk77X0PB7ekhqMZe2LrrXkQ2nkSNpVfm4TpVPlWM2PQJQzZfZduJHFXYgvIcICmumNqULGB/WHDlQOT/oII99qZf1J2Hn3/ReHBb6Jd8FgqIr0NazbUuRulIis4nyn7jPaRhwPzX0TZVqBeV2g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ZMZ37pFnqcg3NDopSldsSj5tRfx0LmF1EkTq7+Fk6ro=; b=agm97/oC4ZWO6+v2iRFrFdoE7prfRz4wIGy7qmSaBezmRnSC3M5gE9/6kJ3k/t/4hooASpC7aUto6SY8Uykr9c2EQEIzrQ9qnsPfMszKehdXyoKlvd6ohRgLTvWdAxNwYm3cfS32DGzLf8xAXPo5rOYhnGQhcBLUXw/fCarzduHObg4LG/RldWyVdZ4eqXmPl8g0pjHG93eXcz2HOC+yNlSR7blboWl3SqmbZoO5vusEt5MhpMXKGiDKXPeyg8FzPIxKoVZMh4//okzpr3DZPW04SGxqg5XcB+53SsF/EfcuGmynXxE4wXOORIJLH0DokjoOeMe9e9EsbA8Ul67c9A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=warwick.ac.uk; dmarc=pass action=none header.from=warwick.ac.uk; dkim=pass header.d=warwick.ac.uk; arc=none
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com (20.178.104.28) by DB7SPR01MB0025.eurprd01.prod.exchangelabs.com (20.177.195.203) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.26; Tue, 24 Sep 2019 14:07:42 +0000
Received: from DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::55eb:f0c1:7e8e:3af5]) by DB7PR01MB5435.eurprd01.prod.exchangelabs.com ([fe80::55eb:f0c1:7e8e:3af5%7]) with mapi id 15.20.2284.023; Tue, 24 Sep 2019 14:07:42 +0000
From: "Hao, Feng" <Feng.Hao@warwick.ac.uk>
To: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>, "Owen Friel (ofriel)" <ofriel@cisco.com>, Jonathan Hoyland <jonathan.hoyland@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
Thread-Index: AQHVcjdiA20I1fZQH0CS6LVlYJN8Lac67zCA
Date: Tue, 24 Sep 2019 14:07:42 +0000
Message-ID: <AE2F1D6C-39AD-4C2F-BE03-FA2F189BBF4B@live.warwick.ac.uk>
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <964aab95-1a42-df82-e8e4-cf7ee15ba0f8@ericsson.com>
In-Reply-To: <964aab95-1a42-df82-e8e4-cf7ee15ba0f8@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.b.190609
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Feng.Hao@warwick.ac.uk;
x-originating-ip: [137.205.238.166]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 071a027a-4650-4346-289e-08d740f89111
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:DB7SPR01MB0025;
x-ms-traffictypediagnostic: DB7SPR01MB0025:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <DB7SPR01MB00257E693FA55566E21223B5D6840@DB7SPR01MB0025.eurprd01.prod.exchangelabs.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 0170DAF08C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(396003)(39860400002)(346002)(366004)(376002)(199004)(189003)(53754006)(476003)(58126008)(256004)(102836004)(33656002)(81156014)(8676002)(8936002)(446003)(26005)(81166006)(5660300002)(99286004)(6116002)(71190400001)(71200400001)(2906002)(229853002)(3846002)(14444005)(66476007)(66556008)(64756008)(66446008)(6486002)(6436002)(6246003)(66946007)(4326008)(486006)(6512007)(305945005)(6306002)(76176011)(786003)(66066001)(110136005)(316002)(7736002)(478600001)(966005)(76116006)(186003)(91956017)(14454004)(11346002)(86362001)(6506007)(25786009)(53546011); DIR:OUT; SFP:1101; SCL:1; SRVR:DB7SPR01MB0025; H:DB7PR01MB5435.eurprd01.prod.exchangelabs.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: warwick.ac.uk does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: Ec//WCSI7EiMmqi1l0an3Ik+Zk8LeC27gwLQmK+WWWwacbxL4HLbqZv+aXJRypVbEHKjqqiT9QvdScEOILDCpcD0bVmBJ0g7IHn6NMkL9yqmcErM/1KPs5JlptOoFkMRgrOcoq3uEEXQvrpqb6g0JNNFGNvrwlNwgtu714uIx2avPMs6JBPhq/ia2C3LdhgD7wBMSYJhR1uv9GGtjwba9ug94cgLviI5/NhZQnktZ4KV7U4l7T8UafsDQ2ft1xhhGUzdeF2SGq9ZQhYzohPqyRg+onaSSFrvVdx/0/6fm7JDhIqRhtwrTzr+frZg0ldCDAUE793A7E9jzRNs9o82APt/Hkr5tyzSLtPAL5lia+BF5LV7LTWfV3t3bt3T1Mf9AbNld4/TrodoadI3oFhZiyKT3JVJ8EQnr7542iFZklo=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <1195C0CF41321942AB7914F976649155@eurprd01.prod.exchangelabs.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: warwick.ac.uk
X-MS-Exchange-CrossTenant-Network-Message-Id: 071a027a-4650-4346-289e-08d740f89111
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Sep 2019 14:07:42.3873 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 09bacfbd-47ef-4465-9265-3546f2eaf6bc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8/BzABTQPXlD+XTDd15a52zPynSK6eExD04dn5yAjztJ78N69EDHsDh1Xjl7iw4Ze1DdsPqI2SomOvTMbVnyar7plPfjy69/gza7L0rWmpo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7SPR01MB0025
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/x2Bq-ts2pg4Oh_zDta_UF9GI_gU>
Subject: Re: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Sep 2019 14:07:50 -0000
On 23/09/2019, 18:50, "TLS on behalf of Mohit Sethi M" <tls-bounces@ietf.org on behalf of mohit.m.sethi=40ericsson.com@dmarc.ietf.org> wrote: Hi all, On the topic of external PSKs in TLS 1.3, I found a publication on the Selfie attack: https://eprint.iacr.org/2019/347 Perhaps this was already discussed on the list. I thought that sharing it again wouldn't hurt while we discuss how servers distinguish between external and resumption PSKs. I just read the paper with interest. It occurs to me that the selfie attack is consistent with the "impersonation attack" that we reported on SPEKE in 2014; see Sec 4.1 [1] and the updated version with details on how SPEKE is revised in ISO/IEC 11770-4 [2]. The same attack can be traced back to 2010 in [3] where a "worm-hole attack" (Fig. 5, [3]) is reported on the self-communication mode of HMQV. The essence of these attacks is the same: Bob tricks Alice into thinking that she is talking to authenticated Bob, but she is actually talking to herself. In [3], we explained that the attack was missed from the "security proofs" as the proofs didn't consider multiple sessions. The countermeasure we proposed in [1-3] was to ensure the user identity is unique in key exchange processes: in case of multiple sessions that may cause confusion in the user identity, an extension should be added to the user identity to distinguish the instances. The underlying intuition is that one should know "unambiguously" whom they are communicating with, and perform authentication based on that. The discovery of this type of attacks and the proposed solution are inspired by the "explicitness principle" (Ross Anderson and Roger Needham, Crypto'95), which states the importance of being explicit on user identities and other attributes in a public key protocol; also see [3]. I hope it might be useful to people who work on TLS PSK. [1] https://eprint.iacr.org/2014/585.pdf [2] https://arxiv.org/abs/1802.04900 [3] https://eprint.iacr.org/2010/136.pdf
- [TLS] Distinguishing between external/resumption … Owen Friel (ofriel)
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Owen Friel (ofriel)
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Christian Huitema
- Re: [TLS] Distinguishing between external/resumpt… Nico Williams
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Nico Williams
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Nico Williams
- Re: [TLS] Distinguishing between external/resumpt… Mohit Sethi M
- Re: [TLS] Distinguishing between external/resumpt… Nikos Mavrogiannopoulos
- Re: [TLS] Distinguishing between external/resumpt… Rob Sayre
- Re: [TLS] Distinguishing between external/resumpt… Rob Sayre
- [TLS] Selfie attack was Re: Distinguishing betwee… Mohit Sethi M
- Re: [TLS] Selfie attack was Re: Distinguishing be… Hao, Feng
- Re: [TLS] Selfie attack was Re: Distinguishing be… John Mattsson
- Re: [TLS] Selfie attack was Re: Distinguishing be… Viktor Dukhovni
- Re: [TLS] Selfie attack was Re: Distinguishing be… Hao, Feng
- Re: [TLS] Selfie attack was Re: Distinguishing be… Christopher Wood
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack John Mattsson
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Christopher Wood
- Re: [TLS] Selfie attack Christian Huitema
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Christopher Wood
- Re: [TLS] Selfie attack was Re: Distinguishing be… Hao, Feng
- Re: [TLS] Selfie attack John Mattsson
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack John Mattsson