IETF Logo Mail Archive

Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3

Ilari Liusvaara <ilariliusvaara@welho.com> Fri, 20 July 2018 14:21 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3FF9126BED for <tls@ietfa.amsl.com>; Fri, 20 Jul 2018 07:21:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UX_rUCFTjCJp for <tls@ietfa.amsl.com>; Fri, 20 Jul 2018 07:21:12 -0700 (PDT)
Received: from welho-filter3.welho.com (welho-filter3.welho.com [83.102.41.25]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B223130E15 for <tls@ietf.org>; Fri, 20 Jul 2018 07:21:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter3.welho.com (Postfix) with ESMTP id 1FDEE33792; Fri, 20 Jul 2018 17:21:10 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp3.welho.com ([IPv6:::ffff:83.102.41.86]) by localhost (welho-filter3.welho.com [::ffff:83.102.41.25]) (amavisd-new, port 10024) with ESMTP id 6I44OR5_lWri; Fri, 20 Jul 2018 17:21:09 +0300 (EEST)
Received: from LK-Perkele-VII (87-92-19-27.bb.dnainternet.fi [87.92.19.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp3.welho.com (Postfix) with ESMTPSA id 294D22308; Fri, 20 Jul 2018 17:21:04 +0300 (EEST)
Date: Fri, 20 Jul 2018 17:21:04 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: David Benjamin <davidben@chromium.org>
Cc: Nikos Mavrogiannopoulos <nmav@redhat.com>, "<tls@ietf.org>" <tls@ietf.org>, Benjamin Kaduk <bkaduk@akamai.com>
Message-ID: <20180720142104.GA27715@LK-Perkele-VII>
References: <20180719230009.GD14551@akamai.com> <ce4cb23be8939e57574062e17c4f204f7145d020.camel@redhat.com> <CABcZeBN4tdHZ_fzqqEJNR46BP5bxiy6gWa17xxhfj9YXVAR0rw@mail.gmail.com> <86b69d7d0534d7c711d13182c18774cf484e6431.camel@redhat.com> <CAF8qwaBDXw1vur5eaLhGyMcZefgwX66QBzfXMB+E6mBKsUnwdA@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <CAF8qwaBDXw1vur5eaLhGyMcZefgwX66QBzfXMB+E6mBKsUnwdA@mail.gmail.com>
User-Agent: Mutt/1.10.0 (2018-05-17)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yDyal20JaPs8dYqnZDDTtVcoYxA>
Subject: Re: [TLS] on sharing PSKs between TLS 1.2 and TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Jul 2018 14:21:22 -0000

On Fri, Jul 20, 2018 at 08:42:47AM -0400, David Benjamin wrote:
> 
> (I suspect using the same key with TLS1.2-PRF-SHA256 and HKDF-SHA256 is
> probably *more* risky than mixing HKDF-SHA256 and HKDF-SHA384. I don't
> think we actually believe SHA256 and SHA384 give related output. It's just
> nice to avoid the assumption. Whereas TLS1.2-PRF-SHA256 and HKDF-SHA256
> actually a chance of misbehavior. Perhaps it's worth doing that analysis?)

TLS 1.3 does this with PSK:

HMAC(<zeroes>, PSK)

And TLS 1.2 does:

HMAC(<expanded PSK>, <some data>)

(where <some data> actually depends on <expanded psk>). Now, it is
possible that there is second similar block in there, but that uses
the same <expanded PSK>.


However, noteworthy point is that there is only two ways to end up in
situation where the effective key in TLS 1.2 is all zeroes:

1) <expanded psk> is longer than hash block and is preimage of 0.
   Finding such thing is supposed to be infeasible.
2) The PSK is empty. However, the <some data> on TLS 1.2 side is
   not empty in this case (it starts with gunk from HMAC that
   involves at least both randoms). Also, empty PSK is not secure.


The definition of HMAC is:

H(C(key) XOR opad | H(C(key) XOR ipad, data))

Which preserves collision resistance on C(key) and data. Now, C(key)
is not collision resistant. However, the only possible cases where
C(key) can collide are the two above.


So it seems to me that TLS 1.2 and TLS 1.3 compute independent
things from PSK values, in all practical cases.



-Ilari

v2.23.0 | Report a Bug | By Email