IETF Logo Mail Archive

Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer

"Christopher Wood" <caw@heapingbits.net> Fri, 28 February 2020 16:03 UTC

Return-Path: <caw@heapingbits.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 127F83A1AE0 for <tls@ietfa.amsl.com>; Fri, 28 Feb 2020 08:03:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=heapingbits.net header.b=Vny030/+; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=XqxISDQy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6DZ7MH4qyu-4 for <tls@ietfa.amsl.com>; Fri, 28 Feb 2020 08:03:16 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E77C03A1AD8 for <tls@ietf.org>; Fri, 28 Feb 2020 08:03:15 -0800 (PST)
Received: from compute1.internal (compute1.nyi.internal [10.202.2.41]) by mailout.nyi.internal (Postfix) with ESMTP id 0B70D22022; Fri, 28 Feb 2020 11:03:15 -0500 (EST)
Received: from imap4 ([10.202.2.54]) by compute1.internal (MEProxy); Fri, 28 Feb 2020 11:03:15 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=heapingbits.net; h=mime-version:message-id:in-reply-to:references:date:from:to :cc:subject:content-type; s=fm3; bh=7J/HmpdvRpMdIjP7yvUNRdkRKTz0 +Xqj77D5QfLNM3g=; b=Vny030/+EoZQijmfVW81nDemcl/t0qrWG9xmFhjg53hN U+BRxSqobs/QqUER0+SbU+4UBcnQzVrFMYc2EWUViNz3JJyUV0k1aJFBOnGJGACH I06+QquSC2rCJTpD86U0qKFaSGC4zWuE+wms5HXBwUZhcNSZaNHTZoiqvUAklwk4 s/y34uiARMK4VWFZKBWwMU0yfaIVr6xxUypzMv31BD4GCHVSUYX5y0Guo6KHHMTt Utg72MSdkePVruLoL+flLlEjk/bga5O4pbVQh9BEVkLIup5U9nSiVlM8tmPGp6fQ Q+ikuJykD7MG+TLd/qu7YTZDaIlGUDhPFe++fOC64A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-type:date:from:in-reply-to :message-id:mime-version:references:subject:to:x-me-proxy :x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=fm2; bh=7J/Hmp dvRpMdIjP7yvUNRdkRKTz0+Xqj77D5QfLNM3g=; b=XqxISDQyyiogx9yUXiLgyu WqqLGFDL4zjwmsdLrfwT6/FOSzGocdrJ95ONH/ng7nRldrkXClnssCdx8XPC5SKg sUtbdfpMMfiTgOJ8/I8Lw4FsDCUB9K+ioqkYzucrMeFfEaxAnJn0TfQyTScPs1VM CUOKuPAh7mz6Jc1QnDX6Xq/FQBuzmjRv2bgochBg2krAgY5at2/kXrmQVWNqn4wu 5AA/48BVOsOjhnXxa+kiCTvzFiNLr7AC1Syn3R00qIZaEj6N3I/SFqupMl4MWuir MFFI1jDFKY8S+ksKZwJs6q7asYpdixfUZgYIP78rhI8pNq1RiKl4QlH10YFcVOPA ==
X-ME-Sender: <xms:wjlZXjpZ1Rv4_Q4qkm9ZoZMzvHsuZSn0s8o3ndqnr-N9iJVyu9qYMA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedugedrleekgdekvdcutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvufgtsehttdertderredtnecuhfhrohhmpedfvehhrhhi shhtohhphhgvrhcuhghoohgufdcuoegtrgifsehhvggrphhinhhgsghithhsrdhnvghtqe enucffohhmrghinhepihgvthhfrdhorhhgnecuvehluhhsthgvrhfuihiivgeptdenucfr rghrrghmpehmrghilhhfrhhomheptggrfieshhgvrghpihhnghgsihhtshdrnhgvth
X-ME-Proxy: <xmx:wjlZXvFraMeBTXJQW6kBrF15pve21XgWK1dhWz7n8bm8Z4WmVnw6MQ> <xmx:wjlZXrmzUl2_zmaWJKkfX8Zwcm4G1hcH7DHLKD_hl-dl6XMzjwgjfQ> <xmx:wjlZXj-wmUCtUHDnqMk1YjXCXteooB32uPGSn-ZuTZLivyitiLdqxw> <xmx:wjlZXvvdCacfopIxt7tmbQNrGWDHgqzSA6SmRnSLXlVoXqzysI2T4g>
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 56E4C3C00A1; Fri, 28 Feb 2020 11:03:14 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.1.7-967-g014f925-fmstable-20200226v1
Mime-Version: 1.0
Message-Id: <cb714a71-593d-424d-bbfe-dd46932f0b9e@www.fastmail.com>
In-Reply-To: <CACykbs3jHsasE4MmDWYGyZfq-TT3rhq84hbU6VOoP9XYo8__pg@mail.gmail.com>
References: <CAOgPGoBnSsDDaWWRHjkdjVRWw_DtxFYSQS7G-NyeSUfTzmYbAw@mail.gmail.com> <CAChr6SyA05VTB1n5Dcc2WNP6rrpsvDGXuPQxDxM9-=3JiYYPLQ@mail.gmail.com> <CABcZeBOPaGZ1ZKWpXkhC05v3HcbSLNuXYD_Lzw0S6iaBQY0a9A@mail.gmail.com> <CAChr6Sz7EqMbHNzcvbwdXkWB1JbQQig3RXCrzG6zascJL__t2Q@mail.gmail.com> <8887946c-8509-483c-9c62-de5393fb9eaf@www.fastmail.com> <CACykbs3LjPXPyvXGthCxYPK_Kv_+3TCV8VmkYab6gkfOfNmYuA@mail.gmail.com> <CAF8qwaCPbQfXWvTm7VgS7G6XAfzEY_=rTfD2CzRWsSod+MpC2Q@mail.gmail.com> <CACykbs08ico3WVDK-E=sqTSVPD=gYQdJ8eiQzyxhKqY=q_EPUQ@mail.gmail.com> <CAF8qwaCPQ1JwKKwbM9THnhiO=1F1V5Z_Wj5LYMjZkyf0W-zygg@mail.gmail.com> <75b70352-9cc5-4aa1-9cca-42f37fe615d2@www.fastmail.com> <CACykbs3jHsasE4MmDWYGyZfq-TT3rhq84hbU6VOoP9XYo8__pg@mail.gmail.com>
Date: Fri, 28 Feb 2020 08:02:54 -0800
From: Christopher Wood <caw@heapingbits.net>
To: Jonathan Hoyland <jonathan.hoyland@gmail.com>
Cc: David Benjamin <davidben@chromium.org>, "TLS@ietf.org" <tls@ietf.org>
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/yPFQbrn25jgI5mGyGZ_NNGOFhww>
Subject: Re: [TLS] WGLC for draft-ietf-tls-external-psk-importer
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Feb 2020 16:03:18 -0000


On Fri, Feb 28, 2020, at 7:58 AM, Jonathan Hoyland wrote:
> 
> 
> On Fri, 28 Feb 2020 at 04:49, Christopher Wood <caw@heapingbits.net> wrote:
> > 
> > 
> >  On Thu, Feb 27, 2020, at 1:31 PM, David Benjamin wrote:
> >  > On Mon, Feb 24, 2020 at 5:58 PM Jonathan Hoyland 
> >  > <jonathan.hoyland@gmail.com> wrote:
> >  > > This would be for cases where we want to inject extra context into a resumption. 
> >  > > That would be anything that changes an authentication property, so for example if you wanted to include some agreement on the status of a post-handshake auth or Exported Authenticator.
> >  > > 
> >  > > So for example imagine I had a session during which I received an EA and when I came to resume that session I wished to indicate that I was still willing to accept the EA.
> >  > > I would offer a special PSK and inject some extra material into the handshake*, and if the server was able / willing to agree to this it would select the PSK. 
> >  > > I could also offer a PSK with no extra injected material, as a fallback, and request the EA again. 
> >  > > 
> >  > > * This would only affect the binder for the PSK in the ClientHello. 
> >  > 
> >  > I'm still not following. If you're resuming, this is a PSK issued from 
> >  > a NewSessionTicket, in which case this isn't an imported PSK at all. 
> >  > It's a resumption PSK and uses "res binder". If we needed to negotiate 
> >  > variations on a resumption, this importer mechanism wouldn't give us a 
> >  > way to express that anyway. I expect we'd instead lean on some 
> >  > combination of multiple tickets, NewSessionTicket extensions, and plain 
> >  > ClientHello extensions. But maybe I'm still not understanding the 
> >  > scenario.
> The security of combinations of tickets is non-trivial to reason about 
> (though not impossible), in the same way as Exported Authenticators 
> (which makes sense given that EAs would be a reason to do this).
> I'll have to give some thought to a compelling use case, but I just 
> like the option for consistency. 
> Then again it is said "A foolish consistency is the hobgoblin of little 
> minds [...]", so ...
> >  > > Another potential use would be the binding for ECHO, although I don't have a clear enough picture of the precise mechanics of that to know if it would be helpful.
> >  > 
> >  > Chris is probably more up-to-date here, but I don't believe the current 
> >  > ECHO design looks like a funny PSK.
> > 
> >  That's right -- it's just another extension in the outer CH. 
> 
> I was thinking about the ECHO design from a forward/backward binding 
> perspective. 
> I think we should make the smallest number of changes to the key 
> schedule possible that will cover all possible future use cases, so an 
> overall consistent approach would be ideal. 
> If the WG doesn't adopt a key schedule extension draft (either mine, 
> draft-Stebila, or some other one) then this looks like the strongest 
> choice.

The ECHO design presented in Singapore doesn't require any key schedule modification. It tunnels an entire encrypted CH inside an outer CH. Servers pick one and use that for the remainder of the handshake.

I'm inclined to agree with David on this one. I don't think this additional label is necessary.

Best,
Chris

> 
> > 
> >  Best,
> >  Chriss
> > 
> >  > > Something that would allow for a consistent naming in the future would be my preference, because just as "imp binder" doesn't preclude "imp r binder", using "imp e binder" doesn't preclude us never adopting "imp r binder".
> >  > > I vaguely remember discussing whether the longer name would tip us into an extra hash invocation at the last IETF, and concluding that it didn't, although I'd have to double check that. 
> >  > 
> >  > Of course. Yeah, I think the more pertinent question is whether "imp r 
> >  > binder" is actually a thing.
> >  > > Regards,
> >  > > 
> >  > > Jonathan 
> >  > > 
> >  > > On Mon, 24 Feb 2020, 22:23 David Benjamin, <davidben@chromium.org> wrote:
> >  > >> On Mon, Feb 24, 2020 at 4:33 PM Jonathan Hoyland <jonathan.hoyland@gmail.com> wrote:
> >  > >>> Just looking at this again, it might be better to make a slightly different tweak to the key schedule.
> >  > >>> Instead of:
> >  > >>> 0
> >  > |
> >  > v
> >  > PSK -> HKDF-Extract = Early Secret
> >  > |
> >  > +-----> Derive-Secret(., "ext binder"
> >  > | | "res binder"
> >  > | | "imp binder", "")
> >  > | = binder_key v
> >  > >>> 
> >  > >>> We should do:
> >  > >>> 
> >  > >>> 0
> >  > |
> >  > v
> >  > PSK -> HKDF-Extract = Early Secret
> >  > |
> >  > +-----> Derive-Secret(., "ext binder"
> >  > | | "res binder"
> >  > | | "imp e binder" 
> >  > | | "imp r binder", "")
> >  > | = binder_key v
> >  > >>> or at least:
> >  > >>> 0
> >  > |
> >  > v
> >  > PSK -> HKDF-Extract = Early Secret
> >  > |
> >  > +-----> Derive-Secret(., "ext binder"
> >  > | | "res binder"
> >  > | | "imp e binder", "")
> >  > | = binder_key v
> >  > >>> 
> >  > >>> 
> >  > >>> Just so that we can distinguish between external imported binders and resumed imported binders, should we at some point decide to do both. 
> >  > >> 
> >  > >> I may just be confused, but what would a resumed imported binder mean? I see this mechanism as largely a bugfix for TLS 1.3 external PSKs, rather than a new kind of adjective describing PSKs.
> >  > >> 
> >  > >> ("imp binder" also doesn't preclude "imp r binder" later if we later define something which needs it, but I'm confused what the concept even would be.)
> >  > >> 
> >  > >> David
> >  > >>> On Mon, 24 Feb 2020 at 20:50, Christopher Wood <caw@heapingbits.net> wrote:
> >  > >>>> On Fri, Feb 21, 2020, at 1:15 PM, Rob Sayre wrote:
> >  > >>>> > 
> >  > >>>> > 
> >  > >>>> > On Fri, Feb 21, 2020 at 8:35 AM Eric Rescorla <ekr@rtfm.com> wrote:
> >  > >>>> > > 
> >  > >>>> > > 
> >  > >>>> > > On Thu, Feb 20, 2020 at 7:08 PM Rob Sayre <sayrer@gmail.com> wrote:
> >  > >>>> > >> Hi,
> >  > >>>> > >> 
> >  > >>>> > >> I'm not sure how violations of these requirements would result in poor interoperability:
> >  > >>>> > >> 
> >  > >>>> > >> Clients which import external keys TLS MUST NOT use these keys for
> >  > >>>> > >> any other purpose. Moreover, each external PSK MUST be associated
> >  > >>>> > >> with at most one hash function.
> >  > >>>> > >> 
> >  > >>>> > >> These seem like aspirational security goals. It would be better to describe the consequences of violating these conditions.
> >  > >>>> > > 
> >  > >>>> > > I don't agree. They are requirements in order to be able to make the assertions we want to make about the security of the protocol.
> >  > >>>> > > 
> >  > >>>> > > This is consistent with the following text of RFC 2119 S 6
> >  > >>>> > > ".. or to limit behavior which has potential for causing harm (e.g., limiting retransmisssions) "
> >  > >>>> > > 
> >  > >>>> > > I don't think it would be unreasonable.to explain the reason for these, though this is already a requirement of 8446 S 4.2.11 (though without justification).
> >  > >>>> > 
> >  > >>>> > I think that interpretation of 2119 is a stretch, but your idea to add 
> >  > >>>> > an explanation while keeping the 2119 terms addresses my concern. At 
> >  > >>>> > the very least, the draft should note this is already a requirement of 
> >  > >>>> > 8446.
> >  > >>>> 
> >  > >>>> That seems perfectly reasonable! We can point to the security considerations to clarify the "single hash function" requirement, and we can note cross protocol attack deterrence for the other claim. Would that suffice? If not, can you please recommend text?
> >  > >>>> 
> >  > >>>> Thanks,
> >  > >>>> Chris
> >  > >>>> 
> >  > >>>> _______________________________________________
> >  > >>>> TLS mailing list
> >  > >>>> TLS@ietf.org
> >  > >>>> https://www.ietf.org/mailman/listinfo/tls
> >  > >>> _______________________________________________
> >  > >>> TLS mailing list
> >  > >>> TLS@ietf.org
> >  > >>> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email