Re: [TLS] draft-wood-tls-external-psk-importer-00

Subodh Iyengar <> Tue, 06 November 2018 03:59 UTC

From: Subodh Iyengar <>
To: Christopher Wood <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

Ya I think failing hard depends on the use case for the external psk. For example, if external psk is your own source of identity then ya you can't really fall back; however, if you are using external psk as an optimization or something else, then falling back might be desirable.

From: Christopher Wood <>
Sent: Monday, November 5, 2018 6:56:57 PM
To: Subodh Iyengar
Cc: <>
Subject: Re: [TLS] draft-wood-tls-external-psk-importer-00

On Tue, Nov 6, 2018 at 12:56 AM Subodh Iyengar <> wrote:
> I brought up an alternate construction in BKK for draft-wood-tls-external-psk-importer-00 which might have some potentially better properties. I didn't get time to explain then, so here it is:
> One issue I think with the current construction in the draft with external psk is that if the client uses the external psk with a different hash function due to configuration error, then it turns into a fatal connection error because TLS endpoints are required to tear down the connections on binder mismatch. The client does not recover until it stops using the external psk.
> An alternate approach to solve this could be to have a construction like:
> [hash of (psk identity + ImportedIdentity)] [psk identity]
> A server that uses the psk would perform the following steps during the resumption:
> 1. Negotiate the cipher suite to use.
> 2. If an external psk is used, strip off the first hash length of the psk identity, where the hash length depends on the cipher suite.
> 3. Compute the hash of pskidentity + imported identity and compare it against (2).
> 4. If it doesn't match, don't use the PSK and fall back to full handshake.
> I think this is a subtle change, because if you treat this case as if you were not willing to use the PSK, then you can ignore the binder. This might be operationally easier to deploy and reason about than a hard failure.

Thanks for writing this down! This is certainly an interesting
proposal. That said, in cases where one might use external PSKs,
failing hard seems like a fine (and probably preferred?) outcome. I'd
be happy to hear of cases where one might want to fall back to a full
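
The server-side check from the quoted proposal, sketched as an added example that is not part of the thread or of the draft. Assumptions: the psk identity and ImportedIdentity are treated as opaque byte strings joined by plain concatenation, the suite-to-hash table and the function names are hypothetical, and all sample values are constructed.

```python
import hashlib
import hmac

# Assumption: the hash used for the prefix is the negotiated cipher suite's hash.
SUITE_HASH = {
    "TLS_AES_128_GCM_SHA256": hashlib.sha256,
    "TLS_AES_256_GCM_SHA384": hashlib.sha384,
}

def make_wire_identity(psk_identity: bytes, imported_identity: bytes, suite: str) -> bytes:
    """Client side: [hash of (psk identity + ImportedIdentity)] [psk identity]."""
    digest = SUITE_HASH[suite](psk_identity + imported_identity).digest()
    return digest + psk_identity

def server_select_psk(wire_identity: bytes, suite: str, known: dict):
    """Return the psk identity to use, or None to fall back to a full handshake.

    `known` is a hypothetical server table: psk identity -> ImportedIdentity
    as the server itself derives it from its own configuration.
    """
    h = SUITE_HASH[suite]                       # step 1: suite already negotiated
    n = h().digest_size
    if len(wire_identity) <= n:                 # too short to hold prefix + identity
        return None
    prefix, psk_identity = wire_identity[:n], wire_identity[n:]   # step 2
    imported = known.get(psk_identity)
    if imported is None:                        # unknown identity: not our PSK
        return None
    expected = h(psk_identity + imported).digest()                # step 3
    if not hmac.compare_digest(prefix, expected):
        # step 4: behave as if no PSK was offered; the binder is never checked,
        # so the connection is not torn down on a binder mismatch.
        return None
    return psk_identity

# Constructed sample data.
SUITE = "TLS_AES_128_GCM_SHA256"
KNOWN = {b"device-42": b"imported-identity/sha256"}

def demo():
    good = make_wire_identity(b"device-42", b"imported-identity/sha256", SUITE)
    # Client misconfigured with a different hash in its ImportedIdentity.
    bad = make_wire_identity(b"device-42", b"imported-identity/sha384", SUITE)
    return server_select_psk(good, SUITE, KNOWN), server_select_psk(bad, SUITE, KNOWN)

if __name__ == "__main__":
    print(demo())
```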