Re: [TLS] PSK in 1.3?

Ilari Liusvaara <ilari.liusvaara@elisanet.fi> Sun, 19 October 2014 14:23 UTC

Return-Path: <ilari.liusvaara@elisanet.fi>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 378EE1A19EA for <tls@ietfa.amsl.com>; Sun, 19 Oct 2014 07:23:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.601
X-Spam-Level:
X-Spam-Status: No, score=-1.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aESlSl4pXw2b for <tls@ietfa.amsl.com>; Sun, 19 Oct 2014 07:23:21 -0700 (PDT)
Received: from emh06.mail.saunalahti.fi (emh06.mail.saunalahti.fi [62.142.5.116]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 779231A1A01 for <tls@ietf.org>; Sun, 19 Oct 2014 07:23:20 -0700 (PDT)
Received: from LK-Perkele-VII (a88-112-44-140.elisa-laajakaista.fi [88.112.44.140]) by emh06.mail.saunalahti.fi (Postfix) with ESMTP id 95F256996F; Sun, 19 Oct 2014 17:23:17 +0300 (EEST)
Date: Sun, 19 Oct 2014 17:23:17 +0300
From: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
To: Manuel Pégourié-Gonnard <mpg@polarssl.org>
Message-ID: <20141019142317.GA21422@LK-Perkele-VII>
References: <544384C7.9030002@polarssl.org> <CABcZeBNdCiK4N7MTYD6guuyAgh7j4xVLXjpid1knjDf5yCS3JQ@mail.gmail.com> <20141019123312.GA13591@LK-Perkele-VII> <5443B2C4.5050306@polarssl.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <5443B2C4.5050306@polarssl.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Sender: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/xjoL3V7OaT1HpXxhUkmVPdahuJQ
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] PSK in 1.3?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Oct 2014 14:23:23 -0000

On Sun, Oct 19, 2014 at 02:47:00PM +0200, Manuel Pégourié-Gonnard wrote:
> On 19/10/2014 14:33, Ilari Liusvaara wrote:
> > Some notes about PSK in TLS 1.2:
> > 
> > - TLS 1.2 has PSK identity hints. These are fundamentially 2RTT if used.
> > - PSK without identity hints is still 2RTT in TLS 1.2, but is not fundamentally
> >   2RTT (send identity in ClientHello).
> 
> I was thinking that maybe this can use the same "optimistic with fallback"
> mechanism as the other key exchanges: initially the client chooses an identity
> and sends it in ClientKeyShare in the same flight as the initial ClientHello. If
> the server is happy with this identity, the normal 1.3 1RTT flow is used,
> otherwise the server sends back an identity hint and things start over at
> ClientHello.
> 
> (Only a rough idea, I didn't think about it carefully yet.)

Something along those lines would work, except that AFAIK client either knows
the PSK identity immediately or needs a hint from server to select it.

So one would have to stick the hint into HelloRetryRequest.

Also, would work rather nicely for DHE-PSK: If you don't know identity to
use, don't send any shares on the first round (since you will get to know
the group too on the second round).


(Well, personally I don't think HelloRetryRequest is a good idea. And
I think resetting the hash would be a very bad idea).


-Ilari