[TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs

Mohit Sethi M <mohit.m.sethi@ericsson.com> Mon, 23 September 2019 17:49 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95B491200F4 for <tls@ietfa.amsl.com>; Mon, 23 Sep 2019 10:49:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lQa-O6MrD2Fe for <tls@ietfa.amsl.com>; Mon, 23 Sep 2019 10:49:05 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on062a.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B42C12004D for <tls@ietf.org>; Mon, 23 Sep 2019 10:49:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FDRgJ0xv+L26zddCGzSr1uYbnW8vSQTY4VGRuSK0SALaOiiOI2Vnd4W262F7q+fKW47+RpSaZfj+LViPU9980Uuo9reu5I+RY6mb+v/Q+2jDWcYo4mMI9aIrrcRFF0dx6nwNeOTsN4WqydeesPQCCJPWXM852IFRTeBZ8BbyuguYUnCxE3Nko4i5685GFzplniHIKy6pW0W0Mlc8WxaxViAXE5w73iMZ1d8PSXJ3t31vzL+m18Hdw1bWoCnS9pXvzcdOz4EsIUpKAVUh7FeCS/RSmeLjCOKGuvOLY1dj+bA38G/VZGfLAMnpcGGQ3spuVZNlEw+9YcrVjR9eqE8drg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vro8O7BFcR08oJ7FeYElNk5756Iw8AVyfysKiZvEXYU=; b=jZHHzdlzHSlbw1hQOkJBu6WkaoVk7Z4nI6D7Xq+2sgVxHhbyN0eYOhfEZbVTc7bOUSPCHCTD8XalmAaMzTBl55nbwyLcd6aWHWpDtas+dwVdc9BZFnOhUNdqqYZPl5etkgw7DvAl1knLYydHYBVowKt77+3S1vGBk46BunzWB/218gDqwohGYOp/shZakQpDM8X85do4QVV6GRL+/wKsWmTaqJutMV05enxN/MiDBq9RXV+tVQwvIko8IMETROPk6Fz2jYaZq8glajCWsiRvKapQelo/rpQkxwoFcdjCbw9DryCDVdw4S7oSVuB2Zb59Hk3hdpRup5pmO0EzvIUITA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vro8O7BFcR08oJ7FeYElNk5756Iw8AVyfysKiZvEXYU=; b=I5cia6JiYqzXB2HC1IVH7bmARBgOgW76+884pdaLbZgHdDQvuUzE9sx9U4NxkkUtIXymfMKCm69y6Ur8AFAu4ApwFiTPMGFSNZikMPaydMoFL8cvrkrNfHrETMpI7QWxezXE7qVcMW25UinjbC2TfAOYZeoiuIL6JCFHuYvgSDU=
Received: from HE1PR0701MB2905.eurprd07.prod.outlook.com (10.168.98.146) by HE1PR0701MB2268.eurprd07.prod.outlook.com (10.168.36.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.15; Mon, 23 Sep 2019 17:49:02 +0000
Received: from HE1PR0701MB2905.eurprd07.prod.outlook.com ([fe80::758a:12ec:c6d:e8a9]) by HE1PR0701MB2905.eurprd07.prod.outlook.com ([fe80::758a:12ec:c6d:e8a9%10]) with mapi id 15.20.2305.013; Mon, 23 Sep 2019 17:49:02 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>, Jonathan Hoyland <jonathan.hoyland@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Selfie attack was Re: [TLS] Distinguishing between external/resumption PSKs
Thread-Index: AQHVcjcupIqzbqDFTkaQMASo9tbMYw==
Date: Mon, 23 Sep 2019 17:49:02 +0000
Message-ID: <964aab95-1a42-df82-e8e4-cf7ee15ba0f8@ericsson.com>
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com>
In-Reply-To: <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mohit.m.sethi@ericsson.com;
x-originating-ip: [2001:999:0:df0b:89b1:f546:2643:2d30]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 754b0854-f604-4b8d-e2b9-08d7404e5205
x-ms-traffictypediagnostic: HE1PR0701MB2268:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <HE1PR0701MB226848629E5615F28DB75CECD0850@HE1PR0701MB2268.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0169092318
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(39860400002)(136003)(366004)(396003)(13464003)(53754006)(189003)(199004)(6486002)(486006)(71200400001)(66946007)(71190400001)(66476007)(66446008)(7736002)(305945005)(14454004)(4326008)(86362001)(58126008)(76116006)(31686004)(64756008)(66556008)(6512007)(256004)(14444005)(6436002)(65806001)(65956001)(31696002)(110136005)(316002)(2906002)(966005)(476003)(446003)(6306002)(2616005)(11346002)(25786009)(6116002)(76176011)(81156014)(81166006)(5660300002)(46003)(36756003)(53546011)(6506007)(8936002)(99286004)(8676002)(478600001)(102836004)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2268; H:HE1PR0701MB2905.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: y5xN3wtOKQZSgyiTVFa8pcTUqEfHppHQZL+GP1qV0xuXvv4VH2fHEmVZm7BD60juoYACCOrUr8/mjfVLGtUHW9SQudcLqz2stiPM123WGiuFhcWH88Mc3zVmP6DOzI03qTHqmehDe8hkZ7x0iN5UNTc0t7Jy1o4m10w0PMh/eC7yYzRiqpDr29iKpbiUPaZ0z4i5cqnIV27i8jS7Tl3KWtKaxaS0EGYlANIRPmv0hTNSi3BUqlvqYn7zvH5Y67BP+R9U2C5aLAI+wn5Fsa9wn89QCdTp2jaGjtdn2Hj5obmxg9QlWlu3w8yEV9fUKynNGmBNw+ojcigZBWFeq4j8ggHfGNUtXu2xfEWonz57PIezdIDErfdAShqEbj871KYvUWbdFJ3LBvNMKy8Tt8ou87gCg8oV4CC273EgE+yb7/g=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <2D8FCE13E5B8494B8DCF46154E906296@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 754b0854-f604-4b8d-e2b9-08d7404e5205
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Sep 2019 17:49:02.3109 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: INwhp2AhwhSwEMDKo/S4gVCWAGwpvAbuU0iQtGfgSlO3fInRA69LhVHr6czx6v9vQfIpGl8ecZq01Dm4dZLaFKv4dSCCZh0G03iJDsV+Kcg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2268
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zh64mdKUFUakKBqVrvx6mmePfLo>
Subject: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2019 17:49:08 -0000

Hi all,

On the topic of external PSKs in TLS 1.3, I found a publication on the 
Selfie attack: https://eprint.iacr.org/2019/347

Perhaps this was already discussed on the list. I thought that sharing 
it again wouldn't hurt while we discuss how servers distinguish between 
external and resumption PSKs.

--Mohit

On 9/19/19 5:04 PM, Owen Friel (ofriel) wrote:
>
>> -----Original Message-----
>> From: Jonathan Hoyland <jonathan.hoyland@gmail.com>;
>> Sent: 19 September 2019 14:32
>> To: Owen Friel (ofriel) <ofriel@cisco.com>;
>> Cc: Martin Thomson <mt@lowentropy.net>;; tls@ietf.org
>> Subject: Re: [TLS] Distinguishing between external/resumption PSKs
>>
>> Hi Owen,
>>
>> If I understand your question correctly the distinguishing is done implicitly
>> (not explicitly) through the key schedule.
>> If the client and server do not agree on whether the PSK is a resumption or
>> an OOB PSK then the `binder_key` will not match, and the handshake will fail.
>>
>> See pp. 93-94 of the spec.
> And we only even get that far on the off chance that an ext PskIdentity.identity is exactly the same as a res PskIdentity.identity. e.g. a client presents an ext PskIdentity.identity, the server somehow thinks it’s a res PskIdentity.identity, and then handshaking will fail, not only because the actual raw PSK is likely different but the binders will not match due to different labels.
>
> But my question was before we even get that far - its an internal server implementation decision how it determines whether the presented PskIdentity.identity is ext or res, or whether e.g. to try lookup an ext DB table vs. a res cache first to find a PskIdentity.identity match. And say it fails to find an ext match then it tries to find a res match, and if it finds a match, then it knows what binder label to use.
>
>
>> Does that answer your question?
>>
>> Regards,
>>
>> Jonathan
>>
>> On Thu, 19 Sep 2019 at 11:52, Owen Friel (ofriel) <mailto:ofriel@cisco.com>
>> wrote:
>>
>>> -----Original Message-----
>>> From: TLS <mailto:tls-bounces@ietf.org> On Behalf Of Martin Thomson
>>> Sent: 04 September 2019 02:46
>>> To: mailto:tls@ietf.org
>>> Subject: Re: [TLS] Binder key labels for imported PSKs
>>>
>>>
>>> When we built the ext/res distinction, there was a clear problem
>> expressed.
>>> We had the potential for both to be used by the same servers at the same
>>> time (though not for the same connection) and distinguishing between
>> them
>>> was important
>> Martin, maybe I am missing something in the threads on this. Is there
>> anything explicit planned in ClientHello PreSharedKeyExtension or
>> PskKeyExchangeModes to explicitly distinguish between ext/res PSKs? Or is
>> it up to server implementation and how the server handles the opaque
>> PskIdentity.identity? e.g. ImportedIdentity.external_identity fields could be
>> stored in one DB table, and (ignoring https://tools.ietf.org/html/draft-ietf-
>> tls-external-psk-importer-00#section-9 for now) the server on receipt of a
>> ClientHello searches for PskIdentity.identity in its
>> ImportedIdentity.external_identity  table and if that lookup fails, then try to
>> parse PskIdentity.identity  as a NewSessionTicket.ticket? And the order of
>> those two operations is of course implementation specific too.
>>
>>
>> _______________________________________________
>> TLS mailing list
>> mailto:TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls