[TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
Mohit Sethi M <mohit.m.sethi@ericsson.com> Mon, 23 September 2019 17:49 UTC
Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95B491200F4 for <tls@ietfa.amsl.com>; Mon, 23 Sep 2019 10:49:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.002
X-Spam-Level:
X-Spam-Status: No, score=-2.002 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lQa-O6MrD2Fe for <tls@ietfa.amsl.com>; Mon, 23 Sep 2019 10:49:05 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on062a.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::62a]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B42C12004D for <tls@ietf.org>; Mon, 23 Sep 2019 10:49:05 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=FDRgJ0xv+L26zddCGzSr1uYbnW8vSQTY4VGRuSK0SALaOiiOI2Vnd4W262F7q+fKW47+RpSaZfj+LViPU9980Uuo9reu5I+RY6mb+v/Q+2jDWcYo4mMI9aIrrcRFF0dx6nwNeOTsN4WqydeesPQCCJPWXM852IFRTeBZ8BbyuguYUnCxE3Nko4i5685GFzplniHIKy6pW0W0Mlc8WxaxViAXE5w73iMZ1d8PSXJ3t31vzL+m18Hdw1bWoCnS9pXvzcdOz4EsIUpKAVUh7FeCS/RSmeLjCOKGuvOLY1dj+bA38G/VZGfLAMnpcGGQ3spuVZNlEw+9YcrVjR9eqE8drg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vro8O7BFcR08oJ7FeYElNk5756Iw8AVyfysKiZvEXYU=; b=jZHHzdlzHSlbw1hQOkJBu6WkaoVk7Z4nI6D7Xq+2sgVxHhbyN0eYOhfEZbVTc7bOUSPCHCTD8XalmAaMzTBl55nbwyLcd6aWHWpDtas+dwVdc9BZFnOhUNdqqYZPl5etkgw7DvAl1knLYydHYBVowKt77+3S1vGBk46BunzWB/218gDqwohGYOp/shZakQpDM8X85do4QVV6GRL+/wKsWmTaqJutMV05enxN/MiDBq9RXV+tVQwvIko8IMETROPk6Fz2jYaZq8glajCWsiRvKapQelo/rpQkxwoFcdjCbw9DryCDVdw4S7oSVuB2Zb59Hk3hdpRup5pmO0EzvIUITA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=vro8O7BFcR08oJ7FeYElNk5756Iw8AVyfysKiZvEXYU=; b=I5cia6JiYqzXB2HC1IVH7bmARBgOgW76+884pdaLbZgHdDQvuUzE9sx9U4NxkkUtIXymfMKCm69y6Ur8AFAu4ApwFiTPMGFSNZikMPaydMoFL8cvrkrNfHrETMpI7QWxezXE7qVcMW25UinjbC2TfAOYZeoiuIL6JCFHuYvgSDU=
Received: from HE1PR0701MB2905.eurprd07.prod.outlook.com (10.168.98.146) by HE1PR0701MB2268.eurprd07.prod.outlook.com (10.168.36.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.15; Mon, 23 Sep 2019 17:49:02 +0000
Received: from HE1PR0701MB2905.eurprd07.prod.outlook.com ([fe80::758a:12ec:c6d:e8a9]) by HE1PR0701MB2905.eurprd07.prod.outlook.com ([fe80::758a:12ec:c6d:e8a9%10]) with mapi id 15.20.2305.013; Mon, 23 Sep 2019 17:49:02 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>, Jonathan Hoyland <jonathan.hoyland@gmail.com>
CC: "tls@ietf.org" <tls@ietf.org>
Thread-Topic: Selfie attack was Re: [TLS] Distinguishing between external/resumption PSKs
Thread-Index: AQHVcjcupIqzbqDFTkaQMASo9tbMYw==
Date: Mon, 23 Sep 2019 17:49:02 +0000
Message-ID: <964aab95-1a42-df82-e8e4-cf7ee15ba0f8@ericsson.com>
References: <CY4PR1101MB227834A5DF828F000C6D1144DB890@CY4PR1101MB2278.namprd11.prod.outlook.com> <CACykbs2qp0EDa3pGfFpQY6rgruJD1f-6mZ_B5KF8kBkrXD9caw@mail.gmail.com> <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com>
In-Reply-To: <CY4PR1101MB227871FEF520A88CF65BADF6DB890@CY4PR1101MB2278.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
authentication-results: spf=none (sender IP is ) smtp.mailfrom=mohit.m.sethi@ericsson.com;
x-originating-ip: [2001:999:0:df0b:89b1:f546:2643:2d30]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 754b0854-f604-4b8d-e2b9-08d7404e5205
x-ms-traffictypediagnostic: HE1PR0701MB2268:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <HE1PR0701MB226848629E5615F28DB75CECD0850@HE1PR0701MB2268.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0169092318
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(376002)(39860400002)(136003)(366004)(396003)(13464003)(53754006)(189003)(199004)(6486002)(486006)(71200400001)(66946007)(71190400001)(66476007)(66446008)(7736002)(305945005)(14454004)(4326008)(86362001)(58126008)(76116006)(31686004)(64756008)(66556008)(6512007)(256004)(14444005)(6436002)(65806001)(65956001)(31696002)(110136005)(316002)(2906002)(966005)(476003)(446003)(6306002)(2616005)(11346002)(25786009)(6116002)(76176011)(81156014)(81166006)(5660300002)(46003)(36756003)(53546011)(6506007)(8936002)(99286004)(8676002)(478600001)(102836004)(186003); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2268; H:HE1PR0701MB2905.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: y5xN3wtOKQZSgyiTVFa8pcTUqEfHppHQZL+GP1qV0xuXvv4VH2fHEmVZm7BD60juoYACCOrUr8/mjfVLGtUHW9SQudcLqz2stiPM123WGiuFhcWH88Mc3zVmP6DOzI03qTHqmehDe8hkZ7x0iN5UNTc0t7Jy1o4m10w0PMh/eC7yYzRiqpDr29iKpbiUPaZ0z4i5cqnIV27i8jS7Tl3KWtKaxaS0EGYlANIRPmv0hTNSi3BUqlvqYn7zvH5Y67BP+R9U2C5aLAI+wn5Fsa9wn89QCdTp2jaGjtdn2Hj5obmxg9QlWlu3w8yEV9fUKynNGmBNw+ojcigZBWFeq4j8ggHfGNUtXu2xfEWonz57PIezdIDErfdAShqEbj871KYvUWbdFJ3LBvNMKy8Tt8ou87gCg8oV4CC273EgE+yb7/g=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <2D8FCE13E5B8494B8DCF46154E906296@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 754b0854-f604-4b8d-e2b9-08d7404e5205
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Sep 2019 17:49:02.3109 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: INwhp2AhwhSwEMDKo/S4gVCWAGwpvAbuU0iQtGfgSlO3fInRA69LhVHr6czx6v9vQfIpGl8ecZq01Dm4dZLaFKv4dSCCZh0G03iJDsV+Kcg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2268
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/zh64mdKUFUakKBqVrvx6mmePfLo>
Subject: [TLS] Selfie attack was Re: Distinguishing between external/resumption PSKs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Sep 2019 17:49:08 -0000
Hi all, On the topic of external PSKs in TLS 1.3, I found a publication on the Selfie attack: https://eprint.iacr.org/2019/347 Perhaps this was already discussed on the list. I thought that sharing it again wouldn't hurt while we discuss how servers distinguish between external and resumption PSKs. --Mohit On 9/19/19 5:04 PM, Owen Friel (ofriel) wrote: > >> -----Original Message----- >> From: Jonathan Hoyland <jonathan.hoyland@gmail.com> >> Sent: 19 September 2019 14:32 >> To: Owen Friel (ofriel) <ofriel@cisco.com> >> Cc: Martin Thomson <mt@lowentropy.net>; tls@ietf.org >> Subject: Re: [TLS] Distinguishing between external/resumption PSKs >> >> Hi Owen, >> >> If I understand your question correctly the distinguishing is done implicitly >> (not explicitly) through the key schedule. >> If the client and server do not agree on whether the PSK is a resumption or >> an OOB PSK then the `binder_key` will not match, and the handshake will fail. >> >> See pp. 93-94 of the spec. > And we only even get that far on the off chance that an ext PskIdentity.identity is exactly the same as a res PskIdentity.identity. e.g. a client presents an ext PskIdentity.identity, the server somehow thinks it’s a res PskIdentity.identity, and then handshaking will fail, not only because the actual raw PSK is likely different but the binders will not match due to different labels. > > But my question was before we even get that far - its an internal server implementation decision how it determines whether the presented PskIdentity.identity is ext or res, or whether e.g. to try lookup an ext DB table vs. a res cache first to find a PskIdentity.identity match. And say it fails to find an ext match then it tries to find a res match, and if it finds a match, then it knows what binder label to use. > > >> Does that answer your question? >> >> Regards, >> >> Jonathan >> >> On Thu, 19 Sep 2019 at 11:52, Owen Friel (ofriel) <mailto:ofriel@cisco.com> >> wrote: >> >>> -----Original Message----- >>> From: TLS <mailto:tls-bounces@ietf.org> On Behalf Of Martin Thomson >>> Sent: 04 September 2019 02:46 >>> To: mailto:tls@ietf.org >>> Subject: Re: [TLS] Binder key labels for imported PSKs >>> >>> >>> When we built the ext/res distinction, there was a clear problem >> expressed. >>> We had the potential for both to be used by the same servers at the same >>> time (though not for the same connection) and distinguishing between >> them >>> was important >> Martin, maybe I am missing something in the threads on this. Is there >> anything explicit planned in ClientHello PreSharedKeyExtension or >> PskKeyExchangeModes to explicitly distinguish between ext/res PSKs? Or is >> it up to server implementation and how the server handles the opaque >> PskIdentity.identity? e.g. ImportedIdentity.external_identity fields could be >> stored in one DB table, and (ignoring https://tools.ietf.org/html/draft-ietf- >> tls-external-psk-importer-00#section-9 for now) the server on receipt of a >> ClientHello searches for PskIdentity.identity in its >> ImportedIdentity.external_identity table and if that lookup fails, then try to >> parse PskIdentity.identity as a NewSessionTicket.ticket? And the order of >> those two operations is of course implementation specific too. >> >> >> _______________________________________________ >> TLS mailing list >> mailto:TLS@ietf.org >> https://www.ietf.org/mailman/listinfo/tls > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls
- [TLS] Distinguishing between external/resumption … Owen Friel (ofriel)
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Owen Friel (ofriel)
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Christian Huitema
- Re: [TLS] Distinguishing between external/resumpt… Nico Williams
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Jonathan Hoyland
- Re: [TLS] Distinguishing between external/resumpt… Nico Williams
- Re: [TLS] Distinguishing between external/resumpt… Richard Barnes
- Re: [TLS] Distinguishing between external/resumpt… Nico Williams
- Re: [TLS] Distinguishing between external/resumpt… Mohit Sethi M
- Re: [TLS] Distinguishing between external/resumpt… Nikos Mavrogiannopoulos
- Re: [TLS] Distinguishing between external/resumpt… Rob Sayre
- Re: [TLS] Distinguishing between external/resumpt… Rob Sayre
- [TLS] Selfie attack was Re: Distinguishing betwee… Mohit Sethi M
- Re: [TLS] Selfie attack was Re: Distinguishing be… Hao, Feng
- Re: [TLS] Selfie attack was Re: Distinguishing be… John Mattsson
- Re: [TLS] Selfie attack was Re: Distinguishing be… Viktor Dukhovni
- Re: [TLS] Selfie attack was Re: Distinguishing be… Hao, Feng
- Re: [TLS] Selfie attack was Re: Distinguishing be… Christopher Wood
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack John Mattsson
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Christopher Wood
- Re: [TLS] Selfie attack Christian Huitema
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Christopher Wood
- Re: [TLS] Selfie attack was Re: Distinguishing be… Hao, Feng
- Re: [TLS] Selfie attack John Mattsson
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack Mohit Sethi M
- Re: [TLS] Selfie attack John Mattsson