Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Tuesday, 20 March 2018 22:21:06 CET Eric Rescorla wrote: > On Tue, Mar 20, 2018 at 7:42 PM, Hubert Kario wrote: > > On Monday, 19 March 2018 14:38:05 CET Eric Rescorla wrote: > > > On Mon, Mar 19, 2018 at 1:33 PM, Nikos Mavrogiannopoulos < > > > > n...@redhat.com> > > > >

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

The document has been approved for publication and the outstanding reference will be added in the RFC editor process during Auth48. Thank you all for your work on this protocol. Best regards, Kathleen On Tue, Mar 20, 2018 at 5:21 PM, Eric Rescorla wrote: > > > On Tue, Mar 20,

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Tue, Mar 20, 2018 at 7:42 PM, Hubert Kario wrote: > On Monday, 19 March 2018 14:38:05 CET Eric Rescorla wrote: > > On Mon, Mar 19, 2018 at 1:33 PM, Nikos Mavrogiannopoulos < > n...@redhat.com> > > > > wrote: > > > On Fri, 2018-03-16 at 14:45 -0500, Benjamin Kaduk wrote: > >

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Monday, 19 March 2018 14:38:05 CET Eric Rescorla wrote: > On Mon, Mar 19, 2018 at 1:33 PM, Nikos Mavrogiannopoulos > > wrote: > > On Fri, 2018-03-16 at 14:45 -0500, Benjamin Kaduk wrote: > > > On Fri, Mar 16, 2018 at 09:11:32AM -0400, Christian Huitema wrote: > > > > On

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

> On Mar 20, 2018, at 12:52, Hubert Kario wrote: > > On Monday, 19 March 2018 23:53:16 CET Benjamin Kaduk wrote: >> On Mon, Mar 19, 2018 at 05:00:51PM +0100, Hubert Kario wrote: >>> On Sunday, 18 March 2018 16:27:34 CET Eric Rescorla wrote: After discussion with the

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Monday, 19 March 2018 23:53:16 CET Benjamin Kaduk wrote: > On Mon, Mar 19, 2018 at 05:00:51PM +0100, Hubert Kario wrote: > > On Sunday, 18 March 2018 16:27:34 CET Eric Rescorla wrote: > > > After discussion with the chairs and the AD, I have opted to just add a > > > section > > > that explains

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Mon, Mar 19, 2018 at 02:33:52PM +0100, Nikos Mavrogiannopoulos wrote: > On Fri, 2018-03-16 at 14:45 -0500, Benjamin Kaduk wrote: > > On Fri, Mar 16, 2018 at 09:11:32AM -0400, Christian Huitema wrote: > > > > > > > > If you want to use PSK with some level of privacy, you might adopt > > > a >

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Mon, Mar 19, 2018 at 05:00:51PM +0100, Hubert Kario wrote: > On Sunday, 18 March 2018 16:27:34 CET Eric Rescorla wrote: > > After discussion with the chairs and the AD, I have opted to just add a > > section > > that explains the attack. I just merged that (but managed not to get it > > into

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Sunday, 18 March 2018 16:27:34 CET Eric Rescorla wrote: > After discussion with the chairs and the AD, I have opted to just add a > section > that explains the attack. I just merged that (but managed not to get it > into -27 > due to fumble fingering). If there is no consensus on the

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Mon, Mar 19, 2018 at 1:33 PM, Nikos Mavrogiannopoulos wrote: > On Fri, 2018-03-16 at 14:45 -0500, Benjamin Kaduk wrote: > > On Fri, Mar 16, 2018 at 09:11:32AM -0400, Christian Huitema wrote: > > > > > > > > > On 3/15/2018 5:51 PM, Benjamin Kaduk wrote: > > > > On Thu, Mar 15,

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Fri, 2018-03-16 at 14:45 -0500, Benjamin Kaduk wrote: > On Fri, Mar 16, 2018 at 09:11:32AM -0400, Christian Huitema wrote: > > > > > > On 3/15/2018 5:51 PM, Benjamin Kaduk wrote: > > > On Thu, Mar 15, 2018 at 12:25:38PM +0100, Hubert Kario wrote: > > > ... > > > > we do not have a reliable

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Mon, Mar 19, 2018 at 6:38 AM, Daniel Kahn Gillmor wrote: > On Sun 2018-03-18 12:08:13 -0400, Viktor Dukhovni wrote: > >> The devices that might use external PSKs will likely be unavoidably >> fingerprinted by source IP address and the target mothership. > > I'm not

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Sun 2018-03-18 12:08:13 -0400, Viktor Dukhovni wrote: > The devices that might use external PSKs will likely be unavoidably > fingerprinted by source IP address and the target mothership. I'm not convinced that this is the case -- it's not at all clear that IoT devices will be attached to a

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Sun, Mar 18, 2018 at 03:24:02PM +, Lanlan Pan wrote: > Benjamin Kaduk 于2018年3月14日周三 上午10:02写道： > > > It seems like we get ourselves in trouble by allowing multiple > > external PSKs to be present. If we allowed at most one external > > PSK in a given ClientHello, then

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

> On Mar 18, 2018, at 11:27 AM, Eric Rescorla wrote: > > After discussion with the chairs and the AD, I have opted to just add a > section > that explains the attack. I just merged that (but managed not to get it into > -27 > due to fumble fingering). It seems to me that

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

After discussion with the chairs and the AD, I have opted to just add a section that explains the attack. I just merged that (but managed not to get it into -27 due to fumble fingering). -Ekr On Mon, Mar 12, 2018 at 8:27 AM, Hubert Kario wrote: > When the server supports

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

Benjamin Kaduk 于2018年3月14日周三 上午10:02写道： > It seems like we get ourselves in trouble by allowing multiple > external PSKs to be present. If we allowed at most one external > PSK in a given ClientHello, then aborting the handshake on binder > failure would be the correct choice, as

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Fri, Mar 16, 2018 at 09:11:32AM -0400, Christian Huitema wrote: > > > On 3/15/2018 5:51 PM, Benjamin Kaduk wrote: > > On Thu, Mar 15, 2018 at 12:25:38PM +0100, Hubert Kario wrote: > > ... > >> we do not have a reliable mechanism of differentiating between external > >> and > >> resumption

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On 3/15/2018 5:51 PM, Benjamin Kaduk wrote: > On Thu, Mar 15, 2018 at 12:25:38PM +0100, Hubert Kario wrote: > ... >> we do not have a reliable mechanism of differentiating between external and >> resumption PSKs while parsing Client Hello > Well, a valid external PSK (identity) the server will

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Thursday, 15 March 2018 22:51:49 CET Benjamin Kaduk wrote: > On Thu, Mar 15, 2018 at 12:25:38PM +0100, Hubert Kario wrote: > > On Wednesday, 14 March 2018 21:13:29 CET Benjamin Kaduk wrote: > > > On Wed, Mar 14, 2018 at 12:46:25PM +0100, Hubert Kario wrote: > > > > On Wednesday, 14 March 2018

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Wednesday, 14 March 2018 21:13:29 CET Benjamin Kaduk wrote: > On Wed, Mar 14, 2018 at 12:46:25PM +0100, Hubert Kario wrote: > > On Wednesday, 14 March 2018 03:02:10 CET Benjamin Kaduk wrote: > > > It seems like we get ourselves in trouble by allowing multiple > > > external PSKs to be present.

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Wed, Mar 14, 2018 at 12:46:25PM +0100, Hubert Kario wrote: > On Wednesday, 14 March 2018 03:02:10 CET Benjamin Kaduk wrote: > > It seems like we get ourselves in trouble by allowing multiple > > external PSKs to be present. If we allowed at most one external > > PSK in a given ClientHello,

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Wednesday, 14 March 2018 03:02:10 CET Benjamin Kaduk wrote: > It seems like we get ourselves in trouble by allowing multiple > external PSKs to be present. If we allowed at most one external > PSK in a given ClientHello, then aborting the handshake on binder > failure would be the correct

Re: [TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

On Tuesday, 13 March 2018 16:18:48 CET Ilari Liusvaara wrote: > On Mon, Mar 12, 2018 at 04:27:46PM +0100, Hubert Kario wrote: > > When the server supports externally set PSKs that use human readable > > identities (or, in general, guessable identities), the current text makes > > it trivial to

[TLS] draft-ietf-tls-tls13-26 is vulnerable to externally set PSK identity enumeration

When the server supports externally set PSKs that use human readable identities (or, in general, guessable identities), the current text makes it trivial to perform enumeration attack. The proposed fix was identified as conflicting with the "Client Hello Recording" security section, the