On Sat, Oct 31, 2015 at 11:19:20AM +0000, Sam Scott wrote:
> Dear all,
> 
> While revision 10 does not yet appear to permit certificate-based client
> authentication in PSK (and in particular resumption using PSK), we modelled
> what we believe is the intended functionality.

Eh, I thought that using static client certificate auth with PSK is not
supposed to be possible.

BTW: TLS 1.2 doesn't seem to explicitly prohibit client auth with PSK, and
if client and server try to use client certs with PSK, bad things happen...

> While the modifications proposed in PR#316 [4] explicitly allow client
> authentication in these contexts, the PR also redefines the client signature
> based on a new "Handshake Context" value which includes the server Finished
> message. Intuitively, this new definition appears to address the attack
> because the attacker cannot transplant the Finished message between
> connections. We are currently working towards a Tamarin proof that PR#316
> indeed prevents our attack.

By my reading, #316 does not permit static client authentication with
PSK (it only permits dynamic auth, which didn't even exist previously),
most definitely not explicitly.

Also, found out that -10 looks to be at least unclear about whether the
server Finished is included in the data to be signed or not...

I also searched when this got broken. Looks to be part of "DH-based
key exchange" changes in -07 (in -06, hashes definitely did include
finished messages).


-Ilari

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls