Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
David Benjamin <davidben@chromium.org> Thu, 22 December 2016 22:12 UTC
Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DDD581295FB for <tls@ietfa.amsl.com>; Thu, 22 Dec 2016 14:12:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.799
X-Spam-Level:
X-Spam-Status: No, score=-5.799 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dvjHQo1Cy0IF for <tls@ietfa.amsl.com>; Thu, 22 Dec 2016 14:12:37 -0800 (PST)
Received: from mail-qt0-x22e.google.com (mail-qt0-x22e.google.com [IPv6:2607:f8b0:400d:c0d::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ECEFF1295E8 for <tls@ietf.org>; Thu, 22 Dec 2016 14:12:36 -0800 (PST)
Received: by mail-qt0-x22e.google.com with SMTP id d45so25096826qta.1 for <tls@ietf.org>; Thu, 22 Dec 2016 14:12:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=c9N2UnS2oQ4CeqC6GLsCt3jj8Xnd4ggRar/0QvL7e8Q=; b=kASKQthVhL5111H4HCzqk/p4TVLfTgNZkF6IUa28VM4sJU1KhGCJr72ifXAdbJnBLu bScqMtom9a9FHAY7EBtLpaKwnESFz1xUDNvNNq8C3WYjAFStfm9pO4YVkRzyGuOooZEa kNsBaGdO8NuUkcQ8ESxJQCtzt2nJUgNUpgx/Y=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=c9N2UnS2oQ4CeqC6GLsCt3jj8Xnd4ggRar/0QvL7e8Q=; b=VeiMplltm9Kno0ETJWKQ387kwwleM8Chb+1DCdio8P7aQQqL0XO0UBdeto1UssVrTO nwn0K47xMbqcdN0vBBJJBnRnmhnR6je1lcgPJotUYMi7pf+SFdARBd0a2R0G5INAFl/g 7/HbbG3hd8pSRGZNlMfO90KnzxOO1g2e7BFGPErj7CcLFl66Oi0BemHWv6UjhSoxjKsx Nq+0n9XY/wQjXXGJ2JLbjQVkrUEMgWvZemzwEgllnMbi1waaqdhJ116P7O95XpHCUP1s ZKDvNA94R6afdfK3oqcvvw/pxzHRwMr2H/Ql+qr2I4Ymy/obSBN9tdceJGrPRpilOQPW ds2w==
X-Gm-Message-State: AIkVDXLFija7rHGCq2Wm2nDFXe1L2wDxRZjosQAPt46u8bdMvcuq4xmm+yPbl9oQwfhBT3olU/q/UV4vH9nIqV2y
X-Received: by 10.200.38.39 with SMTP id u36mr13237698qtu.31.1482444756073; Thu, 22 Dec 2016 14:12:36 -0800 (PST)
MIME-Version: 1.0
References: <0DA64421-5975-4B7E-BC08-7428AFA9D1A1@vigilsec.com>
In-Reply-To: <0DA64421-5975-4B7E-BC08-7428AFA9D1A1@vigilsec.com>
From: David Benjamin <davidben@chromium.org>
Date: Thu, 22 Dec 2016 22:12:25 +0000
Message-ID: <CAF8qwaB8+o20QP71=zuCJ2EXt9EGFuLcn4s6es=gjnOccZE9fQ@mail.gmail.com>
To: Russ Housley <housley@vigilsec.com>, IETF TLS <tls@ietf.org>
Content-Type: multipart/alternative; boundary="001a114580ee160d9305444691aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/z7k4KJpp5RfxOcKp5QmLvQfC7is>
Subject: Re: [TLS] Using both External PSK and (EC)DH in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Dec 2016 22:12:39 -0000
It's possible I'm misunderstanding your message here (I'm a little confused by the mention of combining normal certificate authentication with an external PSK), but TLS 1.3 already allows doing both PSK and (EC)DH. That's the psk_dhe_ke mode, rather than the psk_ke mode. It's signaled by the server by sending both pre_shared_key and key_share extensions. Perhaps the wording should be a bit clearer. Our stack does not even implement psk_ke. It always requires an (EC)DH operation in a TLS 1.3 handshake, whether using PSK or certificates. David On Thu, Dec 22, 2016 at 4:54 PM Russ Housley <housley@vigilsec.com> wrote: > I want to make sure that it is possible to mix PSK with (EC)DH as a > protection against the discovery of a quantum computer. I recognize that > the WG does not want to tackle this topic in the base specification; > however, the following text in Section 4.1.1 makes this difficult to do so > in a companion document: > > > The server indicates its selected parameters in the ServerHello as > > follows: > > > > - If PSK is being used then the server will send a "pre_shared_key" > > extension indicating the selected key. > > > > - If PSK is not being used, then (EC)DHE and certificate-based > > authentication are always used. > > > > - When (EC)DHE is in use, the server will also provide a "key_share" > > extension. > > > > - When authenticating via a certificate (i.e., when a PSK is not in > > use), the server will send the Certificate (Section 4.4.1) and > > CertificateVerify (Section 4.4.2) messages. > > An Internal PSK offers no protection against the discovery of a quantum > computer. I assume that an attacker can save the handshake that > established the Internal PSK, and then at some future date use the quantum > computer to discover the Internal PSK. Therefore, protection against the > discovery of a quantum computer is only concerned with External PSK. > > I would like for the specification to permit normal certificate > authentication when someone is using an External PSK. I am guessing that > the granularity of the name associated with the External PSK to be pretty > broad. If this guess is correct, it would be appropriate for the name in > the certificate to be further restrict the one associated with the External > PSK. Maybe the External PSK is associated with example.com, and then the > certificate that includes www.example.com would be acceptable > acceptable. Then, I would expect any Internal PSK that is generated after > such an authentication would be associated with the more granular > certificate name. > > Maybe it is as simple as reorganizing these bullets like this: > > - When only PSK is being used, … > > - When only (EC)DHE is being used, … > > - When PSK and (EC)DHE are both being used, … > > If others agree with this direction, I am willing to propose some text. > > Happy holidays, > Russ > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
- [TLS] Using both External PSK and (EC)DH in TLS 1… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Joseph Salowey
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Martin Thomson
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Benjamin Kaduk
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… David Benjamin
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Russ Housley
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Eric Rescorla
- Re: [TLS] Using both External PSK and (EC)DH in T… Jim Schaad
- Re: [TLS] Using both External PSK and (EC)DH in T… Ilari Liusvaara