On Sat, Oct 31, 2015 at 11:19:20AM +0000, Sam Scott wrote:
> Dear all,
>
> While revision 10 does not yet appear to permit certificate-based client
> authentication in PSK (and in particular resumption using PSK), we modelled
> what we believe is the intended functionality.

Eh, I thought that using static client certificate auth with PSK is not
supposed to be possible.

BTW: TLS 1.2 doesn't seem to explicitly prohibit client auth with PSK, and if
client and server try to use client certs with PSK, bad things happen...

> While the modifications proposed in PR#316 [4] explicitly allow client
> authentication in these contexts, the PR also redefines the client signature
> based on a new "Handshake Context" value which includes the server Finished
> message. Intuitively, this new definition appears to address the attack
> because the attacker cannot transplant the Finished message between
> connections. We are currently working towards a Tamarin proof that PR#316
> indeed prevents our attack.

By my reading, #316 does not permit static client authentication with PSK (it
only permits dynamic auth, which didn't even exist previously), most
definitely not explicitly.

Also, found out that -10 looks to be at least unclear about whether the server
Finished is included in the data to be signed or not...

I also searched when this got broken. Looks to be part of "DH-based key
exchange" changes in -07 (in -06, hashes definitely did include Finished
messages).

-Ilari

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
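The point both posters circle around is whether the client's CertificateVerify signature covers the server Finished message. The following is an added toy model, not code from the thread, from the TLS drafts or from the Tamarin work, and it models only the binding property discussed above (a signature that covers the server Finished cannot be reused against a transcript with a different Finished), not the published attack itself. Assumptions: the signature is modelled as HMAC-SHA256 over a transcript hash, as a stand-in for the real public-key signature; the handshake message bodies and the two `verify_data` values are constructed placeholders; the function names `transcript_hash`, `client_signature_context` and `transplant_succeeds` are this example's own.

```python
"""
Toy model of two definitions of the TLS 1.3 client signature context.
Added example; not from the original post, the TLS drafts, or PR#316.
Assumption: HMAC-SHA256 with a client key stands in for the public-key
signature over the transcript hash. All message contents are constructed.
"""
import hashlib
import hmac

# Stands in for the client's private signing key (constructed value).
CLIENT_KEY = b"constructed-client-signing-key"


def transcript_hash(messages):
    """Hash a sequence of handshake messages; length-prefixed so that
    message boundaries are unambiguous."""
    h = hashlib.sha256()
    for m in messages:
        h.update(len(m).to_bytes(4, "big"))
        h.update(m)
    return h.digest()


def sign(key, context):
    """Stand-in for CertificateVerify: MAC over the signed context."""
    return hmac.new(key, context, hashlib.sha256).digest()


def verify(key, context, sig):
    return hmac.compare_digest(sign(key, context), sig)


def connection_transcript(server_verify_data):
    """Constructed placeholder transcript of a PSK handshake up to and
    including the server Finished; only the Finished differs between
    the two connections modelled below."""
    return [
        b"ClientHello(psk_identity=resumption-ticket)",
        b"ServerHello(psk)",
        b"EncryptedExtensions",
        b"CertificateRequest",
        b"Finished(verify_data=" + server_verify_data + b")",
    ]


def client_signature_context(transcript, include_server_finished):
    """Definition A (include_server_finished=False): sign the transcript
    up to but excluding the server Finished.
    Definition B (include_server_finished=True): the PR#316-style
    "Handshake Context" that also covers the server Finished."""
    covered = transcript if include_server_finished else transcript[:-1]
    return transcript_hash(covered)


def transplant_succeeds(include_server_finished):
    """Produce the client signature on connection 1 and try to verify it
    against connection 2, whose transcript is identical except for the
    server Finished. Returns True if the signature still verifies, i.e.
    the signature is not bound to the Finished of its own connection."""
    conn1 = connection_transcript(b"\xaa" * 32)  # constructed verify_data
    conn2 = connection_transcript(b"\xbb" * 32)  # constructed verify_data
    sig = sign(CLIENT_KEY, client_signature_context(conn1, include_server_finished))
    return verify(CLIENT_KEY, client_signature_context(conn2, include_server_finished), sig)


if __name__ == "__main__":
    print("signature excludes server Finished, reusable across connections:",
          transplant_succeeds(False))
    print("signature includes server Finished, reusable across connections:",
          transplant_succeeds(True))
```

Under definition A the signature verifies against the second transcript because nothing it covers differs; under definition B the differing Finished changes the signed context, so the signature is tied to one connection. Which of these definitions -10 actually specifies is exactly the ambiguity Ilari raises, and the model does not settle it.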
